topic Re: posture rescan in Network Access Control

posture rescan

adrianmadley — Tue, 07 Jan 2020 11:51:50 GMT

Hello All

using ISE 2.2- client = anyconnect 4.6

getting ready to deploy posture checking :

when testing - forcing failures / successes - we where using a restart of the

cisco anyconnect secure mobility ISE posture agent - services, in order to repeat testing - get the host scanning again

As we're not expecting end users to do this - we used ISE Posture Profile Editor on the selected host and entered the recommended entry of

to the xml file

in order to perform a rescan ....this runs fine once.! after which I believe the following is occurring -

the client has made contact with ISE - which enforces it's configured setting in

AnyConnect Configuration >Profile Selection >* ISE posture setting

in the Posture Agent Profile Settings we have defined i cannot see a field to enforce rescan ?..... is this s/w version related / if so, is there a work around - or have I just missed a trick here ?

your continued support is greatly appreciated

Re: posture rescan

Mike.Cifelli — Tue, 07 Jan 2020 14:10:06 GMT

Take a peek in ISE under Administration->System->Settings->Posture->Reassessments
Under here you can setup custom reassessment configurations and map them to certain groups.

Re: posture rescan

adrianmadley — Wed, 08 Jan 2020 10:13:25 GMT

Thanks Mike

took a look where you suggested

- however, the lowest interval on reassessment is 1hr in these setting ? This period for a failed compliant / rescan is obviously too long for us

In our senario - we wish to see if the client fails compliance - they can try again at the clients will - ideally using the rescan button ( in POC we've been restarting the service - not an option for users)

please refer to attached as an overview of what we're experiencing

Re: posture rescan

adrianmadley — Wed, 08 Jan 2020 11:09:23 GMT

ok ladies & gentlemen

please stand down ...as we've managed to work it out ...

Ironically we had tried this previously , however, not in the correct way ....due to restricted access of the testing client we couldn't copy the *iseposture*.xml off the host after editing - so we rudimentarily copied the .xml into notepad ++ and saved a .xml - tried to use that as a -

AnyConnect Configuration > AnyConnent Posture Agent Profile

when we did this the hash value was accepted ...however, we saw an error message when we tried to bind that to our posture agent profile ( must have been because of the c'n''p - saving a txt as an .xml)

anyways - luckily the testing client could browser to the ISE - so we imported the /agent/ as a /customer created package/ from local disk - assigned this to our relevant / AnyConnent Posture Agent Profile/ and bingo -

the rescan button stays intact post ISE comms

thanks to all for looking / responding