topic Re: ISE 2.4 Posture and Reauth in Network Access Control

ISE 2.4 Posture and Reauth

cburger13 — Wed, 10 Apr 2019 15:27:38 GMT

Hello,

I have a customer who is utilizing the Posture module with ISE. The majority of their users lock their workstation overnight and when they log back in in the morning the posture client never kicks off for whatever reason leaving them in a remediation state and not giving them access to internal resources per the dACL. If they click the "Scan Again" button on the posture module it initiates the scan and makes them compliant and everything works as intended. Obviously this is not optimal for the entire user base as we roll this out organization wide.

Are there any best practices for re-auth or posture settings I can fidget with to try and get this to be an automated process. Users that take their laptops home with them and re-dock in the morning are not having this issue at all, it's only users who log out at night and re-login in the morning.

Re: ISE 2.4 Posture and Reauth

Timothy Abbott — Wed, 10 Apr 2019 15:30:55 GMT

I would investigate why the posture assessment is not happening when the user logs in. If the customer is doing user authentication via 802.1X, then posture should be performed every time the user logs into the machine. The fact that users who take home their workstations are postured when they connect the next day suggests that the posture lease configuration is set to perform posture every time a user connects to the network under "Posture General Settings" in ISE. You could explore changing the posture lease or the Cached compliance status in the same menu but I would be curious as to why users who leave their workstations are not being postured when they log in.

Regards,

-Tim

Re: ISE 2.4 Posture and Reauth

cburger13 — Wed, 10 Apr 2019 15:43:26 GMT

It turns out the users are locking their machines and not doing a logoff when they leave for the night. I’m guessing when they unlock their machines it’s not actually doing a session re-authentication thus not kicking off the posture agent.

The posture settings are set to check when a user connects to the network, so shouldn’t that still be stored from when the user last logged in?

Re: ISE 2.4 Posture and Reauth

paul — Wed, 10 Apr 2019 16:41:19 GMT

Do you have a reassessment timer configured? You could configure a global 8 hour reassessment timer to see if that helps. Administration->Systems->Settings->Posture->Reassessments.

Re: ISE 2.4 Posture and Reauth

Jason Kunst — Wed, 10 Apr 2019 16:55:26 GMT

Also wha version of ise and Anyconnect

Re: ISE 2.4 Posture and Reauth

cburger13 — Wed, 10 Apr 2019 17:00:43 GMT

ISE is 2.4 patch 5 and Anyconnect is 4.6.

Re: ISE 2.4 Posture and Reauth

cburger13 — Wed, 10 Apr 2019 17:05:22 GMT

I thought about this, but I don't see a way to do one of these based off AD groups. Only internal user or endpoint identity groups, of which the AD users are not a part of.

Re: ISE 2.4 Posture and Reauth

Jason Kunst — Wed, 10 Apr 2019 17:36:26 GMT

Thanks it would be good to also get logs and open a tac case to tweak what’s going on. You’re running good versions of the products.

Also good info is what kind of authentication you’re doing. Wondering if your supplicant is not correctly syncing? But it’s a discussion for a tac case with a dedicated engineer to run through instead of back and forth here

Re: ISE 2.4 Posture and Reauth

cburger13 — Wed, 10 Apr 2019 17:40:26 GMT

Yea, I have a TAC case open, but my engineer has been less than helpful so far. Won’t return e-mails nor calls.

Re: ISE 2.4 Posture and Reauth

paul — Wed, 10 Apr 2019 17:42:26 GMT

Just sent the identity to Any.

Re: ISE 2.4 Posture and Reauth

Jason Kunst — Wed, 10 Apr 2019 18:43:26 GMT

I would suggest you ask for escalation to duty manager