https://community.cisco.com/t5/network-access-control/ise-posture-policy/m-p/3518923#M527689 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">Dear experts,</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Please help on below two questions.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">1. How anyconnect posture module to decide the checking order of rules I configure in posture rules on ISE. The actual checking order is not the same with what I configure. In my testing, windows server update services is always the first one to be checked. Because WSUS remediation always spends more time downloading and installing patches and cause remediation time expired. So other rules are not even checked.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">2. I use the default remediation timer--4 minutes in my lab. But time of WSUS remediation which is one of three posture rules is longer than 4 minutes. So is there other specific timer for each remediation?</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">ISE Version: 2.2.0.470</P><P style="font-size: 13.3333px;">Anyconnect Version: 4.4.02034</P><P style="font-size: 13.3333px;">Compliance Module: 4.2.1134.0</P></BODY></HTML> Fri, 11 Aug 2017 15:57:53 GMT xili5 2017-08-11T15:57:53Z https://community.cisco.com/t5/network-access-control/ise-posture-policy/m-p/3518923#M527689 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">Dear experts,</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Please help on below two questions.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">1. How anyconnect posture module to decide the checking order of rules I configure in posture rules on ISE. The actual checking order is not the same with what I configure. In my testing, windows server update services is always the first one to be checked. Because WSUS remediation always spends more time downloading and installing patches and cause remediation time expired. So other rules are not even checked.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">2. I use the default remediation timer--4 minutes in my lab. But time of WSUS remediation which is one of three posture rules is longer than 4 minutes. So is there other specific timer for each remediation?</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">ISE Version: 2.2.0.470</P><P style="font-size: 13.3333px;">Anyconnect Version: 4.4.02034</P><P style="font-size: 13.3333px;">Compliance Module: 4.2.1134.0</P></BODY></HTML> Fri, 11 Aug 2017 15:57:53 GMT https://community.cisco.com/t5/network-access-control/ise-posture-policy/m-p/3518923#M527689 xili5 2017-08-11T15:57:53Z https://community.cisco.com/t5/network-access-control/ise-posture-policy/m-p/3518924#M527690 <HTML><HEAD></HEAD><BODY><P>On 1, two possibilities:</P><UL><LI>Each of posture requirements may have one or more conditions. With 2+ conditions, we may OR them by the selection of "Any selected conditions succeeds".<IMG alt="Screen Shot 2017-08-11 at 6.47.09 PM.png" class="image-1 jive-image" src="/legacyfs/online/fusion/110449_Screen Shot 2017-08-11 at 6.47.09 PM.png" style="height: 98px; width: 620px;" /></LI><LI>ISE posture policy is matched all. To have one requirement after another, we may add them into the same rule.<IMG alt="Screen Shot 2017-08-11 at 6.53.47 PM.png" class="jive-image image-2" src="/legacyfs/online/fusion/110454_Screen Shot 2017-08-11 at 6.53.47 PM.png" style="height: auto; width: auto;" /></LI></UL><P>On 2, there is no remediation timer for individual remediation so please set a longer timer for overall remediations.</P></BODY></HTML> Sat, 12 Aug 2017 01:55:25 GMT https://community.cisco.com/t5/network-access-control/ise-posture-policy/m-p/3518924#M527690 hslai 2017-08-12T01:55:25Z