topic Re: Anyconnect ISE Posture Issues in Network Access Control

Anyconnect ISE Posture Issues

Rahul Govindan — Thu, 25 May 2017 01:45:25 GMT

Two concerns

1) Is there a way to have a more intuitive approach to Posture non-compliance with the Anyconnect ISE posture module? The requirement is to have a non-compliant user be disconnected (or assigned a quarantine policy) when compliance checks fails, no remediation needed. Right now, the remediation window always pops up (in spite of my remediation action set to "Message Text Only" and runs for the remediation timer (minimum of 1 minute). This is really confusing to the end user as the message next to the posture condition is always "Click Start to Begin". Clicking start provides another dialog where the user clicks "Cancel". I could not find any way to not have the scary pop-up show up when I fail compliance. User has to wait for 1 minute at a minimum for the whole remediation process before it timing out. I feel that there should be a better way of handling this. Can there be a "No remediation" option the Remediation actions?

2) ISE posture audit mode. When set to audit mode, the ISE posture always shows up as compliant in the ISE posture reports. What most Admins would like to see is a report where I can see Compliant and Non-Compliant users without actually affecting initial deployment (and running it in mandatory mode) I know that this is a bug since the 1.3 release:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus84376/?reffering_site=dumpcr

Is there a better way to run posture without affecting users and still figuring out who would fail if the posture if it was run in a non-audit mode?

This is not the first time I am running into these issues so trying to see if others have the same problems during deployments.

Re: Anyconnect ISE Posture Issues

paul — Thu, 25 May 2017 02:02:49 GMT

For #2 you are running the wrong report. Run the Posture Assessment by Condition report and set the filter to Condition Status failed. The Posture Assessment by Endpoint wont help. As you said, it shows everything as compliant when you are auditing. Although if you click details of the report you can see the audit conditions that failed.

Re: Anyconnect ISE Posture Issues

Rahul Govindan — Fri, 26 May 2017 02:08:00 GMT

Hi Paul,

I did try to look at that report. The problem with that is when I have a posture policy with 3 AND conditions and the second one fails, the 3rd condition check gets skipped and not checked. But, I think I could get away with it by configuring 3 separate posture policies with same matching condition but different requirements. Looking at the details in the Posture compliance report is a little cumbersome when it deployed across the board. Thanks for your thoughts on this.

Re: Anyconnect ISE Posture Issues

paul — Fri, 26 May 2017 11:33:50 GMT

Yeah I usually separate out my posture rules for readability:

Domain Computer McAfee AV Installed

Domain Computer McAfee AV Definitions Current

Domain Computer McAfee EPO Agent Running

Domain Computer Critical Patches Applied

Etc.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: Anyconnect ISE Posture Issues

hslai — Sun, 28 May 2017 16:47:33 GMT

For the question 1, I would suggest you to try AnyConnect 4.4 and CM 4.2 in stealth mode.

Re: Anyconnect ISE Posture Issues

edondurguti — Fri, 21 Jul 2017 01:40:40 GMT

I have the same problem, I don't really want to show any messages and confuse the user.

I have a requirement for a registry key (check if device is joined to AD) - when I enable stealth mode, i only have two options as remediation, and none of those apply to me

Re: Anyconnect ISE Posture Issues

khalid_mahmood — Mon, 31 Jul 2017 16:16:47 GMT

Hi, If the remediation is set to manual than the window will pop up asking to start remediation, if you set to Automatic the window will not pop-up

If you want to see whats happening in remediation, in the System Scan module, you can click on the Detail dialogue prompt.

Hope that helps

Regards

Re: Anyconnect ISE Posture Issues

edondurguti — Mon, 31 Jul 2017 17:21:33 GMT

Hi, thanks for your reply. I really don't see an option for registration remediation, so I can't really figure out how to do automatic. thanks

Re: Anyconnect ISE Posture Issues

khalid_mahmood — Mon, 31 Jul 2017 17:50:33 GMT

Edon,

Not all remedations actions allow for manual/automatic option as these tend to be usually AV, Patches etc. But here is an example:-

Antivirus Remediation

The following table describes the fields in the AV Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > AV Remediation.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ui_reference_policy.html#23739

Table C-23 Antivirus Remediation

Fields	Usage Guidelines
Name	Enter a name for the antivirus remediation.
Description	Enter a description for the antivirus remediation.
Remediation Type	Choose one of the following: Automatic —When selected, you should enter values for the Interval and Retry Count. Manual —When selected, Retry Count and Interval fields are not editable.
Interval (in seconds)	Enter the time interval in seconds that clients can try to remediate after previous attempts.
Retry Count	Enter the number of attempts that clients can try to update an antivirus definition.
Operating System	Choose one of the following: Windows Macintosh —when selected Remediation Type, Interval, and Retry Count fields are not editable
AV Vendor Name	Choose the antivirus vendor

Re: Anyconnect ISE Posture Issues

edondurguti — Mon, 31 Jul 2017 18:03:16 GMT

Thanks

Sent from my iPhone