https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392158#M566846 <P>Dear Mike,</P><P>&nbsp;</P><P>Thanks for your reply.</P><P>&nbsp;</P><P><SPAN>Will these non-compliant machines require full network access in that 8 hour window?&nbsp;</SPAN></P><P><SPAN>Ans-: Yes.</SPAN></P><P>&nbsp;</P><P><STRONG>How much time user will get the Grace period notification that he/her was running in grace period ?</STRONG></P><P>&nbsp;</P><P><STRONG>Can we configured that notification time in periodic manner ? For ex. In 8 hours of grace period, can user get grace period notification eight times i.e. for every hour ?</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>warm regards,</SPAN></P><P><SPAN>Ishwar B</SPAN></P><P>&nbsp;</P> Fri, 23 Apr 2021 12:41:39 GMT IshwarBamane2910 2021-04-23T12:41:39Z https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392100#M566839 <P>hi all,</P><P>Need to configure grace period of 8 hr to non compliance endpoints,so that non compliance endpoint's user get time to make his/her system compliant as per the company policy.</P><P>&nbsp;</P><P>how to configure grace period ?</P><P>What is the best practice ?</P><P>Can we set the grace period notification in periodic manner so that user get to know he was running in grace period time ?</P><P>maximum how much time we can set the notification for grace period ?</P><P>&nbsp;</P><P>kindly help me with this ....</P><P>&nbsp;</P><P>warm regards,</P><P>Ishwar B</P><P>&nbsp;</P> Fri, 23 Apr 2021 10:29:58 GMT https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392100#M566839 IshwarBamane2910 2021-04-23T10:29:58Z https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392149#M566844 <P><SPAN>Need to configure grace period of 8 hr to non compliance endpoints,so that non compliance endpoint's user get time to make his/her system compliant as per the company policy.</SPAN></P> <P><SPAN>-Will these non-compliant machines require full network access in that 8 hour window? Why not consider setting the remediation timer longer (can be up to 5 hours) in the posture global settings?&nbsp; In this window the client is neither compliant nor non-compliant yet.&nbsp; Essentially it is still deemed unknown since the scan would still be going, and the "non-compliant" machines would be stuck on a missing check.&nbsp; In this AnyConnect unknown state you could have a dacl limiting network access, but grant the ability to reach resources that would allow your clients a window to patch/remediate to become compliant.&nbsp; Then if clients are unable to get compliant within the remediation allowed window, they then move into a Non-compliant state, which limits network access and at this point is deemed non-compliant per policy assessment (sitting in a quarantine restricted state).&nbsp; Note that you have the ability to push a 'Scan Again' button feature via the ISEPostureCFG.xml that would allow end users to initiate the module probe to ISE.&nbsp; This could allow a true non-compliant client/user the ability to initiate a re-scan without the need of a DFG change, or some other action to initiate the probe.</SPAN></P> <P>&nbsp;</P> <P>how to configure grace period ?</P> <P>-See here:&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273#:~:text=Cisco%20ISE%20provides%20an%20option%20to%20configure%20a,the%20device%20is%20granted%20access%20to%20the%20network." target="_blank">ISE Posture Prescriptive Deployment Guide - Cisco Community</A></P> <P>What is the best practice ?</P> <P>-IMO this depends on your requirements and will vary per use case.</P> <P>maximum how much time we can set the notification for grace period ?</P> <P>-<SPAN>You can configure the grace period in minutes, hours, or days (up to a maximum of 30 days).&nbsp; It is important to know that an endpoint is only able to utilize a grace period if they were previously deemed compliant.</SPAN></P> <P><SPAN>HTH!</SPAN></P> Fri, 23 Apr 2021 12:20:57 GMT https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392149#M566844 Mike.Cifelli 2021-04-23T12:20:57Z https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392158#M566846 <P>Dear Mike,</P><P>&nbsp;</P><P>Thanks for your reply.</P><P>&nbsp;</P><P><SPAN>Will these non-compliant machines require full network access in that 8 hour window?&nbsp;</SPAN></P><P><SPAN>Ans-: Yes.</SPAN></P><P>&nbsp;</P><P><STRONG>How much time user will get the Grace period notification that he/her was running in grace period ?</STRONG></P><P>&nbsp;</P><P><STRONG>Can we configured that notification time in periodic manner ? For ex. In 8 hours of grace period, can user get grace period notification eight times i.e. for every hour ?</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>warm regards,</SPAN></P><P><SPAN>Ishwar B</SPAN></P><P>&nbsp;</P> Fri, 23 Apr 2021 12:41:39 GMT https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392158#M566846 IshwarBamane2910 2021-04-23T12:41:39Z https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392169#M566847 <P><STRONG>How much time user will get the Grace period notification that he/her was running in grace period ?</STRONG></P> <P>-This is configurable within the posture policy under the 'Policy Options' column.&nbsp; If you want to delay the notification you have the ability to select a specific percentage of the actual grace period before it actually notifies the user.&nbsp; If you want the client/user to see that they are in the grace period immediately then leave the delay period at 0% (default setting).&nbsp; Note that the grace period notification is never displayed if the endpoint is compliant.&nbsp;&nbsp;</P> <P>Example of grace period notification: You set the grace period on a posture policy to 20 minutes, with a delayed notification of 50%.&nbsp; In this configuration the client/user will not be notified until the 10 minute mark.</P> <P><STRONG>Can we configured that notification time in periodic manner ? For ex. In 8 hours of grace period, can user get grace period notification eight times i.e. for every hour ?</STRONG></P> <P>- AFAIK, no.&nbsp;</P> Fri, 23 Apr 2021 12:58:13 GMT https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392169#M566847 Mike.Cifelli 2021-04-23T12:58:13Z https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392520#M566858 <P>Hi Mike ,</P><P>&nbsp;</P><P>Thanks for information .</P> Sat, 24 Apr 2021 14:54:52 GMT https://community.cisco.com/t5/network-access-control/grace-period-configuration-for-non-compliance-endpoints/m-p/4392520#M566858 IshwarBamane2910 2021-04-24T14:54:52Z