topic Re: ISE questions on Posturing in Network Access Control

ISE questions on Posturing

rbill1967 — Tue, 05 Jul 2022 16:05:11 GMT

Questions on ISE, if I can get some definitive answers on how it works?

1. Grace period - when does it start?

* Can it be pushed manually onto a client?

2. Windows updates - when non-compliant shouldn't the update still run if allowed from an internal wsus server?

* If it doesn't what is blocking it from running on a client?

3. Antivirus updates - same type of question like "windows", runs from an online site and allowed via ACLs.

* If it doesn't what is blocking it from not getting the updates?

Any thoughts or suggestions you can offer?

Re: ISE questions on Posturing

Marcelo Morais — Thu, 07 Jul 2022 01:26:02 GMT

Hi @rbill1967 ,

whenever you reach a Posture Status = NonCompliant at your Policy Sets, your Authorization Profiles (that you configured before at Policy > Policy Elements > Authorization > Authorization Profiles) must have a dACL (for ex.) that permit the Remediation Servers (internal WSUS Server, internal AV Servers, ...) and deny others Servers.

At Work Centers > Posture > Client Provisioning > Resources > select your AnyConnectProfile, and double check your configuration.

At Administration > System > Settings > Posture > General Settings > double check the Remediation Timer.

Hope this helps !!!

Re: ISE questions on Posturing

rbill1967 — Thu, 07 Jul 2022 15:13:46 GMT

Yes, all of those settings were checked and rechecked with Cisco support and vendor who assisted in the original setup. Even had them recheck and revalidate those changes and requirements. Unfortunately, it does not help the current situation.

Re: ISE questions on Posturing

Marcelo Morais — Thu, 07 Jul 2022 21:08:21 GMT

Hi @rbill1967 ,

please:

1. verify if a NonCompliant Endpoint is able to ping the Internal WSUS Server.

2. generate a PCAP during a NonCompliant Endpoint update vs Compliant Endpoint update and check if anything is blocked

Hope this helps !!!