topic Re: Posture Policy in Network Access Control

Posture Policy

jdal — Mon, 23 Apr 2018 16:15:23 GMT

When defining a posture policy, the requirements of any matching rule will need to be evaluated for a posture to be compliant (or not).

A customer is then asking what is best:

- one single rule with multiple requirements

- several rules with the same condition and a single requirement per rule

Functionally, this looks the same to me but is there any difference in terms of performance, scalability,...

From a manageability point of view, I'd tend to recommend a single rule with multiple requirements but happy to stand corrected 😉

TIA,

Re: Posture Policy

paul — Mon, 23 Apr 2018 20:36:09 GMT

Good question. Interested to hear the answer. I prefer to have individual rules so everything is very apparent vs. having to dig into the requirements of a single rule:

Windows AV Installed Audit

Windows AV Definitions Audit

Windows SCCM Installed Audit

Windows SCCM Enabled Audit

Windows SCCM Critical Patches Audit

etc.

Re: Posture Policy

hslai — Wed, 25 Apr 2018 03:49:25 GMT

Usually we combine the requirements into one posture policy rule when they should be in some logical order. For example, check AV installed first before check AV definitions. See my response @ ISE Remediation Automatic Install

Re: Posture Policy

jdal — Wed, 25 Apr 2018 07:34:58 GMT

Thanks, that's interesting!!

What happens when there are different policies then? Are they run in parallel or they may not be run in the sequence you'd expect?

Re: Posture Policy

hslai — Wed, 25 Apr 2018 23:22:39 GMT

The latter. ISE Posture Policy rules are match-all so anything matched will be the requirements. For example, in case AV install and AV definition are two separate rules and both matched, then AnyConnect ISE posture would check for AV definition regardless AV installed on the endpoint.

Re: Posture Policy

Ping Zhou — Thu, 26 Apr 2018 14:56:48 GMT

So, just to confirm...

Posture Policy is not like Access Control List that gets processed in top-down, sequential order and the first match defines the results. It's different for Posture Policy rule list, which is... as long as the conditions, etc match, ALL the defined requirements of the matching conditions need to be satisfied. In other words, it's AND operator for these matching rules.

For instance, I have two separate rules in my Posture Policy with the same conditions {id group, operating system, other conditions}, one with requirements for AV and another rule with requirement for patch management. They both need to be checked off successfully to flag the session as compliant.

Am I correct? thanks.

Re: Posture Policy

axeleratorcisco — Wed, 21 Sep 2022 11:26:51 GMT

I would like to know as well if this is a match-all, and where I can find this in the Cisco documentation?

Currently can't find anything on this subject if official docs, apart from this forum post.