https://community.cisco.com/t5/network-access-control/cisco-ise-unknown-or-pending-timeout/m-p/5106688#M589479 <P>I suppose you could start with returning a Session-Timeout in your ISE Authorization Profile. When that timer expires, then the client will be re-auth'd and then it will be re-assessed. I am not experienced with Posture flow, but how would you like to handle endpoints that exceed their allotted time during posture assessment?</P> <P>The <A href="https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273" target="_self">Posturing Prescriptive Guide</A> might have some insights.</P> Fri, 17 May 2024 00:16:12 GMT Arne Bier 2024-05-17T00:16:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-unknown-or-pending-timeout/m-p/5106247#M589468 <P>Good afternoon,</P><P>Does anyone know of way to configure a timeout or time limit for an endpoint to be in a Pending or Posture Unknown state?</P><P>We are concerned about credential theft and unauthorized devices remaining in this state with access.</P><P>Thank you</P> Thu, 16 May 2024 17:02:40 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-unknown-or-pending-timeout/m-p/5106247#M589468 abarkley 2024-05-16T17:02:40Z https://community.cisco.com/t5/network-access-control/cisco-ise-unknown-or-pending-timeout/m-p/5106688#M589479 <P>I suppose you could start with returning a Session-Timeout in your ISE Authorization Profile. When that timer expires, then the client will be re-auth'd and then it will be re-assessed. I am not experienced with Posture flow, but how would you like to handle endpoints that exceed their allotted time during posture assessment?</P> <P>The <A href="https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273" target="_self">Posturing Prescriptive Guide</A> might have some insights.</P> Fri, 17 May 2024 00:16:12 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-unknown-or-pending-timeout/m-p/5106688#M589479 Arne Bier 2024-05-17T00:16:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-unknown-or-pending-timeout/m-p/5106713#M589480 <P>I haven't played around with these setting, but you can try</P> <P><SPAN><STRONG>Administration &gt; Settings &gt; Posture &gt; General Settings</STRONG>:</SPAN></P> <P><SPAN>there is continuous monitoring setting, which basically states how frequently any connect will send status update to ISE. </SPAN></P> <P><SPAN>If posture state changes to Unknown your policy should be such that it pushes different authorization profile to endpoint and limits their access to only resources required to become compliant. </SPAN></P> <P><SPAN>you can read more under "posture general setting" <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_client_posture_policies.html" target="_self">here</A></SPAN></P> Fri, 17 May 2024 01:18:43 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-unknown-or-pending-timeout/m-p/5106713#M589480 Ambuj M 2024-05-17T01:18:43Z