<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Posture Assessment through Cisco ISE 3.1 in distributed deployment in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5229032#M593360</link>
    <description>&lt;P&gt;The NAD (network access device) can operate in one of two modes:&lt;/P&gt;
&lt;P&gt;Load balance (command load-balance least outstanding)&lt;/P&gt;
&lt;P&gt;Linear (the order you define in the switch)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can manually load balance across your network or manage primary/secondary for distributed setups.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;ISE knows which network device sent the request, but posturing is strictly client side (at the host computer). The posture “checklist” is sent to the host and the posture module on the device performs the checks. Once complete, the node sends the results to ISE and a change of authorization is performed when required to apply the appropriate network access policy.&lt;/P&gt;</description>
    <pubDate>Tue, 26 Nov 2024 14:13:31 GMT</pubDate>
    <dc:creator>stephan.l.martin1</dc:creator>
    <dc:date>2024-11-26T14:13:31Z</dc:date>
    <item>
      <title>Posture Assessment through Cisco ISE 3.1 in distributed deployment</title>
      <link>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5228485#M593338</link>
      <description>&lt;P&gt;I am planning to deploy posture assessment in my environment. I have three clustered ISE nodes v3.1, all with PSN enabled, two admin and monitoring roles (primary and secondary). So, I need your expertise/advice on the best/recommended deployment, especially in the creation of the authorization policies for posture statuses (unknown, non-compliant and compliant). Is it required to have an authorisation policy for each status? For example, assuming my nodes are as follows: ISE1, ISE2, ISE3. Am I required to create an unknown authorisation policy for ISE1, ISE2, and ISE3, a non-compliant authz policy for ISE1, ISE2, ISE3, and a compliant policy for ISE1, ISE2, ISE3?&lt;/P&gt;&lt;P&gt;Also, for the web redirection for unknown status profiles, is it required to state the static IP/host for each ISE node?&lt;/P&gt;</description>
      <pubDate>Mon, 25 Nov 2024 14:18:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5228485#M593338</guid>
      <dc:creator>Tiroyaone72926925</dc:creator>
      <dc:date>2024-11-25T14:18:41Z</dc:date>
    </item>
    <item>
      <title>Re: Posture Assessment through Cisco ISE 3.1 in distributed deployment</title>
      <link>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5228712#M593346</link>
      <description>&lt;P&gt;I will do my best to assist; however, your question is slightly confusing.&lt;/P&gt;
&lt;P&gt;1) An authorization policy is required for each policy element. That being said, you would not need to create them individually for each server in a cluster; rather, you would create a single Authz result for compliant (typically ACCESS_ACCEPT), Not-Compliant (ACCESS_ACCEPT with dynamic VLAN or dACL to restrict access) or Unknown, which includes URL redirect. &lt;BR /&gt;Below is a link to an exceptionally well-written guide that can help you to understand each aspect and how to integrate. Overall, the policies and requirements must come from you or your organization to meet the intent of your posture requirements.&lt;BR /&gt;&lt;A href="https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273" target="_blank"&gt;https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 25 Nov 2024 22:43:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5228712#M593346</guid>
      <dc:creator>stephan.l.martin1</dc:creator>
      <dc:date>2024-11-25T22:43:48Z</dc:date>
    </item>
    <item>
      <title>Re: Posture Assessment through Cisco ISE 3.1 in distributed deployment</title>
      <link>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5228987#M593359</link>
      <description>&lt;P&gt;Thank you for the helpful response. Based on your response, you seem to understand my question. But I still have questions: how does the PSN that is doing the assessment know which node authenticated the endpoint? What if all the PSNs fight or compete to do posture assessment, even the ones that did not authenticate the endpoint?&lt;/P&gt;</description>
      <pubDate>Tue, 26 Nov 2024 12:23:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5228987#M593359</guid>
      <dc:creator>Tiroyaone72926925</dc:creator>
      <dc:date>2024-11-26T12:23:14Z</dc:date>
    </item>
    <item>
      <title>Re: Posture Assessment through Cisco ISE 3.1 in distributed deployment</title>
      <link>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5229032#M593360</link>
      <description>&lt;P&gt;The NAD (network access device) can operate in one of two modes:&lt;/P&gt;
&lt;P&gt;Load balance (command load-balance least outstanding)&lt;/P&gt;
&lt;P&gt;Linear (the order you define in the switch)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can manually load balance across your network or manage primary/secondary for distributed setups.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;ISE knows which network device sent the request, but posturing is strictly client side (at the host computer). The posture “checklist” is sent to the host and the posture module on the device performs the checks. Once complete, the node sends the results to ISE and a change of authorization is performed when required to apply the appropriate network access policy.&lt;/P&gt;</description>
      <pubDate>Tue, 26 Nov 2024 14:13:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5229032#M593360</guid>
      <dc:creator>stephan.l.martin1</dc:creator>
      <dc:date>2024-11-26T14:13:31Z</dc:date>
    </item>
    <item>
      <title>Re: Posture Assessment through Cisco ISE 3.1 in distributed deployment</title>
      <link>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5229126#M593364</link>
      <description>&lt;P&gt;Thanks Martin, much appreciated. Could you please point me to a Cisco document that speaks to that?&lt;/P&gt;</description>
      <pubDate>Tue, 26 Nov 2024 17:21:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5229126#M593364</guid>
      <dc:creator>Tiroyaone72926925</dc:creator>
      <dc:date>2024-11-26T17:21:56Z</dc:date>
    </item>
    <item>
      <title>Re: Posture Assessment through Cisco ISE 3.1 in distributed deployment</title>
      <link>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5229158#M593365</link>
      <description>&lt;P&gt;There are a couple of guides that tap dance around the process. Below are two links which provide quite a bit of material. At the end of the day, there are multiple methods that can be used to posture assess (agent v. agentless), all of which have use cases and separate scenarios. You will be required to understand your organization's posture policy (or develop one). &lt;BR /&gt;The last link is more from the design/framework side, which is based around Zero-trust, which is the core tenet of posturing to begin with. If you are unsure of how to get after developing a posture environment that meets the intent of your security requirements, I would recommend reviewing the Zero-trust guide as it may give you some ideas on how to tackle this problem.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-frameworks.html" target="_blank"&gt;https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-frameworks.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;Please be sure to mark as helpful and accept as a solution if these answered your question!&lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_compliance.html#ID873" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_compliance.html#ID873&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html" target="_blank"&gt;https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 26 Nov 2024 18:26:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/posture-assessment-through-cisco-ise-3-1-in-distributed/m-p/5229158#M593365</guid>
      <dc:creator>stephan.l.martin1</dc:creator>
      <dc:date>2024-11-26T18:26:22Z</dc:date>
    </item>
  </channel>
</rss>

