02-03-2019 09:12 PM - edited 02-03-2019 09:12 PM
ISE 2.3 patch 5
I am testing BYOD posture with the Windows temporal agent and trying to understand what is best practice when a user becomes non-compliant during the BYOD process - how do they rescan for a compliance check after manual remediation is done?
I am using dual SSID where after BYOD registration the user connects to the corporate SSID and the posture check is done. I set up a posture condition to fail and to trigger non-compliance. In the non-compliant state I have only allowed internet access (no access to internal networks). However, how do I get a rescan to happen again? My posture general settings have "Perform posture assessment every time a user connects to the network". So I closed all the browsers and disabled wireless. Reconnected to the corporate SSID, but can't get a posture rescan to happen automatically. I suspect this is expected behaviour?
02-04-2019 02:03 AM
02-04-2019 02:33 AM
Hi Jason, thanks for the reply. I am not entirely sure if I connected with a new session id. I'll check on this tomorrow. And I did none of those.
I am thinking in terms of the user. If they don't remediate and go into non-compliant state does that mean they are stuck? It seems impractical that an administrator would have to manually remove the user endpoint from ISE for them to try again?
02-04-2019 03:45 AM
02-04-2019 04:38 AM - edited 02-04-2019 04:38 AM
Thanks for the suggestions, I'll check the timeout. So it's understood the only way would be to go through the BYOD process from the beginning.
AnyConnect would definitely be better but there is the cost involved with Apex licenses.
02-04-2019 04:49 AM
02-04-2019 05:22 AM
That's what I have at the moment: unknown > redirect to CPP, non-compliant > internet, compliant > full access. So posture to hit every time with temporal agent means the session needs to time out (WLC idle timeout)? I closed my browser and immediately re-opened and didn't need to posture again. I'll have to run some tests again tomorrow.
02-04-2019 05:36 PM
I am trying to understand the mechanism which makes posture to hit every time with temporal agent? If a user is in non-compliant state with internet only access, how would temporal agent trigger to do posture check again?
02-05-2019 08:39 AM
With Temporal agent, Posture lease is not supported. There is no agent which resides in the system to perform the check again.
You will have to re-initiate the session, install the exe to check for the compliant status again.
You will need a persistent AnyConnect agent to perform periodic checks.
Thanks,
Nidhi
02-07-2019 06:12 AM
Thanks.