BYOD Posture temporal agent - how to become compliant after non-compliance

Madura Malwatte
Level 4

ISE 2.3 patch 5

I am testing BYOD posture with the Windows temporal agent and trying to understand what the best practice is when a user becomes non-compliant during the BYOD process - how do they rescan for the compliance check after manual remediation is done?

I am using dual SSID, where after BYOD registration the user connects to the corporate SSID and the posture check is done. I set up a posture condition to fail and to trigger non-compliance. In the non-compliant state I have only allowed internet access (no access to internal networks). However, how do I get a rescan to happen again? My posture general settings have "Perform posture assessment every time a user connects to the network". So I closed all the browsers and disabled wireless. I reconnected to the corporate SSID, but can't get the posture rescan to happen automatically. I suspect this is expected behaviour?

Accepted Solution

With the temporal agent, posture lease is not supported. There is no agent which resides on the system to perform the check again.

You will have to re-initiate the session and install the exe to check for the compliant status again.

You will need a persistent AnyConnect agent to perform periodic checks.

Thanks,

Nidhi

9 Replies

Jason Kunst
Cisco Employee
Are you sure you connected with a new session ID? Just turning off Wi-Fi doesn't guarantee a new session.

Did you do a CoA terminate from ISE Live Sessions? Or go to the wireless controller client session and remove it?

Also, that setting for performing assessment on every connection isn't valid for the temporal agent. Temporal requires a scan upon every new connection regardless.
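The reply above names the two ways to get a genuinely new RADIUS session (a CoA terminate from ISE, or removing the client session on the controller). The script below is an added example, not code from the thread or from Cisco: it forces a rescan for a temporal-agent endpoint by looking up its live session and sending a CoA disconnect through the ISE Monitoring (MnT) REST API, so that the client's next association starts a fresh session whose posture status is Unknown and therefore hits the client-provisioning redirect rule again. It assumes ISE 2.x MnT API paths of the form `/admin/API/mnt/Session/MACAddress/<mac>`, `/admin/API/mnt/CoA/Disconnect/<ISE-PSN>/<mac>/<type>` and `/admin/API/mnt/CoA/Reauth/<ISE-PSN>/<mac>/<type>`, HTTP basic auth as an admin holding the MnT API role, and the response element names shown in the comments; the PSN name `ise-psn1`, the MAC and the XML replies in `FakeOpener` are all constructed so the flow runs offline.

```python
"""Force a posture rescan for a temporal-agent endpoint by terminating its
RADIUS session through the ISE Monitoring (MnT) REST API.

Added example, not from the thread. Assumed API paths (ISE 2.x MnT API):
  GET /admin/API/mnt/Session/MACAddress/<mac>
  GET /admin/API/mnt/CoA/Disconnect/<ISE-PSN>/<mac>/<type>   type 0,1,2
  GET /admin/API/mnt/CoA/Reauth/<ISE-PSN>/<mac>/<type>       type 0,1,2
"""
import base64
import io
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

DISCONNECT_TYPES = {"default": 0, "port_bounce": 1, "port_shutdown": 2}
REAUTH_TYPES = {"default": 0, "last": 1, "rerun": 2}


def normalise_mac(mac: str) -> str:
    """MnT wants AA:BB:CC:DD:EE:FF; accept dotted, dashed or bare forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def coa_path(action: str, psn: str, mac: str, kind: str) -> str:
    """Build the MnT CoA URL path; action is 'Disconnect' or 'Reauth'."""
    if action not in ("Disconnect", "Reauth"):
        raise ValueError(f"unknown CoA action {action!r}")
    table = DISCONNECT_TYPES if action == "Disconnect" else REAUTH_TYPES
    return f"/admin/API/mnt/CoA/{action}/{psn}/{normalise_mac(mac)}/{table[kind]}"


def parse_session(xml_text: str) -> dict:
    """Extract the fields we need from the MnT session XML.
    Element names (acs_session_id, posture_status, ...) are assumed."""
    root = ET.fromstring(xml_text)
    out = {}
    for tag in ("acs_session_id", "user_name", "nas_ip_address", "posture_status"):
        el = root.find(f".//{tag}")
        out[tag] = el.text.strip() if el is not None and el.text else None
    return out


def parse_coa_result(xml_text: str) -> bool:
    """Assumed reply shape: <remoteCoA requestType="disconnect"><results>true</results></remoteCoA>."""
    el = ET.fromstring(xml_text).find(".//results")
    return el is not None and (el.text or "").strip().lower() == "true"


class IseMnt:
    def __init__(self, host, user, password, opener=None, verify_tls=True):
        self.host = host
        self.auth = base64.b64encode(f"{user}:{password}".encode()).decode()
        if opener is None:  # injectable transport so the logic is testable offline
            ctx = ssl.create_default_context()
            if not verify_tls:  # lab only; keep certificate checks on in production
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
        self.opener = opener

    def _get(self, path: str) -> str:
        req = urllib.request.Request(
            f"https://{self.host}{path}",
            headers={"Authorization": f"Basic {self.auth}", "Accept": "application/xml"},
        )
        with self.opener.open(req, timeout=15) as resp:
            return resp.read().decode()

    def session_for_mac(self, mac: str) -> dict:
        return parse_session(self._get(f"/admin/API/mnt/Session/MACAddress/{normalise_mac(mac)}"))

    def force_rescan(self, psn: str, mac: str) -> dict:
        """Terminate the session. The next association gets a new session with
        posture Unknown, which is what re-triggers the CPP redirect rule."""
        before = self.session_for_mac(mac)
        sent = parse_coa_result(self._get(coa_path("Disconnect", psn, mac, "default")))
        return {"old_session": before["acs_session_id"],
                "old_posture": before["posture_status"], "coa_sent": sent}


class FakeOpener:
    """Constructed offline stand-in for urllib's opener with made-up MnT replies."""
    SESSION_XML = ("<sessionParameters><acs_session_id>ise-psn1/123456789/42</acs_session_id>"
                   "<user_name>byoduser</user_name><nas_ip_address>10.0.0.5</nas_ip_address>"
                   "<posture_status>NonCompliant</posture_status></sessionParameters>")
    COA_XML = '<remoteCoA requestType="disconnect"><results>true</results></remoteCoA>'

    def __init__(self):
        self.calls = []

    def open(self, req, timeout=None):
        self.calls.append(req.full_url)
        body = self.COA_XML if "/CoA/" in req.full_url else self.SESSION_XML
        return io.BytesIO(body.encode())


if __name__ == "__main__":
    mnt = IseMnt("ise.example.com", "admin", "secret", opener=FakeOpener())
    print(mnt.force_rescan("ise-psn1", "00:11:22:aa:bb:cc"))
```

Pass `opener=None` and real credentials to run it against a live deployment; a `Reauth` with the `rerun` type keeps the same session and so does not reset the posture status, which is why the disconnect is the action that matters here.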

Hi Jason, thanks for the reply. I am not entirely sure if I connected with a new session ID. I'll check on this tomorrow. And I did none of those.

I am thinking in terms of the user. If they don't remediate and go into the non-compliant state, does that mean they are stuck? It seems impractical that an administrator would have to manually remove the user's endpoint from ISE for them to try again?

Just flapping wireless doesn't give you a new session. The wireless controller likely has a default of 180 seconds for its user idle timeout value, to save on wireless sessions flapping in the controller memory.

With the temporal agent, once it's gone the only way to get back is to go through a redirection again and then load it. If the user doesn't keep it in front of them to remediate, then they're stuck.

If you want a better user experience, then load AnyConnect, which is meant for long-term users. The temporal agent flow is not the most user-friendly since it requires interaction with a web portal upon every new connection to the network.

Thanks for the suggestions, I'll check the timeout. So it's understood the only way would be to go through the BYOD process from the beginning.

AnyConnect would definitely be better, but there is the cost involved with Apex licenses.

BYOD flow and posture flow are 2 separate issues.

You only go through BYOD once.
Posture you would hit every time with the temporal agent.
A simple authorization rule could be: if posture is equal to unknown, then redirect to the client provisioning portal to launch the agent.
If posture is non-compliant, internet only?

Otherwise, compliant.

I would recommend looking at the posture guide:
https://community.cisco.com/t5/security-documents/ise-posture/ta-p/3657443

That's what I have at the moment: unknown > redirect to CPP, non-compliant > internet, compliant > full access. So posture hitting every time with the temporal agent means the session needs to time out (WLC idle timeout)? I closed my browser and immediately re-opened it and didn't need to posture again. I'll have to run some tests again tomorrow.

I am trying to understand the mechanism which makes posture hit every time with the temporal agent. If a user is in the non-compliant state with internet-only access, how would the temporal agent trigger to do the posture check again?


Thanks.