Cisco Employee

ISE 2.4 Posture and Reauth

Hello,

I have a customer who is utilizing the Posture module with ISE. The majority of their users lock their workstation overnight, and when they log back in in the morning the posture client never kicks off for whatever reason, leaving them in a remediation state and not giving them access to internal resources per the dACL. If they click the "Scan Again" button on the posture module, it initiates the scan and makes them compliant and everything works as intended. Obviously this is not optimal for the entire user base as we roll this out organization-wide.

Are there any best practices for re-auth or posture settings I can fidget with to try and get this to be an automated process? Users that take their laptops home with them and re-dock in the morning are not having this issue at all; it's only users who log out at night and re-login in the morning.

Accepted Solution
Cisco Employee

Re: ISE 2.4 Posture and Reauth

I would investigate why the posture assessment is not happening when the user logs in. If the customer is doing user authentication via 802.1X, then posture should be performed every time the user logs into the machine. The fact that users who take home their workstations are postured when they connect the next day suggests that the posture lease configuration is set to perform posture every time a user connects to the network under "Posture General Settings" in ISE. You could explore changing the posture lease or the Cached compliance status in the same menu, but I would be curious as to why users who leave their workstations are not being postured when they log in.

Regards,

-Tim

10 REPLIES
Cisco Employee

Re: ISE 2.4 Posture and Reauth

It turns out the users are locking their machines and not doing a logoff when they leave for the night. I’m guessing when they unlock their machines it’s not actually doing a session re-authentication thus not kicking off the posture agent.

The posture settings are set to check when a user connects to the network, so shouldn’t that still be stored from when the user last logged in?
VIP Engager

Re: ISE 2.4 Posture and Reauth

Do you have a reassessment timer configured? You could configure a global 8 hour reassessment timer to see if that helps. Administration -> Systems -> Settings -> Posture -> Reassessments.

Cisco Employee

Re: ISE 2.4 Posture and Reauth

Also, what version of ISE and AnyConnect?
Cisco Employee

Re: ISE 2.4 Posture and Reauth

ISE is 2.4 patch 5 and AnyConnect is 4.6.

Cisco Employee

Re: ISE 2.4 Posture and Reauth

Thanks, it would be good to also get logs and open a TAC case to tweak what’s going on. You’re running good versions of the products.

Also, good info is what kind of authentication you’re doing. Wondering if your supplicant is not correctly syncing? But it’s a discussion for a TAC case with a dedicated engineer to run through instead of back and forth here.
Cisco Employee

Re: ISE 2.4 Posture and Reauth

Yea, I have a TAC case open, but my engineer has been less than helpful so far. Won’t return e-mails nor calls.
Cisco Employee

Re: ISE 2.4 Posture and Reauth

I would suggest you ask for escalation to the duty manager.
Cisco Employee

Re: ISE 2.4 Posture and Reauth

I thought about this, but I don't see a way to do one of these based off AD groups. Only internal user or endpoint identity groups, of which the AD users are not a part.

VIP Engager

Re: ISE 2.4 Posture and Reauth

Just set the identity to Any.