Posture lease not applied if PRA configured

aspandia
Level 1

Hi All,

I have a customer using ISE 2.1 P5 with AnyConnect 4.5, who is doing Posture with a lease of 1 day and a PRA every 4 hours. The posture policy for PRA uses 'session: Agent-request-type equals reassessment'.

The issue I am facing here is that the users' systems seem to be going to the posture unknown state every 4 hours, and then move back to posture compliant, even though we have a posture lease set for 1 day. Because of this, they lose connectivity for a brief moment, and sometimes, for unknown reasons, the posture unknown state does not change and they are left with the redirection ACL. I have attached screenshots showing the posture conditions, the posture setting, the PRA settings, and the authorization logs of one of the users.

Is it expected behaviour to have the PRA configuration affect my posture lease? Your opinions would be of great help.

Thank You,

Ashwin

Accepted Solutions

Craig Hyps
Level 10

Correct. Posture Lease does not apply to Passive Reassessment, only to initial posture. The expected behavior with Lease is that the user is NOT subject to posture assessment on each new connection for the duration of the lease. If the goal is to not subject users to additional assessment, then disable PRA and rely solely on Posture Lease.

5 Replies

aspandia
Level 1

So the requirement from my customer is to have one posture check every 4 hours, and have another set of 4 posture checks which have to be performed only once in a day (posture lease). This type of setup wouldn't be possible if I create the posture policy for the 4 posture requirements along with the condition 'session: Agent-request-type equals initial', and the PRA check as 'session: Agent-request-type equals reassessment'?


Thank you,

Ashwin

I think the initial problem with moving from compliant to unknown during PRA is a buggy issue. The only time you should move from compliant to unknown is if you had a new RADIUS session. The PRA state would be compliant to non-compliant if the user fails a mandatory check. Otherwise it should stay compliant.

You could have one posture policy which is applied at initial login and subject to Posture Lease and another posture policy which occurs at interval after login and is subject to Posture Reassessment.

That's how I created the policies: I have a separate one for PRA and another for initial assessment.

PosturePolicy.png

The issue, however, is that every 4 hours (configured in PRA), the lease breaks and the endpoint moves to non-compliant, as can be observed in the authorization policies below.

PostureLogs.png

I'm guessing this might be a bug like Jason mentioned.