1) Is there a way to have a more intuitive approach to posture non-compliance with the AnyConnect ISE posture module? The requirement is to have a non-compliant user be disconnected (or assigned a quarantine policy) when compliance checks fail, no remediation needed. Right now, the remediation window always pops up (in spite of my remediation action being set to "Message Text Only") and runs for the remediation timer (minimum of 1 minute). This is really confusing to the end user, as the message next to the posture condition is always "Click Start to Begin". Clicking Start provides another dialog where the user clicks "Cancel". I could not find any way to not have the scary pop-up show up when I fail compliance. The user has to wait for 1 minute at a minimum for the whole remediation process before it times out. I feel that there should be a better way of handling this. Can there be a "No remediation" option in the remediation actions?
2) ISE posture audit mode. When set to audit mode, the ISE posture always shows up as compliant in the ISE posture reports. What most admins would like to see is a report where I can see compliant and non-compliant users without actually affecting the initial deployment (i.e. without running it in mandatory mode). I know that this has been a bug since the 1.3 release:
Is there a better way to run posture without affecting users and still figure out who would fail if posture were run in a non-audit mode?
This is not the first time I am running into these issues, so I am trying to see if others have the same problems during deployments.
For #2 you are running the wrong report. Run the Posture Assessment by Condition report and set the filter to Condition Status = Failed. The Posture Assessment by Endpoint report won't help; as you said, it shows everything as compliant when you are auditing. Although, if you click Details on that report, you can see the audit conditions that failed.
I did try to look at that report. The problem with that is when I have a posture policy with 3 AND conditions and the second one fails, the 3rd condition check gets skipped and is not checked. But I think I could get away with it by configuring 3 separate posture policies with the same matching condition but different requirements. Looking at the details in the Posture Compliance report is a little cumbersome when it is deployed across the board. Thanks for your thoughts on this.
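The two posts above describe the audit-mode reporting gap: the by-endpoint report says "compliant" for everyone, the by-condition report shows individual failures, and in a policy with several AND conditions the conditions after the first failure are skipped rather than evaluated. The script below is an added example, not code from the thread or from Cisco, that works through a constructed per-condition result export (the column names endpoint, policy, condition and status are assumptions, not the layout of any real ISE export) and produces the view an admin actually wants from an audit: which endpoints would be non-compliant in mandatory mode, which conditions failed most, and which conditions were never tested because an earlier one in the same policy failed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a per-condition posture result export.
# The columns (endpoint, policy, condition, status) are assumptions made for
# this example, not the layout of a real ISE report export. Policy names
# follow the one-requirement-per-policy split suggested in the thread.
SAMPLE_EXPORT = """endpoint,policy,condition,status
pc-01,Domain Computer McAfee AV Installed,McAfee_AV_Installed,Passed
pc-01,Domain Computer McAfee AV Definitions Current,McAfee_Defs_Current,Failed
pc-01,Domain Computer McAfee EPO Agent Running,McAfee_EPO_Running,Passed
pc-02,Domain Computer McAfee AV Installed,McAfee_AV_Installed,Failed
pc-02,Domain Computer McAfee AV Definitions Current,McAfee_Defs_Current,Skipped
pc-02,Domain Computer McAfee EPO Agent Running,McAfee_EPO_Running,Skipped
pc-03,Domain Computer McAfee AV Installed,McAfee_AV_Installed,Passed
pc-03,Domain Computer McAfee AV Definitions Current,McAfee_Defs_Current,Passed
pc-03,Domain Computer McAfee EPO Agent Running,McAfee_EPO_Running,Passed
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def per_condition_counts(rows):
    """Count Passed/Failed/Skipped per condition (the 'by condition' view)."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        counts[r["condition"]][r["status"]] += 1
    return {cond: dict(c) for cond, c in counts.items()}


def classify_endpoints(rows):
    """Group endpoints by what mandatory mode would do with them.

    non_compliant: at least one condition Failed (with any Skipped ones listed,
                   since those were never evaluated and may fail too)
    incomplete:    nothing Failed, but a condition was Skipped, so the
                   endpoint's real state is unknown
    compliant:     every condition Passed
    """
    failed = defaultdict(list)
    skipped = defaultdict(list)
    seen = set()
    for r in rows:
        ep = r["endpoint"]
        seen.add(ep)
        if r["status"] == "Failed":
            failed[ep].append(r["condition"])
        elif r["status"] == "Skipped":
            skipped[ep].append(r["condition"])
    result = {"non_compliant": {}, "incomplete": {}, "compliant": []}
    for ep in sorted(seen):
        if failed[ep]:
            result["non_compliant"][ep] = {"failed": failed[ep], "skipped": skipped[ep]}
        elif skipped[ep]:
            result["incomplete"][ep] = skipped[ep]
        else:
            result["compliant"].append(ep)
    return result


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for cond, c in per_condition_counts(rows).items():
        print(f"{cond}: {c}")
    summary = classify_endpoints(rows)
    for ep, detail in summary["non_compliant"].items():
        print(f"{ep}: NON-COMPLIANT in mandatory mode, failed {detail['failed']}, "
              f"never tested {detail['skipped']}")
    for ep, conds in summary["incomplete"].items():
        print(f"{ep}: state unknown, never tested {conds}")
    print("compliant:", summary["compliant"])
```

The "Skipped" bucket is the point of the exercise: an endpoint that failed its first AND condition tells you nothing about the remaining ones, so the failure counts for later conditions are an undercount until those checks are split into separate policies, as the reply above suggests.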
Yeah I usually separate out my posture rules for readability:
Domain Computer McAfee AV Installed
Domain Computer McAfee AV Definitions Current
Domain Computer McAfee EPO Agent Running
Domain Computer Critical Patches Applied
I have the same problem, I don't really want to show any messages and confuse the user.
I have a requirement for a registry key (to check if the device is joined to AD). When I enable stealth mode, I only have two options as remediation, and neither of those applies to me.
Hi. If the remediation is set to Manual, then the window will pop up asking to start remediation; if you set it to Automatic, the window will not pop up.
If you want to see what's happening in remediation, in the System Scan module you can click on the Details dialogue prompt.
Hope that helps.
Hi, thanks for your reply. I really don't see an option for registration remediation, so I can't really figure out how to do automatic. Thanks.
Not all remediation actions allow for the manual/automatic option, as these tend to be usually AV, patches, etc. But here is an example:

| Field | Description |
|---|---|
| Interval (in seconds) | Enter the time interval in seconds that clients can try to remediate after previous attempts. |
| Retry Count | Enter the number of attempts that clients can try to update an antivirus definition. |
| Operating System | Choose one of the following: |