AnyConnect Posture Validation with ISE

descalante2007
Level 1

My setup with ISE and AnyConnect client is working in lab ... but I have an issue with the customer.

The issue I have is that the time it takes AnyConnect to run and do posture validation is very variable. I have seen computers where it takes around one minute from when the computer starts until it gets the status Compliant; another computer takes around seven minutes!!!

So, the questions are:

Is there any priority among the different checks? I mean, validate first domain, then AV, then WSUS, or validate first AV, then WSUS, then domain...

In the ISE GUI, the Posture rules appear in alphabetical order according to the names I assign to every rule, but I don't know if they are executed in the same order.

Looking at System Scan, it appears the client takes the longest time validating the fourth requirement, and sometimes it is even duplicated. But how can I know which validation is taking a long time? My posture rules validate AV updated, AV executing, AV installed, Domain, Auto_Update_Check. (The order listed above is the same I have in the system.) The fourth requirement is the Domain; I can't believe it takes a long time to validate.

The remediation should be manual in any case, so a remediation process should not take a long time.

Is there a way to set priority to AnyConnect in the Windows System?


Regards.


jan.nielsen
Level 7

You could just look in AnyConnect while it is checking; it will say checking requirement #1, #2 and so on, so just follow it and see which one is taking a long time. Also, when you say you have a check you call "Domain", what type of check is that?

The order in which checks are run is a little tricky to figure out. What I found is that if you create one rule in your posture policy and then add all the requirements you want to have checked, you can order them as you like, but not if you create several rules in your posture policy. I attached a screenshot of my one rule.

I did not reply to you before. I followed your advice and set one rule for all the requirements. We found the delay was caused because the AnyConnect agent exchanges some information with the WSUS. Cisco TAC alleges it is normal, but we needed to change rules because the posture validation was taking up to 6 minutes or more.