Re: Automatic Posture Reassessment

Guy Greenshtein · ‎08-30-2023

Hello,

I'm looking for a way to configure automatic posture reassessment using AnyConnect client on workstations every X minutes.

This is required to ensure that the workstation is compliant and if a change to the posture policy was made it would be propagated to and initiate a rescan.

I know the Reassessment configuration (PRA) and Posture Settings, but the lowest interval is 60 minutes which is a lot in our case.

hslai · ‎08-31-2023

@Guy Greenshtein We do not recommend performing PRA more frequently than every 4 hours. In case of a posture-policy change, you may use Session Reauthentication API or the like to get them re-evaluated.

Guy Greenshtein · ‎09-02-2023

Hi, thank you for your reply.

I believe that there must be a way to send the same re-authentication command using GUI - under Context Visibility > CoA Reauthentication.

The problem is that it is only valid for endpoints having an active session with ISE PSN and it requires a manual intervention. I was hoping that there's a way to lower the PRA for less than 60 minutes or trigger this automatically within built-in configuration and not API.

hslai · ‎09-02-2023

@Guy Greenshtein PRA is not for this. Besides, it also needs active sessions.

Guy Greenshtein · ‎09-03-2023

In that case I'd like to get a clarification, because based on Cisco's documentation it fits our needs.

If not PRA, what do you recommend beside of API?