Solved: Cisco AnyConnect and ISE Posture

john.dejesus · ‎08-14-2020

I have a scenario where in a corporate user connects to vpn and will go through posture check via ISE. Now if the user machine goes to compliant state, and intentionally disable/uninstall (e.g. windows firewall) can ISE detect this in real time and automatically re-scan? So if it detected that the firewall has been removed or disabled, ISE can issue a CoA push so that it will go to non-compliant state.

I tested this in my home lab and I can't make it work (see attached screenshot). Not sure which settings to tune in ISE. I can't find any documentation if this scenario is supported or not.

poongarg · ‎08-15-2020

ISE supports periodic reassessment depending upon your configuration:
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
Here is how you can configure PRA:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/workflow/html/b_compliance_2_7.html#concept_A9C0E9F58A4A4FECBC9C5BB362F9B403

View solution in original post

hslai · ‎08-17-2020

poongarg is correct that your best bet is to use PRA as ISE Posture does not trigger real-time detection of such activities.

View solution in original post

poongarg · ‎08-15-2020

ISE supports periodic reassessment depending upon your configuration:
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
Here is how you can configure PRA:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/workflow/html/b_compliance_2_7.html#concept_A9C0E9F58A4A4FECBC9C5BB362F9B403

hslai · ‎08-17-2020

poongarg is correct that your best bet is to use PRA as ISE Posture does not trigger real-time detection of such activities.