
Cisco ISE posture policy match orders

cheng.cathy
Level 1

When defining a posture policy, if we have 3 separate policies with the same conditions {id group, operating system, other conditions}, one with requirements for AV, one for Anti-spyware and another one for Anti-Malware.

It doesn't have to meet all these three policies to be marked as compliant. The client will be marked as compliant if any of these policies is met. Is it correct?

6 Replies

I am just getting started in the posture world so I might be off, but it depends on how you have your policy set, if audit, optional or mandatory. If it's audit or optional it will still mark as compliant even if not. If set to mandatory, if it fails any of those conditions it will be marked as non-compliant.

more info will share
update soon

MHM

The way I understood their question is more on the posture policy config versus the policy set for mab/dot1x side where the authz rules are used. Posture has its own policy set to follow for that function.

 

more info update soon 
thanks 

MHM

 

@cheng.cathy 

"It doesn't have to meet all these three policies to be marked as compliant. The client will be marked as compliant if any of these policies is met. Is it correct?"

Correct. ISE will check policies from top to bottom; the first policy whose conditions are all met is checked, the others are skipped.

MHM

elvera33ford
Level 1

No, that is not correct. If you have three separate posture policies with identical conditions (ID group, operating system, other conditions) but distinct requirements (AV, Anti-spyware, Anti-Malware), a client must typically satisfy all applicable policies to be marked as compliant. Posture policies are generally evaluated conjunctively, meaning all defined conditions and requirements within the scope of the client must be met for overall compliance, unless the policy system explicitly offers an "OR" logical grouping option for requirements, which is not the standard behavior for independent policies.