Cisco ISE Unknown or Pending Timeout

abarkley
Level 1

Good afternoon,

Does anyone know of a way to configure a timeout or time limit for an endpoint to be in a Pending or Posture Unknown state?

We are concerned about credential theft and unauthorized devices remaining in this state with access.

Thank you

2 Replies

Arne Bier
VIP

I suppose you could start with returning a Session-Timeout in your ISE Authorization Profile. When that timer expires, then the client will be re-auth'd and then it will be re-assessed. I am not experienced with Posture flow, but how would you like to handle endpoints that exceed their allotted time during posture assessment?

The Posturing Prescriptive Guide might have some insights.
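
What the Session-Timeout suggestion above looks like on the wire, as an added example that is not part of the original post and not Cisco's code: a Python check of a RADIUS Access-Accept for Session-Timeout (attribute 27) and Termination-Action (attribute 29), both defined in RFC 2865. The function names, the 600-second limit and the sample packets are constructed for illustration.

```python
import struct

SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29   # RFC 2865 attribute types
ACCESS_ACCEPT, RADIUS_REQUEST = 2, 1           # packet code; Termination-Action value

def parse_attributes(packet):
    """Return (code, {type: value}) from a RADIUS packet: 20-byte header, then TLVs."""
    # Pad so the unpack never fails; a short packet is rejected by the length check.
    code, _ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("truncated or malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return code, attrs

def as_int(value):
    """Decode a 4-byte integer attribute; None if the attribute is absent."""
    if value is not None and len(value) != 4:
        raise ValueError("integer attribute must be 4 bytes")
    return None if value is None else struct.unpack("!I", value)[0]

def audit_accept(packet, max_seconds):
    """Report whether an Access-Accept bounds the session to max_seconds."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    timeout = as_int(attrs.get(SESSION_TIMEOUT))
    action = as_int(attrs.get(TERMINATION_ACTION))
    # Without Termination-Action = RADIUS-Request, expiry ends the session outright.
    on_expiry = None if timeout is None else (
        "reauthenticate" if action == RADIUS_REQUEST else "terminate")
    return {"session_timeout": timeout, "on_expiry": on_expiry,
            "bounded": timeout is not None and 0 < timeout <= max_seconds}

def sample_accept(timeout=None, action=None):
    """Build a constructed Access-Accept (zeroed authenticator) for the demo."""
    body = b""
    for a_type, val in ((SESSION_TIMEOUT, timeout), (TERMINATION_ACTION, action)):
        if val is not None:
            body += bytes([a_type, 6]) + struct.pack("!I", val)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for pkt in (sample_accept(300, RADIUS_REQUEST), sample_accept(86400), sample_accept()):
        print(audit_accept(pkt, max_seconds=600))
```

An Access-Accept that carries no Session-Timeout reports `bounded: False`, which is the case the original question is worried about: nothing forces the endpoint to be re-assessed.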

ammahend
VIP

I haven't played around with these settings, but you can try

Administration > Settings > Posture > General Settings:

There is a continuous monitoring setting, which basically states how frequently AnyConnect will send a status update to ISE.

If the posture state changes to Unknown, your policy should be such that it pushes a different authorization profile to the endpoint and limits their access to only the resources required to become compliant.

You can read more under "posture general setting" here

-hope this helps-