Delaying ISE Posture / Remediation

marioderosa2008
Level 1

Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.

Is this possible?

What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a networking issue during remediation. This is because we have a proxy server and you must have elevated privileges to download certain file types from the internet, such as executables.

To get round the limitation of the NAC agent not being able to be configured to use its own web proxy settings with a user account with more privileges, we use different locations in our AV product, so that once the AV product realises that the laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.

However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.

Hope that makes sense.

Mario

2 Replies

askhuran
Level 1

Hello Mario,

You can customize remediation timeout settings for your requirement. Please review the following:

Remediation Timeout Customization

Parameter: Remediation timer
Default Value: 4
Valid Range: 1-300
Description or Behavior: Specifies the number of minutes the user has to remediate any failed posture assessment checks on the client machine before having to go through the entire login process over again.

Parameter: Network Transition Delay
Default Value: 3
Valid Range: 2-30
Description or Behavior: Specifies the number of seconds the agent should wait for network transition (IP address change) before beginning the remediation timer countdown.

Note: When you use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends the "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of using the "Network transition delay" setting used for Windows agent profiles. If you do not use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends the "Network transition delay" timer setting to client machines, but Cisco ISE will not send both.

For a more detailed understanding of this, please visit the section Configure Client Provisioning Policies > Remediation Timeout Customization at the following location in the ISE user guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841

You may also want to review more options that you can customize in the Configure Client Provisioning Policies section.

Regards,

Ashok

Thanks Ashok,

I have tried using the Network Transition Delay timer and it did not have any effect on the NAC agent. The remediation timer starts counting down straight away. Is this because we do not perform an IP address release / renew? We do not have different VLANs for remediation. During remediation we push a very restrictive ACL and then, upon successful remediation, we push the proper ACL according to the user's AD group membership.

It looks like the Network Transition Delay is the timer that we want to use, but I cannot get it to work as is documented.

I shall test again, hopefully this week or next week, and get back to you to see if I can get it working.

Mario