Hi ISE gurus,
I have ISE 1.3 P5 and am using AnyConnect 4.0 for dot1x and posture check.
The posture requirement is Antivirus Installation and Definition date for Windows endpoints and it was working fine until I changed Posture Requirement from Audit mode to Mandatory.
The endpoints that have out-of-date AV match the Remediation policy, which gives them permission to access the in-house AV server, and they do get the update, usually within 7 minutes of the Remediation Timer kick-off, which I set to 10 minutes.
The issue is that the AC Agent does not re-scan to see if the endpoint got remediated, the Remediation Timer expires, and the endpoint gets tagged as non-compliant until someone refreshes the network connection with AC Network Repair or restarts the endpoint to force a posture check.
I wonder if that is normal behaviour, or it's a bug in AC 4.0, or I am missing configuration here or there.
Appreciate your expertise
Mike