Grace period configuration for non-compliant endpoints

Hi all,

Need to configure a grace period of 8 hr for non-compliant endpoints, so that the non-compliant endpoint's user gets time to make his/her system compliant as per the company policy.

How to configure the grace period?

What is the best practice?

Can we set the grace period notification in a periodic manner so that the user gets to know he is running in the grace period?

Maximum how much time can we set the notification for the grace period?

Kindly help me with this ....

Warm regards,

Ishwar B



Mike.Cifelli
VIP Alumni

Need to configure a grace period of 8 hr for non-compliant endpoints, so that the non-compliant endpoint's user gets time to make his/her system compliant as per the company policy.

-Will these non-compliant machines require full network access in that 8 hour window? Why not consider setting the remediation timer longer (can be up to 5 hours) in the posture global settings? In this window the client is neither compliant nor non-compliant yet. Essentially it is still deemed unknown since the scan would still be going, and the "non-compliant" machines would be stuck on a missing check. In this AnyConnect unknown state you could have a dACL limiting network access, but grant the ability to reach resources that would allow your clients a window to patch/remediate to become compliant. Then if clients are unable to get compliant within the allowed remediation window, they move into a Non-compliant state, which limits network access and at this point is deemed non-compliant per policy assessment (sitting in a quarantine restricted state). Note that you have the ability to push a 'Scan Again' button feature via the ISEPostureCFG.xml that would allow end users to initiate the module probe to ISE. This could allow a true non-compliant client/user the ability to initiate a re-scan without the need of a DFG change, or some other action to initiate the probe.

How to configure the grace period?

-See here: ISE Posture Prescriptive Deployment Guide - Cisco Community

What is the best practice?

-IMO this depends on your requirements and will vary per use case.

Maximum how much time can we set the notification for the grace period?

-You can configure the grace period in minutes, hours, or days (up to a maximum of 30 days). It is important to know that an endpoint is only able to utilize a grace period if it was previously deemed compliant.

HTH!

Dear Mike,

Thanks for your reply.

Will these non-compliant machines require full network access in that 8 hour window?

Ans: Yes.

How much time will the user get the grace period notification that he/she is running in the grace period?

Can we configure that notification time in a periodic manner? For example, in 8 hours of grace period, can the user get the grace period notification eight times, i.e. every hour?

Warm regards,

Ishwar B

Mike.Cifelli
VIP Alumni

How much time will the user get the grace period notification that he/she is running in the grace period?

-This is configurable within the posture policy under the 'Policy Options' column. If you want to delay the notification you have the ability to select a specific percentage of the actual grace period before it actually notifies the user. If you want the client/user to see that they are in the grace period immediately then leave the delay period at 0% (default setting). Note that the grace period notification is never displayed if the endpoint is compliant.

Example of grace period notification: You set the grace period on a posture policy to 20 minutes, with a delayed notification of 50%. In this configuration the client/user will not be notified until the 10 minute mark.

Can we configure that notification time in a periodic manner? For example, in 8 hours of grace period, can the user get the grace period notification eight times, i.e. every hour?

- AFAIK, no.
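To make the rules in this thread concrete (grace period capped at 30 days, grace only for endpoints that were previously compliant, a single notification delayed by a percentage of the grace period, no notice while compliant), here is an added model in Python. It is not Cisco ISE code or an ISE API; `GracePolicy` and `posture_state` are hypothetical names, and the 20-minute/50% case from the answer above is used as the sample input.

```python
from dataclasses import dataclass
from datetime import timedelta

# Constructed model of the grace-period behaviour described in this thread.
# GracePolicy and posture_state are hypothetical names, not Cisco ISE APIs.

MAX_GRACE = timedelta(days=30)          # ISE allows at most 30 days
UNIT = {"minutes": timedelta(minutes=1),
        "hours": timedelta(hours=1),
        "days": timedelta(days=1)}


@dataclass
class GracePolicy:
    grace_value: int
    grace_unit: str          # "minutes", "hours" or "days"
    delay_percent: int = 0   # notification delay as % of the grace period

    def grace_period(self) -> timedelta:
        if self.grace_unit not in UNIT:
            raise ValueError(f"unknown unit {self.grace_unit!r}")
        period = self.grace_value * UNIT[self.grace_unit]
        if not timedelta(0) < period <= MAX_GRACE:
            raise ValueError("grace period must be > 0 and <= 30 days")
        return period

    def notify_after(self) -> timedelta:
        """Elapsed time after which the single grace notice is shown."""
        if not 0 <= self.delay_percent <= 100:
            raise ValueError("delay must be 0..100 percent")
        return self.grace_period() * self.delay_percent / 100


def posture_state(policy, previously_compliant, elapsed, now_compliant):
    """Return (state, show_grace_notice) for an endpoint whose latest
    posture result is now_compliant, `elapsed` after the failure began."""
    if now_compliant:
        return "compliant", False          # notice never shown when compliant
    if not previously_compliant:
        return "non-compliant", False      # grace requires prior compliance
    if elapsed >= policy.grace_period():
        return "non-compliant", False      # grace exhausted -> restricted
    # Inside the grace window: one notice, once the delay has passed.
    return "grace", elapsed >= policy.notify_after()


if __name__ == "__main__":
    sample = GracePolicy(20, "minutes", 50)      # the example from the thread
    print(sample.notify_after())                 # 0:10:00
    print(posture_state(sample, True, timedelta(minutes=12), False))
```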

Hi Mike,

Thanks for the information.