04-23-2021 03:29 AM
Hi all,
Need to configure a grace period of 8 hrs for non-compliant endpoints, so that the non-compliant endpoint's user gets time to make his/her system compliant as per the company policy.
How to configure the grace period?
What is the best practice?
Can we set the grace period notification in a periodic manner so that the user gets to know he is running in the grace period?
What is the maximum time we can set for the grace period notification?
Kindly help me with this.
warm regards,
Ishwar B
04-23-2021 05:20 AM
Need to configure a grace period of 8 hrs for non-compliant endpoints, so that the non-compliant endpoint's user gets time to make his/her system compliant as per the company policy.
- Will these non-compliant machines require full network access in that 8-hour window? Why not consider setting the remediation timer longer (it can be up to 5 hours) in the posture global settings? In this window the client is neither compliant nor non-compliant yet. Essentially it is still deemed unknown, since the scan would still be going and the "non-compliant" machines would be stuck on a missing check. In this AnyConnect unknown state you could have a dACL limiting network access but granting the ability to reach resources that would allow your clients a window to patch/remediate to become compliant. Then, if clients are unable to get compliant within the allowed remediation window, they move into a Non-compliant state, which limits network access, and at this point they are deemed non-compliant per policy assessment (sitting in a quarantine restricted state). Note that you have the ability to push a 'Scan Again' button feature via the ISEPostureCFG.xml that would allow end users to initiate the module probe to ISE. This could allow a truly non-compliant client/user the ability to initiate a re-scan without the need of a DFG change or some other action to initiate the probe.
How to configure the grace period?
-See here: ISE Posture Prescriptive Deployment Guide - Cisco Community
What is the best practice?
- IMO this depends on your requirements and will vary per use case.
What is the maximum time we can set for the grace period notification?
- You can configure the grace period in minutes, hours, or days (up to a maximum of 30 days). It is important to know that an endpoint is only able to utilize a grace period if it was previously deemed compliant.
HTH!
04-23-2021 05:41 AM
Dear Mike,
Thanks for your reply.
Will these non-compliant machines require full network access in that 8-hour window?
Ans: Yes.
How much time will the user get the grace period notification that he/she is running in the grace period?
Can we configure that notification time in a periodic manner? For example, in an 8-hour grace period, can the user get the grace period notification eight times, i.e. once every hour?
warm regards,
Ishwar B
04-23-2021 05:58 AM
How much time will the user get the grace period notification that he/she is running in the grace period?
- This is configurable within the posture policy under the 'Policy Options' column. If you want to delay the notification, you have the ability to select a specific percentage of the actual grace period before it notifies the user. If you want the client/user to see that they are in the grace period immediately, then leave the delay period at 0% (default setting). Note that the grace period notification is never displayed if the endpoint is compliant.
Example of grace period notification: you set the grace period on a posture policy to 20 minutes, with a delayed notification of 50%. In this configuration the client/user will not be notified until the 10-minute mark.
Can we configure that notification time in a periodic manner? For example, in an 8-hour grace period, can the user get the grace period notification eight times, i.e. once every hour?
- AFAIK, no.
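The posture timers described in the two answers above (remediation timer of at most 5 hours with an "unknown" state while it runs, grace period of at most 30 days that applies only to a previously compliant endpoint, and a single grace notification fired after a configurable percentage of the grace period) can be modelled to check how a given policy behaves before rolling it out. The script below is an added example, not Cisco code and not posted by either participant; the class and function names, the minute-based arithmetic, and the sample values (including the 20-minute / 50% case and the 8-hour request) are assumptions made for the illustration.

```python
"""Toy model of the ISE posture timers discussed in this thread.

Added illustration, not Cisco code. The rules come from the answers above:
 - the remediation timer (global posture setting) is at most 5 hours, and the
   endpoint stays 'unknown' until it expires;
 - a grace period of up to 30 days applies only if the endpoint was
   previously compliant;
 - the grace notification fires once, after a configurable percentage of the
   grace period (0 % = immediately), and never while compliant.
Function and class names, minute-based arithmetic and sample values are
assumptions made for the example.
"""
from dataclasses import dataclass
from enum import Enum

MAX_GRACE_MINUTES = 30 * 24 * 60      # grace period limit: 30 days
MAX_REMEDIATION_MINUTES = 5 * 60      # remediation timer limit: 5 hours


class Posture(Enum):
    UNKNOWN = "unknown"                # scan still running, remediation timer active
    COMPLIANT = "compliant"
    GRACE = "grace"                    # failed a check but inside the grace period
    NON_COMPLIANT = "non-compliant"    # quarantine / restricted access


@dataclass(frozen=True)
class PosturePolicy:
    grace_minutes: int
    remediation_minutes: int
    notify_delay_percent: int = 0      # 0 = notify as soon as grace starts (ISE default)

    def __post_init__(self):
        if not 0 <= self.grace_minutes <= MAX_GRACE_MINUTES:
            raise ValueError("grace period must be between 0 and 30 days")
        if not 0 < self.remediation_minutes <= MAX_REMEDIATION_MINUTES:
            raise ValueError("remediation timer must be between 1 minute and 5 hours")
        if not 0 <= self.notify_delay_percent <= 100:
            raise ValueError("notification delay is a percentage of the grace period")

    def notify_after_minutes(self) -> int:
        """Minute mark at which the single grace notification is shown."""
        return self.grace_minutes * self.notify_delay_percent // 100


def is_valid_policy(grace_minutes, remediation_minutes, notify_delay_percent=0) -> bool:
    """True if the combination is inside the limits quoted in the thread."""
    try:
        PosturePolicy(grace_minutes, remediation_minutes, notify_delay_percent)
        return True
    except ValueError:
        return False


def evaluate(policy, scan_result, minutes_elapsed, previously_compliant):
    """Return (state, show_grace_notification).

    scan_result:      True = all checks passed, False = a check failed,
                      None = scan still running / check not yet answered.
    minutes_elapsed:  minutes since the scan started (scan_result None) or
                      since the failing check was first seen (scan_result False).
    """
    if scan_result is None:
        # Neither compliant nor non-compliant yet: a restricted dACL for the
        # unknown state can still allow reaching patch/remediation resources.
        if minutes_elapsed < policy.remediation_minutes:
            return Posture.UNKNOWN, False
        return Posture.NON_COMPLIANT, False
    if scan_result:
        return Posture.COMPLIANT, False          # notification never shown when compliant
    # Failed check: grace only applies to an endpoint that was compliant before.
    if not previously_compliant or minutes_elapsed >= policy.grace_minutes:
        return Posture.NON_COMPLIANT, False
    # One notification threshold only; there is no periodic re-notification.
    return Posture.GRACE, minutes_elapsed >= policy.notify_after_minutes()


def timeline(policy, previously_compliant, step_minutes):
    """Sample a failed endpoint every `step_minutes` across the grace period."""
    points = []
    for t in range(0, policy.grace_minutes + step_minutes, step_minutes):
        state, notify = evaluate(policy, False, t, previously_compliant)
        points.append((t, state.value, notify))
    return points


if __name__ == "__main__":
    # The 20-minute / 50 % example from the answer: notification at the 10-minute mark.
    p = PosturePolicy(grace_minutes=20, remediation_minutes=60, notify_delay_percent=50)
    for t, state, notify in timeline(p, previously_compliant=True, step_minutes=5):
        print(f"t={t:>3} min  state={state:<14} notify={notify}")
    # The 8-hour request with immediate notification, for an endpoint that was
    # compliant before versus one that never was.
    p8 = PosturePolicy(grace_minutes=8 * 60, remediation_minutes=5 * 60)
    print(evaluate(p8, False, 0, previously_compliant=True))
    print(evaluate(p8, False, 0, previously_compliant=False))
```

Running it shows the point that matters for the 8-hour plan: a machine that has never posture-passed on this policy goes straight to non-compliant at minute 0 regardless of the grace setting, and the notification is a single threshold (here minute 10 of 20), which is why an hourly reminder cannot be expressed in the policy.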
04-24-2021 07:54 AM
Hi Mike ,
Thanks for the information.