1463 Views · 1 Helpful · 2 Replies

Grace Period with Posture Lease

Hi,

I have a customer with a two-node ISE deployment (version 3.1.0.518 - Patch 5) with posturing for Windows patching.

I have an issue especially when they roll out Windows patching: this can cause a lot of users to become non-compliant for an extended period of time, and this impacts their ability to do their work.

In the "Posture Policy" under "Policy Options", I have enabled Grace Period for 8 hours with notification at 70%. I was under the impression that the Grace Period would allow them to access the network, allowing their devices to become compliant within this period. Patches were rolled out last night and a user had no access to the network when he was non-compliant.

For "Posture Lease" I have the following:

  • Perform posture assessment every "1 day"
  • Cache Last Known Posture Compliant Status - Enabled
  • Last known Posture Compliant State "18 hours"

With this, I was expecting that posturing would start for all users and, if non-compliant, the Grace Period would allow them on the network. (Since Covid, users are only in the office for about two days per week.)

This "18 hours" is probably no longer applicable.

For this, I have a few questions: 

  • What would happen if I extended the Last Known Posture Compliant State from "18 hours" to "7 days"?
  • Would posturing continue to scan users every day, as instructed by the "Perform posture assessment every 1 day" setting?
  • Would the Grace Period then check whether the user has been compliant within the last 7 days and, if so, allow them onto the network for 8 hours in order to allow the device to become compliant? Does extending the cache to 7 days impact the daily scan?
  • If the device does not become compliant within the 8 hours, does it check the cache and, if the device is still in the cache (7 days), does it start another Grace Period of 8 hours?

Hope all this makes sense?

Thanks

Anthony.


Accepted Solution

Hi @andrew-lees,

Let's start from the basics ...

You are able to find the following options at Work Centers > Posture > Settings > Posture General Settings:

A Posture Lease can't be "Off", the options are:

  • Perform Posture Assessment every time a User connects to the network
  • Perform Posture Assessment every 1-365 days

A Cache Last Known Posture Compliant Status can be "Off" or "On".

  • If you enable the Cache Last Known Posture Compliant Status, ISE caches the result of the Posture Assessment (defined in the Posture Lease) for the amount of time specified in this field. In other words, if the users log off and log on multiple times during the Cache Last Known Posture Compliant Status amount of time, then the user is provided access without Posture being run on the endpoint ... pros: faster; cons: "less secure" (since you are trusting the "last compliance status").
  • Valid values are from 1 to 30 days, or from 1 to 720 hours (1 hour to 30 days), or from 1 to 43200 minutes (1 minute to 30 days).

[Image: Posture Lease.png]

You are able to find the following option at Work Centers > Posture > Posture Policy:

The Grace Period feature allows an endpoint to get Compliant network access when it becomes Non-Compliant after having been Compliant in the past. The functionality is based on two attributes:

  • PostureLastCompliantExpiry - the Grace Period starts if the Posture Status changed to Non-Compliant within the Last Known Posture Compliant State.
  • Remaining Grace Period - ISE starts populating LAST_GRACE_EXPIRY after the endpoint has been marked as Non-Compliant while being within the Last Known Posture Compliant State.

Note: while the Grace Period feature was added in ISE 2.4, Cisco started to store the Remaining Grace Period in the Oracle DB starting from 2.6. In 2.4, the Remaining Grace Period was stored in a special in-memory cache.

[Image: Grace Period Settings.png]

It's important to remember that:

" ... When the Posture Lease is active, Cisco ISE will use the last known posture state and will not reach out to the endpoint to check for compliance. But when the Posture Lease expires, Cisco ISE does not automatically trigger a re-authentication or a posture reassessment for the endpoint. The endpoint will stay in the same Compliance State since the same session is being used. When the Endpoint re-authenticates, Posture will be run and the Posture Lease time will be reset..."


Hope this helps !!!

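To make the interaction of the three timers concrete for the original question (a 1-day lease, an 8-hour Grace Period, and an 18-hour versus 7-day cache), here is an added Python model. It is not part of this thread and not Cisco ISE code: it encodes the rules as the accepted answer states them (the lease reuses the last known state, lease expiry alone triggers nothing until the next re-authentication, a Grace Period begins on a change to Non-Compliant that falls inside the Last Known Posture Compliant window). `PostureConfig`, `EndpointState`, `on_connect`, `check`, `run_scenario` and the timeline values are my own constructed names and data, and the rule that posture is skipped only while both the lease and the cached compliant status are still valid is my simplifying assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical, simplified model of the three ISE posture timers discussed in
# the thread (Posture Lease, Cache Last Known Posture Compliant Status, Grace
# Period). Times are hours since the endpoint's first login. This is not ISE
# code; the transition rules below follow the accepted answer's wording.


@dataclass
class PostureConfig:
    lease_hours: Optional[float]   # None = assess on every connection
    cache_hours: Optional[float]   # None = cache switched off
    grace_hours: float


@dataclass
class EndpointState:
    status: str = "unknown"                    # compliant / non-compliant / unknown
    last_compliant_at: Optional[float] = None  # when posture last reported compliant
    lease_expires_at: Optional[float] = None   # posture lease timer
    grace_expires_at: Optional[float] = None   # Remaining Grace Period, if any


def within_cache(cfg: PostureConfig, st: EndpointState, now: float) -> bool:
    """True while the last compliant result is still inside the cache window."""
    return (cfg.cache_hours is not None
            and st.last_compliant_at is not None
            and now - st.last_compliant_at <= cfg.cache_hours)


def on_connect(cfg: PostureConfig, st: EndpointState, now: float, agent_result: str) -> str:
    """Endpoint (re)authenticates. agent_result is what the posture agent would
    report if ISE assessed now. Returns an access decision code."""
    lease_active = (cfg.lease_hours is not None
                    and st.lease_expires_at is not None
                    and now < st.lease_expires_at)
    # Assumption: lease still running AND cached compliant status still valid
    # -> ISE reuses the last known state and does not run posture.
    if lease_active and st.status == "compliant" and within_cache(cfg, st, now):
        return "cached"
    if agent_result == "compliant":
        st.status = "compliant"
        st.last_compliant_at = now
        # Posture ran, so the lease timer resets (quoted note in the answer).
        st.lease_expires_at = None if cfg.lease_hours is None else now + cfg.lease_hours
        st.grace_expires_at = None
        return "compliant"
    # Non-compliant result: a Grace Period starts only on a *change* to
    # Non-Compliant that happens inside the Last Known Posture Compliant window.
    changed = st.status != "non-compliant"
    st.status = "non-compliant"
    if changed and within_cache(cfg, st, now):
        st.grace_expires_at = now + cfg.grace_hours
    return check(cfg, st, now)


def check(cfg: PostureConfig, st: EndpointState, now: float) -> str:
    """Access decision while the same session stays up. Lease expiry alone
    changes nothing here: nothing is re-assessed until the next re-auth."""
    if st.status == "compliant":
        return "compliant"
    if st.grace_expires_at is not None and now < st.grace_expires_at:
        return "grace"
    return "quarantine"


# Constructed timeline for the thread's scenario: lease 1 day, grace 8 h, user
# back on the network the next day after patches were staged overnight.
TIMELINE = [
    (0,  "connect", "compliant"),      # Monday morning, device healthy
    (4,  "connect", "compliant"),      # log off / log on the same day
    (30, "connect", "non-compliant"),  # Tuesday, patches pending -> non-compliant
    (36, "check",   None),             # still the same session
    (40, "check",   None),             # 10 h after the non-compliant result
    (41, "connect", "compliant"),      # patching finished, re-auth
]


def run_scenario(cache_hours: float) -> List[Tuple[float, str]]:
    """Replay TIMELINE with the given cache length; returns (time, decision) pairs."""
    cfg = PostureConfig(lease_hours=24, cache_hours=cache_hours, grace_hours=8)
    st = EndpointState()
    out: List[Tuple[float, str]] = []
    for now, event, result in TIMELINE:
        decision = on_connect(cfg, st, now, result) if event == "connect" else check(cfg, st, now)
        out.append((now, decision))
    return out


if __name__ == "__main__":
    for cache in (18, 7 * 24):
        print(f"cache = {cache} h")
        for now, decision in run_scenario(cache):
            print(f"  t={now:>3}h  {decision}")
```

Running it shows the difference the question is about: with an 18-hour cache the Tuesday login is more than 18 hours after the last compliant result, so no Grace Period starts and the user lands straight in quarantine; with a 7-day cache the same login gets 8 hours of grace and is only quarantined once that runs out. In this model the cache length does not change when the daily lease expires, and a second Grace Period would need a fresh change from Compliant to Non-Compliant, which is how the answer's "Posture Status got changed to Non-Compliant" reads.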

2 Replies

andrew-lees (Level 1)

Hi Anthony,

Just stumbled on this, did you ever find a fix as we also have this issue! 

Wondering if there's a better way to structure the timers to mitigate the impact.

Thanks, 

Andrew
