Re: How ISE Know A device posture is unknown via WIFI

pcno · ‎08-04-2020

Hi all,

I am doing a Wireless ISE Anyconnect posture using compliance module 4x... Can anyone tell me how ISE Gets to know the status of the device is Unknown? Which area & which information it is looking for to mark the device as posture unknown.

I know after any connect scan the supplicant, ISE knows if it is compliant or non-complaint. But how Does ISE know if the posture status is unknown to present the posture portal to the user? Is it checking in any endpoint registry store or any local folder in the device?

And one more thing once the device is marked as complaint and I am getting access to network .even if I disconnect the WIFI and connect again it automatically makes it as complaint without any scan until I manually disconnect the COA from ISE PAN.

Please reply the exact process happening here I have attachced a screenshot of policy set..

Mike.Cifelli · ‎08-04-2020

Can anyone tell me how ISE Gets to know the status of the device is Unknown? Which area & which information it is looking for to mark the device as posture unknown.
-ISE posture service classifies posture into three statuses you have identified: Compliant, Non-Compliant, & Unknown. If there is no matching posture policy within ISE defined for an endpoint, then the posture compliance status of the endpoint is typically set to unknown. Another reason for unknown posture status is when there is an enabled policy matching the endpoint, but posture assessment has not occurred. In this case no compliance update has been reported by the client agent.
Is it checking in any endpoint registry store or any local folder in the device?
-No.
And one more thing once the device is marked as complaint and I am getting access to network .even if I disconnect the WIFI and connect again it automatically makes it as complaint without any scan until I manually disconnect the COA from ISE PAN.
-Please check your general settings found here: Administration->System->Settings->Posture->General Settings. Is your posture lease set to 'Perform posture assessment every time a user connects to network'?
HTH!

pcno · ‎08-06-2020

Hello Mike, Thank you very much for the reply but my question is still unclear. Please go through the following example for a better understanding.

PHASE 1:
1 : John is an employee he clicks on his wifi SSID by selecting his user certificate which was pushed via GPO -))))
2 : ISE AAA Policy get a hit
3 : ISE checks the cert common name with AD and proceed to Authorisation profile.
4 : ISE Pick the Posture Status Unknown & present the provisioning portal.

So here as you seen there is no agent involved then how ISE got to know that the device has not done any posture check then how ISE understand that device has not done any posture assessment ....This is what I want to know.

Note: We have a firewall requirement configured for Users but this check is only done in phase 2 as below.
*******************************************************************************
Phase 2:
5 : ISE present the provisioning portal to the client
6: client download and install any connect
7 : Posture scan start and look for firewall requirement
8: Complaint = permit access or Non-complaint = deny access.

See in phase 2 the machine has a tool which checks and report to ISE about posture but in phase 1 who is reporting to ISE.

Please reply.

Mike.Cifelli · ‎08-06-2020

So here as you seen there is no agent involved then how ISE got to know that the device has not done any posture check then how ISE understand that device has not done any posture assessment ....This is what I want to know.
-Upon endpoint or user session initiation your Client Provisioning Policies (CPP) will determine which users/endpoints receive certain modules and/or resources. Your CPP works in conjunction with your authz profile which is configured to redirect users with an unknown posture status to the CPP to download a profile and/or config for ISE along with its compliance module. Lastly, a user or client is in the unknown state due to ISE not detecting AnyConnect. I hope this helps clear it up. Regardless, I suggest taking a look at: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273#toc-hId--232251767. HTH!

Dustin Anderson · ‎08-07-2020

I think the easiest way to know the 3 different states is the way I see it working. Basically if a device connects and ISE doesn't have it in it's endpoint list, then it's going to be an unknown device and will start to use what is available to figure out as much as it can for use in the policies.

So, Joe logs in for the first time on wireless. ISE gets the request and now has to figure out what is connecting so it can deal with it properly. Through profiling info, it figures out it's a PC sending it through your posture rules. As it is a new device, it knows it has not seen a posture check, so it is unknown for posture just like it was unknown at the start. This should send it to your redirect portal for AnyConnect install and check.

For us this is an onboarding limited network that unknown and non-compliant devices go until they are compliant. Once AnyConnect is installed, and the check comes back compliant, it should re-run the rules and hit your compliant based rules(s)

But, for me, the easiest way to think of how it is unknown is if there is no existing endpoint under content visibility/endpoints. If there is an endpoint, there should only be compliant/non-compliant based off the time settings for recheck.