05-27-2016 11:40 AM - edited 03-10-2019 11:49 PM
When using AnyConnect VPN 4.0 via ASA 9.2 to posture check a client, not all checks are completed. When one fails, the rest are skipped. It would be nice to check to see all the issues with the client vs. finding one issue and fixing it, then having to re-posture to find the next.
06-04-2016 08:21 AM
There isn't an option to pick "AND/OR" operator when selecting the posture requirements. However, you can make the posture requirements "optional" or put them in "audit" mode.
"Optional" mode is probably what you are looking for. For instance, you can make 3 out of 4 requirements optional and set one requirement as mandatory.
I hope this helps!
Thank you for rating helpful posts!
06-06-2016 12:11 PM
Thank you Neno,
Actually, the posture requirement conditions are set to audit and there are many conditions. For example, we are checking for a registry key, a file existence, a service, and ps AV condition. When one of these conditions fails, then the others are 'skipped'.
This shows in the operations/reports/endpoints and users/posture assessment by endpoint.
The idea is that you would want to see the complete posture results and not have the posture check abort when there is a failure of one of the items.
Thank you
06-06-2016 01:59 PM
Have you tried to set them all as "optional" and see if that gets you the desired result?
Thank you for rating helpful posts!
06-07-2016 05:02 AM
Neno,
I have tested this also - Enforcement = Optional. The firewall check passed, the file existence check failed, and the last 3 checks were skipped.
I tested this when they all passed and it checks them all.
To simulate the failure I changed the file check to search for a file that is not there.
Thank you
06-09-2016 03:55 PM
Sorry but I have no other suggestions/ideas...perhaps a call to TAC would be useful.
Thank you for rating helpful posts!
06-10-2016 04:38 AM
Thanks Neno,
It seems ISE will check each requirement if they are stacked in the Posture Policy. So the logic is to add a Posture Policy rule for each requirement and it will work. I have about 17 posture rules so I make the Posture Conditions first then the requirements as the backend and then the Posture Policy to point to them.
Thank you!