Solved: Re: ISE 2.4 Posture and Reauth

cburger13 · ‎04-10-2019

Hello,

I have a customer who is utilizing the Posture module with ISE. The majority of their users lock their workstation overnight and when they log back in in the morning the posture client never kicks off for whatever reason leaving them in a remediation state and not giving them access to internal resources per the dACL. If they click the "Scan Again" button on the posture module it initiates the scan and makes them compliant and everything works as intended. Obviously this is not optimal for the entire user base as we roll this out organization wide.

Are there any best practices for re-auth or posture settings I can fidget with to try and get this to be an automated process. Users that take their laptops home with them and re-dock in the morning are not having this issue at all, it's only users who log out at night and re-login in the morning.

Timothy Abbott · ‎04-10-2019

I would investigate why the posture assessment is not happening when the user logs in. If the customer is doing user authentication via 802.1X, then posture should be performed every time the user logs into the machine. The fact that users who take home their workstations are postured when they connect the next day suggests that the posture lease configuration is set to perform posture every time a user connects to the network under "Posture General Settings" in ISE. You could explore changing the posture lease or the Cached compliance status in the same menu but I would be curious as to why users who leave their workstations are not being postured when they log in.

Regards,

-Tim

View solution in original post

Timothy Abbott · ‎04-10-2019

I would investigate why the posture assessment is not happening when the user logs in. If the customer is doing user authentication via 802.1X, then posture should be performed every time the user logs into the machine. The fact that users who take home their workstations are postured when they connect the next day suggests that the posture lease configuration is set to perform posture every time a user connects to the network under "Posture General Settings" in ISE. You could explore changing the posture lease or the Cached compliance status in the same menu but I would be curious as to why users who leave their workstations are not being postured when they log in.

Regards,

-Tim

cburger13 · ‎04-10-2019

It turns out the users are locking their machines and not doing a logoff when they leave for the night. I’m guessing when they unlock their machines it’s not actually doing a session re-authentication thus not kicking off the posture agent.

The posture settings are set to check when a user connects to the network, so shouldn’t that still be stored from when the user last logged in?

paul · ‎04-10-2019

Do you have a reassessment timer configured? You could configure a global 8 hour reassessment timer to see if that helps. Administration->Systems->Settings->Posture->Reassessments.

Jason Kunst · ‎04-10-2019

Also wha version of ise and Anyconnect

cburger13 · ‎04-10-2019

ISE is 2.4 patch 5 and Anyconnect is 4.6.

Jason Kunst · ‎04-10-2019

Thanks it would be good to also get logs and open a tac case to tweak what’s going on. You’re running good versions of the products.

Also good info is what kind of authentication you’re doing. Wondering if your supplicant is not correctly syncing? But it’s a discussion for a tac case with a dedicated engineer to run through instead of back and forth here

cburger13 · ‎04-10-2019

Yea, I have a TAC case open, but my engineer has been less than helpful so far. Won’t return e-mails nor calls.

Jason Kunst · ‎04-10-2019

I would suggest you ask for escalation to duty manager

cburger13 · ‎04-10-2019

I thought about this, but I don't see a way to do one of these based off AD groups. Only internal user or endpoint identity groups, of which the AD users are not a part of.

paul · ‎04-10-2019

Just sent the identity to Any.