ISE 3.0: Can posture assessment every X days be done by AC Stealth?

Nadav
Level 7

Hi,


Posture lease using AC Stealth works fine when configured for "Perform posture assessment every time a user connects to the network" (option 1), yet doesn't seem to work for "Perform posture assessment every X days" (option 2).


1) Is this a limitation of AC Stealth for Windows? I haven't found this documented anywhere if so.

2) From what I can tell, if you configure option 2 it doesn't include option 1. Meaning physically disconnecting a workstation and reconnecting it doesn't perform posturing again. Is there a way to do both option 1 and 2?


Thanks!

7 Replies

Greg Gibbs
Cisco Employee

Those two options in the Posture Lease section of the Posture General Settings page are radio buttons, meaning you are selecting one or the other behaviour.

If you want to perform a posture assessment every time a user connects and have compliant devices automatically reassessed on a periodic basis, you need to look at the Periodic Reassessment (PRA) option.

Thanks Greg,


1) Option 2 doesn't seem to work, although it may be because PRA is a requirement? At present I don't have PRA configured. I set it for 1 day and saved; 3 days later there hasn't been a single reposturing.

2) Is there any limitation on using PRA if using AC Stealth mode?


Thanks.


PRA should still work with Stealth Mode. The Stealth Mode limitations are listed in the AnyConnect Admin Guide.

Keep in mind that option 2 is mainly to prevent a user that disconnects/reconnects multiple times a day (or within the lease time) from being posture assessed every time they reconnect. If you're testing a constantly connected endpoint, you likely won't see a posture check without PRA.
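The distinction Greg draws between the posture lease (which only matters at connect time) and PRA (which runs on a timer while the endpoint stays connected) is easy to get wrong when testing. The following is an added illustration, not part of the thread and not Cisco's implementation: a small Python model of those two behaviours as described above, used to replay the "constantly connected for 3 days with a 1-day lease" scenario from the question. The event names (`connect`, `tick`), the function names and the lease-from-last-assessment rule are assumptions made for the model.

```python
from datetime import datetime, timedelta

# Event kinds used by this hypothetical model (not ISE terminology):
#   "connect" - the endpoint (re)joins the network
#   "tick"    - the clock advances while the endpoint stays connected


def simulate_posture(events, lease_days=None, pra_minutes=None):
    """Return the timestamps at which a posture assessment would run.

    lease_days  None  -> option 1: assess on every connect
                int   -> option 2: assess on connect only if the last
                         assessment is older than the lease
    pra_minutes None  -> PRA disabled
                int   -> periodic reassessment while connected
    """
    last_assessed = None
    assessed = []
    for when, kind in sorted(events):
        run = False
        if kind == "connect":
            if lease_days is None or last_assessed is None:
                run = True
            elif when - last_assessed >= timedelta(days=lease_days):
                run = True
        elif kind == "tick" and pra_minutes is not None:
            # PRA only applies to an endpoint that has already been postured.
            if last_assessed is not None and \
                    when - last_assessed >= timedelta(minutes=pra_minutes):
                run = True
        if run:
            last_assessed = when
            assessed.append(when)
    return assessed


def constantly_connected(start, days, tick_minutes=60):
    """Constructed timeline: one connect, then the endpoint never disconnects."""
    events = [(start, "connect")]
    now, end = start, start + timedelta(days=days)
    while now < end:
        now += timedelta(minutes=tick_minutes)
        events.append((now, "tick"))
    return events


def reconnecting(start):
    """Constructed timeline: a user who disconnects/reconnects a few times."""
    offsets_h = [0, 2, 5, 26]
    return [(start + timedelta(hours=h), "connect") for h in offsets_h]


if __name__ == "__main__":
    t0 = datetime(2021, 1, 4, 8, 0)
    always_on = constantly_connected(t0, days=3)
    # Lease of 1 day, no PRA: the endpoint is only assessed once.
    print(len(simulate_posture(always_on, lease_days=1)))
    # Same lease plus a 60-minute PRA: assessed at connect and every hour after.
    print(len(simulate_posture(always_on, lease_days=1, pra_minutes=60)))
    # Option 1 vs option 2 for a user who reconnects during the day.
    print(len(simulate_posture(reconnecting(t0))))               # every connect
    print(len(simulate_posture(reconnecting(t0), lease_days=1)))  # within lease, skipped
```

Running the model reproduces what the thread describes: with a 1-day lease and no PRA a never-disconnected workstation is assessed exactly once, and only adding PRA makes the hourly reassessments appear.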

Hi,


If I wanted checks to be performed both for option 1 and option 2, would I need to configure option 1 and PRAs?

I've tried doing this and I see PRAs are being sent every X minutes to the PSN and they appear in reports. However, a change in the Posture Policy before a PRA arrives doesn't force a compliant workstation to become non-compliant unless I bounce the port manually. I've tried both logoff and remediation PRA actions.

A week later and I still can't get this thing to work. I'm wondering if it's at all possible to update Posture Policies on the AnyConnect client without bouncing the port.


I thought maybe the workstation needs to be awake for posture changes to take effect, but that didn't help.

thomas
Cisco Employee

Have you looked at the ISE videos on YouTube for posture to see if those help?

There is a series on posture configuration: Posture Configuration Series

And a webinar on posture configuration: Security Compliance with ISE Posture Webinar


Hi Thomas,


I've seen these in the past; they don't deal with the use of PRA to move a compliant workstation into non-compliant mode after periodic checks. I'm interested in having the AnyConnect (stealth) check both on network connect and every 60 minutes (PRA period).