04-09-2018 04:51 AM
Hi Community,
I have a doubt about the scenario below, regarding how the policy flow works.
If an endpoint has the AnyConnect agent (4.5) installed with the Posture module (4.5) and Compliance module (3.6), and on ISE we have configured a Client Provisioning Policy and Posture Policy checks with mandatory requirements for the same agent:
When an endpoint connects to the network, will it go through the Client Provisioning Policy, or will it only go through the Posture Policy check, or will both policy checks be done?
Second question: is it necessary to have a Client Provisioning Policy on ISE? We are manually deploying the AnyConnect agent installation with the Posture module and Compliance module along with the Windows image installation.
I need helpful clarification on this.
Labels: Identity Services Engine (ISE)
Accepted Solutions
04-09-2018 04:12 PM
This TechNote has a good breakdown and illustration of how the Posture flow works for both Pre-2.2 and Post-2.2. You can see how the redirect to the Client Provisioning Policy is built into the overall Posture flow.
Regardless of whether you pre-deploy the Posture agent via software management tools, ISE still does a check against the CPP to determine what agent it needs to check for (NAC Agent, AnyConnect, Temporal, etc.) on the client.
ISE posture style comparison for pre and post 2.2 - Cisco
-Regards
Greg

04-10-2018 10:03 PM
Hi Gibbs,
Thank you for the TechNote. I have gone through the document; it is very well explained.
I have a doubt about the Posture flow for Pre-2.2.
In Steps 20 and 21 it states that the Posture module is the one that initiates policy server detection by sending probes and establishes a connection to the CPP,
and in Step 26 it states that the Posture module collects information about the system (OS version, installed security products and their definition versions); this collected information (report) is sent to ISE.
ISE makes the endpoint compliance status decision based on the report. Up to here everything is well and good.
My doubt is: what is the use of the "Compliance Module"? We also use the Compliance module while creating the posture policy,
as the Posture module is the one that is collecting information and sending it to ISE.
Thanks,
Ali

04-10-2018 10:17 PM
Both are needed as part of the Posture function. The Posture module is essentially the agent and front-end, while the Compliance module mostly provides a library for the assessment and remediation of various third-party products (e.g. anti-malware, patch management, disk encryption, etc.).
Newer versions of the Compliance module typically add support for new vendor products or versions.
You can see the support charts for the various versions of the Compliance Module here:
Cisco Identity Services Engine - Compatibility Information - Cisco

04-10-2018 11:58 PM
Hi Gibbs,
In the possible scenarios below, how does ISE determine the posture status, and based on which condition?
1. Both Client Provisioning and Posture Policies are present: the compliance status is determined based on the posture check.
2. Client Provisioning is missing and Posture Policy is present: the compliance status is determined based on the posture check.
3. Client Provisioning Policy is present, Posture Policy is missing: how is the compliance status determined for this?
(++ default posture status is set to Non-Compliant in Posture Settings)
4. Both Client Provisioning and Posture Policies are missing: how is the compliance status determined?
Here we have the following options:
(++ default posture status (Administration -> System -> Settings -> Posture -> General Settings) is set to Non-Compliant; what will be the status?)
(++ default client provisioning configuration (Administration -> System -> Settings -> Client Provisioning, "Native Supplicant Provisioning Policy Unavailable" option is set to "Apply defined authorization policy"); what will be the status?)
(++ if we change "Native Supplicant Provisioning Policy Unavailable" to "Allow network access", what will be the status?)

04-11-2018 03:06 PM

04-16-2018 01:52 AM
Hello Gibbs,
In our environment users unlock the screen when they are off shift, so the same session remains for the user, as the endpoint has not been disconnected from the network.
So, if a user doesn't get disconnected from the network, how long does ISE keep the posture status as Compliant in its database, given that the posture lease is set to "Perform posture assessment every time a user connects to the network"?
As per the Cisco document, the posture process is launched in the situations below:
1) After a network interface status change (up/down)
2) Default gateway change
3) System restart
In our environment sometimes none of the above 3 situations occur for more than a week or two; along with that, periodic reassessment is not configured. So how long does ISE keep the posture status of an endpoint? Does ISE have any default posture time for endpoints?
Thank you

04-16-2018 04:54 AM
If PRA is not configured, you can make use of the timeout in the authorization profile to run the check again.

04-16-2018 05:10 AM
Since PRA is not configured, as long as the RADIUS session stays up, the posture session information stays the same and there is no change in state.
Perhaps the device or NIC is going to sleep.
You need to look at the logs for a session change and perhaps get a DART file when it happens to debug further with TAC.

04-16-2018 09:22 PM
Thanks @Jason and Nidhi
