ISE Posture Checking Questions

jmcgourt@cisco.com
Cisco Employee

My customer has a couple of questions on ISE that I'm unable to find the answers to, as follows:


1. During initial tests of posturing on a client, it was taking an unreasonable amount of time before the device gained access to the network configured with 802.1X. Could low impact mode be used to speed this up, where we can allow some traffic before the posture checks are complete? If the device then fails, can the device then receive a block ACL or have the port shut down?

2. For wireless clients - what options do we have to ensure that the correct startup of devices happens, such as mapping drives and getting their group policy? If the posture checks fail, would it block the devices from accessing the network? We do not want to use ACLs for this.

2 Replies

hslai
Cisco Employee

On 1, the amount of time to assess the posture depends on the types of checks and remediations; e.g. Windows Updates can take a long, long time. We could use fewer and faster checks during initial connections and perform posture reassessments (PRA) some 4 hours or more later.

On 2, if not using ACLs at all, there should be nothing blocking the access. Just ensure the startup script will wait for the connection to be authenticated and connected.

paul
Level 10

Posturing is a very tricky conversation with customers. Their default thinking is to block network access until posture is known, but you have to educate the customer of when posturing actually happens. If you get too restrictive in posturing you will break pre-login functions and login functions as posturing only runs after the user is logged in.

I wouldn't recommend using low impact as then you are forcing the customer to deal with the preauth ACL in a failed ISE state. 

I usually start customers out in audit mode posturing only so they can see what devices are not compliant. Then I talk to them about posture unknown enforcement and that it needs to be something noticeable but not detrimental to the function of the machine. Noticeable but not detrimental is "block access to the Internet". This doesn't necessarily protect the internal network, but it forces the users to install posturing and it doesn't break things in the unknown state.

If posture fails, then you can slam the door shut on the user.
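As an added illustration of the two enforcement states paul describes (this is example configuration written for this page, not something posted by paul, hslai or taken from Cisco documentation), here is what a "noticeable but not detrimental" posture-unknown ACL and a "slam the door shut" non-compliant ACL can look like in Cisco IOS extended ACL syntax. The ACE lines are the same ones you would paste into an ISE downloadable ACL (dACL) body, minus the `ip access-list extended` header. The internal range 10.0.0.0/8, the ISE Policy Service Node at 10.10.10.10 and the remediation server at 10.10.10.20 are constructed placeholders; substitute your own addressing.

```cisco
! --- Posture UNKNOWN: agent not yet installed/reported. ---
! Keep pre-login and login functions working (DHCP, DNS, domain
! controllers and everything else internal), let the endpoint reach
! ISE for the posture agent and redirect, but block the Internet so
! the user notices and installs the agent.
ip access-list extended POSTURE-UNKNOWN
 remark DHCP and DNS must work before the user even logs in
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 remark Reach the ISE PSN (constructed address) for agent download and redirect
 permit ip any host 10.10.10.10
 remark Entire internal network stays reachable: drives map, GPO applies
 permit ip any 10.0.0.0 0.255.255.255
 remark Everything else (the Internet) is the "noticeable" part
 deny ip any any

! --- Posture NON-COMPLIANT: checks ran and failed. ---
! Door shut except what is needed to remediate and re-assess.
ip access-list extended POSTURE-NONCOMPLIANT
 permit udp any any eq bootps
 permit udp any any eq domain
 remark ISE PSN (constructed) so the agent can report again after remediation
 permit ip any host 10.10.10.10
 remark Remediation server (constructed): patch/AV sources only
 permit ip any host 10.10.10.20
 deny ip any any
```

In ISE, each of these becomes a separate downloadable ACL attached to an authorization profile, and the authorization policy selects the profile on the session's posture status (Unknown, NonCompliant, Compliant). The compliant profile simply carries no restrictive dACL. Because the unknown ACL permits the whole internal range, a device that has not yet run the agent still maps drives and receives group policy, which is exactly the trade-off paul describes: it does not protect the internal network, but it does not break the login either.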