Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE Posture Grace Period and Posture Reassessment

Hello All,


I'm running into an issue with configuring a Grace Period for an SCCM Posture Condition on Windows.  The customer would like to have a 21 day grace period from the time a critical patch is available to the time it is enforced in Posture Conditions.  When trying to configure a Grace Period in the Posture Policy we receive a message in ISE indicating the Grace Period cannot be longer than the Posture Reassessment interval.  The customer is using Posture over VPN and would like endpoints scanned every time they connect to the network.

ISE version is 2.6 and AnyConnect 4.9


Is there a way to have a 21 day Grace Period for a Posture Rule and Scan endpoints every time they connect to the network over VPN?


Hi @Arawak 

 please take a look at:

Work Centers > Posture > Settings > Posture General Settings
Posture Lease: Perform posture assessment every time a user connects to the network.

Hope this helps !!!


Yes, I'm familiar with that setting however if you try to configure a Grace Period for 21 days the system throws a message saying the Grace Period cannot be longer then the Posture Lease time.  So its a challenging problem to solve.

VIP Engager

Is there a way to have a 21 day Grace Period for a Posture Rule and Scan endpoints every time they connect to the network over VPN?

-I am not 100% sure this is feasible due to the fact that that the grace period needs to be less than the posture lease time, and since you want to scan every time a device connects it won't work.  I would suggest pinging TAC on this one too if nobody else provides feedback here.  Lastly, two options I think may work for you is to scan every time someone connects to the network, but have that specific check as 'optional' or 'audit'.  The two differences are described below:

When set to optional:

During policy evaluation, the agent provides an option to clients to continue, when they fail to meet the optional requirements specified in the posture policy. End users are allowed to skip the specified optional requirements.

For example, you have specified an optional requirement with a user-defined condition to check for an application running on the client machine, such as Calc.exe. Although, the client fails to meet the condition, the agent prompts an option to continue further so that the optional requirement is skipped and the end user is moved to Compliant state.

When set to Audit: 

Audit requirements are specified for internal purposes and the agent does not prompt any message or input from end users, regardless of the pass or fail status during policy evaluation.

For example, you are in the process of creating a mandatory policy condition to check if end users have the latest version of the antivirus program. If you want to find out the non-compliant end users before actually enforcing it as a policy condition, you can specify it as an audit requirement.

IMO doing an audit and keeping an eye on it for internal reporting purposes would give you insight on who is compliant and who is not prior to enforcing the check at 21 day mark.

Also, check this out for additional help: ISE Posture Prescriptive Deployment Guide - Cisco Community


Content for Community-Ad