Solved: Re: ISE posture policy

xili5 · ‎08-11-2017

Dear experts,

Please help on below two questions.

1. How anyconnect posture module to decide the checking order of rules I configure in posture rules on ISE. The actual checking order is not the same with what I configure. In my testing, windows server update services is always the first one to be checked. Because WSUS remediation always spends more time downloading and installing patches and cause remediation time expired. So other rules are not even checked.

2. I use the default remediation timer--4 minutes in my lab. But time of WSUS remediation which is one of three posture rules is longer than 4 minutes. So is there other specific timer for each remediation?

ISE Version: 2.2.0.470

Anyconnect Version: 4.4.02034

Compliance Module: 4.2.1134.0

hslai · ‎08-11-2017

On 1, two possibilities:

Each of posture requirements may have one or more conditions. With 2+ conditions, we may OR them by the selection of "Any selected conditions succeeds".
ISE posture policy is matched all. To have one requirement after another, we may add them into the same rule.

On 2, there is no remediation timer for individual remediation so please set a longer timer for overall remediations.

View solution in original post

hslai · ‎08-11-2017

On 1, two possibilities:

Each of posture requirements may have one or more conditions. With 2+ conditions, we may OR them by the selection of "Any selected conditions succeeds".
ISE posture policy is matched all. To have one requirement after another, we may add them into the same rule.

On 2, there is no remediation timer for individual remediation so please set a longer timer for overall remediations.