
ISE Posture remediation issue with Antivirus and Windows

Pranav Gade
Level 1

 

Hi All,

 

I am running Cisco ISE 1.2.1 with certificate authentication (EAP-TLS), which is working perfectly fine for me. Please find the current setup and configuration below.

We are facing an issue with posturing in Antivirus and Windows Update.

Antivirus - We are running Microsoft Forefront, so we have configured the condition for antivirus installation and definition for vendor Microsoft.

Windows - We are running SCCM for Windows updates and we have configured Pr_Wsusrule.

Authorization Policy – 

  1. If user not compliant & AD user & EAP-TLS -> it should apply the profile with the remediation ACL
  2. If user compliant & AD user & EAP-TLS -> it should get full access

Issue -

Currently authentication is working fine, but after authentication, if the machine is not compliant (e.g. we checked by removing some Windows updates), it's not falling to the remediation state and is directly becoming compliant. So my questions are as follows:

1 – Is the SCCM Windows update server compatible with ISE 1.2.1?

2 – Is Microsoft Antivirus compatible with ISE 1.2.1?

3 – If both are compatible, then it's still not falling to remediation.

Can anybody tell me the solution for the same?

 

Thanks in advance 

Regards

 

 

13 Replies

Abdallah Anouar
Level 1

You can look at the "Posture Detail Assessment" (Reports -> Endpoints and Users) to check if they were detected by the agent.

Hi anouarabd,

Thanks for the reply. I have checked "Posture Detail Assessment" and it is meeting all posture which we configured (Antivirus + Windows).

We have removed some Windows updates on a domain machine; still it's not going to remediation and is falling in compliant endpoints itself.

 

Regards

If you can post your posture policies and a screenshot of what you found on "Posture Detail Assessment" (mainly "Posture Policy Details").

Hi anouarabd,

 

Please find attached screenshots.

To know which policy was matched, please check the section "Posture Policy Details" on "Posture Detail Assessment".

Hi anouarabd,

 

As I checked, it's matching the same configured Posture Policy.

Hi,

According to me, your Windows update check policy is at the bottom in the posture policy.

ISE checks policy from top to first match; here your AV policy is getting hit and endpoints are getting the Posture compliant state.

You can move your Windows update check policy to the top and then try.

Thanks

Aditya

jan.nielsen
Level 7

As far as I know, SCCM is not the same as WSUS, which is supported in ISE, so that probably won't work. However, SCCM might have been introduced in ISE 1.4; there are some changes to the posture features introduced there.

 

Hi jan.nielsen,

 

Thanks for the reply. Can you share any document regarding ISE compatibility with SCCM/WSUS?

 

Regards

It should be in the supported devices document that is on cisco.com; just search for ise <your version> supported devices.

Hi jan.nielsen,

I have tried to check but it's not mentioning anything regarding compatibility with WSUS/SCCM.

 

Regards

Venkatesh Attuluri
Cisco Employee

ISE 1.4 supports SCCM integration

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_010010.html

 

adityaM1234
Level 1

Hi,

According to me, your Windows update check policy is at the bottom.

ISE checks policy from top to first match. In this case your AV policy is getting hit, hence endpoints are getting the compliant state.

My suggestion is to move the Windows update check policy to the top and then try.

It is better to combine multiple conditions in one requirement and then assign that requirement in your posture policy.

 

Thanks,

Aditya