
ISE Posture status stuck in Unknown status.

Hi,

I have a customer on ISE 3.0 that authenticates, authorizes and performs two compliance checks on the client.

The AnyConnect version for ISE Posturing is: 4.8.03036. (I know this is an old version.)

The Compliance module is: 4.3.1453.6145

The ISE posturing checks for Anti-Malware and Windows Patch Management.

The Anti-Malware check works perfectly: it scans, then passes this posture check or updates if needed.

For Windows Patch Management, it checks to see if the client has the SCCM client installed and if it has the latest Critical patches installed.

Today, we were able to roll back a critical Microsoft patch on the client.

The AnyConnect ISE posturing module connects to ISE and runs a scan for Anti-Malware and Patch Management.

The first scan works for Anti-Malware, but the second scan for Patch Management stalls; it continues to stall beyond the 10-minute remediation timer on the Posturing Profile.

How do I get the clients to go from Unknown to Non-Compliant if it fails within the remediation time? My client remains on Unknown indefinitely even when the SCCM patched the machine an hour later.

Can I get the AnyConnect client to trigger a scan if it is in an Unknown or Non-Compliant status for 5 minutes?

Thanks

3 Replies

Mike.Cifelli
VIP Alumni

How do I get the clients to go from Unknown to Non-Compliant if it fails within the remediation time? My client remains on Unknown indefinitely even when the SCCM patched the machine an hour later. 

-If the user cancels the pop-up, it should then immediately move them into the Non-Compliant state. Is this not the case?

Can I get the AnyConnect client to trigger a scan if it is in an Unknown or Non-Compliant status for 5 minutes?

-You have the ability via the ISEPostureCFG.xml profile to enable the "Scan Again" button. With this, users can manually force a re-scan by clicking the button, which will manually initiate the probe again.

Hi Mike,

I have the scan again on the ISE posture module, but I was wondering if it could do it automatically if the client is non-compliant.

I will come back to you on the other query.

Thanks

Anthony.

We could assign a reauth timer with terminate so the sessions will re-initiate.
