ISE questions on Posturing

rbill1967
Level 1

Questions on ISE, if I can get some definitive answers on how it works?

 

1. Grace period - when does it start?
   * Can it be pushed manually onto a client?

2. Windows updates - when non-compliant shouldn't the update still run if allowed from an internal WSUS server?
   * If it doesn't what is blocking it from running on a client?

3. Antivirus updates - same type of question like "Windows", runs from an online site and allowed via ACLs.
   * If it doesn't what is blocking it from not getting the updates?

 

Any thoughts or suggestions you can offer?

3 Replies

Hi @rbill1967 ,

Whenever you reach a Posture Status = NonCompliant in your Policy Sets, your Authorization Profiles (that you configured earlier at Policy > Policy Elements > Authorization > Authorization Profiles) must have a dACL (for example) that permits the Remediation Servers (internal WSUS Server, internal AV Servers, ...) and denies other servers.

At Work Centers > Posture > Client Provisioning > Resources, select your AnyConnectProfile and double-check your configuration.

At Administration > System > Settings > Posture > General Settings, double-check the Remediation Timer.

 

Hope this helps !!!

Yes, all of those settings were checked and rechecked with Cisco support and the vendor who assisted in the original setup. Even had them recheck and revalidate those changes and requirements. Unfortunately, it does not help the current situation.

Hi @rbill1967 ,

Please:

1. Verify whether a NonCompliant Endpoint is able to ping the internal WSUS Server.

2. Generate a PCAP during a NonCompliant Endpoint update vs. a Compliant Endpoint update and check if anything is blocked.

 

Hope this helps !!!
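
Added example, not part of the thread and not Cisco code: a first-match evaluator for a simplified dACL, useful for checking which remediation flows a NonCompliant dACL (as described in the first reply) actually permits before comparing against the ping test and PCAP suggested in the last reply. The dACL text, addresses, ports and flow names are constructed assumptions, and the parser handles only `permit|deny <proto> any <dst> [eq <port>]`.

```python
import ipaddress

# Constructed dACL for a NonCompliant profile; addresses and ports are placeholders.
SAMPLE_DACL = """\
permit udp any any eq 53
permit tcp any host 10.10.10.20 eq 8530
permit icmp any host 10.10.10.20
deny ip any any
"""

# Constructed flows: name -> (protocol, destination, port or None).
SAMPLE_FLOWS = {
    "ping WSUS": ("icmp", "10.10.10.20", None),
    "WSUS on 8530": ("tcp", "10.10.10.20", 8530),
    "WSUS on 443": ("tcp", "10.10.10.20", 443),
    "online AV update site": ("tcp", "203.0.113.50", 443),
}

def parse_ace(line):
    """Parse one ACE; destination is 'any', 'host A' or 'A WILDCARD'."""
    tok = line.split()
    action, proto, src = tok[:3]
    if action not in ("permit", "deny") or src != "any":
        raise ValueError("unsupported ACE: " + line)
    rest = tok[3:]
    if rest[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    else:  # wildcard mask; ipaddress accepts the hostmask form directly
        net, rest = ipaddress.ip_network(rest[0] + "/" + rest[1]), rest[2:]
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, net, port

def evaluate(dacl, proto, dst, port=None):
    """Return (action, matching ACE); the first match wins, no match is a deny."""
    dst = ipaddress.ip_address(dst)
    for line in (l.strip() for l in dacl.splitlines()):
        if not line or line.startswith("remark"):
            continue
        action, ace_proto, net, ace_port = parse_ace(line)
        if ace_proto in ("ip", proto) and dst in net and ace_port in (None, port):
            return action, line
    return "deny", "(implicit deny)"

def check_remediation(dacl, flows):
    """Map each named flow to the action the dACL applies to it."""
    return {name: evaluate(dacl, *flow)[0] for name, flow in flows.items()}

if __name__ == "__main__":
    for name, action in check_remediation(SAMPLE_DACL, SAMPLE_FLOWS).items():
        print(f"{action:6} {name}")
```

With this constructed dACL the ping to the WSUS server is permitted while the update traffic on a port the dACL does not list is denied, so a successful ping alone does not show that the update path is open.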