cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2154
Views
0
Helpful
6
Replies

Monitor only for Posture - ISE 2.4p11

JON SHORTEN
Level 1
Level 1

We have a customer who want to use ISE posture with AnyConnect to report on device compliance on the local network.

 

We've installed AnyConnect 4.8.02042 Core & ISE Posture, successfully  working with ISE to perform posture scans.

 

The issue is that this customer wants (at least initially) to report on compliance status without enforcing any remediation; where I'm stuck is finding a way to stop AnyConnect popping up an action window when a device fails a posture check.

 

I notice that in the detail report for "Posture by Endpoints" there is an "Enforcement Type" Field which always appears as "Mandatory"; is there a way to configure a policy without mandatory enforcement? I can't find anything documented for this setting.

 

tia

6 Replies 6

JON SHORTEN
Level 1
Level 1
Spoiler
Cross posted in AnyConnect community

Mike.Cifelli
VIP Alumni
VIP Alumni
where I'm stuck is finding a way to stop AnyConnect popping up an action window when a device fails a posture check.
-Try setting up the ISE posture agent profile to support stealth mode. When this is enabled it runs as a service with no user interface.
is there a way to configure a policy without mandatory enforcement?
-AKAIK this is not an option. IMO one way to accomplish something similar would be to ensure that authz policy for non-compliant, unknown, and compliant are all the same. What I mean by same is ensure the authz profile dumps hosts into their "normal" respective network.
Then once you get a baseline you can tweak your solution and go from there. HTH!

Thanks for the reply, you mentioned:

-Try setting up the ISE posture agent profile to support stealth mode. When this is enabled it runs as a service with no user interface.

>> When I set stealth mode in the profile the posture policies aren't checked; I get a "compliant" status from AnyConnect, but if I check the deatils the "posture policy" section says "no data"

 

I've now set the requirements on the posture policy to audit mode, which suppresses the more alarming pop ups; unfortunately it also makes it harder to see non-compliance in the posture reports, but I've managed to create a filtered report which almost fixes this.

 

This requirement is purely for posture visibility, there's no AuthZ policy tied to posture, so nothing to change on that side.

 

Customer is going ahead with deployment, but I'd like to understand why stealth mode seems broken.

 

I suggest engaging TAC to further assist. Without more visibility it is difficult to assist.

JON SHORTEN
Level 1
Level 1

Just to add; I can suppress the remediation pop up by using audit mode, but not the system scan pop ups.

 

If I try & use stealth mode node of my posture policies seem to run ("no data" in posture report detail window)

 

Any id

Can you share additional information? Screenshots? Note that if other modules are installed you will see the user interface. See here for more details: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273