Monitor only for Posture - ISE 2.4p11

JON SHORTEN
Level 1

We have a customer who wants to use ISE posture with AnyConnect to report on device compliance on the local network.

We've installed AnyConnect 4.8.02042 Core & ISE Posture, successfully working with ISE to perform posture scans.

The issue is that this customer wants (at least initially) to report on compliance status without enforcing any remediation; where I'm stuck is finding a way to stop AnyConnect popping up an action window when a device fails a posture check.

I notice that in the detail report for "Posture by Endpoints" there is an "Enforcement Type" field which always appears as "Mandatory"; is there a way to configure a policy without mandatory enforcement? I can't find anything documented for this setting.

tia

6 Replies

JON SHORTEN
Level 1

Cross posted in AnyConnect community

Mike.Cifelli
VIP Alumni
where I'm stuck is finding a way to stop AnyConnect popping up an action window when a device fails a posture check.
-Try setting up the ISE posture agent profile to support stealth mode. When this is enabled it runs as a service with no user interface.
is there a way to configure a policy without mandatory enforcement?
-AFAIK this is not an option. IMO one way to accomplish something similar would be to ensure that the authz policy for non-compliant, unknown, and compliant are all the same. What I mean by same is ensure the authz profile dumps hosts into their "normal" respective network.
Then once you get a baseline you can tweak your solution and go from there. HTH!

Thanks for the reply, you mentioned:

-Try setting up the ISE posture agent profile to support stealth mode. When this is enabled it runs as a service with no user interface.

>> When I set stealth mode in the profile the posture policies aren't checked; I get a "compliant" status from AnyConnect, but if I check the details the "posture policy" section says "no data".

I've now set the requirements on the posture policy to audit mode, which suppresses the more alarming pop-ups; unfortunately it also makes it harder to see non-compliance in the posture reports, but I've managed to create a filtered report which almost fixes this.

This requirement is purely for posture visibility; there's no AuthZ policy tied to posture, so nothing to change on that side.

Customer is going ahead with deployment, but I'd like to understand why stealth mode seems broken.

 

I suggest engaging TAC to further assist. Without more visibility it is difficult to assist.

JON SHORTEN
Level 1

Just to add; I can suppress the remediation pop-up by using audit mode, but not the system scan pop-ups.

If I try & use stealth mode none of my posture policies seem to run ("no data" in posture report detail window).

 

Any id

Can you share additional information? Screenshots? Note that if other modules are installed you will see the user interface. See here for more details: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273