
Beginner

Monitor only for Posture - ISE 2.4p11

We have a customer who want to use ISE posture with AnyConnect to report on device compliance on the local network.


We've installed AnyConnect 4.8.02042 Core & ISE Posture, successfully  working with ISE to perform posture scans.


The issue is that this customer wants (at least initially) to report on compliance status without enforcing any remediation; where I'm stuck is finding a way to stop AnyConnect popping up an action window when a device fails a posture check.


I notice that in the detail report for "Posture by Endpoints" there is an "Enforcement Type" Field which always appears as "Mandatory"; is there a way to configure a policy without mandatory enforcement? I can't find anything documented for this setting.


tia

6 Replies
Beginner

Re: Monitor only for Posture - ISE 2.4p11

Cross posted in AnyConnect community
VIP Collaborator

Re: Monitor only for Posture - ISE 2.4p11

where I'm stuck is finding a way to stop AnyConnect popping up an action window when a device fails a posture check.
-Try setting up the ISE posture agent profile to support stealth mode. When this is enabled it runs as a service with no user interface.
is there a way to configure a policy without mandatory enforcement?
-AFAIK this is not an option. IMO one way to accomplish something similar would be to ensure that authz policy for non-compliant, unknown, and compliant are all the same. What I mean by same is ensure the authz profile dumps hosts into their "normal" respective network.
Then once you get a baseline you can tweak your solution and go from there. HTH!
Beginner

Re: Monitor only for Posture - ISE 2.4p11

Thanks for the reply, you mentioned:

-Try setting up the ISE posture agent profile to support stealth mode. When this is enabled it runs as a service with no user interface.

>> When I set stealth mode in the profile the posture policies aren't checked; I get a "compliant" status from AnyConnect, but if I check the details the "posture policy" section says "no data".


I've now set the requirements on the posture policy to audit mode, which suppresses the more alarming pop ups; unfortunately it also makes it harder to see non-compliance in the posture reports, but I've managed to create a filtered report which almost fixes this.


This requirement is purely for posture visibility, there's no AuthZ policy tied to posture, so nothing to change on that side.


Customer is going ahead with deployment, but I'd like to understand why stealth mode seems broken.

VIP Collaborator

Re: Monitor only for Posture - ISE 2.4p11

I suggest engaging TAC to further assist. Without more visibility it is difficult to assist.
Beginner

Re: Monitor only for Posture - ISE 2.4p11

Just to add: I can suppress the remediation pop-up by using audit mode, but not the system scan pop-ups.


If I try and use stealth mode, none of my posture policies seem to run ("no data" in the posture report detail window).


Any id

VIP Collaborator

Re: Monitor only for Posture - ISE 2.4p11

Can you share additional information? Screenshots? Note that if other modules are installed you will see the user interface. See here for more details: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273