3937 Views · 10 Helpful · 4 Replies

Posture lease and Cache Last Known Posture Compliant Status

dgaikwad
Contributor
Contributor

Hi Experts,
I need some further clarifications on the above two settings that are under Administration System Settings Posture General Settings...
As per my understanding of the documentation, Posture Lease is used for a specified period of time, when we do not want to run posture checks every time an endpoint detects a network change or when a user logs in and logs off the network, correct?
So in a nutshell ISE will keep the last known posture status for, let's say, 24 hours and will perform the next posture check when the user logs in after 24 hours...
Then, if that is how the posture lease is used, in what scenario or use would Cache Last Known Posture Compliant Status be used?
What would be the implication if I keep Posture Lease at 1 day (24 hours) and keep Cache Last Known Posture Compliant Status at 30 hours? Will ISE then run the next posture check after 24 hours or 30 hours?

Any pointers?

4 Replies

Manjunath Sheregar
Cisco Employee
Cisco Employee

Hi

The answer to this query is not documented anywhere; I think you should raise a case with TAC so that they can test it internally and present an answer.


Hi @dgaikwad and @Manjunath Sheregar ,

Remember that:

"... When the posture lease is active, Cisco ISE will use the last known posture state and will not reach out to the endpoint to check for compliance. But when the posture lease expires, Cisco ISE does not automatically trigger a re-authentication or a posture reassessment for the endpoint. The endpoint will stay in the same compliance state since the same session is being used. When the Endpoint re-authenticates, Posture will be run and the Posture Lease time will be reset..."

"... Last Known Posture Compliant Status: This setting only applies if you have checked Cache Last Known Posture Compliant Status. Cisco ISE caches the result of posture assessment for the amount of time specified in this field. Valid values are from 1 to 30 days, or from 1 to 720 hours (1 hour to 30 days), or from 1 to 43200 minutes (1 minute to 30 days)..."


Example:

Posture Lease is 24h

Posture Compliance Status is 30h

Last Compliance Status is Compliant

then:

Before 24h: if the user logs off and logs on, since the Posture Lease is active and the Last Compliance Status is Compliant, the user is provided access without Posture being run on the Endpoint.

After 24h: if the user logs off and logs on, since the Posture Lease has expired, a Posture Assessment is performed.


Hope this helps !!!

Peter Koltl
Rising star
Rising star

I interviewed the lecturer about this on Cisco Live and these are my notes:

Perform posture assessment every .. days

A lease. Does not remember last state. Skips check within the lease time (that is why PRA should be used too).

Cache Last Known Posture Compliant Status

Remembers last Compliant or NonCompliant status.

Lease off, Cache on: allows connecting as compliant but starts a posture check after connecting.

Lease on, Cache off: posture not checked and allowed immediately as compliant (should be combined with PRA).


Unfortunately, I still did not understand after the explanation. )-:

The other 2 combinations were not discussed.

Hi @Peter Koltl ,

You are able to find these options at Administration > System > Settings > Posture > General Settings:

A Posture Lease can't be "Off"; the options are:

1. Perform Posture Assessment every time a User connects to the network

2. Perform Posture Assessment every 1-365 days. (this configuration ONLY applies to AnyConnect Agent)

A Cache Last Known Posture Compliant Status can be "Off" or "On".


Hope this helps !!!
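To make the combinations discussed in this thread easier to reason about, here is a small decision model written for this page (it is not Cisco ISE code and not posted by any participant). It encodes only the behaviour stated above: while the lease is active ISE reuses the last known state and does not contact the endpoint; when the lease has expired (or the lease is set to "every time"), posture runs at the next re-authentication, and a still-valid cached Compliant status lets the session start as compliant while the reassessment runs. Everything else (the `PostureSettings`, `LastAssessment` and `Decision` names, the 20h/26h/31h sample timings, and the "Unknown" state used when nothing is cached) is an assumption made for the example; the thread itself notes the lease/cache interplay is not formally documented.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOUR = 3600.0  # seconds; all timestamps below are epoch seconds


@dataclass(frozen=True)
class PostureSettings:
    # None models "Perform Posture Assessment every time a User connects";
    # a number models "Perform Posture Assessment every N days" expressed in hours
    lease_hours: Optional[float]
    cache_enabled: bool   # "Cache Last Known Posture Compliant Status" on/off
    cache_hours: float    # "Last Known Posture Compliant Status" validity window


@dataclass(frozen=True)
class LastAssessment:
    at: float             # when the last posture assessment completed
    status: str           # "Compliant" or "NonCompliant"


@dataclass(frozen=True)
class Decision:
    posture_runs: bool    # does ISE reach out to the agent for a new assessment?
    initial_access: str   # state the session starts in right after authentication
    reason: str


def on_reauthentication(settings: PostureSettings,
                        last: Optional[LastAssessment],
                        now: float) -> Decision:
    """Model of what happens when an endpoint re-authenticates.

    Note that lease expiry by itself triggers nothing (the quoted documentation
    says ISE does not re-authenticate or reassess on expiry); this function is
    only evaluated when a new authentication actually occurs.
    """
    elapsed = None if last is None else now - last.at

    lease_active = (settings.lease_hours is not None
                    and elapsed is not None
                    and elapsed < settings.lease_hours * HOUR)
    if lease_active:
        # Lease still valid: last known state is reused, endpoint is not contacted.
        return Decision(False, last.status,
                        "posture lease active: last known state reused")

    # Lease expired or set to "every time": a posture assessment is performed.
    cache_hit = (settings.cache_enabled
                 and elapsed is not None
                 and last.status == "Compliant"
                 and elapsed < settings.cache_hours * HOUR)
    if cache_hit:
        # Assumed from the notes above: cached Compliant grants access while
        # the reassessment starts.
        return Decision(True, "Compliant",
                        "lease not active: cached Compliant status used, posture reassessed")
    return Decision(True, "Unknown",
                    "lease not active and no usable cached status: wait for posture result")


def thread_example() -> List[Tuple[int, bool, str]]:
    """The 24h lease / 30h cache scenario from the thread, with constructed
    re-authentication times of 20h, 26h and 31h after a Compliant assessment."""
    settings = PostureSettings(lease_hours=24, cache_enabled=True, cache_hours=30)
    last = LastAssessment(at=0.0, status="Compliant")
    out = []
    for hours in (20, 26, 31):
        d = on_reauthentication(settings, last, hours * HOUR)
        out.append((hours, d.posture_runs, d.initial_access))
    return out


if __name__ == "__main__":
    for hours, runs, access in thread_example():
        print(f"re-auth at {hours:>2}h: posture runs={runs!s:<5} initial access={access}")
```

Running the script prints one line per re-authentication time: at 20h the lease is active, so no posture runs and the session is Compliant; at 26h the lease has expired but the 30h cache has not, so posture runs while the session starts as Compliant; at 31h both have expired, so posture runs and nothing is cached. The two combinations Peter listed can be checked the same way by passing `cache_enabled=False` or `lease_hours=None`.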
