Posture lease and Cache Last Known Posture Compliant Status

dgaikwad
Level 5

Hi Experts,
I need some further clarifications on the above two settings, which are under Administration > System > Settings > Posture > General Settings...
As per my understanding of the documentation, Posture Lease is used for a specified period of time when we do not want to run posture checks every time an endpoint detects a network change or when a user logs in and logs off the network, correct?
So in a nutshell ISE will keep the last known posture status for, let's say, 24 hours and will perform the next posture check when the user logs in after 24 hours...
Then, if posture lease is used, in what scenario or use case would Cache Last Known Posture Compliant Status be used?
What would be the implication if I keep Posture Lease at 1 day (24 hours) and keep Cache Last Known Posture Compliant Status at 30 hours? Will ISE then run the next posture check after 24 hours or 30 hours?

Any pointers?

14 Replies

Manjunath Sheregar
Cisco Employee

Hi

The answer to this query is not documented anywhere; I think you should raise a case with TAC so that they can test it internally and present an answer.


Hi @dgaikwad and @Manjunath Sheregar,

remember that:

"... When the posture lease is active, Cisco ISE will use the last known posture state and will not reach out to the endpoint to check for compliance. But when the posture lease expires, Cisco ISE does not automatically trigger a re-authentication or a posture reassessment for the endpoint. The endpoint will stay in the same compliance state since the same session is being used. When the Endpoint re-authenticates, Posture will be run and the Posture Lease time will be reset..."

"... Last Known Posture Compliant Status: This setting only applies if you have checked Cache Last Known Posture Compliant Status. Cisco ISE caches the result of posture assessment for the amount of time specified in this field. Valid values are from 1 to 30 days, or from 1 to 720 hours (1 hour to 30 days), or from 1 to 43200 minutes (1 minute to 30 days)..."

 

Example:

- Posture Lease is 24h
- Posture Compliance Status is 30h
- Last Compliance Status is Compliant

then:

before 24h:
- if the user logs off and logs on, since the Posture Lease is active and the Last Compliance Status is Compliant, the user is provided access without Posture being run on the Endpoint.

after 24h:
- if the user logs off and logs on, since the Posture Lease has expired, a Posture Assessment is performed.

Hope this helps !!!

Peter Koltl
Level 7

I interviewed the lecturer about this on Cisco Live and these are my notes:

Perform posture assessment every .. days:
A lease. Does not remember last state. Skips the check within the lease time (that is why PRA should be used too).

Cache Last Known Posture Compliant Status:
Remembers the last Compliant or NonCompliant status.

Lease off, Cache on: allows to connect as compliant but starts the posture check after connecting.

Lease on, Cache off: posture not checked and allowed immediately as compliant (should be combined with PRA).

Unfortunately, I still did not understand after the explanation. )-:

The other 2 combinations were not discussed.

Hi @Peter Koltl,

you are able to find these options at Administration > System > Settings > Posture > General Settings:

a Posture Lease can't be "Off", the options are:

1. Perform Posture Assessment every time a User connects to the network
2. Perform Posture Assessment every 1-365 days (this configuration ONLY applies to AnyConnect Agent)

a Cache Last Known Posture Compliant Status can be "Off" or "On".

Hope this helps !!!

rmeans
Level 3

The above explanations are helpful. Thank you. I have more questions.

I think I am interested in daily scans. Much of my organization works Monday-Friday, 8a to 5p. Staff are remote one day and in the office the next.

Setting perform posture assessment every 1 day seems like the correct setting.

Why would I enable cache last known?  Is there a recommended length of time?

If someone starts their day at 8:15a and the next day at 7:50a, will the perform posture every day scan?

Hi @rmeans,

Q.: I think I am interested in daily scans

A.: Posture Assessment every day is a good option !!!

Q.: Why would I enable cache last known? Is there a recommended length of time?

A.: If you enable Cache Last Known Posture Compliant Status, ISE caches the result of Posture Assessment for the amount of time specified in this field. In other words, if the Users log off and log on multiple times during the Cache Last Known Posture Compliant Status amount of time, then the User is provided access without Posture being run on the Endpoint ... pros: faster, cons: "less secure" (since you are trusting the "last compliance status") ... recommended Length of Time: IMO less than a day (for example, you can use 4 hours - "till lunch time", or 8 hours - "during working hours").

Q.: If someone starts their day at 8:15a and the next day at 7:50a, will the perform posture every day scan?

A.: Although Posture Lease is in Days, you have to think in Hours, for example:

"... The user logs on to the endpoint and gets it Posture Compliant with the posture lease set to one day.

Four hours later the user logs off from the endpoint (the posture lease now has 20 hours left)."

Note: remember that you can use the Last Known Posture Compliant State = 8 hours and Default Posture Status = NonCompliant with Perform Posture Assessment Every = 1 day to reach your goals !!!

Hope this helps !!!

romankielbowicz
Level 1

Hello @Marcelo Morais 

I am still a bit confused on this. Here are my current settings:

TEAP with EAP-TLS, we have separate authorization policies for machine (no posturing) and user authentication (yes posturing)

Default compliant state is set to Non-Compliant

Posture Lease is set for 1 day

Cache Last Known Posture Compliant Status is enabled for 8 hours

Here is the scenario:

When a user initially signs in on a Friday, posture assessment is performed and compliant, the user leaves at the end of the day without logging out.

What will happen to the posture status over the weekend when the user isn't there? Will it remain compliant until the user returns on Monday? Also, let's say over the weekend the user's computer got disconnected briefly from the wireless network but was able to reconnect, what happens then?

Thank you!


Hi @romankielbowicz,

On Friday at 08AM the User logs on to the Endpoint and gets it Posture Compliant with the Posture Lease set to 24 Hours.

On Saturday at 08AM the Posture Lease expires, but Cisco ISE does not automatically trigger a Re-Authentication or a Posture Reassessment for the Endpoint. The Endpoint will stay in the same Compliance State since the same Session is being used. When the Endpoint re-authenticates, Posture will be run and the Posture Lease time will be reset.

Hope this helps !!!

@Marcelo Morais In what circumstance would the compliance state change from compliant to unknown if the same session ID is still being used?

Unknown (policy set config) and pending (live logs) are the same. I see laptops go to the unknown/pending state when connecting to the network, followed by either compliant or non-compliant. I haven't seen a device go from compliant to unknown/pending.

rmeans
Level 3

My organization continues to work on posture settings. We have had posture assessment set to 1 day and a 4-hour cache for some time.

I am interested in changing perform assessment to every time and either disabling cache or setting it to 1-4 hrs.

Anyone doing this? Any concerns?

My goals:

I noticed that not everyone does a posture assessment first thing in the morning. Staff might work remote or late the day before. Their posture lease continues to the next day. When monitoring live logs, not everyone has a posture status (pending or compliant).

Next, I believe the more frequent posture assessments will mean more frequent entries in the Posture End Point Assessment reports. I find valuable info in the reports. More frequent entries will help identify issues more quickly.

My authorization policies allow the same level of network access for pending and compliant. The laptop CPU will have increased load. ISE might have an increased load. But the end user's applications (email) shouldn't be impacted.

Any reason why you have the same network access on pending and compliant? Do you pre-deploy CSC/Anyconnect or do you use the provisioning portal? If the endpoint is in a pending state, wouldn’t you want to only allow access to ISE for client provisioning using redirection or use redirectionless probes for ISE discovery? I can tell you from personal experience that doing posture assessment every time a user connects to a network is not a bad option but becomes troublesome on a Meraki wireless network where clients roam from AP to AP.

rmeans
Level 3

Originally, we had a restrictive policy with pending and a more open policy for compliant. It has taken months; we believe the restrictive policy is preventing the normal boot up and login process from completing successfully. We discovered applications would fail (even later in the day). Testing is ongoing, but we believe the restrictive policy is at fault.

We are using TEAP with a device and user cert. It takes up to 30 seconds from user login until posture completes. During the 30 seconds the laptop is doing a lot. We have not successfully defined everything the laptop needs for a successful boot up.

We have been trying to update AnyConnect to Secure Client. We use the ISE provisioning portal. All laptops have AnyConnect with the posture module installed and working. The provisioning portal conditions trigger by area in the network (the 5th floor switch). Staff should be able to boot up on the 5th floor and get the Secure Client update.

If I posture assess every time but have a 1 hr cache, would that help wireless?

I think that might depend on the kind of wireless infrastructure you have. Do you use Meraki APs or Cisco APs?