
Posture lease and Cache Last Known Posture Compliant Status

dgaikwad
Level 5

Hi Experts,
I need some further clarifications on the above two settings that are under Administration System Settings Posture General Settings...
As per my understanding of the documentation, Posture Lease is used for a specified period of time when we do not want to run posture checks every time an endpoint detects a network change or when a user logs in and logs off the network, correct?
So in a nutshell ISE will keep the last known posture status for, let's say, 24 hours and will perform the next posture check when the user logs in after 24 hours...
Then, if that is how Posture Lease is used, in what scenario or use case would Cache Last Known Posture Compliant Status be used?
What would be the implication if I keep Posture Lease at 1 day (24 hours) and keep Cache Last Known Posture Compliant Status at 30 hours? Will ISE then run the next posture check after 24 hours or 30 hours?

Any pointers?

6 Replies

Manjunath Sheregar
Cisco Employee

Hi

The answer to this query is not documented anywhere; I think you should raise a case with TAC so that they can test it internally and present an answer.

Hi @dgaikwad and @Manjunath Sheregar ,

remember that:

"... When the posture lease is active, Cisco ISE will use the last known posture state and will not reach out to the endpoint to check for compliance. But when the posture lease expires, Cisco ISE does not automatically trigger a re-authentication or a posture reassessment for the endpoint. The endpoint will stay in the same compliance state since the same session is being used. When the Endpoint re-authenticates, Posture will be run and the Posture Lease time will be reset..."

"... Last Known Posture Compliant Status: This setting only applies if you have checked Cache Last Known Posture Compliant Status. Cisco ISE caches the result of posture assessment for the amount of time specified in this field. Valid values are from 1 to 30 days, or from 1 to 720 hours (1 hour to 30 days), or from 1 to 43200 minutes (1 minute to 30 days)..."

Example:

Posture Lease is 24h

Posture Compliance Status is 30h

Last Compliance Status is Compliant

then:

before 24h:
. if the user logs off and logs on, since the Posture Lease and the Last Compliance Status is Compliant, then the user is provided access without Posture being run on the Endpoint.
after 24h:
. if the user logs off and logs on, since the Posture Lease has expired, a Posture Assessment is performed.

Hope this helps !!!

Peter Koltl
Level 7

I interviewed the lecturer about this on Cisco Live and these are my notes:

Perform posture assessment every .. days

A lease. Does not remember last state. Skips check within the lease time (That is why PRA should be used too.)

Cache Last Known Posture Compliant Status

Remembers last Compliant or NonCompliant status.

Lease off, Cache on: allows to connect as compliant but start posture check after connecting

Lease on, Cache off: posture not checked and allowed immediately as compliant (should combine with PRA)

Unfortunately, I still did not understand after the explanation. )-:

The other 2 combinations were not discussed.

Hi @Peter Koltl ,

you are able to find these options at Administration > System > Settings > Posture > General Settings:

a Posture Lease can't be "Off"; the options are:

1. Perform Posture Assessment every time a User connects to the network

2. Perform Posture Assessment every 1-365 days. (this configuration ONLY applies to AnyConnect Agent)

a Cache Last Known Posture Compliant Status can be "Off" or "On".

Hope this helps !!!

rmeans
Level 3

The above explanations are helpful.  Thank you.  I have more questions.

I think I am interested in daily scans.  Much of my organization works Monday-Friday.  8a to 5p.  Staff are remote one day and in the office the next.

Setting perform posture assessment every 1 day - seems like the correct setting.

Why would I enable cache last known?  Is there a recommended length of time?

If someone starts their day at 8:15a and the next day at 7:50a, will the perform posture every day scan?

Hi @rmeans,

Q.: I think I am interested in daily scans

A.: Posture Assessment every day is a good option !!!

Q.: Why would I enable cache last known? Is there a recommended length of time?

A.: If you enable Cache Last Known Posture Compliant Status, ISE caches the result of Posture Assessment for the amount of time specified in this field; in other words, if the Users log off and log on multiple times during the Cache Last Known Posture Compliant Status amount of time, then the User is provided access without Posture being run on the Endpoint ... pros: faster, cons: "less secure" (since you are trusting the "last compliance status") ... recommended Length of Time: IMO less than a day (for ex.: you can use 4 hours - "till lunch time", or 8 hours - "during working hours").

Q.: If someone starts their day at 8:15a and the next day at 7:50a, will the perform posture every day scan?

A.: Although Posture Lease is in Days, you have to think in Hours, for ex:

"... The user logs on to the endpoint and gets it Posture Compliant with the posture lease set to one day.

Four hours later the user logs off from the endpoint (the posture lease now has 20 hours left)."

Note: remember that you can use the Last Known Posture Compliant State = 8 hours and Default Posture Status = NonCompliant with the Perform Posture Assessment Every = 1 day to reach your goals !!!

Hope this helps !!!
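As an added illustration (not code from this thread or from Cisco ISE), the following Python model walks the 24 h lease example given earlier in the thread and the 8:15a / 7:50a daily-logon question from the last answer, using the lease semantics quoted from the documentation above (lease clock starts at the last Compliant assessment, status reused within the lease, reassessment only at the next re-authentication after expiry). Treating an expired cache window as "no known status" inside an active lease is this model's own assumption, as is the constructed three-day logon timeline.

```python
from datetime import datetime, timedelta

# Model of the posture-lease / cache behaviour described in the thread.
# Assumed semantics (from the quoted documentation in the replies above):
#  - the lease clock starts when the endpoint was last assessed Compliant
#  - within the lease, ISE reuses the last known status and skips assessment
#  - the lease itself triggers nothing; it is only checked at re-authentication
#  - ASSUMPTION of this model: once the cache window has elapsed there is no
#    usable "last known status", so posture runs even inside the lease


def needs_posture(now, last_assessed, last_status, lease_hours, cache_hours=None):
    """Return True when a re-authentication at `now` should run posture."""
    if last_assessed is None or last_status != "Compliant":
        return True                      # nothing trustworthy to reuse
    elapsed = now - last_assessed
    if elapsed >= timedelta(hours=lease_hours):
        return True                      # lease expired: posture runs at this re-auth
    if cache_hours is not None and elapsed >= timedelta(hours=cache_hours):
        return True                      # assumption: cached status no longer available
    return False                         # lease active and status cached: skipped


def simulate(logons, lease_hours, cache_hours=None):
    """Walk a list of logon datetimes; return (logon, posture_ran) pairs."""
    last_assessed, last_status, events = None, None, []
    for t in logons:
        ran = needs_posture(t, last_assessed, last_status, lease_hours, cache_hours)
        if ran:
            # constructed outcome: the endpoint passes every assessment it gets
            last_assessed, last_status = t, "Compliant"
        events.append((t, ran))
    return events


# Constructed timeline: Monday 8:15, Tuesday 7:50, Wednesday 8:05
LOGONS = [
    datetime(2024, 1, 8, 8, 15),
    datetime(2024, 1, 9, 7, 50),
    datetime(2024, 1, 10, 8, 5),
]

if __name__ == "__main__":
    # "every 1 day" lease alone: Tuesday 7:50 is only 23 h 35 min after Monday's
    # assessment, so that logon is skipped and the next scan lands on Wednesday
    for t, ran in simulate(LOGONS, lease_hours=24):
        print(t, "posture assessed" if ran else "skipped (lease active)")
    # adding an 8 h cache window (the recommendation above) gives a scan each day
    for t, ran in simulate(LOGONS, lease_hours=24, cache_hours=8):
        print(t, "posture assessed" if ran else "skipped (cached status)")
```

The point the model makes concrete is that a 1-day lease is measured in hours from the last Compliant result, so a slightly earlier logon the next morning falls inside the lease and is not reassessed.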