
03-29-2018 11:09 PM
Hi All,
I have a customer using ISE 2.1 P5 with AnyConnect 4.5, who is doing Posture with a lease of 1 day and a PRA every 4 hours. The posture policy for PRA uses 'session: Agent-request- type equals reassessment'.
The issue I am facing here is that the users' systems seem to be going to the posture unknown state every 4 hours, and then move back to posture compliant, even though we have a posture lease set for 1 day. Because of this, they lose connectivity for a brief moment, and sometimes, for unknown reasons, the posture unknown state does not change and they are left with the redirection ACL. I have attached screenshots showing the posture conditions, the posture setting, the PRA settings, and the authorization logs of one of the users.
Is it expected behaviour to have the PRA configuration affect my posture lease? Your opinions would be of great help.
Thank You,
Ashwin
Accepted Solutions
03-30-2018 07:02 AM
Correct. Posture Lease does not apply to Passive Reassessment, only to initial posture. The expected behavior with Lease is that the user is NOT subject to posture assessment on each new connection for the duration of the lease. If the goal is to not subject users to additional assessment, then disable PRA and rely solely on Posture Lease.

04-01-2018 09:54 PM
So the requirement from my customer is to have one posture check every 4 hours, and have another set of 4 posture checks which have to be performed only once in a day (posture lease). This type of setup wouldn't be possible if I create the posture policy for the 4 posture requirements along with the condition 'session: Agent-request- type equals initial', and the PRA check as 'session: Agent-request- type equals reassessment'?
Thank you,
Ashwin

04-02-2018 09:10 AM
I think the initial problem with moving from compliant to unknown during PRA is a buggy issue. The only time you should move from compliant to unknown is if you had a new RADIUS session. The PRA state would be compliant to non-compliant if the user fails a mandatory check. Otherwise should stay compliant.
04-02-2018 10:09 AM
You could have one posture policy which is applied at initial login and subject to Posture Lease and another posture policy which occurs at interval after login and is subject to Posture Reassessment.

04-02-2018 09:05 PM
That's how I created the policies: I have a separate one for PRA and another for initial assessment.
The issue, however, is that every 4 hours (configured in PRA), the lease breaks and the endpoint moves to non-compliant, as can be observed in the authorization policies below.
I'm guessing this might be a bug like Jason mentioned.
