Posture not working

Hi Experts,

We're running ISE on patch 2.6 and we've configured remote access VPN using ISE posture. Recently upgraded our AnyConnect from 4.8.02045 to 4.10.03104 via Pre-deploy ZIP file using SCCM, but the agent isn't able to detect the definition version and the installed date on the end-users' PCs. This is working fine as expected on AnyConnect 4.8. I've checked the compatibility matrix for Windows Defender, which requires a minimum Compliance Module version of 4.2, and we've installed a newer version to support this as well.

Not sure what we've missed. Any idea? Thanks in advance.

Windows Defender: 4.X

Cisco ISE: 2.6

Compliance Module: 4.3.1728.6145

Anyconnect: 4.8.02045 (working)

Anyconnect: 4.10.2086 or 4.10.03104 (not working)

Cisco ASA: 9.8.4

7 Replies

Mike.Cifelli
VIP Alumni

A few things:

-Have you run a DART bundle and looked at the logs? Anything in particular that you could share that may better assist the community in helping you troubleshoot?

-What does the posture module display on failure?

-Do you have the respective necessary files here still: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture

-What about your ISE CPP and posture policies? Anything there that may be preventing the bypass of posturing?

Hi @Mike.Cifelli 

Thanks for your reply. DART bundle has been requested from the end-users PC.

Users are able to connect to VPN successfully, but the Windows Defender definition date and version aren't populating in the posture module on 4.10, which works fine on 4.8.

Recently AC has been upgraded to 4.10 via SCCM. Users are running AC 4.10 on the client machines, but the AnyConnect configuration on the Cisco ASA and Cisco ISE has yet to be pointed to 4.10 (still configured as 4.8, as the ASA is the head-end device, which doesn't allow the staged upgrade).

Is this something that is creating issues as I know only system scan or compliance module is responsible for performing the posture assessment?

Mike.Cifelli
VIP Alumni

Users are able to connect to VPN successfully, but the Windows Defender definition date and version aren't populating in the posture module on 4.10, which works fine on 4.8.

-I would double check how the posture requirement is set for your Windows Defender definition rule. I would also look at the posture policy that the requirement is assigned to as well. Maybe the 4.10 clients are not matching. Also, for reference here is the compatibility link: Cisco Identity Services Engine - Compatibility Information - Cisco

(still configured as 4.8, as the ASA is the head-end device, which doesn't allow the staged upgrade).

Is this something that is creating issues as I know only system scan or compliance module is responsible for performing the posture assessment?

-Just so you are aware, the ASA has the ability to auto-upgrade clients upon new VPN connections via webdeploy. This method is actually quite simple and effective.

-All in all, I am thinking your new 4.10 clients for whatever reason are not matching policies, but it's hard to call without digging deeper. At least a couple of things for you to look into.

Hi @Mike.Cifelli 

Apologies for the confusion if I failed to explain the exact issue to you.

My understanding is that the System Scan module would be able to proactively collect the products running on the user's PC, and this can be checked by navigating to AnyConnect -> Settings -> System Scan -> Security Products. This doesn't require any posture policy to collect this info.

Here it'd show the Windows Defender Anti-Malware (AM) version installed, the latest definition version and the definition date, which doesn't seem to be auto-populating on AC 4.10 but works perfectly on AC 4.8.

Hope that helps.

Hi @Mike.Cifelli 

In addition to the above, I would like to seek your expertise on the below. AC 4.10 is running on a Test PC, and still the ASA/ISE is configured with AC 4.8.

Please note, this is a Test PC (4.10) and still the ASA/ISE is running on 4.8. We've not rolled out AC 4.10 to everyone as it'd break the posture.

Peter Koltl
Level 7

Did the predeploy package contain an isecompliance-4.3.xxxxx-predeploy MSI file?

Is a Compliance Module installed on the client? (Check in Windows installed programs list)

If not, the CM should be downloaded on first connect (if Client provisioning policy is correct).

The definition version is not populated until the first posture check (with the CM present).

4.10 does not work with some old CM versions, especially under 4.3.1680.
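As an added diagnostic, not part of this thread and not Cisco's tooling, the PowerShell below runs the local checks Mike.Cifelli and Peter Koltl describe on the affected client: whether the ISE Posture directory still exists, whether a Compliance Module appears in the installed programs list and at what version (compared against the 4.3.1680 floor mentioned above), and what Windows Defender itself reports for its definition version and date, so the result can be compared with AnyConnect -> Settings -> System Scan -> Security Products. The directory path and version threshold come from the thread; the `*Compliance Module*` display-name pattern used to find the registry entry is an assumption and may need adjusting.

```powershell
# Added example (not from the thread or from Cisco): local prerequisite checks for
# ISE Posture / Compliance Module, plus Windows Defender's own definition status.

# 1. Posture directory Mike.Cifelli asked about.
$posturePath = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture'
$postureDirPresent = Test-Path -LiteralPath $posturePath
Write-Host "ISE Posture directory present: $postureDirPresent ($posturePath)"
if ($postureDirPresent) {
    Get-ChildItem -LiteralPath $posturePath -File |
        Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
}

# 2. Installed programs list (what Peter Koltl asked to check), read from the
#    standard Uninstall registry keys for 64-bit and 32-bit packages.
#    The display-name pattern below is an assumption; adjust it to match your entry.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ciscoEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*AnyConnect*' -or $_.DisplayName -like '*Compliance Module*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate
$ciscoEntries | Format-Table -AutoSize

$cm = $ciscoEntries | Where-Object { $_.DisplayName -like '*Compliance Module*' } | Select-Object -First 1
if (-not $cm) {
    Write-Warning 'No Compliance Module in installed programs; client provisioning should push it on first connect.'
} else {
    # Peter's note: 4.10 does not work with some old CM versions, especially under 4.3.1680.
    $minCm = [version]'4.3.1680'
    try {
        if ([version]$cm.DisplayVersion -lt $minCm) {
            Write-Warning "Compliance Module $($cm.DisplayVersion) is below $minCm; upgrade it before pairing with AnyConnect 4.10."
        } else {
            Write-Host "Compliance Module $($cm.DisplayVersion) meets the $minCm floor."
        }
    } catch {
        Write-Warning "Could not parse Compliance Module version '$($cm.DisplayVersion)'."
    }
}

# 3. What Windows Defender reports locally; compare these values with what
#    System Scan -> Security Products shows for definition version and date.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AMProductVersion              = $mp.AMProductVersion
        AMEngineVersion               = $mp.AMEngineVersion
        AntivirusSignatureVersion     = $mp.AntivirusSignatureVersion
        AntivirusSignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
        AntispywareSignatureVersion   = $mp.AntispywareSignatureVersion
    } | Format-List
} else {
    Write-Warning 'Defender PowerShell module not available on this host.'
}
```

Run it on the 4.8 client and the 4.10 test PC and diff the output: if the Compliance Module entry and the Defender signature values are identical on both, the difference lies in the 4.10 agent's detection rather than in the client's prerequisites, which is the kind of concrete detail worth attaching alongside the DART bundle.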

Hi @Peter Koltl 

Thanks for the reply.

We've already installed/upgraded the compliance module to (4.3).

Also, can you please brief on the below?

"The definition version is not populated until the first posture check (with the CM present)"

The Compliance Module (4.3) is installed and works fine with AC 4.8 in detecting the Anti-Malware: Windows Defender. But when AC 4.10.3 is installed with the same Compliance Module (4.3), it's not able to detect and pre-populate the AM definition date.

And, we're already posturing the users against the 'Application' and 'Service check' which is done successfully.

Due to the above-mentioned behavior, we've not configured the definition checks, and the client suggested fixing it before configuring it even in 'Audit' mode.

Earlier in the Cisco support forums, some concerns were raised about AnyConnect detecting the AV/AM: Windows Defender, and the bug ID CSCvy92443 is showing as 'fixed'. I'm not sure if that's still the case for 4.10.3. Any assistance would be much appreciated.
