01-07-2020 03:51 AM
Hello All
using ISE 2.2- client = anyconnect 4.6
getting ready to deploy posture checking :
when testing - forcing failures / successes - we were using a restart of the
cisco anyconnect secure mobility ISE posture agent - services, in order to repeat testing - get the host scanning again
As we're not expecting end users to do this - we used ISE Posture Profile Editor on the selected host and entered the recommended entry of
<EnableRescanButton>1</EnableRescanButton>
to the xml file
in order to perform a rescan ....this runs fine once.! after which I believe the following is occurring -
the client has made contact with ISE - which enforces its configured setting in
AnyConnect Configuration >Profile Selection >* ISE posture setting
in the Posture Agent Profile Settings we have defined I cannot see a field to enforce rescan ?..... is this s/w version related / if so, is there a workaround - or have I just missed a trick here ?
your continued support is greatly appreciated
01-08-2020 03:09 AM
ok ladies & gentlemen
please stand down ...as we've managed to work it out ...
Ironically we had tried this previously , however, not in the correct way ....due to restricted access of the testing client we couldn't copy the *iseposture*.xml off the host after editing - so we rudimentarily copied the .xml into notepad ++ and saved a .xml - tried to use that as a -
AnyConnect Configuration > AnyConnect Posture Agent Profile
when we did this the hash value was accepted ...however, we saw an error message when we tried to bind that to our posture agent profile ( must have been because of the c'n''p - saving a txt as an .xml)
anyways - luckily the testing client could browse to the ISE - so we imported the /agent/ as a /customer created package/ from local disk - assigned this to our relevant / AnyConnect Posture Agent Profile/ and bingo -
the rescan button stays intact post ISE comms
thanks to all for looking / responding
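
A pre-upload sanity check for a hand-edited posture profile, added here as an example and not part of the original posts or of any Cisco tooling: it confirms the copy is still well-formed XML and that `EnableRescanButton` is present exactly once with value 1. The sample documents and their root element name are constructed placeholders, and the element is assumed to be findable anywhere in the tree.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples. "Profile" is a placeholder root name (assumption);
# a real posture profile carries many more settings than shown here.
GOOD = (b"<?xml version='1.0' encoding='UTF-8'?>\n"
        b"<Profile><EnableRescanButton>1</EnableRescanButton></Profile>")
DISABLED = b"<Profile><EnableRescanButton>0</EnableRescanButton></Profile>"
MISSING = b"<Profile><Other>1</Other></Profile>"
# Copy that lost its closing tag, e.g. an incomplete paste into an editor.
TRUNCATED = b"<Profile><EnableRescanButton>1</EnableRescanButton>"


def local_name(tag):
    """Strip an XML namespace prefix of the form {uri}name."""
    return tag.rsplit("}", 1)[-1]


def check_rescan_setting(xml_bytes):
    """Return (status, detail) for a posture profile given as raw bytes.

    status is one of: malformed, missing, duplicate, enabled, disabled.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        # Parser message includes line and column of the first problem.
        return ("malformed", str(exc))
    values = [(el.text or "").strip() for el in root.iter()
              if isinstance(el.tag, str)
              and local_name(el.tag) == "EnableRescanButton"]
    if not values:
        return ("missing", "no EnableRescanButton element found")
    if len(values) > 1:
        return ("duplicate", "found %d EnableRescanButton elements" % len(values))
    if values[0] == "1":
        return ("enabled", "EnableRescanButton is 1")
    return ("disabled", "EnableRescanButton is %r" % values[0])


if __name__ == "__main__":
    # Usage: python check_profile.py <path-to-edited-profile.xml>
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            print(*check_rescan_setting(fh.read()), sep=": ")
    else:
        for name in ("GOOD", "DISABLED", "MISSING", "TRUNCATED"):
            print(name, *check_rescan_setting(globals()[name]), sep=": ")
```

Reading the file as bytes lets the parser honour the encoding named in the XML declaration instead of whatever the editor or terminal assumed.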
01-07-2020 06:10 AM
01-08-2020 02:13 AM
Thanks Mike
took a look where you suggested
- however, the lowest interval on reassessment is 1hr in these settings ? This period for a failed compliant / rescan is obviously too long for us
In our scenario - we wish to see if the client fails compliance - they can try again at the client's will - ideally using the rescan button ( in POC we've been restarting the service - not an option for users)
please refer to attached as an overview of what we're experiencing