Posture status compliant even when AnyConnect not installed

dgaikwad
Level 5

Hi Experts,
ISE 2.6, standalone configuration.
Scenario:
There are two endpoints on which AnyConnect was installed last week; this week AnyConnect was uninstalled to verify the posture assessment flow.
But instead, the endpoints get full access to the network without going through the posture cycle at all.

Checked:
There is no AnyConnect installed.

Rebooted the endpoints multiple times after uninstalling AnyConnect.
Moved between the wired and wireless networks.
Connected another endpoint to the same interface where these are connected; those endpoints get redirected (if AnyConnect is not installed) or go through the posture checks (if AnyConnect is installed).

Further:
When I checked the endpoints, I saw that the posture session status attribute shows the endpoint as compliant, so even when I log out and log back in, it is still termed compliant.
I even tried deleting the endpoint MAC address, but the posture status comes back as compliant when the endpoint is connected.
But if the session for this endpoint is terminated manually from Live Sessions, then posture works as configured.

It's like ISE is storing the posture status of those endpoints even when there is no AnyConnect to report a posture status.

Any pointers as to why this would be happening?

11 Replies

Mike.Cifelli
VIP Alumni
I would take a look at the following:
-Any chance you set up another ISE posture profile to run in stealth mode (clientless, as a service) that may somehow be getting referenced?
-Verify that your client provisioning policies are set up properly for how you wish to steer certain assets to be provisioned/postured. It may not be a bad idea to disable all of them and run the tests again, to ensure you no longer see the 'compliant' status in the log.
"Connected another endpoint to the same interface where these are connected; those endpoints get redirected (if AnyConnect is not installed) or go through the posture checks (if AnyConnect is installed)."
-Take a look again at your authz policies. This sounds like an issue with your authz configuration.
If possible, are you able to share the CPP policies, RADIUS authz policies, and posture profile/AnyConnect profile configuration? HTH!

Sure, I will get those policies for you.
But the question that is bothering me is: even when there is no AnyConnect installed or running on the client, how is it possible to mark the endpoint as compliant?
And yes, there is only one CPP configured at the moment, and there are no other policies to intervene...

poongarg
Cisco Employee

-Check whether Posture Lease and Cache Last Known Posture Compliant Status (Grace Period) are configured under Administration > System > Settings > Posture > Posture General Settings.

When the posture lease is active, Cisco ISE will use the last known posture state and will not reach out to the endpoint to check for compliance. But when the posture lease expires, Cisco ISE does not automatically trigger a re-authentication or a posture reassessment for the endpoint. The endpoint will stay in the same compliance state since the same session is being used. When the endpoint re-authenticates, posture will be run and the posture lease time will be reset.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010110.html#reference_0CB881C7DFAE41228EAE8F23F3360B17


Refer to the Cisco Live session BRKSEC-3697.pdf below:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3697.pdf

Since this is a new setup, I am sure there is no PRA set up at the moment, as it is currently just a pilot run.
My second observation was that even when I deleted the endpoint from ISE and reconnected it, the endpoint does not go for the posture check or get redirected to the CPP (as configured: if the posture status is unknown, apply the CPP redirect page).
The endpoint attributes still show its posture status as compliant!

MALi-786
Level 1
Hi,

I think you need to check the posture reassessment timer. If the timer is set higher than the interval you are testing with, it will always show compliant (if the machine was compliant the first time).

You can change this to "every time the user logs in".

I hope it will work.

thomas
Cisco Employee

Ultimately you are asking about the authorization of your posture policy, and you didn't provide/show your policy, nor did you provide any ISE Live Log information about which authorization rules your endpoints matched. ISE has excellent log details per authentication that help you with this. Please provide this critical information in the future.

Are you using the default posture authorization rules or did you delete/change them? What order are they in?

image.png

I have configured the posture policy as follows:
Screenshot (146).png

The thing is that if I connect any other endpoint, the endpoints go through the flow as configured here: if there is no AnyConnect installed, get the CPP page, install AnyConnect, posture the endpoint and get the final access.
If AnyConnect is already installed, then run posture and get the final access.

The endpoint that I am struggling with had AnyConnect installed using the above flow. AnyConnect was uninstalled, the endpoint rebooted and then connected to the network (wired or wireless); both have the same behavior! The endpoint gets the access that is specified for the posture status compliant!

This is the same endpoint: even after deleting its MAC address from ISE and reconnecting it to the network, ISE still reports it as compliant, so the endpoint always ends up getting the final posture-compliant access.

The other thing is that if I go to Live Sessions and terminate its session, then the endpoint will start coming through the flow that I have configured above...!! I hope this clears up the scenario?

That's interesting..

Check the "Posture Lease" and "Cache Last Known Posture Compliant Status" settings under Administration > System > Settings > Posture > General Settings.

Usually ISE will give compliant status irrespective of new/old session if the posture lease is set for X days.

Here are the settings; as far as I can see, there is no posture lease configured for this environment...
posture - general settings.jpg
The other observation is that today, when the same endpoint was connected back, it went through posture as configured: first hitting the CPP page, then downloading AnyConnect and running posture, and after compliance, full access to the network.

Does this mean that the entry for this endpoint was "stuck" in some sort of cache on ISE?

I am not sure...

Usually when no posture lease is given, the endpoint has to go through the posture flow normally. "Cache Last Known Posture Compliant Status" is only applicable when an endpoint goes non-compliant (having previously been compliant), to get the grace period as configured.

ISE gives an option to grant a grace period of compliant access to endpoints with the help of "Cache Last Known Posture Compliant Status".

Snippet from the documentation for "Cache Last Known Posture Compliant Status":

Grace Period for Noncompliant Devices—Cisco ISE provides an option to configure grace time for devices that become noncompliant. Cisco ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and provides grace time for the device, during which the device is granted access to the network. You can configure the grace time period in minutes, hours, or days (up to a maximum of 30 days). The Posture Assessment by Endpoint report is updated and displays a Grace Compliant status for an endpoint that is currently not compliant, but is under the grace period.
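To make the three mechanisms discussed in this thread concrete (a posture result that is kept for the life of a RADIUS session until re-authentication, as in poongarg's reply above; the Posture Lease; and the Cache Last Known Posture Compliant Status grace period quoted just above), here is an added Python model. It is not ISE code and not from any poster; the per-session versus per-endpoint bookkeeping is an assumption about how ISE behaves, drawn from the documentation text quoted in the thread, not ISE's real data model. The MAC address, session IDs and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Posture statuses as they appear in ISE reports; GRACE is the "Grace Compliant"
# state of the Posture Assessment by Endpoint report.
COMPLIANT, NONCOMPLIANT, GRACE, UNKNOWN = "Compliant", "NonCompliant", "GraceCompliant", "Unknown"


@dataclass
class PostureSettings:
    """Administration > System > Settings > Posture > General Settings (modelled)."""
    lease_days: int = 0                       # Posture Lease; 0 = posture on every new session
    grace_period: Optional[timedelta] = None  # Cache Last Known Posture Compliant Status


@dataclass
class EndpointRecord:
    mac: str
    last_status: str = UNKNOWN
    last_compliant_at: Optional[datetime] = None  # when the agent last reported Compliant


@dataclass
class Decision:
    status: str
    ran_posture: bool
    reason: str


@dataclass
class PostureState:
    """What ISE keeps between authentications (an assumption for this model, not ISE's
    schema): one posture result per live RADIUS session, plus per-endpoint lease/grace
    bookkeeping. Deleting the endpoint leaves the session entry alone; terminating the
    session removes it. That split is what the thread's symptoms point at."""
    sessions: Dict[str, str] = field(default_factory=dict)            # session_id -> status
    endpoints: Dict[str, EndpointRecord] = field(default_factory=dict)

    def delete_endpoint(self, mac: str) -> None:            # Context Visibility > delete
        self.endpoints.pop(mac, None)

    def terminate_session(self, session_id: str) -> None:   # Live Sessions > terminate
        self.sessions.pop(session_id, None)


def evaluate(state: PostureState, cfg: PostureSettings, now: datetime,
             mac: str, session_id: str, agent_result: Optional[str]) -> Decision:
    """Status ISE applies to this endpoint on this session. agent_result is what the
    agent would report if posture actually ran: COMPLIANT, NONCOMPLIANT, or None when
    no agent is installed/reporting."""
    # 1. Same RADIUS session still alive: nothing is re-evaluated; the cached result
    #    stands even if the agent is gone or a lease has since expired.
    if session_id in state.sessions:
        return Decision(state.sessions[session_id], False,
                        "same session still active; no reassessment until re-authentication")

    rec = state.endpoints.setdefault(mac, EndpointRecord(mac))

    # 2. Posture lease: inside the window ISE reuses the last known compliant state
    #    without contacting the endpoint (modelled as starting at the last compliant result).
    if cfg.lease_days > 0 and rec.last_status == COMPLIANT and rec.last_compliant_at:
        lease_end = rec.last_compliant_at + timedelta(days=cfg.lease_days)
        if now < lease_end:
            state.sessions[session_id] = COMPLIANT
            return Decision(COMPLIANT, False, f"posture lease active until {lease_end:%Y-%m-%d %H:%M}")

    # 3. Posture actually runs on this new session.
    if agent_result == COMPLIANT:
        rec.last_status, rec.last_compliant_at = COMPLIANT, now   # lease clock resets
        reason = "agent reported compliant"
    elif agent_result == NONCOMPLIANT:
        in_grace = (cfg.grace_period is not None and rec.last_compliant_at is not None
                    and now - rec.last_compliant_at <= cfg.grace_period)
        rec.last_status = GRACE if in_grace else NONCOMPLIANT
        reason = "previously compliant, inside grace period" if in_grace else "agent reported noncompliant"
    else:
        rec.last_status = UNKNOWN
        reason = "no agent report; client provisioning (CPP) redirect applies"
    state.sessions[session_id] = rec.last_status
    return Decision(rec.last_status, True, reason)


def replay_thread_scenario() -> List[Decision]:
    """The thread's case: compliant last week, AnyConnect removed this week, no lease, no grace."""
    cfg, st = PostureSettings(), PostureState()
    t0, mac = datetime(2020, 3, 2, 9, 0), "00:11:22:33:44:55"   # constructed values
    out = [evaluate(st, cfg, t0, mac, "sess-1", COMPLIANT)]                               # last week, agent present
    out.append(evaluate(st, cfg, t0 + timedelta(days=7), mac, "sess-1", None))             # agent gone, session alive
    st.delete_endpoint(mac)                                                                # delete MAC from ISE
    out.append(evaluate(st, cfg, t0 + timedelta(days=7, minutes=10), mac, "sess-1", None))  # still Compliant
    st.terminate_session("sess-1")                                                         # terminate in Live Sessions
    out.append(evaluate(st, cfg, t0 + timedelta(days=7, minutes=20), mac, "sess-2", None))  # now Unknown -> CPP
    return out


def lease_and_grace_examples() -> Dict[str, Decision]:
    """Same flow with a 30-day lease, and with a 1-day grace period."""
    t0, out = datetime(2020, 3, 2, 9, 0), {}
    st, cfg = PostureState(), PostureSettings(lease_days=30)
    evaluate(st, cfg, t0, "aa:bb:cc:dd:ee:01", "s1", COMPLIANT)
    out["lease"] = evaluate(st, cfg, t0 + timedelta(days=7), "aa:bb:cc:dd:ee:01", "s2", None)
    st, cfg = PostureState(), PostureSettings(grace_period=timedelta(days=1))
    evaluate(st, cfg, t0, "aa:bb:cc:dd:ee:02", "s3", COMPLIANT)
    out["grace_inside"] = evaluate(st, cfg, t0 + timedelta(hours=12), "aa:bb:cc:dd:ee:02", "s4", NONCOMPLIANT)
    out["grace_expired"] = evaluate(st, cfg, t0 + timedelta(days=2), "aa:bb:cc:dd:ee:02", "s5", NONCOMPLIANT)
    return out


if __name__ == "__main__":
    for d in replay_thread_scenario():
        print(f"{d.status:15} ran_posture={d.ran_posture!s:5} {d.reason}")
```

Run stand-alone, the replay prints Compliant, Compliant, Compliant, Unknown: the cached result survives the agent being removed and the endpoint being deleted, and only a new session (terminated in Live Sessions, or a CoA/re-authentication) makes posture run again, which matches what the original poster observed. The lease example shows why a configured lease would produce the same "compliant with no agent" picture on a fresh session, and the grace example shows that Cache Last Known Posture Compliant Status only ever turns a NonCompliant result into Grace Compliant; it never makes an unknown endpoint compliant, so it does not explain this thread's case.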

As of now this is not the case; any other ideas on how to approach this scenario?
Since it is only seen on one endpoint, I am not sure whether this will start happening for multiple endpoints when we move to a full-blown production deployment.