2505 Views, 0 Helpful, 6 Replies

Posturing, ISE and ASA

Males
Level 1

Hi


We are currently working on setting up the posture for a certain subset of our users. Now I have defined a policy to get my test user out of the loop, authenticate and authorize it. My coworker has been doing the tests with the test user's creds. However we now see that posture is checked every time he logs in, regardless of the conditions or whether he uses the test user or his own creds. Is that to be expected? Can't we hide it if it's not in use?


We are thinking of distributing the AnyConnect bundle with the posture module, but we are concerned that it's not such a good idea after all, because the posture itself is meant to be used by only a subset of our users...


Thanks


Mae

6 Replies

Mike.Cifelli
VIP Alumni
However we now see that posture is checked every time he logs in, regardless of the conditions or whether he uses the test user or his own creds. Is that to be expected? Can't we hide it if it's not in use?
-Yes, you can trigger the CPP policy only when certain conditions are met. In a non-matching policy case the ISE posture policy would reflect something along the lines of 'System Scan not required on current Wi-Fi', or another message telling the end user that a system scan is not required. My recommendation is to go into ISE and, under your Client Provisioning Policies, identify something under 'other conditions' that you can match specifically to trigger posture assessment on your respective subnets. Then your other subnets will not match and will not go through posture assessment, which is when they would see one of the 'not required' messages. An example of what I use to perform posture checks only on certain VPN users is the following condition: Cisco-VPN3000: CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS <name>. You just need to identify/test what conditions/attributes work best for your environment. HTH!

Thank you Mike for your prompt reply.


I tried in my conditions to specify a user group not to check. Same ASA.

We do have the message that the posture is not needed on the wireless network (we are posturing on VPN anyways). 

However when we try to log in, it still checks it.


I'd really like for it not to posture AT ALL if it's not the right group.


Can you share your CP Policy and conditions in detail? And any additional host information that may better assist with troubleshooting.

Hi


Not sure of the details you're really interested in.

My posture config is just a test. It's enabled only if someone shows up with the username XXXX.

Else you are in the old policy we had before we even had posture. So no posture checks are enabled.


[Attachment: Screen Shot 2020-04-14 at 3.52.51 PM.png]

BTW it's posturing but not enforcing. 

Through my tests today I was able to confirm that.


The concern is that the users may complain and it may generate unnecessary tickets.


The concern is that the users may complain and it may generate unnecessary tickets.
-Complain that the AnyConnect ISE Posture Module runs and reports things to the users? Have you considered running in stealth mode? (AnyConnect can act in either clientless or standard mode. When stealth mode is enabled, it runs as a service without any user interface.) My recommendation would be to build out separate authz result profiles for each unique network scenario, and also set up different CP policies (under Policy->Client Provisioning) with separate conditions there. That way you will only perform posture checks as needed for your respective end result. If you would like further help, please share how your CP Policies are set up. Also, I suggest taking a look here to gain a better understanding of the solution:
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
HTH!
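As an added illustration (not code from this thread or from Cisco), a simplified Python model of how a Client Provisioning Policy decides who gets the posture module: one broad VPN rule scans every VPN login, whereas scoping the rule on the Tunnel-Group-Name attribute Mike mentions, with a posture-free AnyConnect rule below it, leaves everyone else with "not required". The top-down first-match evaluation, the tunnel-group name, the usernames and the sessions are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Session:
    """Attributes ISE sees for one login (constructed sample data)."""
    username: str
    tunnel_group: Optional[str]  # Cisco-VPN3000 ...-Tunnel-Group-Name; None off VPN
    network: str                 # "VPN" or "Wireless"

@dataclass(frozen=True)
class CPPRule:
    name: str
    matches: Callable[[Session], bool]
    pushes_posture_module: bool  # True: AnyConnect ISE Posture module runs a system scan

def evaluate_cpp(rules: List[CPPRule], session: Session) -> Tuple[str, bool]:
    """Simplified CPP evaluation: top-down, first matching rule wins (assumption)."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.pushes_posture_module
    return "no-match", False  # ISE would show a 'system scan not required' message

PILOT_TUNNEL_GROUP = "POSTURE-PILOT"  # placeholder tunnel-group name, not a real value

# Scenario A: a single rule for all VPN logins, so every VPN user is scanned.
BROAD = [CPPRule("VPN-AnyConnect-Posture", lambda s: s.network == "VPN", True)]

# Scenario B: scope posture on the tunnel group; other VPN users get AnyConnect
# without the posture module and never see a system scan.
SCOPED = [
    CPPRule("VPN-Pilot-Posture",
            lambda s: s.network == "VPN" and s.tunnel_group == PILOT_TUNNEL_GROUP, True),
    CPPRule("VPN-Everyone-Else", lambda s: s.network == "VPN", False),
]

SESSIONS = [  # constructed logins: a pilot user, a colleague on VPN, the same colleague on Wi-Fi
    Session("test-user", PILOT_TUNNEL_GROUP, "VPN"),
    Session("coworker", "CORP-VPN", "VPN"),
    Session("coworker", None, "Wireless"),
]

def scanned_users(rules: List[CPPRule]) -> List[str]:
    """Return the sorted set of usernames whose login triggers a posture scan."""
    return sorted({s.username for s in SESSIONS if evaluate_cpp(rules, s)[1]})

if __name__ == "__main__":
    print("broad :", scanned_users(BROAD))   # ['coworker', 'test-user']
    print("scoped:", scanned_users(SCOPED))  # ['test-user']
```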