Prevent Posture via policy?

WILLIAM BAUER (Level 1)

We have a situation where some overly helpful staff have installed the posture module on clients that don't yet need it.  Because we are phasing it into a legacy network, it's difficult to isolate them and to fully explain our situation, but the problem is that these machines are sending in posture reports and receiving a popup to install security software if they are noncompliant.  If they close the popup, everything works fine because they are not yet subject to our NAC policies.

I know this isn't an ideal setup, but is there a way via ISE policy to ignore their machine posture reports and prevent the popup, or do I need to push an ACL to them blocking TCP port(s) 8905 and possibly 8443 to the ISE nodes--or other ports?

We can't remotely remove the posture module on these systems.  I need either to prevent this behavior via ISE policy or ACL pushed by the policy.  I'd prefer not to use the ACL solution unless absolutely necessary.

Thanks for any help!

4 Replies

WILLIAM BAUER (Level 1)

And we're on ISE 3.1, soon to be 3.3.

I'm not aware of a way to "block" a posture flow if the agent reaches out.  I would take the dACL route until you can get the Posture module fully removed.
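For reference, this is what the dACL suggested above would look like in ISE's Downloadable ACL syntax (Cisco extended-ACL lines without the `access-list` keyword). It is an added example, not text from the thread: the PSN address is a placeholder, and it blocks only the two ports the question names, leaving everything else permitted so the clients stay on their pre-NAC access.

```text
! Added example dACL (name it e.g. "BLOCK_POSTURE_AGENT" in ISE, assumed name)
! <ISE-PSN-IP> is a placeholder; repeat the deny lines for each Policy Service Node
deny   tcp any host <ISE-PSN-IP> eq 8905
deny   tcp any host <ISE-PSN-IP> eq 8443
permit ip  any any
```

Attach the dACL to the authorization result that these clients currently hit; the permit-any line keeps their existing reachability, while the denies stop the agent's posture report and the client-provisioning portal redirect that produces the popup. Remove the dACL from the authorization profile once the posture module has been uninstalled, or the machines will silently fail posture when the NAC phase does reach them.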

ammahend (VIP Alumni)

For a new device the posture status will be unknown; you can always set up a policy where, if the posture is unknown, the result is permit access or something else you want. You can try that.

-hope this helps-

Is that on all clients or only some? If only some, how about creating a new AD group, putting them into that group, and then creating "exception" policies on ISE for their posture? If this is required on all clients, then I think you can just disable the posture actions in the posture policy.