Remove Posture Status before lease expiration

Steve Talbert
Level 1

We are running ISE 2.2 with patch 6 currently.


I am wondering how to remove the posture status of an endpoint, so I can test changes to posture policy.  The clients in question are Mac OSX both High Sierra and Mojave.  Specifically, I am trying to test client provisioning to push new versions of AnyConnect, but they aren't installing since the device is coming in with a successful posture check, and the posture lease hasn't expired.


I tried to remove the endpoint from ISE, which I would have assumed would reset this, but I think ISE might be getting confused, as these Macs are the newer touchbar types, and the device endpoint ID in the logs is using the MAC address for the touchbar rather than the NIC and they are all the same, so I have multiple entries with the same EndpointID, but different usernames, and they are all different devices.  There is also a device entry under the actual MAC address, which is the one I removed, but it is still registering with a successful posture check, despite the posture module not being installed on the endpoint.

3 Replies

Mike.Cifelli
VIP Alumni

Are your Posture leases set to 1 day? You can set them I believe between 1 to 365 days, or you can set the posture lease to perform posture assessment every time you connect to your network, which from my experience works great.  Administration->System->Settings->Posture->General Settings


You can also setup reassessments based on local layer 2 ISE endpoint identity groups.  Create a new group and add your MAC.  This may help with your MAC issue.  The reassessment can be setup in the same location where you configure your leases. 


HTH! 

Unfortunately, I can't change the lease timer as this is a production system. 


I'm not sure I fully follow what you mean about the separate endpoint groups to run reassessment against.  I would be interested in hearing more about that.

Under Administration->identity management->identities
Create an endpoint identity group, add your mac that you are testing. Then go to settings as defined earlier and for PRA setup reassessment that includes/maps to that group. Play with the settings. This should trigger a reassessment for that specific host even if lease is not expired. HTH
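The accepted approach above is a GUI procedure (create an endpoint identity group, add the test MAC, map a PRA reassessment to that group). The script below is an added example, not code from the thread or from Cisco, showing the same two steps driven through the ISE ERS REST API so the test group can be created and torn down repeatably without touching the global posture lease. It assumes ERS is enabled on the PAN with an ERS admin account, and that the resource paths `/ers/config/endpointgroup` and `/ers/config/endpoint` and the JSON shapes shown match the ERS schema (check them against `https://<ise>:9060/ers/sdk` on your own deployment). The hostname, credentials, group name and MAC are placeholders.

```python
"""Create an ISE endpoint identity group and statically assign one MAC to it
via the ERS API, so a PRA policy mapped to that group can be tested.

Assumptions (not from the forum thread): ERS enabled on port 9060, an ERS
admin account, and the resource paths / JSON field names below as the author
of this example understands the ISE ERS schema.
"""
import base64
import json
import re
import ssl
import urllib.request

ERS_PORT = 9060


def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF, the colon-separated upper-case
    form ISE shows as the endpoint ID. Accepts aabb.ccdd.eeff, aa-bb-cc-dd-ee-ff
    and bare aabbccddeeff; anything that is not 48 bits is rejected."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def endpoint_group_payload(name: str, description: str) -> dict:
    """Body for POST /ers/config/endpointgroup (assumed ERS schema)."""
    return {"EndPointGroup": {"name": name, "description": description}}


def endpoint_payload(mac: str, group_id: str) -> dict:
    """Body for POST /ers/config/endpoint (assumed ERS schema).
    staticGroupAssignment pins the endpoint to the group so the profiler
    cannot move it back out while the reassessment policy is being tested."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac),
                            "groupId": group_id,
                            "staticGroupAssignment": True}}


def id_from_location(location: str) -> str:
    """ERS answers a successful create with 201 and a Location header whose
    last path segment is the new object's id."""
    return location.rstrip("/").rsplit("/", 1)[-1]


class ErsClient:
    def __init__(self, host: str, user: str, password: str, verify_tls: bool = True):
        self.base = f"https://{host}:{ERS_PORT}/ers/config"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json",
                        "Accept": "application/json"}
        # Keep certificate verification on by default; only relax it for a lab
        # PAN with a self-signed certificate you have inspected.
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _request(self, method: str, path: str, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.headers.get("Location", ""), resp.read()

    def create_endpoint_group(self, name: str, description: str) -> str:
        location, _ = self._request("POST", "/endpointgroup",
                                    endpoint_group_payload(name, description))
        return id_from_location(location)

    def add_endpoint_to_group(self, mac: str, group_id: str) -> str:
        location, _ = self._request("POST", "/endpoint",
                                    endpoint_payload(mac, group_id))
        return id_from_location(location)


if __name__ == "__main__":
    # Placeholder values; replace with your own PAN and test Mac's NIC MAC.
    ise = ErsClient("ise-pan.example.internal", "ers-admin", "REPLACE_ME")
    gid = ise.create_endpoint_group("PRA-Test-Macs",
                                    "Temporary group for posture reassessment testing")
    eid = ise.add_endpoint_to_group("aabb.ccdd.eeff", gid)
    print(f"group {gid}, endpoint {eid}; now map a PRA to this group in "
          "Administration > System > Settings > Posture > Reassessments")
```

One caveat that matters for the situation in the original post: if a record for that MAC already exists in Context Visibility (the poster found one under the real NIC address), ERS refuses the POST as a duplicate, so the existing endpoint has to be updated in place (PUT on its id with the new `groupId`) rather than created. Also use the physical NIC's MAC, not the shared touchbar address the logs were showing, or the group will match every touchbar Mac at once.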