
Reporting - How to generate reports for compliant and non-compliant endpoints?

Hi Experts,

 

Last time I was able to generate a report number using the radius authentication report from Reporting.

But, it does not contain the number of devices that are compliant and non-compliant!

There is a report in ISE, Posture Assessments by Endpoints, but it does not contain the data regarding where the endpoints are coming from (like there is location in the report for RADIUS authentications).

We are interested in generating these reports, so that they will give a bigger picture of the number of devices that are compliant and have AnyConnect installed at the right version.

Using this data, there will then be a go/no-go decision on moving to closed mode.

 

So, what we are looking for is:

1. The list of compliant endpoints, which could be sorted according to location.

2. For the compliant/non-compliant endpoints, could we have a list as per the posture conditions they are compliant with?

Is this something that could be achieved using ISE's built-in reporting capability (I feel that it's pretty much limited, but nonetheless)?

 

Any inputs and pointers appreciated.

1 ACCEPTED SOLUTION


There are two reports.  The Posture by Endpoint report will show you the reports submitted by each client.  In audit mode they will say compliant, but if you look into the details of the report you can see each condition and which ones failed.

 

The report you want is the Posture by condition report and then you can filter by Failed to see which conditions are failing.


5 REPLIES 5
Highlighted
Contributor

There is one more thing that I forgot to add.

Since all the posture rules are in audit mode, when I run the report, I see all the endpoints as compliant.

The rules are kept in audit mode, so that we could capture the list of failed, non-compliant endpoints and take action on them before moving on to enforced or mandatory mode.

So, even when certain endpoints have failed a condition, they will still be reported as compliant, unless I make that posture check mandatory.

 

Highlighted

Yes, I have been using that same report to get an idea of who are failing on what condition.

But then, the condition that I had created had other conditions within it, for example, 32 or 64 anti-virus check or anti-virus ver 12.x or 14.x.

Now what is happening is that I see an endpoint in failing as well as passed conditions, so I have to extract the report for failed and passed.

Then, using Excel, I filter and compare them across both reports, then take the unique IDs; the ones I get are those who are not at all compliant with any of the set conditions.

If only ISE had this built in, it would have saved so much manual labor!
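
The manual Excel comparison described in the post above can be scripted. This is an added example, not part of the original thread and not ISE functionality: it takes the failed and passed exports of the Posture by Condition report plus an export of the RADIUS authentication report, and lists endpoints that failed at least one condition and passed none, grouped by location. The column names (`Endpoint ID`, `Condition`, `Location`) and the sample rows are assumptions constructed for illustration.

```python
import csv, io
from collections import defaultdict

# Column names are assumptions; rename to match the headers in your exports.
ID_COL, COND_COL, LOC_COL = "Endpoint ID", "Condition", "Location"

def norm_mac(value):
    """Normalize a MAC so 'aa-bb-..' and 'AA:BB:..' compare equal."""
    return "".join(c for c in value.upper() if c in "0123456789ABCDEF")

def rows(text):
    return list(csv.DictReader(io.StringIO(text.strip())))

def never_compliant(failed_csv, passed_csv, auth_csv):
    """Endpoints that failed at least one condition and passed none, by location."""
    passed = {norm_mac(r[ID_COL]) for r in rows(passed_csv)}
    location = {norm_mac(r[ID_COL]): r[LOC_COL] for r in rows(auth_csv)}
    failed = defaultdict(set)
    for r in rows(failed_csv):
        failed[norm_mac(r[ID_COL])].add(r[COND_COL])
    result = defaultdict(dict)
    for mac, conds in failed.items():
        if mac not in passed:  # appears only in the failed export
            result[location.get(mac, "unknown")][mac] = sorted(conds)
    return {loc: eps for loc, eps in sorted(result.items())}

# Constructed sample exports (not real ISE output).
FAILED = """
Endpoint ID,Condition
AA:BB:CC:00:00:01,AV_ver_12
AA:BB:CC:00:00:01,AV_ver_14
AA:BB:CC:00:00:02,AV_ver_12
aa-bb-cc-00-00-03,AV_ver_14
"""
PASSED = """
Endpoint ID,Condition
AA:BB:CC:00:00:02,AV_ver_14
"""
AUTH = """
Endpoint ID,Location
AA:BB:CC:00:00:01,All Locations#HQ
AA:BB:CC:00:00:02,All Locations#HQ
"""

if __name__ == "__main__":
    for loc, eps in never_compliant(FAILED, PASSED, AUTH).items():
        for mac, conds in eps.items():
            print(loc, mac, ", ".join(conds))
```

Endpoints with no matching row in the authentication export are grouped under `unknown` rather than dropped, so they still show up in the non-compliant count.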

Highlighted

Don't add multiple conditions together in a rule. I typically have single conditions in my posture rules, but that may not be feasible depending on what you are all checking for.


Highlighted

The reason I added multiple rules was because posture rules are not executed in the order they are created. Due to this, AnyConnect used to get stuck at a condition (e.g. it would get stuck on checking the anti-virus service, even when anti-virus was not installed on the endpoint).

To avoid this scenario, I added them in a single rule in the order that I preferred, thus eliminating this behavior.