05-16-2019 06:02 AM - edited 05-16-2019 06:02 AM
ISE 2.3 patch 5
I am trying to clarify a few things with Temporal Agent. This is for wireless dual BYOD. Some answers were provided here but it's not really clear - https://community.cisco.com/t5/identity-services-engine-ise/byod-posture-temporal-agent-how-to-become-compliant-after-non/td-p/3793880
1. Once the posture check is done via Temporal Agent, when will a user be required to do posture again? Is there a timer, or does the web browser window need to be closed and have no activity for a certain time? Or is it solely dependent on the wireless controller idle timeout?
2. Is there a way to force the browser to pop up with the redirect (once connected on the secure SSID) instead of having the user manually enter a URL before the redirect happens?
3. In some instances when a URL is entered in the browser window, the redirect for the posture check does not happen. Instead it looks like nothing happens. I can reload the same page multiple times and nothing. Other URLs work fine on the first go. Has anyone noticed this before? Is it purely browser related?
4. Once a device is enrolled, is it indefinite? Until of course the device is deleted or un-enrolled?
05-16-2019 02:27 PM
On 1, the posture compliance status is per network session, so it depends on how a network session is terminated. IIRC, the Cisco WLC by default has a 30-minute session timeout and terminates the session after that interval. It also has an idle timeout, so that the session is terminated if there is no network connectivity; e.g. the endpoint moved outside of the coverage area.
On 2, some client OSes have a captive portal or walled-garden mechanism and use a mini-browser. Unfortunately, such browsers tend to be limited in supporting JavaScript or multi-page navigation. If your deployment is using client operating systems with good support, then you may test them out.
On 3, that is due to HTTPS pages. Redirecting on HTTPS has some drawbacks: (1) it might impact performance (2) we will get hostname mismatch errors during the redirect. If you would like to try, see Configure HTTPS Redirect over Web-auth - Cisco
On 4, correct.
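To make the point about captive-portal detection in the answer above concrete, here is an added example (not code from the thread or from Cisco) that classifies the HTTP probe responses client operating systems use to decide whether to pop their mini-browser. The probe URLs and expected replies are the publicly documented ones for each OS; the raw HTTP responses are constructed for illustration, and the redirect target hostname ise.example.com is a hypothetical placeholder for an ISE portal, not a real deployment value.

```python
"""Classify captive-portal probe responses the way client OS detectors do.

Added example, not from the Cisco Community thread. Probe endpoints are the
publicly documented ones; the responses below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    os_name: str
    url: str
    expect_status: int
    expect_body: str  # substring the OS checks for; "" means the body must be empty


# Well-known connectivity probes. If the WLC intercepts and redirects these,
# the OS shows its captive-portal assistant (the limited mini-browser).
PROBES: Dict[str, Probe] = {
    "apple": Probe("macOS/iOS", "http://captive.apple.com/hotspot-detect.html", 200, "Success"),
    "android": Probe("Android", "http://connectivitycheck.gstatic.com/generate_204", 204, ""),
    "windows": Probe("Windows", "http://www.msftconnecttest.com/connecttest.txt", 200,
                     "Microsoft Connect Test"),
}


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Minimal HTTP/1.1 response parser: status code, lowercased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify(probe: Probe, raw: bytes) -> Tuple[str, Optional[str]]:
    """Return ('open', None) when the probe got the genuine reply, otherwise
    ('captive', redirect_target) where redirect_target is the Location header
    of an intercepting redirect, or None if the reply was replaced in place."""
    status, headers, body = parse_http_response(raw)
    body_ok = (probe.expect_body in body) if probe.expect_body else (body == "")
    if status == probe.expect_status and body_ok:
        return "open", None
    if 300 <= status < 400 and "location" in headers:
        return "captive", headers["location"]
    return "captive", None


# Constructed sample responses (not captured from a WLC or ISE).
APPLE_GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>")
# What a WLC web-redirect to an ISE portal looks like in shape; hostname is hypothetical.
WLC_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                b"Location: https://ise.example.com:8443/portal/\r\n"
                b"Content-Length: 0\r\n\r\n")
ANDROID_GENUINE = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
# A portal page served inline with a 200: still not the expected body, so still captive.
INLINE_PORTAL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body>Please complete the posture check</body></html>")


def run_samples() -> Dict[str, Tuple[str, Optional[str]]]:
    return {
        "apple_genuine": classify(PROBES["apple"], APPLE_GENUINE),
        "apple_redirected": classify(PROBES["apple"], WLC_REDIRECT),
        "android_genuine": classify(PROBES["android"], ANDROID_GENUINE),
        "windows_inline_portal": classify(PROBES["windows"], INLINE_PORTAL),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The practical reading for this thread: the OS only opens its assistant when its probe is intercepted, so if the probe domains are allowed through by the pre-auth redirect ACL, or the controller is configured to bypass captive-portal detection, the client believes it is online and nothing pops up until the user opens a browser by hand. Conversely, when the assistant does open, it is the restricted mini-browser the answer above warns about.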
05-19-2019 08:16 AM
Thanks for the response.
1. I will check our WLC session and idle timeout settings and see if it behaves accordingly.
2. Actually, we had to disable captive portal for macOS Mojave BYOD as it wasn't working properly and was throwing some errors. I guess it's a no then.
3. Strange, because I have tested sites like bbc.com and yahoo.com, which are HTTPS, and these URLs have triggered the redirect on some occasions. Regarding HTTPS redirect, I read this discussion and it doesn't seem to be recommended?
4. Ok.