User is getting posture scan on non posture policy set

Steven Williams
Level 4

I have setup two policy sets in ISE and used two different ASAs and labeled them differently also within device type. That way each policy can be used per ASA. I have configured posture on the secondary policy tied to my test ASA and it is working but now a user hitting my other policy that I did not touch for posture is getting scanned? Is there something else triggering this?


Mike.Cifelli
VIP Alumni
In your policy for posture assessment utilize the condition tunnel-group-name. Call out the one you want scanned so that the other non-test tunnel-group-name will bypass that check and not hit the policy for posture assessment.

Use the condition where, though? The top level? The authentication policy? Or authorization?

Policy->Client Provisioning

In 'other conditions' set up Cisco-VPN3000:CVPN3000/ASA/Pix7x-Tunnel-Group-Name EQUALS YOUR TEST_ASA_NAME that you want scanned.

Your other tunnel group will not match and therefore not be scanned. You can get the tunnel group name from the ASA or from the XML profile on your host. If extracting it from the host XML profile, it can be found under:
<HostEntry> section
You will want to match the name in ISE to your <UserGroup> name from the profile.
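As an added illustration (not code from the thread or from Cisco), the script below pulls the UserGroup value out of each HostEntry in an AnyConnect client profile, so the name typed into the ISE client provisioning condition can be copied rather than guessed, and then models that EQUALS check against the tunnel-group attribute of an incoming request. The profile XML is a constructed sample and the host names in it are assumptions; the attribute name is the one quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample AnyConnect client profile (not taken from the thread).
# Real profiles carry an xmlns on AnyConnectProfile, so tag matching below
# ignores the namespace prefix.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Prod VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>PROD_ASA</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>Test VPN</HostName>
      <HostAddress>vpn-test.example.com</HostAddress>
      <UserGroup>TEST_ASA</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def tunnel_groups(profile_xml):
    """Return {HostName: UserGroup} for every HostEntry in the profile."""
    root = ET.fromstring(profile_xml)
    out = {}
    for el in root.iter():
        if _local(el.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        out[fields.get("HostName", "")] = fields.get("UserGroup", "")
    return out

# Attribute named in the client provisioning 'other conditions' box.
TUNNEL_GROUP_ATTR = "Cisco-VPN3000:CVPN3000/ASA/Pix7x-Tunnel-Group-Name"

def posture_applies(request_attrs, scanned_tunnel_group):
    """Model the condition: posture only when the attribute EQUALS the test group."""
    return request_attrs.get(TUNNEL_GROUP_ATTR) == scanned_tunnel_group

if __name__ == "__main__":
    for host, group in tunnel_groups(SAMPLE_PROFILE).items():
        print(f"{host}: UserGroup={group}")
    # A session on the production tunnel group must not be posture-scanned.
    print(posture_applies({TUNNEL_GROUP_ATTR: "PROD_ASA"}, "TEST_ASA"))  # False
```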

I assume I can just use Device Type -> Cisco -> Test_Firewall since I have two firewall names defined. Then it will only look for users that connect to that device?

Yes. That would work as well. You have a few different options. Just make sure you configure it under client provisioning as noted above. That should give you the result you desire.