Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


What exactly triggers evaulation of Client Provisioning Policies?

QUESTION: What do I need to do to reliably push a new AnyConnect configuration to windows machines that have a continuously up Ethernet connection?



I'm having trouble understanding what exactly triggers evaluation of client provisioning rules. (ISE 2.2, Anyconnect 4.5)


I want to push a new compliance module and a modification of the posture configuration to all Windows machines. I have created a new Client Provisioning Policy to push these changes, it currently applies only to my pilot group.


All pilot group users use laptops. Everyone who takes their laptop home nightly has gotten the new policy correctly. I have one user who never takes their laptop home, so the Ethernet connection stays up continuously. This laptop did not receive the updates. We pulled and re-inserted the Ethernet cable, and upon re-auth the posture module downloaded the new config.


We have periodic re-auth configured in our authorization profile. The continuously connected laptop does re-auth periodically as designed, but just hits the "posture compliant" authorization policy each time and the provisioning rules are never evaluated. I have Posture Lease configured for every 1 days. You would think that after a day has passed, on the next periodic re-auth the laptop would hit the "posture unknown" rule and download the updates. Is it somehow pushing the posture lease one day forward every time? Even if it is, why does bouncing the Ethernet connection bypass this? Maybe I need to configure a Posture Reassessment (PRA) configuration? Why is client provisioning tied to Posture compliance in the first place? They're not really the same thing, are they? All very confusing.



Cisco Employee

This looks expected. For ISE 2.2, ISE Client Provisioning policy get evaluated only when the web browser on an endpoint redirected to the ISE Client Provisioning portal or when the AnyConnect ISE posture module re-discovering the ISE PSN.

One workaround is to bounce the endpoint connection, if acceptable.


Bummer. Seems whack that I have to bounce the interface to push provisioning updates. I'm lucky that most of our users are on laptops that go home every night, much worse for folks with lots of PCs.


So it has nothing to do with posture status? (Compliant, noncompliant, unknown?)


Thanks for your reply.