
What exactly triggers evaluation of Client Provisioning Policies?

Leroy Plock
Level 1

QUESTION: What do I need to do to reliably push a new AnyConnect configuration to windows machines that have a continuously up Ethernet connection?


Details:

I'm having trouble understanding what exactly triggers evaluation of client provisioning rules. (ISE 2.2, AnyConnect 4.5)


I want to push a new compliance module and a modification of the posture configuration to all Windows machines. I have created a new Client Provisioning Policy to push these changes; it currently applies only to my pilot group.


All pilot group users use laptops. Everyone who takes their laptop home nightly has gotten the new policy correctly. I have one user who never takes their laptop home, so the Ethernet connection stays up continuously. This laptop did not receive the updates. We pulled and re-inserted the Ethernet cable, and upon re-auth the posture module downloaded the new config.


We have periodic re-auth configured in our authorization profile. The continuously connected laptop does re-auth periodically as designed, but just hits the "posture compliant" authorization policy each time, and the provisioning rules are never evaluated. I have Posture Lease configured for every 1 day. You would think that after a day has passed, on the next periodic re-auth the laptop would hit the "posture unknown" rule and download the updates. Is it somehow pushing the posture lease one day forward every time? Even if it is, why does bouncing the Ethernet connection bypass this? Maybe I need to configure a Posture Reassessment (PRA) configuration? Why is client provisioning tied to posture compliance in the first place? They're not really the same thing, are they? All very confusing.


2 Replies

hslai
Cisco Employee

This looks expected. For ISE 2.2, ISE Client Provisioning policies get evaluated only when the web browser on an endpoint is redirected to the ISE Client Provisioning portal, or when the AnyConnect ISE posture module re-discovers the ISE PSN.

One workaround is to bounce the endpoint connection, if acceptable.

Bummer. Seems whack that I have to bounce the interface to push provisioning updates. I'm lucky that most of our users are on laptops that go home every night; it's much worse for folks with lots of PCs.


So it has nothing to do with posture status (compliant, noncompliant, unknown)?


Thanks for your reply.