
Cisco ISE 2.3 Posture - start a service

AigarsKSYN
Level 1

Hi All,

 

I have deployed Cisco ISE 2.3 and I am trying to do some Posture with AnyConnect. However, I am having issues with a requirement to start a service on a user's computer. It appears as if the application I am trying to launch runs in user context and thus might not have the necessary permissions to start the service.

 

I have created a Condition for Service to check if "acwebsecagent" is running (Cisco Cloud Web Security service).

Then I created a Launch Program Remediation, which starts cmd.exe with Program Parameters /c sc start acwebsecagent

 

Any advice would be appreciated.


Surendra
Cisco Employee
Can you show us the requirement you have configured and the remediation configured for the same? I mean the way you were trying to do this before without the launch program remediation.

Hi Surendra, thanks for your reply.

 

Sure, here are the details below:

[Screenshots: Requirements.png, Conditions.png, Remediation.png]

 

It might be useful to know: are applications which get launched as part of the ISE Posture meant to run in the user context of the computer?

This looks like the policy you have configured now. Can I have the policy that you have configured before for the service to run and that did not work?

So basically, certain services require elevated privileges to run, and they require manual intervention to start them. This service that you are trying to run could be one such service.

Sorry for the confusion, I did not state that it worked before.

 

So apart from checking and doing basic remedies, AnyConnect is not able to start a service if it requires admin permissions (even when the AnyConnect service is running on the PC at system level). The even more odd part is that I explicitly run this Posture process on a user who is already an admin of the local machine. It appears that it just did not work, as it could have been Windows UAC which did not prompt for the elevation request.

 

I did include other commands with CMD in my tests, like creating a folder, just to confirm that the application launch and command switches worked, and they did.

 

So if we say AnyConnect is not able to start services like this, what is the general solution people use to achieve this? Having the user just not compliant and being off the Compliant network is not quite an option, and having to raise a case with the helpdesk would also not count toward a real remediation process.

This post would live better in the AnyConnect community.

OK, thanks, will give it a try.
