What ISE Posture Module Provides
Posture Checks
The ISE Posture module uses the OPSWAT v3 library to perform posture checks. During the initial posture check, an endpoint that fails to satisfy every mandatory requirement is deemed non-compliant. The other two endpoint authorization states are posture unknown (not yet assessed) and compliant (all mandatory requirements met).
If an error occurs during the posture checking phase and AnyConnect is able to continue, the user is notified and checking proceeds where possible. If the error occurs during a mandatory check, that check is marked as failed. Network access is granted only if all mandatory requirements are satisfied; otherwise the user can restart the posture process.
Any Necessary Remediation
The remediation window runs in the background so that update activity does not pop up and interrupt the user. Click Details in the ISE Posture tile of the AnyConnect UI to see what was detected and which updates are needed before the endpoint can join the network. If manual remediation is required, the remediation window opens and lists the items that need action. This System Scan Summary window shows the progress of the updates, the time remaining of the allotted remediation time, the status of each requirement, and the overall compliance state of the system.
An administrator can configure a Network Usage Policy that is displayed at the end of the ISE Posture process. It presents any terms and conditions the user must accept before access is granted to the access VLAN.
When only optional updates are left, you can choose to Skip to the next one or Skip All to disregard all remaining remediations. You can skip the optional remediations in the interest of time and still maintain network access.
After remediation (or after requirement checks when no remediation was needed), you may get an Acceptable Use Policy notification. It requires you to accept the policy for network access and limits access if you reject it. During this part of remediation, the Posture tile portion of the AnyConnect UI displays "System Scan: Network Acceptable Use Policy."
When remediation is complete, all of the checks listed as required updates appear with a Done status and a green checkbox. After remediation, the agent sends the posture result to ISE.
Note: Because of architectural changes in Symantec products, ISE posture cannot support remediation from Symantec AV 12.1.x and onwards.
Patch Management Checks and Remediation
The AnyConnect 4.x integration with Microsoft System Center Configuration Manager (SCCM) provides patch management checks and patch management remediation. The check inspects which critical patches are missing on the endpoint to decide whether patch installation should be triggered. If no critical patches are missing on the Windows endpoint, the patch management check passes. Patch management remediation is triggered only for administrator-level users and only when one or more critical patches are missing on the Windows endpoint.
Refer to Policy Conditions to learn how to set up policy conditions on ISE, or to Patch Management Remediation for further information on patch management remediation.
Reassessment of Endpoint Compliance
After the endpoint is deemed compliant and granted network access, it can optionally be reassessed periodically according to the controls the administrator configured. This feature is disabled by default; when enabled for a user role, posture is reassessed every 1 to 24 hours. Passive reassessment differs from the initial check: in the initial assessment, failing any mandatory requirement deems the endpoint non-compliant, whereas the reassessment settings decide whether the user keeps trusted network access even when one or more mandatory requirements are no longer met. If a reassessment check fails and the administrator configured the option, the user is offered the chance to remediate.
The administrator can set the outcome to Continue, Logoff, or Remediate, and can configure other options such as enforcement and grace time.
Automatic Compliance
With posture lease, the ISE server can skip posture entirely and place the endpoint directly in the compliant state. Users therefore do not experience delays when switching between networks on a system that was recently postured. Shortly after the ISE server is discovered, the ISE Posture agent simply sends a status message to the UI indicating whether the system is compliant. In the ISE UI (Settings > Posture > General Settings), you specify the length of time for which an endpoint is considered posture compliant after an initial compliance check. The compliance status is expected to be preserved when the user switches from one communicating interface to another.
Note: With a posture lease, if the session is valid on ISE, the endpoint is expected to go from the posture unknown state directly to the compliant state.
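The decision rules above (mandatory versus optional requirements, errors during a mandatory check, and the posture lease) are small enough to write down as executable logic. The following is an added illustration, not Cisco agent or ISE code: it models the authorization decision exactly as this section describes it, and the requirement names, timestamps and lease length are constructed sample data.

```python
"""Model of the ISE Posture authorization decision described in this section.

Added illustration, not Cisco code. Rules encoded from the text: a mandatory
check that errors counts as failed; the endpoint is compliant only when every
mandatory requirement passes; optional items that did not pass are reported but
never block access; a valid posture lease lets ISE skip the assessment and
report compliant directly. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"  # the check itself could not be carried out


class State(Enum):
    UNKNOWN = "posture unknown"  # before any assessment result exists
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non-compliant"


@dataclass(frozen=True)
class Requirement:
    name: str
    mandatory: bool
    result: Result


def evaluate(requirements: List[Requirement]) -> Tuple[State, List[str], List[str]]:
    """Return (state, mandatory items to remediate, optional items to remediate).

    An ERROR on a mandatory check is treated exactly like a FAIL. Optional
    items that did not pass are listed so the user can remediate or skip them,
    but they never make the endpoint non-compliant.
    """
    mandatory_todo = [r.name for r in requirements if r.mandatory and r.result is not Result.PASS]
    optional_todo = [r.name for r in requirements if not r.mandatory and r.result is not Result.PASS]
    state = State.NON_COMPLIANT if mandatory_todo else State.COMPLIANT
    return state, mandatory_todo, optional_todo


def lease_is_valid(last_compliant: Optional[datetime], now: datetime, lease_hours: int) -> bool:
    """Posture lease: True if the endpoint was found compliant within lease_hours.

    A lease of 0 means the feature is off and the checks always run.
    """
    if lease_hours <= 0 or last_compliant is None:
        return False
    return now - last_compliant <= timedelta(hours=lease_hours)


def decide(requirements: List[Requirement], last_compliant: Optional[datetime],
           now: datetime, lease_hours: int) -> Tuple[State, List[str], List[str]]:
    """Full decision: skip the checks on a valid lease, otherwise evaluate them."""
    if lease_is_valid(last_compliant, now, lease_hours):
        return State.COMPLIANT, [], []
    return evaluate(requirements)


# Constructed sample: one mandatory check errored, one optional check failed.
SAMPLE = [
    Requirement("AV definitions up to date", mandatory=True, result=Result.PASS),
    Requirement("Disk encryption enabled", mandatory=True, result=Result.ERROR),
    Requirement("Screen lock within 5 minutes", mandatory=False, result=Result.FAIL),
]
NOW = datetime(2024, 1, 1, 12, 0)

if __name__ == "__main__":
    state, must, optional = decide(SAMPLE, None, NOW, lease_hours=0)
    print(state.value, "mandatory:", must, "optional:", optional)
    # Same endpoint postured 30 minutes ago with a 1-hour lease: checks are skipped.
    print(decide(SAMPLE, NOW - timedelta(minutes=30), NOW, lease_hours=1)[0].value)
```

Running the block with the constructed sample reports non-compliant with the errored mandatory item listed first, and then compliant once a lease covers the endpoint; the same endpoint with a lease that expired two hours earlier falls back to the full evaluation.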
VLAN Monitoring and Transitioning
Some sites use different VLANs or subnets to partition their network for corporate groups and levels of access. A change of authorization (CoA) from ISE specifies a VLAN change; changes can also result from administrator actions such as session termination. To support VLAN changes on wired connections, configure the following settings in the ISE Posture profile:
- VLAN Detection Interval—Determines how often the agent checks for a VLAN transition, and whether monitoring is enabled at all: VLAN monitoring is enabled when the interval is set to anything other than 0. The valid range is 0 to 900 seconds; set it to at least 5 for macOS. VLAN monitoring is implemented on both Windows and macOS, although it is only necessary on macOS for detecting unexpected VLAN changes. It is disabled automatically while a VPN is connected or when acise (the main AnyConnect ISE process) is not running.
- Enable Agent IP Refresh—When unchecked, ISE sends the Network Transition Delay value to the agent. When checked, ISE sends the DHCP release and renew delay values instead, and the agent performs an IP refresh to obtain its latest IP address.
- DHCP Release Delay and DHCP Renew Delay—Used together with the Enable Agent IP Refresh setting. When that checkbox is checked and the value is not 0, the agent waits the release delay (in seconds), refreshes its IP address, and then waits the renew delay. IP refresh is disabled automatically while a VPN is connected. If 4 consecutive probes are dropped, a DHCP refresh is triggered.
- Network Transition Delay—Used when Enable Agent IP Refresh is unchecked, whether or not VLAN monitoring is enabled. When no IP refresh is performed, this delay adds a buffer that gives the agent an appropriate amount of time to wait for an accurate status from the server. ISE sends this value to the agent; if a Network Transition Delay is also set in the global settings of the ISE UI, the value in the ISE Posture Profile Editor overrides it.
Note: The ASA does not support VLAN changes, so these settings do not apply when the client is connected to ISE through an ASA.
Troubleshooting
If the endpoint device cannot access the network after posture is complete, check the following:
- Is the VLAN change configured on the ISE UI?
- If yes, are the DHCP release delay and renew delay set in the profile?
- If both settings are 0, is Network Transition Delay set in the profile?
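The VLAN-transition settings and the troubleshooting checklist above amount to a handful of consistency rules that can be checked mechanically against the posture profile before it is pushed to endpoints. The following linter is an added example, not a Cisco tool. It assumes the settings live as integer elements named VlanDetectionInterval, EnableAgentIpRefresh, DhcpReleaseDelay, DhcpRenewDelay and NetworkTransitionDelay inside a VlanDetection block of the profile XML (ISEPostureCFG.xml); those element names are an assumption here, so confirm them against a profile exported from your own ISE before relying on the script. The sample profiles are constructed.

```python
"""Lint the VLAN-transition settings of an ISE Posture profile.

Added example, not Cisco tooling. Rules applied, taken from the section above:
  - VLAN Detection Interval must be 0-900 seconds, and at least 5 on macOS
    when monitoring is enabled;
  - DHCP release/renew delays only take effect with Enable Agent IP Refresh;
  - Network Transition Delay is only sent to the agent when that box is
    unchecked;
  - troubleshooting checklist: if a VLAN change is configured on ISE, either
    the DHCP delays or the Network Transition Delay must be non-zero.
The element names and the VlanDetection block are ASSUMED to match
ISEPostureCFG.xml; verify against a profile exported from your ISE.
"""
import xml.etree.ElementTree as ET

# Constructed sample: monitoring on, IP refresh on, but every delay left at 0.
SAMPLE_PROFILE = """<cfg>
  <VlanDetection>
    <VlanDetectionInterval>5</VlanDetectionInterval>
    <EnableAgentIpRefresh>1</EnableAgentIpRefresh>
    <DhcpReleaseDelay>0</DhcpReleaseDelay>
    <DhcpRenewDelay>0</DhcpRenewDelay>
    <NetworkTransitionDelay>0</NetworkTransitionDelay>
  </VlanDetection>
</cfg>
"""

# Corrected version of the same profile: the agent now waits 2 s before the
# DHCP release and 5 s after the renew (values chosen for the example).
FIXED_PROFILE = (SAMPLE_PROFILE
                 .replace("<DhcpReleaseDelay>0<", "<DhcpReleaseDelay>2<")
                 .replace("<DhcpRenewDelay>0<", "<DhcpRenewDelay>5<"))

FIELDS = ("VlanDetectionInterval", "EnableAgentIpRefresh", "DhcpReleaseDelay",
          "DhcpRenewDelay", "NetworkTransitionDelay")


def parse_vlan_settings(xml_text):
    """Return the five VLAN settings as a dict of ints (missing elements -> 0)."""
    root = ET.fromstring(xml_text)
    block = root.find("VlanDetection")  # assumed element name
    settings = {}
    for name in FIELDS:
        el = None if block is None else block.find(name)
        settings[name] = int(el.text.strip()) if el is not None and el.text else 0
    return settings


def lint_vlan_settings(s, platform="windows", vlan_change_configured=True):
    """Return a list of finding strings for a settings dict; empty means clean.

    vlan_change_configured mirrors the first question of the troubleshooting
    checklist (is a VLAN change configured on the ISE UI?).
    """
    findings = []
    interval = s["VlanDetectionInterval"]
    if not 0 <= interval <= 900:
        findings.append("VlanDetectionInterval must be between 0 and 900 seconds")
    if platform == "macos" and 0 < interval < 5:
        findings.append("VlanDetectionInterval should be at least 5 seconds on macOS")

    refresh = s["EnableAgentIpRefresh"] == 1
    delays_set = bool(s["DhcpReleaseDelay"] or s["DhcpRenewDelay"])
    ntd_set = bool(s["NetworkTransitionDelay"])
    if not refresh and delays_set:
        findings.append("DHCP release/renew delays have no effect unless EnableAgentIpRefresh is 1")
    if refresh and ntd_set:
        findings.append("NetworkTransitionDelay is not sent to the agent while EnableAgentIpRefresh is 1")

    # Troubleshooting checklist: VLAN change configured, both DHCP delays 0,
    # and no Network Transition Delay either -> the agent has no wait configured.
    if vlan_change_configured and not delays_set and not ntd_set:
        findings.append("VLAN change configured on ISE but both DHCP delays and "
                        "NetworkTransitionDelay are 0")
    return findings


if __name__ == "__main__":
    for label, profile in (("sample", SAMPLE_PROFILE), ("fixed", FIXED_PROFILE)):
        for finding in lint_vlan_settings(parse_vlan_settings(profile)) or ["clean"]:
            print(f"{label}: {finding}")
```

Run it against an exported profile by reading the file into parse_vlan_settings(); pass platform="macos" for Mac endpoints so the 5-second minimum is enforced. The constructed sample trips only the checklist rule, and the corrected profile lints clean.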