Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the compliance, also known as posture, of endpoints, before allowing them to connect to your network. A posture agent, such as the AnyConnect ISE Posture Agent, runs on the endpoint. Client Provisioning ensures that the endpoints receive the appropriate Posture Agent.
The ISE Posture Agent for Cisco ISE does not support Windows Fast User Switching when the native supplicant is used, because there is no clean disconnect of the previous user. When a new user switches in, the agent remains attached to the previous user's process and session ID, so a new posture session cannot start. As recommended by Microsoft security policies, disable Fast User Switching.
In ISE, session control is done on multiple nodes.
On an MnT node, sessions are removed:
On a PSN node, sessions are removed:
If posture without redirection is used in a multi-node deployment and sessions are not managed properly on both node types, posture functionality may be affected.
Components of Posture Services
Cisco ISE posture service primarily includes the posture administration services and the posture run-time services.
Posture Administration Services
If you have not registered the Cisco ISE Apex license in Cisco ISE, then the posture administration services option is not available in the Cisco ISE administration portal.
Administration services provide the back-end support for posture-specific custom conditions and remediation actions that are associated with the requirements and authorization policies that are configured for posture service.
Posture Run-Time Services
The posture run-time services encapsulate all the interactions that happen between the client agent and the Cisco ISE server for posture assessment and remediation of clients.
Posture run-time services begin with the Discovery Phase. An endpoint session is created after the endpoint passes 802.1X authentication. The client agent then attempts to reach a Cisco ISE node by sending discovery probes in the following order:
via HTTP to Port 80 on a Cisco ISE server (if configured)
via HTTPS to Port 8905 on a Cisco ISE server (if configured)
via HTTP to Port 80 on the default gateway
via HTTPS to Port 8905 on each previously contacted server
via HTTP to Port 80 on enroll.cisco.com
The Posture Phase begins when the Acceptable Use Policy (AUP), if one is configured, is accepted. The Cisco ISE node issues a posture token for the Posture Domain to the client agent. The posture token allows the endpoint to reconnect to the network without going through the posture process again; it contains information such as the agent GUID, the AUP acceptance status, and endpoint operating-system information.
The messages used in the Posture Phase are in the NEA PB/PA format (PA-TNC, RFC 5792; PB-TNC, RFC 5793).
Posture and Client-Provisioning Policies Workflow
In stage 1 of posture discovery, the posture agent sends all stage 1 discovery probes at the same time. The timeout value is 5 seconds. Stage 2 contains two discovery probes, which allow the posture module to establish a connection to the PSN; this connection to the PSN supports posture in environments where redirection is not supported. During stage 2, the probes are sent sequentially. If stage 2 fails, the posture agent tries stage 1 again. This cycle continues for 30 seconds, after which you see "No policy server detected". This state persists until a discovery probe is triggered again.
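The probe order and the stage 1 / stage 2 retry cycle described above, as an added example in Python (not Cisco code, and not the agent's implementation). It builds the probe list in the documented order, fires stage 1 concurrently under the 5-second timeout, walks stage 2 sequentially, and repeats until a server answers or 30 seconds pass. The following are this example's assumptions, not statements from the page: the split of the five probes into stage 1 (the first three) and stage 2 (the last two), the `/auth/discovery` URL path, reuse of the 5-second timeout for stage 2 probes, and treating any HTTP status as an answer. The probe callable is injectable so the order can be checked offline with a fake.

```python
"""Posture-discovery probe order and the stage 1 / stage 2 retry cycle.

Added example; not Cisco code. Assumptions (not from the page): the
/auth/discovery path, the stage split of the five probes, the stage 2
timeout, and that any HTTP status counts as an answer.
"""
from __future__ import annotations

import concurrent.futures
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

PROBE_TIMEOUT = 5.0        # seconds; the page gives 5 s for stage 1 (reused for stage 2: assumption)
DISCOVERY_CYCLE = 30.0     # seconds of retrying before "No policy server detected"
DISCOVERY_PATH = "/auth/discovery"   # assumption: discovery URL requested by the agent

Probe = Callable[[str, float], bool]   # probe(url, timeout) -> did something answer?


@dataclass
class DiscoveryConfig:
    configured_servers: list[str]                  # PSNs configured on the agent
    default_gateway: str
    previously_contacted: list[str] = field(default_factory=list)


def stage1_targets(cfg: DiscoveryConfig) -> list[str]:
    """Stage 1 probes in the documented order; all are sent at the same time."""
    urls = [f"http://{s}:80{DISCOVERY_PATH}" for s in cfg.configured_servers]
    urls += [f"https://{s}:8905{DISCOVERY_PATH}" for s in cfg.configured_servers]
    urls.append(f"http://{cfg.default_gateway}:80{DISCOVERY_PATH}")
    return urls


def stage2_targets(cfg: DiscoveryConfig) -> list[str]:
    """Stage 2 probes, tried one after another (assumed split: the last two of the five)."""
    urls = [f"https://{s}:8905{DISCOVERY_PATH}" for s in cfg.previously_contacted]
    urls.append(f"http://enroll.cisco.com:80{DISCOVERY_PATH}")
    return urls


def http_probe(url: str, timeout: float) -> bool:
    """Real probe for use on a network. Any HTTP status (a redirect to the PSN
    portal, a 4xx) means a server answered; a TLS failure on 8905 is a miss,
    as it would be for an agent that refuses an untrusted certificate."""
    req = urllib.request.Request(url, headers={"User-Agent": "posture-discovery-example"})
    try:
        urllib.request.urlopen(req, timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, OSError, ValueError):
        return False


def _stage1(cfg: DiscoveryConfig, probe: Probe) -> Optional[str]:
    """All stage 1 probes fire concurrently; the first one that answers wins."""
    with concurrent.futures.ThreadPoolExecutor() as pool:
        futs = {pool.submit(probe, u, PROBE_TIMEOUT): u for u in stage1_targets(cfg)}
        for fut in concurrent.futures.as_completed(futs):
            if fut.result():
                return futs[fut]
    return None


def _stage2(cfg: DiscoveryConfig, probe: Probe) -> Optional[str]:
    """Stage 2 probes run sequentially; stop at the first answer."""
    for url in stage2_targets(cfg):
        if probe(url, PROBE_TIMEOUT):
            return url
    return None


def run_discovery(cfg: DiscoveryConfig, probe: Probe = http_probe,
                  clock: Callable[[], float] = time.monotonic):
    """Repeat stage 1 then stage 2 until a PSN answers or DISCOVERY_CYCLE
    seconds elapse. Returns (url that answered or None, list of attempts)."""
    attempts = []
    start = clock()
    while clock() - start < DISCOVERY_CYCLE:
        for name, stage in (("stage1", _stage1), ("stage2", _stage2)):
            hit = stage(cfg, probe)
            attempts.append((name, hit))
            if hit:
                return hit, attempts
    attempts.append(("timeout", "No policy server detected"))
    return None, attempts


if __name__ == "__main__":
    # Constructed config; run with the real http_probe only on a lab network.
    cfg = DiscoveryConfig(["ise-psn1.example.test"], "10.0.0.1", ["ise-psn2.example.test"])
    print(run_discovery(cfg))
```

Injecting a fake `probe` that answers only for the previously contacted PSN shows the cycle stop in stage 2 without ever reaching enroll.cisco.com; injecting a fake `clock` that jumps in large steps shows the 30-second give-up path without waiting for it.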
Posture Service Licenses
Cisco ISE provides three types of licenses: the Base license, the Plus license, and the Apex license. If you have not installed the Apex license on the primary PAN, posture requests will not be served by Cisco ISE. The posture service of Cisco ISE can run on a single node or on multiple nodes.
Posture Service Deployment
You can deploy Cisco ISE in a standalone environment (on a single node) or in a distributed environment (on multiple nodes).
In a standalone Cisco ISE deployment, you can configure a single node for all the administration services, the monitoring and troubleshooting services, and the policy run-time services.
In a distributed Cisco ISE deployment, you can configure each node as a Cisco ISE node for administration services, monitoring and troubleshooting services, and policy run-time services. The node that runs the administration services is the primary node in that Cisco ISE deployment. The other nodes, which run the remaining services, are secondary nodes and can be configured to back up one another.
Enable Posture Session Service in Cisco ISE
Before you begin
- You must enable session services in Cisco ISE and install the Apex license (the advanced license package) to serve all the posture requests received from the clients.
If you have more than one node that is registered in a distributed deployment, all the nodes that you have registered appear in the Deployment Nodes page, apart from the primary node. You can configure each node as a Cisco ISE node (Administration, Policy Service, and Monitoring personas).
The posture service only runs on Cisco ISE nodes that assume the Policy Service persona and does not run on Cisco ISE nodes that assume the administration and monitoring personas in a distributed deployment.
Choose a Cisco ISE node from the Deployment Nodes window.
Under the General Settings tab, check the Policy Service check box.
If the Policy Service check box is unchecked, both the session services and the profiling service check boxes are disabled.
Check the Enable Session Services check box, for the Policy Service persona to run the Network Access, Posture, Guest, and Client Provisioning session services. To stop the session services, uncheck the check box.
Run the Posture Assessment Report
You can run the Posture Detail Assessment report to generate a detailed status of compliance of the clients against the posture policies that are used during posture assessment.
From the Time Range drop-down list, choose the specific time period.
Click Run to view the summary of all the endpoints that were active during the selected time period.