What ISE Posture Module Provides
Posture Checks
The ISE Posture module uses the OPSWAT v3 or v4 library to perform posture checks. With an initial posture check, any endpoint that fails to satisfy all mandatory requirements is deemed non-compliant. The other endpoint authorization states are posture unknown or compliant (meeting mandatory requirements).
If an error occurs during the posture checking phase and AnyConnect is able to continue, the user is notified, but posture checking continues, if possible. If the error occurs during a mandatory posture check, the check is marked as failed. Network access is granted if all mandatory requirements are satisfied. If not, the user can restart the posture process.
Any Necessary Remediation
The remediation window runs in the background so that the updates on network activity do not pop up and interfere or cause disruption. You can click Details in the ISE Posture tile portion of the AnyConnect UI to see what has been detected and what updates are needed before you can join the network. If a required manual remediation is necessary, the remediation window opens, displaying the items that require action. This System Scan Summary window shows the progress of the updates, the time left of the allotted update time, the status of any requirements, and the system compliance state.
An administrator can configure a Network Usage Policy that displays at the end of the ISE Posture process. When accessing the policy, you see any required terms and conditions that the user must accept before access is granted to the access VLAN.
When only optional updates are left, you can choose to Skip to the next one or Skip All to disregard all remaining remediations. You can skip the optional remediations in the interest of time and still maintain network access.
After remediation (or after requirement checks when no remediation was needed), you may get an Acceptable Use Policy notification. It requires you to accept the policy for network access and limits access if you reject it. During this part of remediation, the Posture tile portion of the AnyConnect UI displays "System Scan: Network Acceptable Use Policy."
When remediation is complete, all of the checks listed as required updates appear with a Done status and a green checkbox. After remediation, the agent sends the posture result to ISE.
Note |
Because of architectural changes in Symantec products, ISE posture cannot support remediation from Symantec AV 12.1.x and onwards. |
Patch Management Checks and Remediation
The AnyConnect 4.x and Microsoft System Center Configuration Manager (SCCM) integration provides patch management checks and patch management remediation. It checks the state of critical patches missing on the endpoint to see if a software patch should be triggered. If no critical patches are missing on the Windows endpoint, the patch management check passes. Patch management remediation triggers only for administrator-level users and only if one or more critical patches are missing on the Windows endpoint.
When a SCCM client installs a patch whose installation occurs before a reboot, the SCCM client reports the installation status (installed or not installed) of the patch as soon as the machine reboots. However, when a SCCM client installs a patch whose installation starts after a reboot, the SCCM client does not report the status of the patch immediately.
The AnyConnect compliance module cannot force the SCCM client to provide any status at this point. The amount of time that a posture module client takes to complete native API requests is a function of different dynamic OS parameters (such as CPU load, amount of pending patches, no restarts after patch installation, and so on) and network factors (such as connectivity and latency between posture module client and server). You may have to wait for the SCCM client to respond, but some lab results with known patches have been about ten minutes.
A similar behavior is also observed with Windows Server Update Services (WSUS) search APIs taking more time to respond, sometimes twenty to thirty minutes. Windows Update checks for missing patches of all Microsoft products (such as Microsoft Office), not only for Windows OS.
Refer to Policy Conditions to learn how to set up policy conditions on ISE or Patch Management Remediation for further information on patch management remediation.
Reassessment of Endpoint Compliance
After the endpoint is deemed compliant and is granted network access, the endpoint can optionally be periodically reassessed based on what controls the administrator configured. The passive reassessment posture checks differ from the initial posture checks. If any fail, the user is given the option to remediate, if the administrator had the setting configured as such. The configuration settings control whether or not the user maintains trusted network access, even when one or more mandatory requirements have not been met. With initial posture assessment, failing to satisfy all mandatory requirements deems the endpoint non-compliant. This feature is set to disabled by default, and if enabled for a user role, it reassesses the posture every 1 to 24 hours.
The administrator can set the outcome to Continue, Logoff, or Remediate and can configure other options such as enforcement and grace time.
Stealth Mode
An administrator can configure ISE Posture while the AnyConnect UI tile is hidden from the end user client. No popups are shown, and any scenarios which require user intervention will take the default action. This feature is available on Windows and macOS operating systems.
Refer to the Configure Posture Policies section in the Cisco Identity Services Engine Administrator Guide where you specify stealth mode in the clientless state as disabled or enabled.
After you map the profile in the ISE Posture Profile Editor and then map the AnyConnect configuration to the Client Provisioning page in ISE, AnyConnect can read the posture profile, set it to the intended mode, and send information related to the selected mode to ISE during initial posture request. Based on the mode and other factors, such as identity group, OS, and compliance module, Cisco ISE matches to the right policy.
Refer to the stealth mode deployment and its impact in the Cisco Identity Services Engine Administrator Guide.
ISE Posture does not allow you to set the following functions in stealth mode:
-
Any manual remediation
-
Link remediation
-
File remediation
-
WSUS show UI remediation
-
Activate GUI remediation
-
AUP policy
Posture Policy Enforcement
To improve the overall visibility of the software installed on your endpoints, we have provided these posture enhancements:
-
You can check the state of an endpoint firewall product to see if it is running. If desired, you can enable the firewall and enforce policies during initial posture and periodic reassessment (PRA). To set, see the Firewall Condition Settings section in the Cisco Identity Services Engine Configuration Guide.
-
Similarly, you can run a query of applications that are installed on an endpoint. If an unwanted application is running or installed, you can stop the application or uninstall the unwanted application. To set, see the Application Remediation section in the Cisco Identity Services Engine Configuration Guide section in the ISE UI.
UDID Integration
When AnyConnect is installed on a device, it will have its own unique identifier (UDID) shared among all modules in AnyConnect. This UDID is an identifier for the endpoint and is saved as an endpoint attribute, which ensures posture control on a specific endpoint rather than on a MAC address. You can then query endpoints based on the UDID, which is a constant that won't change regardless of how the endpoint connects, or upon upgrade or uninstallation. The Context Visibility page on the ISE UI
can then display one entry instead of multiple entries for endpoints with multiple NICs.Application Monitoring
The posture client can continuously monitor different endpoint attributes so that dynamic changes are observed and reported back to the policy server. Depending on how the posture policy is configured, you can monitor different attributes such as what applications are installed and running for antispyware, antivirus, antimalware, firewall, and so on. Refer to the Continuous Endpoint Attribute Monitoring section in the Cisco Identity Services Engine Administrator Guide for details about the application condition settings.
USB Storage Device Detection
When a USB mass storage device is attached to a Windows endpoint, a posture client is able to detect it and either block or allow the device depending on the posture policy block. With the USB detection, the agent continuously monitors the endpoint as long as it remains in the same ISE-controlled network. If a USB device matching the criteria is connected within this time period, the specified remediation action is performed. The incident is also reported to the policy server.
USB storage detection relies on the OPSWAT v4 compliance module. You must configure the USB check in the periodic reassessment policy (PRA) on the ISE UI at
.Note |
The checks and remediation are performed sequentially, so setting the PRA grace time to a minimal number for other checks prevents delays in handling USB checks. The grace time is set on the ISE UI in . |
Refer to USB Mass Storage Check Workflow for steps on configuring the detection of USB storage on the ISE UI.
Automatic Compliance
With posture lease, the ISE server can skip posture completely and simply put the system into compliant state. With this functionality, users do not experience delays switching between networks when their system has recently been postured. The ISE Posture agent simply sends a status message to the UI shortly after the ISE server is discovered, indicating whether the system is compliant. In the ISE UI (in Settings > Posture > General Settings), you can specify an amount of time when an endpoint is considered posture compliant after an initial compliance check. The compliance status is expected to be preserved even when users switch from one communicating interface to another.
Note |
With a posture lease, if the session is valid on ISE, the endpoint is expected to go from posture unknown state to compliant state. |
VLAN Monitoring and Transitioning
Some sites use different VLANs or subnets to partition their network for corporate groups and levels of access. A change of authorization (CoA) from ISE specifies a VLAN change. Changes can also happen due to administrator actions, such as session termination. To support VLAN changes during wired connections, configure the following settings in the ISE Posture profile:
-
VLAN Detection Interval— Determines the frequency with which the agent detects a VLAN transition and whether monitoring is disabled. VLAN monitoring is enabled when this interval is set to something besides 0. Set this value to at least 5 for macOS.
VLAN monitoring is implemented on both Windows and macOS, although it is only necessary on macOS for the detection of unexpected VLAN changes. If a VPN is connected or an acise (the main AnyConnect ISE process) is not running, it disables automatically. The valid range is 0 to 900 seconds.
-
Enable Agent IP Refresh—When unchecked, ISE sends the Network Transition Delay value to the agent. When checked, ISE sends DHCP release and renew values to the agent, and the agent does an IP refresh to retrieve the latest IP address.
- DHCP Release Delay and DHCP Renew Delay— Used in correlation with an IP refresh and the Enable Agent IP Refresh setting. When you check the Enable Agent IP Refresh checkbox and this value is not 0, the agent waits for the release delay number of seconds, refreshes the IP addresses, and waits for the renew delay number of seconds. If a VPN is connected, IP refresh is automatically disabled. If 4 consecutive probes are dropped, it triggers a DHCP refresh.
-
Network Transition Delay— Used when VLAN monitoring is disabled or enabled by the agent (in the Enable Agent IP Refresh checkbox). This delay adds a buffer when a VLAN is not used, giving the agent an appropriate amount of time to wait for an accurate status from the server. ISE sends this value to the agent. If you also have the Network Transition Delay value set in the global settings on the ISE UI, the value in the ISE Posture Profile Editor overwrites it.
Note |
The ASA does not support VLAN changes, so these settings do not apply when the client is connected to ISE through an ASA. |
Troubleshooting
If the endpoint device cannot access the network after posture is complete, check the following:
-
Is the VLAN change configured on the ISE UI?
-
If yes, is DHCP release delay and renew delay set in the profile?
-
If both settings are 0, is Network Transition Delay set in the profile?
-