What ISE Posture Module Provides
Posture Checks
The ISE Posture module uses the OPSWAT v3 or v4 library to perform posture checks. With an initial posture check, any endpoint that fails to satisfy all mandatory requirements is deemed non-compliant. The other endpoint authorization states are posture unknown or compliant (meeting mandatory requirements).
Note |
With the macOS 64-bit migration, AnyConnect 4.6 ISE posture module is not compatible with older OPSWAT v3 compliance modules. |
If an error occurs during the posture checking phase and AnyConnect is able to continue, the user is notified, but posture checking continues, if possible. If the error occurs during a mandatory posture check, the check is marked as failed. Network access is granted if all mandatory requirements are satisfied. If not, the user can restart the posture process.
Any Necessary Remediation
The remediation window runs in the background so that the updates on network activity do not pop up and interfere or cause disruption. You can click Details in the ISE Posture tile portion of the AnyConnect UI to see what has been detected and what updates are needed before you can join the network. If a required manual remediation is necessary, the remediation window opens, displaying the items that require action. This System Scan Summary window shows the progress of the updates, the time left of the allotted update time, the status of any requirements, and the system compliance state.
An administrator can configure a Network Usage Policy that displays at the end of the ISE Posture process. When accessing the policy, you see any required terms and conditions that the user must accept before access is granted to the access VLAN.
When only optional updates are left, you can choose to Skip to the next one or Skip All to disregard all remaining remediations. You can skip the optional remediations in the interest of time and still maintain network access.
After remediation (or after requirement checks when no remediation was needed), you may get an Acceptable Use Policy notification. It requires you to accept the policy for network access and limits access if you reject it. During this part of remediation, the Posture tile portion of the AnyConnect UI displays "System Scan: Network Acceptable Use Policy."
When remediation is complete, all of the checks listed as required updates appear with a Done status and a green checkbox. After remediation, the agent sends the posture result to ISE.
Note |
Because of architectural changes in Symantec products, ISE posture cannot support remediation from Symantec AV 12.1.x and onwards. |
Patch Management Checks and Remediation
The AnyConnect 4.x and Microsoft System Center Configuration Manager (SCCM) integration provides patch management checks and patch management remediation. It checks the state of critical patches missing on the endpoint to see if a software patch should be triggered. If no critical patches are missing on the Windows endpoint, the patch management check passes. Patch management remediation triggers only for administrator-level users and only if one or more critical patches are missing on the Windows endpoint.
When a SCCM client installs a patch whose installation occurs before a reboot, the SCCM client reports the installation status (installed or not installed) of the patch as soon as the machine reboots. However, when a SCCM client installs a patch whose installation starts after a reboot, the SCCM client does not report the status of the patch immediately.
The AnyConnect compliance module cannot force the SCCM client to provide any status at this point. The amount of time that a posture module client takes to complete native API requests is a function of different dynamic OS parameters (such as CPU load, amount of pending patches, no restarts after patch installation, and so on) and network factors (such as connectivity and latency between posture module client and server). You may have to wait for the SCCM client to respond, but some lab results with known patches have been about ten minutes.
A similar behavior is also observed with Windows Server Update Services (WSUS) search APIs taking more time to respond, sometimes twenty to thirty minutes. Windows Update checks for missing patches of all Microsoft products (such as Microsoft Office), not only for Windows OS.
Refer to Policy Conditions to learn how to set up policy conditions on ISE or Patch Management Remediation for further information on patch management remediation.
Reassessment of Endpoint Compliance
After the endpoint is deemed compliant and is granted network access, the endpoint can optionally be periodically reassessed based on what controls the administrator configured. The passive reassessment posture checks differ from the initial posture checks. If any fail, the user is given the option to remediate, if the administrator had the setting configured as such. The configuration settings control whether or not the user maintains trusted network access, even when one or more mandatory requirements have not been met. With initial posture assessment, failing to satisfy all mandatory requirements deems the endpoint non-compliant. This feature is set to disabled by default, and if enabled for a user role, it reassesses the posture every 1 to 24 hours.
The administrator can set the outcome to Continue, Logoff, or Remediate and can configure other options such as enforcement and grace time.
Grace Period for Noncompliant Devices
You can set up a grace period in the Cisco ISE UI. With this configured, an endpoint that becomes non-compliant, but was compliant in a previous posture status, can be granted access to the network. Cisco ISE looks for the previously known good state in its cache and provides grace time for the device. When the grace period expires, AnyConnect performs the posture check again, this time with no remediation, and determines the endpoint state as compliant or non-compliant based on the results of the check.
Note |
Periodic reassessment (PRA) is not applicable when a user is in a grace period. |
The grace period is set under the AnyConnect Posture profile on the ISE UI in
Valid values are specified in days, hours, or minutes. By default, this setting is disabled.The AnyConnect UI pops up a caution when an endpoint is noncompliant and explains when it is in the grace period. The AnyConnect System Scan tile highlights all of the posture failures, and you can hit the Scan Again button to maintain full network access by forcing a rerun of the posture policies.
Note |
ISE posture does not allow AUP policy on grace period. Grace period is not applicable for the following flows: temporal agent, hardware inventory, and application monitoring. |
Cisco Temporal Agent
The Cisco Temporal Agent is designed for Windows or macOS environments to share compliance status when a user accesses a trusted network. The configuration for the Cisco Temporal Agent is done on the ISE UI. The Cisco Temporal Agent extractable .exe (for Windows) or dmg (for macOS) is downloaded to the endpoint whenever it attempts to access the internet. The users must run the downloaded executable or dmg for the compliance check: no administrator privileges are required.
The UI is then automatically launched and starts the check to determine if the endpoint is compliant or not. After completing the compliance checks, based on how the policies are configured on the ISE UI, ISE can take any necessary action.
In Windows, the executable is self extractable and all of the necessary dll and other files for compliance check are put into the temporary folder with this extraction. All of the extracted files and executables are deleted after the completion of the compliance check. For complete removal of the files and executables, the user must quit the UI.
Refer to Cisco Temporal Agent Workflows in the Cisco Identity Services Engine Administrator Guide, Release 2.3 for detailed configuration steps on the ISE UI.
Limitations of Cisco Temporal Agent-
A VLAN-controlled posture environment for temporal agent is not supported in macOS because the refresh adapter (DHCP renewal) process cannot occur without root privileges. The temporal agent can run as a user process only. An ACL-controlled posture environment is supported because it does not require refreshing the IP of the endpoint.
-
If a network interface happens during remediation, the user must quit the current UI and redo the whole procedure.
-
In macOS, the dmg file will not be deleted.
-
After launching the temporal agent installer, it may hide behind the browser when running on the endpoint. To proceed with collecting health on the temporal agent application, the end user should minimize the browser. Mostly Windows 10 users have this issue because UAC mode is set to high on those clients, to accept the third-party application that is running with high security conditions.
-
You cannot use temporal agent when stealth mode is enabled on the endpoint.
-
The following conditions are unsupported by the Cisco Temporal Agent:
-
Service Condition-macOS—System Daemon check
-
Service Condition-macOS—Daemon or User Agent check
-
PM—Up to Date check
-
PM—Enabled check
-
DE—Encryption Location based check
-
Posture Policy Enhancements for Optional Mode
You can perform remediation for failed requirement checks in Optional Mode, regardless of whether mandatory checks passed or failed. A message about remediation is presented on the AnyConnect ISE Posture UI, and you can see what failed and what requires remediation action.
-
Manual Remediation of Optional Mode─The System Scan Summary screen shows any Optional Mode status that may require remediation if a condition failed. You can manually click Start to remediate or click Skip. Even if the remediation fails, the endpoint would still be compliant since these are only optional requirements. The System Summary shows if they are skipped, failed, or successful.
-
Automatic Remediation of Optional Mode─You can monitor the System Scan tile as it notes when it is applying optional updates. You will not be asked to start remediation because it happens automatically. If any automatic remediation fails, you get a message that remediation could not be attempted. Further, you have a choice to skip the remediation action, if desired.
Visibility into Hardware Inventory
An Endpoints > Hardware tab has been added under Context Visibility on the ISE UI. It helps you collect, analyze, and report endpoint hardware information within a short time. You can gather information such as finding endpoints with low memory capacity or finding the BIOS model/version in an endpoint. Based on the findings, you can increase the memory capacity, upgrade the BIOS version, or assess the requirements before you plan the purchase of an asset. The Manufacturers Utilization dashlet displays hardware inventory details for endpoints with Windows or macOS, and the Endpoint Utilizations dashlet displays the CPU, Memory, and Disk utilization for endpoints. Refer to The Hardware Tab of the Cisco Identity Services Engine Administrator Guide, Release 2.3 for detailed information.
Stealth Mode
An administrator can configure ISE Posture while the AnyConnect UI tile is hidden from the end user client. No popups are shown, and any scenarios which require user intervention will take the default action. This feature is available on Windows and macOS operating systems.
Refer to the Configure Posture Policies section in the Cisco Identity Services Engine Administrator Guide where you specify stealth mode in the clientless state as disabled or enabled.
On the ISE UI, you can set stealth mode to have notifications enabled so that end users still see error notifications.
After you map the profile in the ISE Posture Profile Editor and then map the AnyConnect configuration to the Client Provisioning page in ISE, AnyConnect can read the posture profile, set it to the intended mode, and send information related to the selected mode to ISE during initial posture request. Based on the mode and other factors, such as identity group, OS, and compliance module, Cisco ISE matches to the right policy.
Refer to the stealth mode deployment and its impact in the Cisco Identity Services Engine Administrator Guide.
ISE Posture does not allow you to set the following functions in stealth mode:
-
Any manual remediation
-
Link remediation
-
File remediation
-
WSUS show UI remediation
-
Activate GUI remediation
-
AUP policy
Posture Policy Enforcement
To improve the overall visibility of the software installed on your endpoints, we have provided these posture enhancements:
-
You can check the state of an endpoint firewall product to see if it is running. If desired, you can enable the firewall and enforce policies during initial posture and periodic reassessment (PRA). To set, see the Firewall Condition Settings section in the Cisco Identity Services Engine Configuration Guide.
-
Similarly, you can run a query of applications that are installed on an endpoint. If an unwanted application is running or installed, you can stop the application or uninstall the unwanted application. To set, see the Application Remediation section in the Cisco Identity Services Engine Configuration Guide section in the ISE UI.
UDID Integration
When AnyConnect is installed on a device, it will have its own unique identifier (UDID) shared among all modules in AnyConnect. This UDID is an identifier for the endpoint and is saved as an endpoint attribute, which ensures posture control on a specific endpoint rather than on a MAC address. You can then query endpoints based on the UDID, which is a constant that won't change regardless of how the endpoint connects, or upon upgrade or uninstallation. The Context Visibility page on the ISE UI
can then display one entry instead of multiple entries for endpoints with multiple NICs.Application Monitoring
The posture client can continuously monitor different endpoint attributes so that dynamic changes are observed and reported back to the policy server. Depending on how the posture policy is configured, you can monitor different attributes such as what applications are installed and running for antispyware, antivirus, antimalware, firewall, and so on. Refer to the Continuous Endpoint Attribute Monitoring section in the Cisco Identity Services Engine Administrator Guide for details about the application condition settings.
USB Storage Device Detection
When a USB mass storage device is attached to a Windows endpoint, a posture client is able to detect it and either block or allow the device depending on the posture policy block. With the USB detection, the agent continuously monitors the endpoint as long as it remains in the same ISE-controlled network. If a USB device matching the criteria is connected within this time period, the specified remediation action is performed. The incident is also reported to the policy server.
USB storage detection relies on the OPSWAT v4 compliance module. You must configure the USB check in the periodic reassessment policy (PRA) on the ISE UI at
.Note |
The checks and remediation are performed sequentially, so setting the PRA grace time to a minimal number for other checks prevents delays in handling USB checks. The grace time is set on the ISE UI in . |
Refer to USB Mass Storage Check Workflow for steps on configuring the detection of USB storage on the ISE UI.
Automatic Compliance
With posture lease, the ISE server can skip posture completely and simply put the system into compliant state. With this functionality, users do not experience delays switching between networks when their system has recently been postured. The ISE Posture agent simply sends a status message to the UI shortly after the ISE server is discovered, indicating whether the system is compliant. In the ISE UI (in Settings > Posture > General Settings), you can specify an amount of time when an endpoint is considered posture compliant after an initial compliance check. The compliance status is expected to be preserved even when users switch from one communicating interface to another.
Note |
With a posture lease, if the session is valid on ISE, the endpoint is expected to go from posture unknown state to compliant state. |
VLAN Monitoring and Transitioning
Some sites use different VLANs or subnets to partition their network for corporate groups and levels of access. A change of authorization (CoA) from ISE specifies a VLAN change. Changes can also happen due to administrator actions, such as session termination. To support VLAN changes during wired connections, configure the following settings in the ISE Posture profile:
-
VLAN Detection Interval— Determines the frequency with which the agent detects a VLAN transition and whether monitoring is disabled. VLAN monitoring is enabled when this interval is set to something besides 0. Set this value to at least 5 for macOS.
VLAN monitoring is implemented on both Windows and macOS, although it is only necessary on macOS for the detection of unexpected VLAN changes. If a VPN is connected or an acise (the main AnyConnect ISE process) is not running, it disables automatically. The valid range is 0 to 900 seconds.
-
Enable Agent IP Refresh—When unchecked, ISE sends the Network Transition Delay value to the agent. When checked, ISE sends DHCP release and renew values to the agent, and the agent does an IP refresh to retrieve the latest IP address.
- DHCP Release Delay and DHCP Renew Delay— Used in correlation with an IP refresh and the Enable Agent IP Refresh setting. When you check the Enable Agent IP Refresh checkbox and this value is not 0, the agent waits for the release delay number of seconds, refreshes the IP addresses, and waits for the renew delay number of seconds. If a VPN is connected, IP refresh is automatically disabled. If 4 consecutive probes are dropped, it triggers a DHCP refresh.
-
Network Transition Delay— Used when VLAN monitoring is disabled or enabled by the agent (in the Enable Agent IP Refresh checkbox). This delay adds a buffer when a VLAN is not used, giving the agent an appropriate amount of time to wait for an accurate status from the server. ISE sends this value to the agent. If you also have the Network Transition Delay value set in the global settings on the ISE UI, the value in the ISE Posture Profile Editor overwrites it.
Note |
The ASA does not support VLAN changes, so these settings do not apply when the client is connected to ISE through an ASA. |
Troubleshooting
If the endpoint device cannot access the network after posture is complete, check the following:
-
Is the VLAN change configured on the ISE UI?
-
If yes, is DHCP release delay and renew delay set in the profile?
-
If both settings are 0, is Network Transition Delay set in the profile?
-