In this session, we'll be configuring ISE posture settings in preparation for

compliance-based access. Start by going into Work Centers and Posture and the
Overview portion of the menu. And we can see that for the most part, we've done,
again, preparation steps with one exception, which would be posture updates.
And the Posture Update Service is the ISE primary policy administration node being
allowed to interact with Cisco's update service to be able to gain updates for
predefined checks, posture rules, support charts for antivirus and antispyware
versioning, et cetera. In this case, we will turn it on to automatically check at a
periodic interval. And again, this will be based on UTC time. And we'll save that
configuration change, which we see was updated successfully. And then we'll request
a manual update now. And this will proceed on the initial attempt for about 20
minutes it will take to complete. And then we can see down below the information on
last successful update and versions related to those updates.
OK. Now we'll go back into Work Centers, Posture Settings, and Posture General
Settings. And here are settings that the Posture Service will set in and of itself,
where it would be a general baseline settings where they have not been overridden
by a Posture Agent Profile that has been created in the client provisioning aspect
of posturing and compliance checking. So in this case, where these timers haven't
been defined at the endpoint side, the Posture Service will set for itself.
The first value is the remediation timer, and this is the timer that the
endpoint will be allowed to remediate. And this involves both the current
compliance status. While it's in remediation, it will be unknown. And then, as it
transitions out of unknown where it hasn't remediated yet, it will go back to a Not
Compliant state. And this will allow, of course, transitions between the
authorizations that are necessary to allow remediation to occur. So we'll extend
this as an effective default to 20 minutes.
And this is a similar aspect as the endpoint and the posture agent on the endpoint
side or transitioning between a Compliant and a Not Compliant state and the
authorization profiles required to provide necessary access. This will be the time
that the server side will expect or anticipate where the agent hasn't done it in
and of itself. And we'll leave that at its current default.
The default Posture Status is for endpoints that do not have a Posture Agent
installed or anything interacting on an agent's side with the Posture Service. So
it is an assumption until a compliance assessment has occurred. The assumed
Posture Status will be Compliant in this case. And we'll leave that at its default.
And in this case, we will want to provide an Automatically Close Login Success
screen. So there is a Login Success screen that can be provided, and only if you
set the timer to something more than zero. We'll set this to 3 seconds.
The Continuous Monitoring Interval we'll leave at the default, and this occurs in
the expectation, again, from the agent's side that the agent will begin forwarding
hardware information and application condition information 5 minutes subsequent to
it having interaction with the Posture Service. And again, this is the assumption
from the Posture Service side when that will occur.
There is a new capability within ISE 2.4, allowing a stealth mode deployment of the
Posture Service or Posture Agent on the endpoint side. And in this case, as it
transitions to, say, a Not Compliant state, that this will prevent any kind of pop-
up messaging with respect to that state change. And then a Posture Lease, we'll
leave this at its default as well. In anticipation, we will perform-- or a Posture
Assessment will be performed every time a user slash endpoint connects to the
network. And of course we can modify that to some number of days.
And then informational primarily with respect to the last known state of the
Compliant status of a particular endpoint and without any interaction with the
Posture Service as we look at things like the context visibility endpoint screens
in various reports, that status will remain intact for up to 31 days if it hasn't
interacted with the Posture Service. And then after that time, it will revert to an
Unknown state. So we've made just a few modifications to the remediation timer and
providing a Close Login Success banner. And we'll save these general settings.
One of the other aspects that we'll be dealing with are for guest access on our
wired network. And we'll take advantage of our Guest Self Registration Portal and
add the capability to do a Posture Assessment as part of that Self Registration
Guest flow. So here, we're looking at our guest portals, and I'm going to edit the
Demo-Self-Reg portal and look at the guest flow as it's in place right now. And
we'll modify the settings for Guest Device Compliance, and we'll check the box to
now require Guest Device Compliance to be evaluated.
And it points out, as we can see, modified in the guest flow adjacent that this
will now add a client provisioning page to the guest flow. And ultimately, as
mentioned, we'll supply this for our wired guest or MAB-authenticated users. Save
this portal.
Now, we'll modify one additional setting within the Administration pages and under
Device Portal Management. And we'll modify overall settings for Device Portal
Management. And this is a nice option to add to the overall flow and processing: a
retry URL, and this could be supplied to the Posture Agent on the endpoint side
that it should try this URL once it thinks it's got access. The effect is that this
would be in anticipation as it tries this URL that anticipation that it will get
redirected for some sort of onboarding portal, such as client provision-- in this
case, providing, effectively, a generic Internet destination that the agents will
retry in attempt to reach something, and again, in anticipation of getting
redirected.
OK. We've modified some settings with respect to the posturing service. We'll now
automatically retrieve posture updates from Cisco, which will include new rules and
versioning information with respect to things that we'll be wanting to create
posture policy around. We've also modified general posture settings related to
remediation timer and providing a post-login banner. Then, we've also now modified
the Demo Self-Registration portal to require guest compliance, and provided a retry
URL for agents as part of an onboarding process and portal interaction with ISE.
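As an added illustration, and not Cisco ISE code or configuration, the following is a constructed model of the posture-status transitions the session describes (Unknown while remediating, Not Compliant when the remediation timer expires, the assumed status for agentless endpoints, the posture lease, and the 31-day retention of the last known status), using the values chosen above; the names `PostureGeneralSettings`, `Endpoint`, `on_connect`, `on_agent_report` and `tick` are assumptions of the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN, DAY = timedelta(minutes=1), timedelta(days=1)
T0 = datetime(2024, 1, 1, 8, 0)  # constructed reference time for the scenario


@dataclass
class PostureGeneralSettings:
    """Constructed model of the general settings chosen in the session."""
    remediation_timer: timedelta = 20 * MIN    # raised from the default to 20 minutes
    default_posture_status: str = "Compliant"  # assumed for endpoints without an agent
    posture_lease: timedelta = 0 * DAY         # 0 = assess on every connection
    status_retention: timedelta = 31 * DAY     # last known status kept this long


@dataclass
class Endpoint:
    has_agent: bool
    status: str = "Unknown"
    last_contact: Optional[datetime] = None
    remediation_started: Optional[datetime] = None


def on_connect(ep: Endpoint, s: PostureGeneralSettings, now: datetime) -> str:
    """Endpoint joins the network: apply the assumed status or start an assessment."""
    if not ep.has_agent:                       # no agent: status is only an assumption
        ep.status = s.default_posture_status
        return ep.status
    if (s.posture_lease and ep.last_contact and ep.status == "Compliant"
            and now - ep.last_contact < s.posture_lease):
        return ep.status                       # lease still valid: skip reassessment
    ep.status, ep.remediation_started, ep.last_contact = "Unknown", now, now
    return ep.status


def on_agent_report(ep: Endpoint, compliant: bool, now: datetime) -> str:
    """Agent reports its checks before the remediation timer runs out."""
    ep.status = "Compliant" if compliant else "Not Compliant"
    ep.remediation_started, ep.last_contact = None, now
    return ep.status


def tick(ep: Endpoint, s: PostureGeneralSettings, now: datetime) -> str:
    """Server-side timers: remediation expiry and last-known-status retention."""
    if (ep.status == "Unknown" and ep.remediation_started
            and now - ep.remediation_started >= s.remediation_timer):
        ep.status, ep.remediation_started = "Not Compliant", None
    if ep.last_contact and now - ep.last_contact >= s.status_retention:
        ep.status = "Unknown"                  # no contact for 31 days: state is stale
    return ep.status
```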