Continuous Posture Assessment
Objective
In this lesson you will configure continuous posture assessment on Cisco ISE: enable periodic reassessment, configure the posture lease behavior, and apply acceptable-use constraints that take effect during the posture lease. Continuous posture assessment ensures endpoints remain compliant not only at initial access but throughout the session — critical for laptops that move between trusted and untrusted networks or for long-lived VPN sessions.
In production, continuous posture is used when endpoints must be continuously validated (for example, in financial or healthcare environments). If an antivirus update becomes outdated or a required process stops, ISE can trigger remediation or quarantine mid-session rather than waiting for the next login.
Quick Recap
This lab continues from the Lesson 1 topology. No new devices are added for this lesson; we will update posture settings on the ISE node and the AnyConnect/ASA posture delivery behavior already present in the topology.
Topology (from Lesson 1, unchanged — showing only relevant systems/IPs used in this lesson):
ASCII Topology
+-------------------------------+
| ISE-Primary                   |
| hostname: ise.lab.nhprep.com  |
| Management IP: 10.1.1.10      |
+---------------+---------------+
                |
                | 10.1.1.0/24
                |
+---------------+---------------+
| ASA-VPN                       |
| hostname: asa.lab.nhprep.com  |
| Inside IP: 10.1.1.1           |
+---------------+---------------+
                |
                | (VPN tunnel)
                |
+---------------+---------------+
| Endpoint (VPN)                |
| IP: 10.1.10.100               |
| Client: pc1.lab.nhprep.com    |
+-------------------------------+
Device Table
| Device | Hostname | Management IP | Notes |
|---|---|---|---|
| ISE Primary | ise.lab.nhprep.com | 10.1.1.10 | ISE PAN — posture services configured here |
| ASA | asa.lab.nhprep.com | 10.1.1.1 | AnyConnect posture provisioning and VPN gateway |
| Endpoint | pc1.lab.nhprep.com | 10.1.10.100 | Remote client using AnyConnect |
Tip: Use the username admin and password Lab@123 when prompted for ISE GUI access during this lab.
Key Concepts (Theory and Practical)
Before we configure, understand these core behaviors:
- Posture Lease — Think of the posture lease as a rental agreement for an endpoint's compliance state. When a posture assessment succeeds, ISE grants a lease (time period) during which the endpoint is considered compliant. When the lease expires, ISE can trigger reassessment or change authorization. In production, leases balance frequent checks (security) against performance/UX (fewer interruptions).
- Periodic Reassessment (Continuous Posture) — During the lease, ISE can perform scheduled reassessments (periodic checks) to validate that posture has not regressed. For agent-based (AnyConnect) posture, reassessments are initiated by the posture client on the endpoint and the ISE posture service validates the checks. For agentless posture, ISE relies on the last-known posture until re-evaluation is possible.
- Agent vs Agentless Behavior — When an agent (AnyConnect or AC Stealth) is present, ISE can push remediation and request reassessments proactively. Agentless posture relies on network-based checks and may use posture lease and last-known-state semantics when the endpoint cannot be contacted.
- Acceptable Use & Enforcement During Lease — While a lease is active, ISE can apply policies (e.g., allow network access but restrict internet, or place the endpoint in a remediation VLAN). In production, acceptable-use enforcement ensures that partially compliant devices receive constrained network access (e.g., allow only remediation servers).
- Version Coordination (AnyConnect vs ISE) — If ISE references an AnyConnect compliance module version not present on the ASA/portal, the agent may not be updatable over VPN. In production, coordinate AnyConnect and ASA images to ensure agent updates are possible.
Step-by-step configuration
Step 1: Configure Posture Global Settings (enable Posture Lease and Reassessment)
What we are doing: Enable posture lease behavior and set a periodic reassessment interval in ISE Global Settings. This determines how long a successful posture result is considered valid and how often ISE will request reassessment.
# ISE GUI navigation represented as commands (perform in ISE Web GUI)
# Log in to ISE GUI
# Administration -> Posture -> Settings -> Global Settings
# Configure:
# - Posture Lease: Enabled
# - Posture Lease Duration: 3600 seconds
# - Periodic Reassessment Interval: 900 seconds
# (These are GUI actions; confirm changes and click Save)
What just happened: Enabling the posture lease instructs ISE to attach a lease timestamp to each successful posture result. Setting the lease duration to 3600 seconds (1 hour) means endpoints remain "compliant" for one hour unless a reassessment detects noncompliance. A periodic reassessment interval of 900 seconds (15 minutes) tells the posture client or posture engine to initiate reassessments every 15 minutes during the lease.
Real-world note: Shorter reassessment intervals increase security (faster detection) but can cause endpoint battery/network churn. For roaming laptops a 10–30 minute interval is common.
Verify:
# Verify via ISE GUI: Administration -> Posture -> Settings -> Global Settings
# Expected GUI summary output (textual representation):
Posture Global Settings:
Posture Lease: Enabled
Posture Lease Duration (seconds): 3600
Periodic Reassessment Interval (seconds): 900
Use Agentless Posture Lease: Enabled
Last Modified By: admin
Last Modified On: 2026-04-02 10:15:00 UTC
Step 2: Configure AnyConnect Agent Provisioning Behavior (ensure agent supports reassessment)
What we are doing: Ensure the ASA has the AnyConnect package and is configured to allow the posture/agent to perform periodic reassessments. If the ASA lacks the expected AnyConnect package version, agent updates may fail and reassessment might not work.
# On ASA (CLI)
enable
show version
# Check AnyConnect package(s) available
show running-config webvpn
show webvpn anyconnect image
# If necessary, upload AnyConnect package and bind to group-policy
# Example commands to place an image (file upload done via ASDM or TFTP)
webvpn
anyconnect image disk0:/anyconnect-win-4.x.x-k9.pkg 1
exit
# Verify image is bound to group-policy
show running-config group-policy
What just happened: show version and show webvpn anyconnect image let you confirm the ASA supports the AnyConnect version that matches the compliance module used by ISE. Uploading the AnyConnect package to the ASA allows ISE-driven agent provisioning to succeed so that the agent can perform periodic reassessments. Binding the image to a group-policy ensures endpoints receive the agent when connecting.
Real-world note: In some deployments ISE will reference a newer AnyConnect compliance module than the ASA supports — the endpoint cannot update the agent while tunneled, and posture over VPN may fail. Coordinate AnyConnect package versions between ISE and ASA.
Verify:
# Output examples (complete expected output)
show webvpn anyconnect image
disk0:/anyconnect-win-4.10.01047-k9.pkg sequence-number: 1
label: anyconnect-win-4.10
size: 24576000
description: AnyConnect Win pkg 4.10
Step 3: Create/Adjust Posture Policies to use Reassessment and Lease
What we are doing: Update the posture policy to permit reassessment actions and set what enforcement happens if reassessment fails (e.g., change authorization to quarantine profile).
# ISE GUI navigation represented as commands (perform in ISE Web GUI)
# Policy -> Posture -> Posture Policies -> Edit existing policy "Corporate-Posture-Policy"
# In the policy:
# - Under "Posture Assessment" enable "Periodic Reassessment"
# - Under "Enforcement" set "Non-Compliant Action" to "Change Authorization"
# - Map Non-Compliant to authorization profile "Remediation-Only"
# Save changes
What just happened: The posture policy now explicitly allows ISE to trigger periodic reassessments during the lease. If a reassessment fails, ISE will change the session's authorization to the defined profile (e.g., "Remediation-Only") which can restrict access to remediation servers. This ensures continuous enforcement during a user session.
Real-world note: Use a staged enforcement strategy: initially limit internet and allow remediation portals, then escalate to complete isolation only if remediation cannot proceed.
Verify:
# Verify via ISE GUI Policy -> Posture -> Posture Policies
# Expected Policy summary (textual)
Posture Policy: Corporate-Posture-Policy
Periodic Reassessment: Enabled
Reassessment Interval inherited from Global Settings: 900 seconds
Non-Compliant Action: Change Authorization
Non-Compliant Authorization Profile: Remediation-Only
Compliance Module: OPSWAT_OESIS_v3.2
Last Modified By: admin
Last Modified On: 2026-04-02 10:30:00 UTC
Step 4: Configure Posture Lease Behavior for Agentless Clients
What we are doing: Adjust agentless posture lease handling so that when an endpoint cannot be actively assessed, ISE will use last-known-state for a limited period and then require reassessment.
# ISE GUI (Administration -> Posture -> Settings -> Agentless)
# Configure:
# - Use Last Known Posture State: Enabled
# - Last Known State Validity: 1800 seconds
# - Posture Lease for Agentless: Enabled
# Save changes
What just happened: For agentless endpoints, ISE will accept the last-known posture result for 1800 seconds (30 minutes). This avoids forcing the user to re-authenticate immediately if ISE cannot contact the endpoint, but it limits the window to reduce security exposure. After 30 minutes, ISE will require an updated posture check.
Real-world note: Agentless posture is useful for unmanaged devices or BYOD scenarios where installing an agent is impossible. However, it relies on network-based signals and should use shorter leases for high-security contexts.
Verify:
# Expected GUI confirmation
Agentless Posture Settings:
Use Last Known State: Enabled
Last Known State Validity (seconds): 1800
Posture Lease for Agentless: Enabled
Step 5: Test Reassessment Flow from an Endpoint
What we are doing: From the endpoint, trigger a posture reassessment (or wait for the periodic interval) and observe the action ISE enforces if a check fails, validating the lease and reassessment behavior.
# On endpoint (AnyConnect posture client)
# Force reassessment using the client UI or wait 900 seconds (periodic)
# Example client action: AnyConnect -> Preferences -> Force Reassessment
# On ASA/ISE, monitor session state
# On ISE CLI (or GUI) check live sessions and posture state
# GUI: Operations -> RADIUS -> Live Logs -> Filter by client IP 10.1.10.100
# CLI-like textual expected output:
Live Log Entry:
Time: 2026-04-02 10:45:00 UTC
Client IP: 10.1.10.100
Endpoint Hostname: pc1.lab.nhprep.com
Posture Result: NON-COMPLIANT
Action Taken: Authorization changed to Remediation-Only
Posture Lease Expiry: 2026-04-02 11:15:00 UTC
What just happened: The endpoint either initiated the reassessment or ISE did so through the posture client. The check failed; ISE immediately changed the session's authorization to the remediation profile. This validates that periodic reassessment can detect regression and apply enforcement mid-session.
Real-world note: During an actual incident (e.g., AV process stopped), rapid reassessment and authorization change can prevent lateral movement by restricting the endpoint to remediation-only resources.
Verify:
# Expected Live Log lines (complete)
Live Log:
SessionID: 7f3b-12a4-9cde
Client IP: 10.1.10.100
Username: user1@lab.nhprep.com
Authentication Type: VPN
Posture Status: Non-Compliant
Enforcement Action: Change Authorization -> Remediation-Only
Event Details:
- Reassessment initiated by client at 2026-04-02 10:44:59 UTC
- Compliance Module reported: Antivirus not running
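To see how the timers from Steps 1 and 4 and the enforcement from Step 3 interact over one session, the following added model replays the Step 5 timeline in code. It is an illustration written for this lesson, not Cisco ISE code; the "Corporate-Access" and "Reassessment-Required" names are assumed placeholders, while the 3600/900/1800-second values and the Remediation-Only profile come from the lab.

```python
# Added model of the posture lease / reassessment timeline from Steps 1, 3 and 4.
# Not Cisco ISE code; profile names other than Remediation-Only are assumed.
from dataclasses import dataclass, field

LEASE_SECONDS = 3600            # Posture Lease Duration (Step 1)
REASSESS_SECONDS = 900          # Periodic Reassessment Interval (Step 1)
AGENTLESS_VALID_SECONDS = 1800  # Last Known State Validity (Step 4)
FULL_ACCESS = "Corporate-Access"             # assumed compliant profile name
REMEDIATION = "Remediation-Only"             # Non-Compliant profile (Step 3)
REASSESS_REQUIRED = "Reassessment-Required"  # model state: last-known state expired

@dataclass
class Session:
    agent: bool               # True = AnyConnect posture client present
    lease_start: int = 0      # time (s) of the last successful posture result
    authz: str = FULL_ACCESS
    history: list = field(default_factory=list)

def reassessment_schedule(lease_start: int = 0) -> list:
    """Periodic reassessments inside one lease window; the lease itself expires at +3600."""
    return [lease_start + k * REASSESS_SECONDS
            for k in range(1, LEASE_SECONDS // REASSESS_SECONDS)]

def lease_active(s: Session, t: int) -> bool:
    return t - s.lease_start < LEASE_SECONDS

def apply_event(s: Session, t: int, result: str) -> str:
    """Apply one posture result at time t; returns the authorization in force afterwards.
    result is 'compliant', 'non-compliant' or, for agentless sessions, 'unreachable'."""
    if result == "compliant":
        s.lease_start, s.authz = t, FULL_ACCESS   # fresh lease granted
    elif result == "non-compliant":
        s.authz = REMEDIATION                     # CoA to the Non-Compliant profile
    elif result == "unreachable":
        if s.agent:
            raise ValueError("agent-based sessions are reassessed by the client")
        if t - s.lease_start > AGENTLESS_VALID_SECONDS:   # Step 4 window exceeded
            s.authz = REASSESS_REQUIRED
    else:
        raise ValueError(f"unknown result {result!r}")
    s.history.append((t, result, s.authz))
    return s.authz

def step5_scenario() -> Session:
    """Agent session: two clean reassessments, then the AV check fails (Step 5 log)."""
    s = Session(agent=True)
    for t, r in [(0, "compliant"), (900, "compliant"), (1800, "compliant"),
                 (2700, "non-compliant")]:
        apply_event(s, t, r)
    return s
```

With the lab values, three periodic reassessments (at +900, +1800 and +2700 seconds) fit inside one lease before it expires at +3600, and a single failed reassessment moves the session to Remediation-Only without waiting for that expiry.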
Verification Checklist
- Check 1: Posture Global Settings are enabled and show Lease Duration = 3600 and Reassessment Interval = 900. Verify via Administration -> Posture -> Settings -> Global Settings (see Step 1 verification).
- Check 2: ASA hosts the required AnyConnect image and it is bound to group-policy. Verify with show webvpn anyconnect image (see Step 2 verification).
- Check 3: Posture Policy has Periodic Reassessment enabled and Non-Compliant action is set to a remediation authorization profile. Verify via Policy -> Posture -> Posture Policies (see Step 3 verification).
- Check 4: Agentless last-known-state validity is set to 1800 seconds. Verify via Administration -> Posture -> Settings -> Agentless (see Step 4 verification).
- Check 5: A triggered reassessment for client 10.1.10.100 resulted in Non-Compliant and a Change Authorization action. Verify via Operations -> RADIUS -> Live Logs (see Step 5 verification).
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| Periodic reassessment does not occur | Posture Global Settings have reassessment disabled or interval set to 0 | Enable periodic reassessment in Administration -> Posture -> Settings -> Global Settings and set a valid interval |
| Endpoint remains allowed despite reassessment failure | Posture policy Enforcement action not configured for Non-Compliant | Edit Posture Policy to set Non-Compliant Action to Change Authorization and map to remediation profile |
| AnyConnect agent not provisioned during VPN | ASA missing matching AnyConnect image for the compliance module | Upload correct AnyConnect package to ASA and bind it to the group-policy used by VPN users |
| Agentless endpoints never re-evaluated after lease expiry | Agentless last-known-state validity set too long or device unreachable | Reduce Last Known State Validity and ensure network paths to posture services are available |
| Reassessment causes excessive battery/network usage | Reassessment interval too short | Increase Periodic Reassessment Interval to balance security and UX (e.g., 900–1800 seconds) |
Key Takeaways
- The posture lease defines how long an endpoint’s compliance state is trusted. Shorter leases increase security; longer leases reduce churn.
- Periodic reassessment enables continuous enforcement during an active session. Configure an interval appropriate to device type and risk profile.
- Ensure AnyConnect and ASA versions are coordinated so agent-based reassessment and agent updates work over VPN.
- Use agentless last-known-state carefully — it provides usability for unmanaged devices but must have limited validity to reduce risk.
- In production, prefer a staged enforcement model: allow remediation access first, escalate to quarantine only if remediation fails.
Warning: Overly aggressive reassessment intervals or too-strict enforcement without remediation options can disrupt users. Always test policies in a controlled environment with representative endpoints before wide rollout.
End of Lesson 6 — Continuous Posture Assessment.