Lesson 1 of 6

Posture Assessment Overview

Objective

Understand the ISE posture assessment workflow: how posture checks are initiated, how ISE evaluates compliance, and the difference between compliant and non‑compliant endpoints. This lesson explains the theory and then walks through verification steps you can run in a lab to observe posture behavior. In production, posture assessment is used to ensure endpoints meet security policy (AV installed, AV up to date, OS patches applied) before granting full network access — for example, remediating an endpoint that connects from a guest VLAN before it is allowed into corporate resources.

Topology & Device Table

Network Topology Diagram

Key Concepts (theory before hands-on)

  • Posture assessment flow (high level)

    • When an endpoint connects (for example, via AnyConnect to an ASA), the NAD (ASA) redirects posture‑related traffic to the ISE Posture service. ISE initiates checks (client agent or agentless) and returns a decision (Compliant / Non‑Compliant / Not assessed). Think of ISE as a gate-keeper that inspects endpoint health and returns authorization results that the NAD enforces.
  • Agent vs Agentless & AnyConnect considerations

    • Agents (AnyConnect posture modules, stealth agents, temporal agents) run on the endpoint and provide the most granular checks (OS, installed AV, running processes, remediation). Agentless assessment is lighter and may only identify visible posture attributes. In production, agents allow remediation actions; agentless is used when agent deployment is not possible.
  • Communication ports must be open and correct

    • Posture checks require specific ports to be open between the NAD and ISE. A common failure is TCP/8443 being blocked; without it, posture modules cannot be downloaded and assessments cannot complete. The NAD must be able to reach ISE on the posture service port (commonly TCP/8443 for posture resources).
  • Version parity & updates

    • The posture module version on ISE and the posture resources on the NAD/AnyConnect should be compatible. If ISE has a newer posture package than the ASA can serve, clients may fail to update; ISE supports defer update, but user-initiated updates can break posture if versions mismatch.
  • Protocol behavior: how ISE reports decisions

    • After assessment, ISE writes posture reports and a decision to the Live Logs and the Detailed Authentication / Posture Assessment Report. NAD enforces the returned authorization profile (access allowed, restricted VLAN, redirect for remediation).

Analogy: Think of ISE posture like a customs inspector at an airport — the NAD brings the passenger (endpoint) to the inspector (ISE), the inspector checks documents (AV installed, up to date), then stamps the passport (Compliant/Non‑Compliant). The NAD enforces the outcome (allow into the terminal vs hold for remediation).


Step-by-step configuration (and verification)

We will keep configs minimal: basic IP addressing so devices can communicate, then verify posture connectivity and where to look for posture reports. Each step includes the commands, what they do, why they matter, and verification with expected output.

Step 1: Configure basic IP on ASA outside interface

What we are doing: Bring up the ASA outside interface so the NAD can route to the ISE server and clients. This is required because posture communication (e.g., port 8443) must traverse the network between the ASA and ISE.

enable
configure terminal
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
exit
write memory

What just happened:

  • interface GigabitEthernet0/0 enters interface configuration mode.
  • nameif outside assigns the logical name "outside" used by ASA policies.
  • security-level 0 sets the security level for that interface.
  • ip address 10.1.1.1 255.255.255.0 assigns the interface IP so it can reach the ISE and clients on the same network.
  • no shutdown brings the physical interface up.
  • write memory persists the configuration.

Real-world note: NADs often have multiple interfaces; ensure the interface used to reach ISE is on the correct routing domain and firewalls between NAD and ISE allow posture ports.

Verify:

show interface ip brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.1        YES manual up                    up

Step 2: Configure the Switch SVI (VLAN 10) for client access

What we are doing: Create VLAN 10 SVI so clients and ISE are in the same L2/L3 segment for the lab. Clients use this gateway for their default route to reach ISE/NAD.

enable
configure terminal
vlan 10
 name DATA
interface Vlan10
 ip address 10.1.1.2 255.255.255.0
 no shutdown
exit
interface GigabitEthernet1/0/1
 switchport access vlan 10
 no shutdown
exit
write memory

What just happened:

  • vlan 10 creates VLAN 10.
  • interface Vlan10 creates an SVI and assigns 10.1.1.2/24 to provide L3 reachability for VLAN 10.
  • The physical port is placed into VLAN 10 as an access port so the client can reach the SVI.

Real-world note: In production, SVIs often live on distribution switches or layer‑3 devices; ensure routing is in place between ISE and NAD if they are on separate subnets.

Verify:

show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.1.1.2        YES manual up                    up
GigabitEthernet1/0/1   unassigned      YES manual up                    up

Step 3: Configure ISE server networking (example Linux-style commands)

What we are doing: Assign the ISE PSN a management IP so it is reachable by the NAD and the client. ISE typically runs on an appliance or VM; network must be configured to accept posture requests.

# On ISE VM or appliance console (example Linux commands)
ip addr add 10.1.1.10/24 dev eth0
ip link set dev eth0 up
ip route add default via 10.1.1.1

What just happened:

  • ip addr add sets the ISE IP; ip route add ensures ISE can reach other networks via the ASA gateway if needed. ISE is now reachable by the NAD (ASA) and clients for posture checks.

Real-world note: ISE is typically accessed via a GUI for full configuration (policy sets, posture policies). Networking must be correct before you configure posture in the GUI.

Verify:

# On ISE console
ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:aa:bb:cc brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.10/24 scope global eth0
       valid_lft forever preferred_lft forever

Step 4: Verify NAD (ASA) can reach ISE on posture port TCP/8443

What we are doing: Test TCP connectivity from the ASA (NAD) to ISE on port 8443. This port is commonly used for posture resources and module distribution; if it is blocked, posture assessments will fail or remain in "Pending" on ISE.

enable
ping 10.1.1.10
telnet 10.1.1.10 8443

What just happened:

  • ping verifies basic IP reachability.
  • telnet 10.1.1.10 8443 attempts a TCP handshake to port 8443. A successful telnet connection indicates the port is reachable and not blocked by firewalls or access‑lists.

Real-world note: Many posture failures in production are caused by third‑party firewalls blocking TCP/8443 between NAD and ISE. Check network ACLs and host firewalls.

Verify:

# Expected ping output
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

# Expected telnet output (successful connect)
Trying 10.1.1.10...
Connected to 10.1.1.10.
Escape character is '^]'.

If telnet fails you may see:

Trying 10.1.1.10...
% Connection timed out
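The same reachability test can be scripted from any lab host that runs Python (a client in VLAN 10 or a jump host; the ASA itself cannot run scripts). The following is an added example, not part of this lesson or of ISE; it assumes the lesson's ISE address 10.1.1.10 and classifies the result the way the lesson interprets it: a silent timeout is the ACL/firewall signature behind a posture stuck in "Pending", while a refusal means the host is reachable but nothing listens on 8443.

```python
import socket
import ssl

ISE_POSTURE_PORT = 8443  # posture resources / module distribution port (this lesson)

def check_posture_port(host, port=ISE_POSTURE_PORT, timeout=3.0):
    """Classify reachability of the ISE posture port from this machine.

    'status' in the returned dict is one of:
      'ok'        TCP connect and TLS handshake both succeeded
      'refused'   host answered with RST: reachable, but nothing listens there
      'timeout'   no answer at all: the signature of an ACL/firewall silently
                  dropping TCP/8443 (posture then stays "Pending" on ISE)
      'tls_error' TCP worked but the TLS handshake failed
      'error'     other socket error (DNS, no route, ...)
    """
    result = {"host": host, "port": port, "status": "error", "detail": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        result.update(status="timeout", detail="no SYN/ACK within %.1fs" % timeout)
        return result
    except ConnectionRefusedError:
        result.update(status="refused", detail="TCP RST received")
        return result
    except OSError as exc:
        result["detail"] = str(exc)
        return result
    # Lab ISE nodes usually present a self-signed certificate, so certificate
    # verification is off here: this probes reachability, not trust.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result.update(status="ok", detail="%s, cipher %s" % (tls.version(), tls.cipher()[0]))
    except (ssl.SSLError, OSError) as exc:
        result.update(status="tls_error", detail=str(exc))
    return result

def unused_local_port():
    """A loopback port nothing listens on, to exercise the 'refused' path locally."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(check_posture_port("10.1.1.10"))                      # lab ISE PSN from this lesson
    print(check_posture_port("127.0.0.1", unused_local_port()))  # expect status 'refused'
```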

Step 5: Trigger a posture check from the client and locate the Posture Assessment Report on ISE

What we are doing: Initiate a posture scan from the client (AnyConnect or browser redirect) and then examine ISE Live Logs / Posture Assessment reports to see decisions (Compliant / Non‑Compliant). This demonstrates the full workflow and where to troubleshoot.

Client-side example (Windows PowerShell, using curl to make an HTTPS request to the posture portal; this simulates the client's initial HTTP contact with the portal, not a full posture scan):

# On client (Windows PowerShell). Use curl.exe explicitly: in PowerShell, plain "curl"
# is an alias for Invoke-WebRequest, which does not accept -v.
# Add -k if the lab ISE presents a self-signed certificate the client does not trust.
curl.exe -v https://10.1.1.10:8443/

ISE-side (search for posture reports in logs — example command to list recent log entries):

# On ISE CLI (appliance)
show logging | include Posture

What just happened:

  • The client attempted to contact the posture endpoint on ISE. If an AnyConnect posture module is in use, the client will download posture resources from ISE via the NAD/ASA.
  • ISE logs will contain entries for posture evaluation including the last posture scan time and the decision (Compliant / Non‑Compliant).

Real-world note: Use the Detailed Authentication report and Live Logs in ISE GUI to get the authorization profile name, PSN that performed the auth, and the list of matched posture policies. These GUI reports are often the fastest way to diagnose posture failures.

Verify:

# Expected client curl output (truncated, shows TLS handshake and HTTP response)
* Connected to 10.1.1.10 (10.1.1.10) port 8443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> GET / HTTP/1.1
> Host: 10.1.1.10:8443
> User-Agent: curl/7.55.1
> Accept: */*
< HTTP/1.1 200 OK
< Date: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 1234
< Connection: close
{...HTML body...}
* Closing connection 0

# On ISE CLI expected log snippet indicating posture decision
show logging | include Posture
2024-04-01 12:34:56 Posture Assessment Report: Endpoint 10.1.1.100 scanned at 2024-04-01T12:34:55Z. Decision: COMPLIANT. Matched posture policy: AV-UpToDate.
2024-04-01 12:34:56 Posture Assessment Details: Passed conditions: {Symantec X INSTALLED, Symantec X UP_TO_DATE}; Failed conditions: {}

If the posture remains pending, you may see:

2024-04-01 12:34:56 Posture Assessment Report: Endpoint 10.1.1.100 scanned at 2024-04-01T12:34:55Z. Decision: PENDING. Reason: No posture reports received; check TCP/8443 connectivity.
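As an added example (not part of this lesson or of ISE), the parser below reads log lines in the format shown above, attaches each Details line to the Report line before it, and turns NON-COMPLIANT and PENDING decisions into the action an operator would take. The sample lines are constructed in that same format and are not real ISE output.

```python
import re
# Constructed sample lines in the format this lesson shows for
# "show logging | include Posture" (illustrative, not real ISE output).
SAMPLE_LOG = """\
2024-04-01 12:34:56 Posture Assessment Report: Endpoint 10.1.1.100 scanned at 2024-04-01T12:34:55Z. Decision: COMPLIANT. Matched posture policy: AV-UpToDate.
2024-04-01 12:34:56 Posture Assessment Details: Passed conditions: {Symantec X INSTALLED, Symantec X UP_TO_DATE}; Failed conditions: {}
2024-04-01 12:40:10 Posture Assessment Report: Endpoint 10.1.1.101 scanned at 2024-04-01T12:40:09Z. Decision: NON-COMPLIANT. Matched posture policy: AV-UpToDate.
2024-04-01 12:40:10 Posture Assessment Details: Passed conditions: {Symantec X INSTALLED}; Failed conditions: {Symantec X UP_TO_DATE}
2024-04-01 12:45:00 Posture Assessment Report: Endpoint 10.1.1.102 scanned at 2024-04-01T12:44:58Z. Decision: PENDING. Reason: No posture reports received; check TCP/8443 connectivity.
"""

REPORT_RE = re.compile(
    r"^\S+ \S+ Posture Assessment Report: Endpoint (?P<ip>\S+) scanned at (?P<scan>\S+)\. "
    r"Decision: (?P<decision>[A-Z-]+)\.(?: Matched posture policy: (?P<policy>[^.]+)\.)?"
    r"(?: Reason: (?P<reason>.*?)\.?)?$"
)
DETAILS_RE = re.compile(
    r"^\S+ \S+ Posture Assessment Details: Passed conditions: \{(?P<passed>[^}]*)\}; "
    r"Failed conditions: \{(?P<failed>[^}]*)\}$"
)

def _conditions(text):
    return [c.strip() for c in text.split(",") if c.strip()]

def parse_posture_log(log_text):
    """One record per Report line; the Details line that follows is attached to it."""
    records = []
    for line in log_text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            records.append({"endpoint": m["ip"], "scanned_at": m["scan"],
                            "decision": m["decision"], "policy": m["policy"],
                            "reason": m["reason"], "passed": [], "failed": []})
            continue
        d = DETAILS_RE.match(line)
        if d and records:  # Details always refers to the most recent Report
            records[-1]["passed"] = _conditions(d["passed"])
            records[-1]["failed"] = _conditions(d["failed"])
    return records

def needs_attention(records):
    """Endpoint -> action for NON-COMPLIANT (failed conditions) and PENDING (logged reason)."""
    actions = {}
    for r in records:
        if r["decision"] == "NON-COMPLIANT":
            actions[r["endpoint"]] = "remediate: " + ", ".join(r["failed"])
        elif r["decision"] == "PENDING":
            actions[r["endpoint"]] = "check connectivity: " + (r["reason"] or "no reason logged")
    return actions
```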

Verification Checklist

  • Check 1: ASA outside interface is up and has IP 10.1.1.1 — verify with show interface ip brief on ASA.
  • Check 2: ASA can reach ISE on TCP/8443 — verify with ping 10.1.1.10 and telnet 10.1.1.10 8443 from ASA.
  • Check 3: ISE received a posture scan and logged a decision — verify with ISE Live Logs or show logging | include Posture showing last posture scan time and decision.
  • Check 4: Client initiated posture check and was either marked COMPLIANT or NON‑COMPLIANT — verify client curl output and ISE Posture Assessment Report.

Common Mistakes

  • Symptom: Posture remains in "Pending" on ISE
    Cause: TCP/8443 blocked between NAD and ISE (third‑party firewall or ACL)
    Fix: Open TCP/8443 between NAD and ISE; verify with telnet from NAD to ISE
  • Symptom: Client fails to download posture resources
    Cause: AnyConnect posture package mismatch between ISE and ASA (ASA older)
    Fix: Ensure posture module versions are compatible; update ASA/AnyConnect or configure defer update appropriately
  • Symptom: No packets seen in packet captures between NAD and ISE
    Cause: Switch port misconfiguration or VLAN mismatch; packets not leaving switch
    Fix: Check switch SVI and access port VLAN assignments; verify interfaces are up and not shutdown
  • Symptom: Authentication shows wrong authorization profile name
    Cause: Wrong policy or policy set in ISE, or NAD returned redirect attributes incorrectly
    Fix: Check Detailed Authentication report and the authorization profile name; adjust ISE authorization policy accordingly

Key Takeaways

  • Posture assessment is a critical security control that determines whether an endpoint is allowed full network access — ISE evaluates health and returns decisions that NADs enforce. Remember the customs-inspector analogy.
  • Port connectivity (especially TCP/8443 for posture resources) between NAD and ISE is essential; common production failures are caused by network ACLs or perimeter firewalls blocking this traffic.
  • Agent vs agentless: agents allow deeper checks and remediation; agentless is lighter but limited. Use agents when remediation actions are required in production.
  • Version parity matters: ensure posture modules on ISE and posture resources on the NAD (or AnyConnect) are compatible to avoid failed updates and assessment errors.

Warning: In complex enterprise deployments, posture is only one pillar of ISE. When troubleshooting posture, collect the detailed authentication report, note the PSN that performed the authentication, and examine the Posture Assessment Report timestamp and matched posture policy conditions to form an accurate diagnosis.


This completes Lesson 1: Posture Assessment Overview. In the next lesson we will configure a basic posture policy and map posture results to authorization profiles so endpoints are placed into remediation VLANs when non‑compliant.