Posture Assessment and Compliance
Introduction
Ensuring that every endpoint connecting to your network meets a baseline security standard is one of the most critical responsibilities in enterprise security. Cisco ISE posture assessment provides exactly this capability — it evaluates endpoints for compliance with your organization's security policies before granting full network access. Endpoints that fail the assessment are placed into a restricted state where they can remediate their deficiencies before being re-evaluated.
In this lesson, you will learn how ISE posture assessment works end to end, from initial authentication through compliance checking and remediation. We will cover the posture lifecycle, the two main flow types (redirect and non-redirect), the different agent options available for posture checks, the role of MDM/UEM integration, and best practices for deploying posture in both wired and wireless environments. By the end, you will understand how to design and implement a posture compliance solution that enforces security policy across your network.
Key Concepts
The Posture Lifecycle
ISE posture assessment follows a structured lifecycle with clearly defined steps:
| Step | Phase | Description |
|---|---|---|
| Step 0 | Manual Installation | Pre-install agents or rely on provisioning |
| Step 1 | Authentication | Endpoint authenticates via RADIUS |
| Step 2 | Client Provisioning | ISE provisions the posture agent to the endpoint |
| Step 3 | Posture | Agent performs compliance checks on the endpoint |
| Step 4 | Remediation | Non-compliant endpoints are given time to fix issues |
| Step 5 | CoA (Change of Authorization) | ISE issues a CoA to update the endpoint's access level |
| Step 6 | Final Authorization | Endpoint receives its final authorization policy based on compliance result |
The lifecycle involves several ISE components working together: policy enforcement handles the access decision, endpoints/agents perform the actual checks, posture updates keep compliance definitions current, and remediation servers host the patches or software needed to bring endpoints into compliance.
Posture Flow Types
ISE supports two distinct posture flow types: redirect-based and non-redirect-based. Understanding the difference is essential for proper deployment.
| Attribute | Redirect | Non-Redirect |
|---|---|---|
| Initial Authentication/Authorization | Redirect ACL and URL | ACL/VLAN |
| Client Provisioning Portal (CPP) | Displayed after browsing to any site | Displayed after browsing to the CPP FQDN |
| PSN Discovery | HTTP probes redirect to ISE; previously connected PSNs used as fallback | Uses the "Call Home" list |
| Supported NADs | Cisco Switches, WLCs, and ASAs | Any Cisco or non-Cisco NAD |
| ISEPostureCFG.xml | Endpoints do not need the file pre-deployed | Endpoints need ISEPostureCFG.xml pre-deployed |
The redirect-based flow is the traditional approach where the network access device intercepts HTTP traffic and redirects the endpoint to ISE. The non-redirect-based flow eliminates the redirection requirement entirely, making it compatible with any NAD — including third-party devices that do not support URL redirection.
Posture Agent Types
ISE offers multiple agent options for performing posture assessment. Each provides different levels of capability depending on your security and operational requirements:
- Cisco Secure Client — The full-featured agent supporting all posture checks, remediation, and reassessment on both Windows and macOS
- Secure Client Stealth — A version of Secure Client that operates invisibly to the end user with partial remediation support
- Temporal Agent — A lightweight, on-demand agent that requires no permanent installation; supports partial remediation
- Agentless — Performs posture checks without installing any software on the endpoint; no remediation or reassessment capability
| Capability | Secure Client (Win) | Secure Client (Mac) | Stealth | Temporal Agent | Agentless |
|---|---|---|---|---|---|
| Anti-Malware Checks | Yes | Yes | Yes | Yes | Yes |
| Firewall Installation Checks | Yes | Yes | No | Yes | Yes |
| Application Inventory | Yes | Yes | No | Yes | Yes |
| Hardware Inventory | Yes | Yes | No | Yes | Yes |
| Process Checks | Yes | Yes | Yes | Yes | Yes |
| Dictionary Conditions | Yes | Yes | Yes | Yes | Yes |
| Application Checks | Yes | Yes | No | Yes | Yes |
| USB Checks | Yes | No | No | Yes | No |
| Registry Checks | Yes | N/A | N/A | Yes | N/A |
| Reassessment | Yes | Yes | Yes | Yes | No |
| Remediation | Auto/Manual | Auto/Manual | Partial | Partial Auto | No |
The agent types represent a spectrum of trade-offs. Secure Client provides the most security and protection, temporal agents prioritize user experience by minimizing installation time, and agentless checks focus on visibility with the least operational effort.
Compliance Module
The compliance module is a critical component in posture assessment. It provides the ability to assess an endpoint's compliance status. The compliance module uses the OESIS framework from OPSWAT for detection and remediation of security issues. This module must be downloaded from the software center and uploaded to ISE as part of client provisioning resources.
How It Works
Redirect-Based Posture Flow
The redirect-based posture flow is the most commonly deployed model. Here is how it works step by step:
- Authentication and Authorization — The endpoint connects to the network and authenticates via RADIUS. ISE returns an Access-Accept with a Redirect ACL and a Redirect URL as part of the authorization policy. This only occurs in redirect-based flows.
- Client Provisioning Portal — When the user opens a web browser, the NAD intercepts the HTTP request and redirects it to the ISE Client Provisioning Portal on port 8443. The connection is protected by the portal certificate. ISE performs a session lookup and selects the appropriate client provisioning policy.
- Agent Download — The user downloads the Network Setup Assistant, which in turn provisions Cisco Secure Client onto the endpoint.
- PSN Discovery and Compliance Check — Secure Client discovers the ISE Policy Service Node. An SSL exchange occurs on port 8905/8443. The agent performs the compliance check against the posture policy.
- Session Lookup and Final Authorization — ISE performs a session lookup, evaluates the posture result, and selects the appropriate authorization policy. If compliant, the endpoint receives full network access. If not, the remediation timer begins.
Non-Redirect-Based Posture Flow
In a non-redirect flow, there is no redirection support from the NAD. Instead:
- The endpoint authenticates and receives an ACL or VLAN assignment.
- The endpoint must already have the ISEPostureCFG.xml configuration file pre-deployed.
- The agent uses the Call Home list to discover the PSN rather than relying on HTTP redirect probes.
- The user must manually browse to the Client Provisioning Portal FQDN to trigger provisioning.
This approach works with any NAD, including non-Cisco devices, making it the preferred method in multi-vendor environments.
Posture Lease
Posture lease is a feature that allows ISE to store an endpoint's posture status (Compliant) for up to 365 days. When an endpoint is in posture lease, ISE assigns the authorization policy with a "Compliant" status immediately — without reaching out to the endpoint to re-check compliance.
An important detail: Secure Client is not aware of the lease. To display the proper posture status, PSN discovery is still performed. This discovery is a valid case where redirection does not happen even in a redirect-based environment.
Global Settings
ISE posture global settings control several important behaviors:
- Posture for non-agent devices — Determines what happens when a client does not support posture assessment
- Remediation timer — Sets the time allowed for the user to remediate compliance failures
- Posture lease — Configures how long ISE caches a compliant status
- Agentless plugin — Controls agentless posture behavior
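The following is an added, constructed model of the decision points described in the lifecycle, posture lease and global settings sections; it is not ISE code and the authorization result names (`Posture_Redirect`, `PermitAccess`, `Remediation`, `NonCompliant`), the class and function names, and the timeline in `walkthrough()` are all assumptions made for illustration. It shows how a stored Compliant result inside the lease window lets a reconnecting endpoint skip the re-check, how the lease expiry sends it back through redirect, and how the remediation timer turns a failed check into a Non-Compliant result.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Authorization results are constructed names for this example, not ISE's built-in profile names.
POSTURE_REDIRECT = "Posture_Redirect"   # Redirect ACL + Redirect URL while posture is Unknown
PERMIT_ACCESS = "PermitAccess"          # final authorization for a Compliant endpoint
REMEDIATION_ACCESS = "Remediation"      # restricted access while the remediation timer runs
NON_COMPLIANT_ACCESS = "NonCompliant"   # result once the remediation timer has expired

DAY = 86400
MINUTE = 60


@dataclass
class PostureGlobals:
    remediation_timer_min: int = 4   # minutes the user gets to fix failed checks
    lease_days: int = 0              # 0 disables the lease; ISE allows up to 365


@dataclass
class EndpointState:
    last_compliant_s: Optional[float] = None      # when the last Compliant result was stored
    noncompliant_since_s: Optional[float] = None  # start of the current remediation window


class PostureDecisionModel:
    """Toy model of the ISE decision points in the posture lifecycle (constructed, not ISE code)."""

    def __init__(self, cfg: PostureGlobals) -> None:
        self.cfg = cfg
        self.endpoints: Dict[str, EndpointState] = {}

    def _state(self, mac: str) -> EndpointState:
        return self.endpoints.setdefault(mac, EndpointState())

    def lease_valid(self, mac: str, now_s: float) -> bool:
        """Only a stored Compliant result is leased, and only for lease_days."""
        st = self._state(mac)
        if self.cfg.lease_days <= 0 or st.last_compliant_s is None:
            return False
        return now_s - st.last_compliant_s < self.cfg.lease_days * DAY

    def on_authenticate(self, mac: str, now_s: float) -> str:
        """Step 1: RADIUS authentication. With a valid lease ISE skips the re-check and
        authorizes as Compliant; otherwise posture is Unknown and the endpoint is redirected."""
        if self.lease_valid(mac, now_s):
            return PERMIT_ACCESS
        return POSTURE_REDIRECT

    def on_posture_result(self, mac: str, compliant: bool, now_s: float) -> str:
        """Steps 3-6: the agent reports, ISE issues CoA and selects the final authorization."""
        st = self._state(mac)
        if compliant:
            st.last_compliant_s = now_s
            st.noncompliant_since_s = None
            return PERMIT_ACCESS
        if st.noncompliant_since_s is None:
            st.noncompliant_since_s = now_s
        return REMEDIATION_ACCESS

    def on_remediation_timer(self, mac: str, now_s: float) -> Optional[str]:
        """Step 4: once the remediation timer expires without a Compliant report,
        the endpoint is treated as Non-Compliant (constructed outcome name)."""
        st = self._state(mac)
        if st.noncompliant_since_s is None:
            return None
        if now_s - st.noncompliant_since_s >= self.cfg.remediation_timer_min * MINUTE:
            return NON_COMPLIANT_ACCESS
        return None


def walkthrough() -> List[Optional[str]]:
    """Constructed timeline: one endpoint, 30-day lease, 4-minute remediation timer."""
    model = PostureDecisionModel(PostureGlobals(remediation_timer_min=4, lease_days=30))
    mac = "00:11:22:33:44:55"  # constructed endpoint MAC
    t0 = 0.0
    return [
        model.on_authenticate(mac, t0),                 # Unknown -> redirect to CPP
        model.on_posture_result(mac, False, t0 + 60),   # check fails -> remediation access
        model.on_remediation_timer(mac, t0 + 120),      # timer still running -> None
        model.on_posture_result(mac, True, t0 + 180),   # fixed -> permit, Compliant stored
        model.on_authenticate(mac, t0 + 10 * DAY),      # reconnect inside lease -> permit, no re-check
        model.on_authenticate(mac, t0 + 31 * DAY),      # lease expired -> redirect again
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Note that the model stores only a Compliant result for the lease, matching the text: a Non-Compliant endpoint is never leased, and after the lease window the endpoint goes back through client provisioning and posture like a new session.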
Configuration Example
Redirect Best Practices — Wired
For wired deployments using redirect-based posture, the following switch configuration elements are critical:
```
! Enable HTTP server on the switch (default port 80)
ip http server
! Enable IP Device Tracking (critical for ACL application)
ip device tracking
! Ensure an SVI exists in the client subnet
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
```
Important: IP Device Tracking (IPDT) must be enabled. It is a critical component for applying ACLs, and it is required for multi-domain and multi-auth deployments. Without IPDT, redirect ACLs will not function correctly.
Best Practice: An SVI in the client subnet should be configured on the switch. Without it, traffic flow between the client and the switch must be planned very carefully to ensure redirection works.
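As an added example (not part of the lesson and not a Cisco tool), the script below checks a saved IOS running-config for the three wired redirect prerequisites listed above: `ip http server`, `ip device tracking`, and an SVI whose address falls inside the client subnet. The config text is constructed, and the function names are the author's own. It also reports `ip http secure-server`, which the page does not mention but which the switch needs to intercept HTTPS as well as HTTP requests.

```python
import ipaddress
import re
from typing import Dict

# Constructed IOS running-config excerpt used as sample input (not a real device's config).
SAMPLE_CONFIG = """\
hostname access-sw1
ip http server
ip device tracking
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 shutdown
!
"""


def parse_svis(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each 'interface VlanN' that carries an IP address to its configured address/mask."""
    svis: Dict[str, ipaddress.IPv4Interface] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Vlan\d+)\s*$", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("interface "):
            current = None          # physical or other interface: not an SVI
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)\s*$", line)
        if m and current:
            svis[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return svis


def check_redirect_prereqs(config: str, client_subnet: str) -> Dict[str, bool]:
    """Return a pass/fail map for the wired redirect prerequisites on a given client subnet."""
    lines = {ln.strip() for ln in config.splitlines()}
    subnet = ipaddress.IPv4Network(client_subnet)
    svi_in_subnet = any(svi.ip in subnet for svi in parse_svis(config).values())
    return {
        # Redirect relies on the switch answering the client's HTTP request itself.
        "ip_http_server": "ip http server" in lines and "no ip http server" not in lines,
        # Needed for HTTPS redirection; not listed on the page, added here as a known requirement.
        "ip_http_secure_server": "ip http secure-server" in lines,
        # IPDT binds the client IP to the session so the redirect ACL can be applied.
        "ip_device_tracking": "ip device tracking" in lines,
        # An SVI inside the client subnet keeps the redirect path on the switch itself.
        "svi_in_client_subnet": svi_in_subnet,
    }


if __name__ == "__main__":
    for name, ok in check_redirect_prereqs(SAMPLE_CONFIG, "10.10.10.0/24").items():
        print(f"{name:24s} {'OK' if ok else 'MISSING'}")
```

On newer IOS-XE releases the legacy `ip device tracking` command is replaced by the SISF `device-tracking` policy commands, so the `ip_device_tracking` check should be extended to look for an attached device-tracking policy on the access ports before it is used against those platforms.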
Redirect Best Practices — Wireless
For wireless deployments, the WLC must be configured with these settings:
```
! Enable AAA override on the WLAN
config wlan aaa-override enable <wlan-id>
! Set NAC type to ISE NAC
config wlan nac radius <wlan-id>
```
Important: AAA override must be enabled to allow the WLC to apply the Redirect ACL and Redirect URL to the client. Without the NAC setting configured to RADIUS NAC/ISE, CoA will not be supported for the WLAN, preventing the application of redirect attributes.
Client Provisioning Resources
Client provisioning requires configuring several resources in ISE:
- Secure Client packages — Some agents must be downloaded from the software center and uploaded manually to ISE
- Secure Client Profile — Defines agent behavior and settings
- Compliance Module — The OPSWAT-based module for endpoint compliance assessment
- Client Provisioning Policy — Ties the resources together and determines which endpoints receive which agent
Real-World Application
MDM/UEM Integration
In enterprise environments, organizations typically deploy a UEM (Unified Endpoint Management) or MDM (Mobile Device Management) service alongside ISE. ISE integrates with MDM servers to query device compliance status and incorporate that information into authorization decisions.
The MDM integration uses API-based queries. ISE supports two API versions:
MDM V2 API queries devices based on MAC address via the Calling-Station-ID from the RADIUS Access-Request. The MDM server returns attributes including:
| Attribute | Description |
|---|---|
| DeviceComplianceStatus | Whether the device meets MDM policy |
| DiskEncryptionStatus | Encryption state of the device |
| JailBroken | Whether the device is jailbroken/rooted |
| PinLockStatus | Whether a PIN/passcode is configured |
| DeviceRegistrationStatus | MDM enrollment state |
| DaysSinceLastCheckin | Time since last MDM check-in |
| Manufacturer / Model / OsVersion | Device hardware and software details |
A known limitation of the V2 API is its dependency on MAC addresses. This causes issues with MAC randomization, docking stations, dongles, and endpoints roaming between wired and wireless networks where the MAC may not match.
MDM V3 API (available in ISE 3.1 and later) resolves this by supporting queries based on GUID, UDID, device ID, or MAC address. The identifier is extracted from the certificate CN or SAN field. The suggested format for the identifier in the CN/SAN is:
`ID:<UEM-Vendor-Name>:GUID:<ID>`
For example: `ID:Intune:GUID:1234567890`
This flexible identification method eliminates the MAC dependency issues that affected V2 deployments.
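The following added example (the author's own illustration, not ISE or any MDM vendor's code) shows why the V3 identifier format helps. It parses the `ID:<vendor>:<type>:<value>` string from a certificate CN or SAN entry and, when no usable V3 identifier is present, falls back to the V2 MAC lookup derived from Calling-Station-ID, flagging a locally administered MAC (the bit that randomized MACs set) as an unreliable key. The type tokens other than `GUID`, the function names, and the sample certificate names and MACs are assumptions.

```python
import re
from typing import Dict, List, Optional

# Identifier types the page lists for V3 (GUID, UDID, device ID, MAC); the exact token
# spellings other than GUID are assumed here for the example.
SUPPORTED_ID_TYPES = {"GUID", "UDID", "DEVICEID", "MAC"}

# ID:<UEM-Vendor-Name>:<type>:<value>, e.g. ID:Intune:GUID:1234567890
ID_PATTERN = re.compile(r"^ID:(?P<vendor>[A-Za-z0-9_.-]+):(?P<idtype>[A-Za-z]+):(?P<value>[^:\s]+)$")


def parse_v3_identifier(name: str) -> Optional[Dict[str, str]]:
    """Parse one CN or SAN string; return None if it is not a well-formed MDM V3 identifier."""
    m = ID_PATTERN.match(name.strip())
    if not m:
        return None
    idtype = m.group("idtype").upper()
    if idtype not in SUPPORTED_ID_TYPES:
        return None
    return {"vendor": m.group("vendor"), "type": idtype, "value": m.group("value")}


def normalize_mac(calling_station_id: str) -> str:
    """Reduce any RADIUS Calling-Station-ID spelling (AA-BB-.., aa:bb:.., aabb.cc..) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits.lower()


def is_locally_administered(mac12: str) -> bool:
    """True when bit 1 of the first octet is set; OS-level MAC randomization sets this bit."""
    return int(mac12[0:2], 16) & 0x02 != 0


def select_mdm_lookup_key(calling_station_id: str, cert_names: List[str], v3_enabled: bool = True) -> Dict[str, Optional[str]]:
    """Choose the key ISE would send to the MDM: a V3 certificate identifier when available,
    otherwise the V2 MAC lookup. The 'warning' field is this example's own addition."""
    if v3_enabled:
        for name in cert_names:
            parsed = parse_v3_identifier(name)
            if parsed:
                return {"api": "v3", "warning": None, **parsed}
    mac = normalize_mac(calling_station_id)
    warning = None
    if is_locally_administered(mac):
        warning = "locally administered (possibly randomized) MAC; V2 lookup may not match the MDM record"
    return {"api": "v2", "vendor": None, "type": "MAC", "value": mac, "warning": warning}


if __name__ == "__main__":
    # Constructed sessions: the first carries a V3 identifier in the SAN, the second has only a randomized MAC.
    print(select_mdm_lookup_key("DA-1B-2C-3D-4E-5F", ["user@example.com", "ID:Intune:GUID:1234567890"]))
    print(select_mdm_lookup_key("DA-1B-2C-3D-4E-5F", ["user@example.com"]))
```

The second sample session is the docking-station or MAC-randomization case from the text: with V3 disabled or no identifier in the certificate, the only key left is a MAC that the MDM may never have recorded, which is exactly the mismatch the V3 identifier avoids.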
TC-NAC Integration
Beyond posture and MDM, ISE also supports TC-NAC (Threat-Centric Network Access Control) for enhanced compliance. TC-NAC integrates threat and vulnerability data into access decisions, providing an additional layer of security beyond traditional posture checks.
Design Considerations
- Use redirect-based posture when your NADs are all Cisco devices that support URL redirection
- Use non-redirect-based posture in multi-vendor environments or when redirection is not feasible
- Deploy posture lease to reduce repeated compliance checks for endpoints that reconnect frequently — lease duration can be set up to 365 days
- Choose the appropriate agent type based on your balance of security requirements versus user experience
- Integrate with your organization's MDM/UEM platform and prefer the V3 API (ISE 3.1+) to avoid MAC-based query limitations
Summary
- Posture assessment follows a six-step lifecycle: authentication, client provisioning, posture check, remediation, CoA, and final authorization
- ISE supports redirect and non-redirect posture flows — redirect requires Cisco NADs while non-redirect works with any vendor
- Agent options range from full Secure Client (maximum security) through temporal and agentless (maximum convenience), each with different check and remediation capabilities
- Posture lease caches compliant status for up to 365 days, allowing immediate authorization without re-checking the endpoint
- MDM V3 API (ISE 3.1+) eliminates MAC address dependencies by using certificate-based identifiers (GUID/UDID), solving issues with MAC randomization and roaming
In the next lesson, we will explore advanced authorization policies and how posture results integrate with ISE policy sets to deliver differentiated network access.