When AnyConnect ISE Posture is working and blocking network access as expected, you see "System Scan: Searching for policy server" in the ISE Posture tile of the AnyConnect UI. In the Windows Task Manager or macOS system log, you can see that the process is running. If the service is not running, you see "System Scan: Service is unavailable" in the ISE Posture tile of the System Scan UI.

A network change starts the discovery phase. With AnyConnect ISE Posture, if the default route of the primary interface is changed, it brings the agent back to the discovery process. For example, when Wi-Fi and the primary LAN are connected, the agent restarts discovery. Likewise, if Wi-Fi and the primary LAN are connected but then Wi-Fi becomes disconnected, the agent will not restart discovery.

You may also see the following status messages after "System Scan" in the ISE Posture tile of the AnyConnect UI:

• Limited or no connectivity—No discovery is occurring because you have no connection. The AnyConnect ISE Posture agent may be performing discovery on the wrong endpoint on the network.

• System scan not required on current Wi-Fi—No discovery is occurring because an unsecured Wi-Fi was detected. The AnyConnect ISE Posture agent only starts discovery on the LAN, on the wireless if 802.1X authentication is used, and on the VPN. The Wi-Fi may be unsecured, or you disabled the feature by setting OperateOnNonDot1XWireless to 1 in the agent profile.

• Unauthorized policy server—The host does not match the server name rule of the ISE network so there is limited or no network access.

• The AnyConnect Downloader is performing update...—The downloader is invoked and compares the package versions, downloads the AnyConnect configuration, and performs the necessary upgrades.

• Scanning System...—Scanning for antivirus and antispyware security products has started. If the network is changed during this process, the agent recycles the process of generating the log file, and the status goes back to "No policy server detected."

• Bypassing AnyConnect scan—Your network is configured to use the Cisco NAC agent.

• Untrusted Policy Server Cancelled by the user—When you unblock the connection to untrusted servers in the AnyConnect UI with the System Scan Preferences tab, you receive the AnyConnect Downloader's Security Warning in a popup window. When you click Cancel Connection on this warning page, the ISE Posture tile changes to this status.

• Network Acceptable Use Policy—The access to the network requires that you view and accept the Acceptable Use Policy. Declining the policy may result in limited network access.

• Updating Network Settings—In the ISE UI in Settings > Posture > General Settings, you can specify how many seconds of delay should occur between network transitions.

• Not Compliant. Update time expired.—The time set for remediation has expired.

• Compliant. Network access allowed.—The remediation is complete. The AnyConnect > Scan Summary also shows the status as complete.

• No policy server detected—The ISE network is not found. After 30 seconds, the agent slows down probing. The default network access takes effect.

You may see remediation or user notification popups during the course of script remediation, unless you are running in Linux, which has limited UI. For script remediation to be successful, the fingerprints must be present in AnyConnectLocalPolicy.xml. If you add a fingerprint, it is validated even in a normal posture flow, irrespective of whether script condition or remediation is configured on ISE. You may encounter the following messaging regarding script remediation:

• Remediation cannot be attempted because the script has an invalid hash—Appears in the System Scan Details when there is a hash mismatch of the downloaded script or if the policy sign verification failed.

• The script you are trying to run exits with an error—Appears in the System Scan Details when the script exists with a non-zero exit code. On Windows, it might also be that the execution policy that was configurd does not allow for script execution.

• Remediation was unsuccessful because the script timed out—Appears in the System Scan Details when the script takes longer than the remediation timer to exit. If the script doesn't exit within the remaining remediation timer, AnyConnect stops the script and marks the remediation as failed.

• Remediation cannot be done because you are connected to an untrusted server—Appears in the AnyConnect Details when the endpoint is connected to an untrusted ISE server. Either the server certificate is not marked as trusted in the certificate store or you have no fingerprints configured in AnyConnectLocalPolicy.xml. The fingerprints in the certificate presented by ISE must match the ones configured in AnyConnectLocalPolicy.xml.

You can create and upload a posture condition script for posture checks on an endpoint. The following platforms and script types are supported. The configuration details of adding a script condition are in the Cisco Identity Services Engine Administrator Guide.

• Windows: PowerShell script (.ps1)

• macOS: Shell script (.sh)

• Linux: Shell script (.sh)

Remediation scripts configured to run as administrator/root on macOS and Linux are launched in a separate root environment. User session environmental variables like $HOME and the user-specific $PATH are not inherited; therefore, they should not be used in the script.

AnyConnect ISE Posture module does not support multi homing because its behavior for such scenarios is undefined. For example, when media changes from wired to wireless and them back to wired, the user may see a posture status of compliant from the ISE posture module even though the endpoint is actually in redirect on the wired connection.

For ISE Posture, events are written to the native operating system event logs (Windows Event Log Viewer or macOS system log).

For VPN Posture, any errors and warnings go to syslogs (for non-Windows) and to the event viewer (for Windows). All available messages go to the log files.

The VPN Posture module components provide log outputs based on your operating system, privilege level, and launching mechanism:

• cstub.log—Captures logging when AnyConnect web launch is used.

• libcsd.log—Created by the AnyConnect thread that uses the VPN Posture API. Debugging entries are made in this log depending on the logging level configuration.

• cscan.log—Created by the scanning executable (cscan.exe) and is the main log for VPN Posture. Debugging entries are made in this log depending on the logging level configuration.

For ISE Posture, events are contained in their own subfolder of the installed AnyConnect version, making them easy to isolate from the rest of the AnyConnect events. Each viewer allows the searching of keywords and filtering. The Web Agent events write to the standard application log.

For troubleshooting purposes, the ISE Posture requirement policy and assessment reports are logged, but to a separate, obfuscated file on the endpoint rather than to the event logs. Some log file sizes, such as aciseposture, can be configured by the administrator in the profile; however, the UI log size is predefined.

Whenever a process terminates abnormally, a mini dump file is generated, just as other AnyConnect modules provide.

For VPN Posture, the files are located in the users' home folder in the following directory:

• (Non-Windows)—.cisco/hostscan/log

• (Windows)— C:\Users\<user_name>\AppData\Local\Cisco HostScan\log\cscan.log

An administrator can choose to use the standalone editor to create the posture profile and then upload it to ISE. Otherwise, the embedded posture profile editor is configured in the ISE UI under Policy Elements. When the AnyConnect configuration editor is launched in ISE, it creates the AnyConnect configuration complete with AnyConnect software and its associated modules, profiles, OPSWAT, and any customization. The standalone profile editor for ISE Posture contains the following parameters:

• Agent Behavior

  • Enable signature check—If checked, enables signature checking of executables before the agent runs them.

  • Log file size—The maximum Compliance Module logs file size. The valid values are 5 to 200 Mb.

  • Remediation timer—The time the user has for remediation before being tagged as non-compliant. The valid values are 1 to 300 minutes.

  • Automated DART Count—Determine how many automated DART bundles to collect during failure scenarios.

  • Enable agent log trace—Enables the debug log on the agent.

  • Operate on non-802.1X wireless networks—If checked, enables the agent to operate on non-802.1X wireless networks.

  • Enable posture non-redirection flow—If unchecked, posture non-redirection flow is disabled. Make sure that all the NADs support redirection before you disable.

  • Enable Stealth Mode—Choose whether to enable Stealth Mode which allows posture to run as a service without user intervention.

  • Enable Stealth With Notification—If stealth mode notifications are set to enabled, the end user still gets notification messages when AnyConnect stealth mode is in noncompliant state, has limited network access, has an unreachable server, and so on.

  • Enable Rescan Button—If you want to restart posture (or discovery) after a failure, after manual remediation, or when posture gets stuck (and so on), enable this button so that a Scan Again selection appears in the System Scan tile. You can show or hide the option in the ISE posture profile. When you click Scan Again, the discovery starts, and the entire posture flow is initiated.

    Note	Scan Again is only visible on the tile when the EnableRescan tag is set to 1 in the posture profile. If set to 0, the Scan Again button appears only in the conditions when it used to appear (prior to this option).

    Note	If profile changes occur on the ISE side, the AnyConnect tile reflects the change the next time discovery starts.

  • Disable UAC Popup—Decide whether the Windows User Account Control (UAC) popup appears during policy validation. With the default value (unchecked), the end user continues to be prompted for administrator privileges when connecting. If you enable, end users will not see a Windows User Account Control (UAC) prompt during policy validation. By turning off the UAC prompt, VPN Posture uses a system process for privilege escalation instead of “Run as administrator.” Validate your posture policies on the device where users have local admin rights before disabling the UAC prompt.

  • Backoff Timer Limit—Enter the time up to which AnyConnect sends probes for ISE discovery. Because the probes add more traffic, you should choose a value that is not disruptive to your network.

  • Periodic Probe Interval—Specify a discovery probing interval after the Backoff Timer Limit is crossed. AnyConnect sends the periodic probes with the given interval continuously until a valid ISE server is found. The default is 30 minutes, and after initial rounds of probing, probes are sent in continuous 30 minute intervals. Setting the value to 0 disables periodic probing.

• IP Address Change

  For the optimal user experience, set the values below to our recommendations.

  • VLAN detection interval—Interval at which the agent checks for VLAN changes before refreshing the client IP address. The valid range is 0 to 900 seconds, and the recommended value is 5 seconds. If set to 0, the VLAN detection feature is disabled. When set from 1 to 900, the agent sends an Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP) query every x seconds.

  • Ping or ARP—The method for detecting IP address changes. The choices are Ping (0) to poll using ICMP, Arp (1) to poll using ARP, and Ping then Arp (2) to poll using ICMP first, then ARP if ICMP fails. The recommended setting is to poll using ARP because the default gateway might be configured to block ICMP packets.

  • Maximum timeout for ping—The ping timeout from 1 to 10 seconds.

  • Enable agent IP refresh—Check to enable VLAN change detection.

  • DHCP renew delay—The number of seconds the agent waits after an IP refresh. Configure this value when you have Enable Agent IP Refresh enabled. If this value is not 0, the agent will do an IP refresh during this expected transition. If a VPN is detected during the refresh, the refresh will be disabled. The valid values are 0 to 60 seconds, and the recommended value is 5 seconds. Set this parameter to 0 to disable the feature.

  • DHCP release delay— The number of seconds the agent delays doing an IP refresh. Configure this value when you have Enable Agent IP Refresh enabled. If this value is not 0, the agent will do an IP refresh during this expected transition. If a VPN is detected during the refresh, the refresh will be disabled. The valid values are 0 to 60 seconds, and the recommended value is 5 seconds. Set this parameter to 0 to disable this feature.

  • Network transition delay—The timeframe (in seconds) for which the agent suspends network monitoring so that it can wait for a planned IP change. The recommended value is 5 seconds.

• Posture Protocol

  • Discovery host—Used for Policy Service Node discovery in redirection-based networks. Uses IP or FQDN to determine which server the Network Access Device can perform the redirection to. For standalone profile editors, enter a single host only.

  • Server name rules—A list of wild-carded, comma-separated names that defines the servers to which the agent can connect (such as example1.cisco.com or *.cisco.com).

  • Call Home List—Enter IPs or FQDNs that you want to use for load balancing, monitoring and troubleshooting lookup, or for DNS mapped to the default Policy Service Node (PSN) in that node (if in a multiple scenario). When this is configured, the first probe for monitoring and troubleshooting lookup is sent to call home. You must configure this while migrating from a redirection to a non-redirection network.

  • PRA retransmission time—When a passive reassessment communication failure occurs, this agent retry period is specified. The valid range is 60 to 3600 seconds.

  • Retransmission Delay—Specify the time in seconds to wait before retrying, after a failure occurs performing an HTTP task (GET or POST). The valid range is from 5 to 300 seconds, and the default is 60, accepting only integer values.

  • Retransmission Limit—Specify the number of retries allowed for a message, after a failure occurs performing an HTTP task (GET or POST). The valid range is from 0 to 10, and the default value is 4, accepting only integer values.

VPN Posture, formerly HostScan, and ISE Posture modules both use the OPSWAT framework to secure endpoints.

This framework, that involves both the client and the headend, assists in the assessment of third-party applications on the endpoint. Support charts are provided for each posture method, as recognized by the OPSWAT version used. They contain product and version information for the list of applications.

When there is a mismatch in the version number between the headend (Secure Firewall ASA or ISE) and the endpoint (VPN Posture or ISE posture), the OPSWAT compliance module gets upgraded or downgraded to match the version on the headend. These upgrades/downgrades are mandatory and happen automatically without end user intervention, as soon as a connection to the headend is established.

VPN Posture OPSWAT Support

The HostScan Support Charts correspond to the HostScan package version and provide what works with a Secure Firewall ASA headend.

HostScan is versioned to coordinate with AnyConnect major and maintenance releases. You specify the version when you configure the HostScan package in ASDM at Configuration > Remote Access VPN > Secure Desktop Manager > HostScan Image.

VPN Posture guidelines:

• The version of OPSWAT used in the client and the headend must match.

• All versions of HostScan up through and including 4.3.x use OPSWAT v2. HostScan 4.6x and later use OPSWAT v4. OPSWAT v3 is not supported in any version of HostScan.

ISE Posture OPSWAT Support

AnyConnect Agent Compliance Modules are for the ISE Posture Module.

ISE Agent Compliance Modules version reflects the base OPSWAT version. In ISE posture, the OPSWAT binaries are packaged into a separate installer. You can manually load the OPSWAT library to the ISE headend from the local file system, or configure ISE to obtain it directly using the ISE Update Feed URL.

When using AnyConnect with ISE 2.1 (or later), you can choose to use either OPSWAT v3 or v4 for the ISE Compliance Module. The configuration for antimalware is on the ISE UI at Work Centers > Posture > Posture Elements > Conditions > Antimalware.