Posture Architecture and Flow
Policy Manager supports two types of posture checking: posture policies and audit servers.
Policy Manager supports four preconfigured posture plug-ins for Windows, one plug-in for Linux, and one plug-in for macOS. Administrators can configure rules against these policies that test for specific attributes of client health and correlate the results to return application posture tokens for processing by enforcement policies.
A service can be configured without any posture policy.
Audit servers provide posture checking for unmanageable devices, such as devices lacking adequate posture agents or supplicants. In the case of such clients, the audit server’s post-audit rules map clients to roles.
Policy Manager supports two types of audit servers:
: Primarily used to derive roles from post-audit rules.
: Primarily used for vulnerability scans (and, optionally, post-audit rules).
Figure 1 Posture Evaluation Process
Assessing Client Consistency
ClearPass Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
Operating system version/type
Registry keys/services present (or absent)
Antivirus or firewall configuration
Patch level of software components
Peer-to-Peer (P2P) application checks
Services to be running or not running
Processes to be running or not running
Each configured health check returns an application token representing health:
Healthy. Client is compliant: there are no restrictions on network access.
Checkup. Client is compliant; however, there is an update available. This can be used proactively to remediate to a healthy state.
Transient. Client evaluation is in progress; typically associated with auditing a client. The network access granted is interim.
Quarantine. Client is out of compliance; restrict network access so the client only has access to the remediation servers.
Infected. Client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.
Unknown. The posture token of the client is unknown.
Upon completion of the configured posture checks, Policy Manager evaluates all application tokens and calculates a system token, equivalent to the most restrictive rating for all returned application tokens. The system token provides the health posture component for input to the enforcement policy.
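The "most restrictive rating" aggregation described above can be sketched as follows. This is an added example, not Policy Manager code. It assumes the tokens rank from least to most restrictive in the order they are listed above, treats Unknown and any unrecognized or missing result as most restrictive (fail closed), and uses hypothetical health-check names.

```python
from enum import IntEnum

class Token(IntEnum):
    # Assumed ranking, least to most restrictive, following the order the
    # page lists the tokens in. Placing UNKNOWN last is a fail-closed
    # assumption, not something the page states.
    HEALTHY = 0
    CHECKUP = 1
    TRANSIENT = 2
    QUARANTINE = 3
    INFECTED = 4
    UNKNOWN = 5

def parse_token(name):
    """Map a reported token name to Token; unrecognized names become UNKNOWN."""
    try:
        return Token[name.strip().upper()]
    except (KeyError, AttributeError):
        return Token.UNKNOWN

def system_token(app_tokens):
    """Return the most restrictive token among all health-check results.

    app_tokens maps a health-check name to the token name it returned.
    An empty mapping (no posture result at all) yields UNKNOWN (assumption).
    """
    if not app_tokens:
        return Token.UNKNOWN
    return max(parse_token(t) for t in app_tokens.values())

def offending_checks(app_tokens):
    """List the checks whose token equals the system token (what to remediate)."""
    worst = system_token(app_tokens)
    return sorted(c for c, t in app_tokens.items() if parse_token(t) == worst)

# Constructed sample results; the check names are hypothetical.
SAMPLE = {
    "os_version": "Healthy",
    "antivirus": "Checkup",
    "patch_level": "Quarantine",
    "p2p_apps": "Healthy",
    "firewall": "quarantine ",
}

if __name__ == "__main__":
    print(system_token(SAMPLE).name, offending_checks(SAMPLE))
```

A single non-compliant check is enough to set the system token, so the list of offending checks is what a remediation workflow would act on.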