Posture Architecture and Flow

Policy Manager supports two types of posture checking: posture policies and audit servers.

Posture Policy

Policy Manager supports four pre-configured posture plug-ins for Windows, one plug-in for Linux, and one plug-in for macOS, against which administrators can configure rules that test for specific attributes of client health and correlate the results to return application posture tokens for processing by enforcement policies.


A service can be configured without any posture policy.

Audit Servers

Audit servers provide posture checking for unmanageable devices, such as devices lacking adequate posture agents or supplicants. In the case of such clients, the audit server’s post-audit rules map clients to roles.

Policy Manager supports two types of audit servers:

NMAP audit server: Primarily used to derive roles from post-audit rules.

NESSUS audit server: Primarily used for vulnerability scans (and, optionally, post-audit rules).

Figure 1  Posture Evaluation Process

Assessing Client Consistency

ClearPass Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:

Operating system version/type

Registry keys/services present (or absent)

Antivirus or firewallFirewall is a network security system used for preventing unauthorized access to or from a private network. configuration

Patch level of software components

Peer-to-Peer (P2P) application checks

Services to be running or not running

Processes to be running or not running

Application Token

Each configured health check returns an application token representing health:

Healthy. Client is compliant: there are no restrictions on network access.

Checkup. Client is compliant; however, there is an update available. This can be used to proactively remediate to healthy state.

Transient. Client evaluation is in progress; typically associated with auditing a client. The network access granted is interim.

Quarantine. Client is out of compliance; restrict network access so the client only has access to the remediation servers.

Infected. Client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.

Unknown. The posture token of the client is unknown.

System Token

Upon completion of all configured posture checks, Policy Manager evaluates all application tokens and calculates a system token, equivalent to the most restrictive rating for all returned application tokens. The system token provides the health posture component for input to the enforcement policy.