SEC0279 - ISE 2.2 Posture Assessment with AnyConnect Client (Part 1)

The video looks at posture assessment with AnyConnect on Cisco ISE 2.2. The main focus is the posture checks introduced in recent ISE versions: App Collection, Windows Firewall and Anti-Malware. Using a wired Windows 10 client, we step through the posture assessment process, starting with the AnyConnect download, and test auto-remediation to bring the machine to a compliant state. The video closes with the ability to control applications with App Control.

Part 1 of this video covers Client Provisioning Policy and Posture Profile configuration.
Topic:
  • Posture Workcenter
  • Authorization Policies
  • Policy Elements
    • Results (Authorization Profile, dACL, VLAN)
  • Client Provisioning Policies
  • Client Provisioning Portal
  • AnyConnect Posture Profile and Configuration
  • Cisco AnyConnect Client with ISE Posture Module (Windows)
  • Posture Compliant/Non-Compliant/Unknown States
  • Posture Policies
    • App Collection
    • Windows Firewall
    • Windows Defender Anti-Malware
  • Posture Remediation
  • Application Control

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

9 comments

Thank you so much.

Hi labminutes,

I have some questions about Posture Assessment; please help me answer them.

1. As I see in your videos, the client connects to the network and is redirected to a web portal to download the AnyConnect Agent for Posture Assessment. So, can I download the AnyConnect Agent and install it for clients through AD's GPO before the client connects to the network? And then, when they connect to the network, AnyConnect will automatically do Posture Assessment. Can I do that?

2. With software in Cisco's support list like Symantec Endpoint Protection, I can check that it is installed/running and at the latest version. With software not in the Cisco ISE support list, I can check it by file conditions and process conditions, but can't check whether it is the latest version or not. Do you have any idea for this?

Many thanks,
Quang

1. Absolutely. The Posture Module can be pre-deployed along with the AnyConnect client and Posture profile using your software distribution system, so the client is ready to run posture assessment the first time it connects to the network.

2. Correct. If the AV/AS vendor is not supported, there is no way to perform a latest update check.

Thanks labminutes for answering my question. Can you explain how we can pre-deploy the AnyConnect client? Because when we download AnyConnect from the Cisco webpage, it doesn't have the needed module or point to the ISE IP address as a NAC server like when we download it directly from ISE.

This is usually done through your software distribution system. For module-specific install, please refer to the Cisco doc.

I have Posture from VPN with AnyConnect. I need to limit VPN access to company laptops only;
no personal laptop should be allowed.
Can I match on the "Domain Computers" AD group as an authorization condition? Or what is the best way to only allow VPN access to domain-joined laptops?

BR

No, you cannot, since there is no concept of machine auth in VPN. The best way is to use a cert to authenticate the VPN client, as only a domain computer would have a cert. The other option is to do a posture check on things that only a domain computer would have, like a registry key.

Hi Metha, the ISE posturing video has really helped me. You deployed the dACL on the switch in the first place. Is there a video on how that part was implemented? I am getting confused whether that dACL was specific to that switch only. I didn't want ISE posturing to be enabled on my entire wired prod network.

Posture lease has no effect when connecting to the wired network; it works perfectly with a wireless connection. Any idea why posture lease/expiry is not working when connecting to the wired network?
Is any switch configuration required?
From the ISE endpoint attribute, it shows the expiry is for 2 days, but again when connecting to wired it has no effect.