SEC0194 - ISE 1.3 Posture Assessment with AnyConnect Client (Part 2)
Category:
Security
This video looks at posture assessment on Cisco ISE 1.3. We continue from the wired EAP-TLS video and add configuration for the Cisco NAC Agent, then later replace it with the Cisco AnyConnect ISE posture module. Antivirus installation and signature definition update checks, using ClamWin Antivirus, are performed before a domain user is allowed onto the network. Using a wired Windows 7 machine, we step through the posture assessment process, starting with the Posture Agent download, and along the way try to bring our test machine to a compliant state to gain full network access.
Part 2 of this video shows the configuration on ISE with the AnyConnect ISE posture module, and tests posture assessment without a posture policy.
Topic:
- Authorization Policies
- Posture Policies
- Client Provisioning Policies
- Policy Elements
- Results (Authorization Profile, dACL, VLAN)
- Posture Agent Profile
- AnyConnect Agent Profile and Configuration
- Cisco NAC Agent (Windows)
- Cisco AnyConnect Client with ISE Posture Module (Windows)
- Posture Compliant/Non-Compliant/Unknown States
- ClamWin Antivirus
Note: The AnyConnect ISE Posture Module requires an AnyConnect APEX license in addition to an ISE APEX license (even without VPN).
2 comments
web redirect versus local client
Do you ever find that when a user logs in, the web redirect will hit before the AnyConnect client starts and does its own scan? Effectively having the AnyConnect client AND web page both doing a system scan. This has been happening to us on our Win7 and Win8 machines.
Also, doesn't it seem like the product should be able to take an install and configuration from an image file for posture and not have to client provision at all to get ISE posture to work? I spoke to TAC about it and they said you have to do a web redirect via client provisioning in order to get ISE posture via AnyConnect to run. Surely there are other people who want to manually install AnyConnect by other means and have ISE just take the scan results from AnyConnect ISE posture with no web redirect.
Any chance you will update some of these older videos for 2.x?
thanks -b
web redirect versus local client
URL redirect is required for the AnyConnect ISE posture agent to discover the server. At the same time, it prevents users from having network access before posture assessment is completed. Having the client download the AnyConnect client and posture module via the client provisioning portal is one way. You should be able to also have the entire package pushed out via your software distribution as well. Either way, the client still needs to be URL redirected to ISE.