View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Home » Security » SEC0194 - ISE 1.3 Posture Assessment with AnyConnect Client (Part 2)

SEC0194 - ISE 1.3 Posture Assessment with AnyConnect Client (Part 2)

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
Category: 
Security
The video looks at posture assessment on Cisco ISE 1.3. We will continue from the wired EAP-TLS video and add configuration for Cisco NAC agent, and then later replace it with Cisco AnyConnect ISE posture module. Antivirus installation, and signature definition update checks using ClamWin Antivirus will be performed before allowing a domain user onto the network. Using wired Windows 7, we will step through the posture assessment process, starting with Posture Agent download, and, along the way, try to bring our test machine to a compliant state to gain full network access. 
 
Part 2 of this video shows configuration on ISE with AnyConnect ISE posture module, and tests posture assessment without posture policy
 
Topic:
  • Authorization Policies
  • Posture Policies
  • Client Provisioning Policies
  • Policy Elements
    • Results (Authorization Profile, dACL, VLAN)
  • Posture Agent Profile
  • AnyConnect Agent Profile and Configuration
  • Cisco NAC Agent (Windows)
  • Cisco AnyConnect Client with ISE Posture Module (Windows)
  • Posture Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus

Note: AnyConnect ISE Posture Module requires AnyConnect APEX license in addition to ISE APEX license (even without VPN)

Tag: 
ISE
ise 1.3
wired
posture
nac agent
anyconnect
posture module

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
http://www.linkedin.com/in/methachiewanichakorn

2 comments

Submitted by Bahlkris on Tue, 06/28/2016 - 13:34

Do you ever find that when a user logs in the web redirect will hit before the Anyconnect client starts and does its own scan? Effectively having the Anyconnect client AND web page both doing a system scan. This has been happening to us on our Win7 and Win8 machines.

Also doesn't it seem like the product should be able to take an install and configuration from an image file for posture and not have to client provision at all to get ISE posture to work? I spoke to TAC about it and they said you have to do a web redirect via client provisioning in order to get ISE posture via Anyconnect to run. Surely there are other people who want to manually install Anyconnect by other means and have ISE just take the scan results from Anyconnect ISE posture with no web redirect.

Any chance you will update some of these older videos for 2.x?
thanks -b

Submitted by admin on Wed, 06/29/2016 - 21:38

URL redirect is required for AnyConnect ISE posture agent to discover the server. At the same time it prevents users from having network access before posture assessment is completed. Having client download AnyConnect client and posture module via client provisioning portal is one way. You should be able to also have the entire package pushed out via your software distribution as well. Either way, client still need to be URL redirected to ISE.