SEC0279 - ISE 2.2 Posture Assessment with AnyConnect Client (Part 1)
Category: Security
The video looks at posture assessment with AnyConnect on Cisco ISE 2.2. The main focus is the new posture checks introduced in recent ISE versions: App Collection, Windows Firewall and Anti-Malware. Using a wired Windows 10 client, we step through the posture assessment process, starting with the AnyConnect download, and then test auto-remediation to bring the machine to a compliant state. The video closes with the ability to control applications with App Control.
Part 1 of this video covers Client Provisioning Policy and Posture Profile configuration.
Topics:
- Posture Workcenter
- Authorization Policies
- Policy Elements
- Results (Authorization Profile, dACL, VLAN)
- Client Provisioning Policies
- Client Provisioning Portal
- AnyConnect Posture Profile and Configuration
- Cisco AnyConnect Client with ISE Posture Module (Windows)
- Posture Compliant/Non-Compliant/Unknown States
- Posture Policies
- App Collection
- Windows Firewall
- Windows Defender Anti-Malware
- Posture Remediation
- Application Control
9 comments
ISE Posturing
Thank you so much.
ISE Posture Assessment question
Hi labminutes,
I have some questions about Posture Assessment; please help me answer them.
1. As I see in your videos, the client connects to the network and is redirected to a web portal to download the AnyConnect Agent for Posture Assessment. So, can I download the AnyConnect Agent and install it on the client through AD GPO before the client connects to the network? And then, when they connect to the network, AnyConnect will automatically do the Posture Assessment. Can I do that?
2. With software in Cisco's support list, like Symantec Endpoint Protection, I can check whether it is installed/running and at the latest version. With software not in the Cisco ISE support list, I can check it with file conditions and process conditions, but can't check whether it is the latest version or not. Do you have any idea for this?
Many thanks,
Quang
ISE Posture Assessment question
1. Absolutely. The Posture Module can be pre-deployed along with the AnyConnect client and the Posture profile using your software distribution system, so the client is ready to run posture assessment the first time it connects to the network.
2. Correct. If the AV/AS vendor is not supported, there is no way to perform latest update check.
ISE Posture Assessment question
Thanks labminutes for answering my question. Can you explain how we can pre-deploy the AnyConnect client? When we download AnyConnect from the Cisco webpage, it doesn't have the needed module or point to the ISE IP address as the NAC server, unlike when we download it directly from ISE.
ISE Posture Assessment question
This is usually through your software distribution system. For module-specific install, please refer to Cisco doc.
Allow Company laptop (machine-joined) only to access VPN
I have Posture from VPN with AnyConnect. I need to limit VPN access to company laptops only;
no personal laptop should be allowed.
Can I match on the "Domain Computers" AD group as an authorization condition? Or what is the best way to only allow VPN access to domain-joined laptops?
BR
Allow Company laptop (machine-joined) only to access VPN
No, you cannot, since there is no concept of machine auth in VPN. The best way is to use a cert to authenticate the VPN client, as only a domain computer would have the cert. The other option is to do a posture check on things that only a domain computer would have, like a registry key.
ISE posture DACL deployed on the network device
Hi Metha, the ISE posturing video has really helped me. You deployed the dACL on the switch in the first place; is there a video on how that part was implemented? I am getting confused about whether that dACL was specific to that switch only. I didn't want ISE posturing to be enabled on my entire wired production network.
ISE Posture lease
Posture lease has no effect when connecting to the wired network; it works perfectly with a wireless connection. Any idea why the posture lease/expiry is not working when connecting to the wired network?
Is any switch configuration required?
From the ISE endpoint attribute, it shows the expiry is 2 days, but again, when connecting to wired it has no effect.