
SEC0279 - ISE 2.2 Posture Assessment with AnyConnect Client (Part 4)

The video looks at posture assessment with AnyConnect on Cisco ISE 2.2. The main focus is on the posture checks introduced in recent ISE versions: Application Collection, Windows Firewall and Anti-Malware. Using a wired Windows 10 client, we step through the posture assessment process, starting with the AnyConnect download, and test auto-remediation to bring the machine into a compliant state. The video closes with controlling applications through Application Control.
Part 4 of this video covers the final testing with remediation, and Application Control.
  • Posture Workcenter
  • Authorization Policies
  • Policy Elements
    • Results (Authorization Profile, dACL, VLAN)
  • Client Provisioning Policies
  • Client Provisioning Portal
  • AnyConnect Posture Profile and Configuration
  • Cisco AnyConnect Client with ISE Posture Module (Windows)
  • Posture Compliant/Non-Compliant/Unknown States
  • Posture Policies
    • App Collection
    • Windows Firewall
    • Windows Defender Anti-Malware
  • Posture Remediation
  • Application Control

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


We are planning to use AnyConnect by tagging the user IDs to AD Security Groups that would have access only to specific applications, and also to tag those AD groups to the VPN XML profiles to create the required Secure Virtual Access (SVA). On top of that, we are also planning to restrict access at an IP level for the VPN clients on the ASA to specific applications only.

Please provide your valuable suggestions and guidelines on how to implement this setup.

You would have an AAA server like ISE integrated with AD; upon successful user authentication, ISE looks up AD group membership and returns the appropriate Group Policy and dACL to the ASA. Under the Group Policy, you can have it mapped to a Client Profile XML. If you are OK with restricting by protocol/port, using an ACL is fine. If you want true application inspection, you need an L4-7 firewall like Firepower/FTD.
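The ASA side of the design described in the answer above, as an added example that is not part of the original post or the video's lab: ISE authenticates the user against AD and returns a group-policy name, the group-policy binds the AnyConnect client profile XML and a port-based VPN filter, and users for whom ISE returns no group-policy land in a no-access policy. The ISE address, RADIUS key, interface names, AD group, server address, pool, file names and policy names are all assumptions chosen for illustration.

```cisco
! Added example, not from the original page. Assumptions:
!   ISE at 10.10.10.5 reachable on the "inside" interface, RADIUS key RadKey1
!   Finance application server 10.20.30.40, to be reachable on TCP/443 only
!   AnyConnect package and finance.xml client profile already on disk0:
!   AD group "VPN-Finance" mapped in the ISE authorization policy to GP-FINANCE

! RADIUS server group pointing at ISE. dynamic-authorization enables CoA so
! ISE can change a session's authorization after a posture result.
aaa-server ISE protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.10.10.5
 key RadKey1
 authentication-port 1812
 accounting-port 1813

ip local pool VPN-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0

! Protocol/port restriction for the Finance group: HTTPS to the app server
! only. This is an L3/L4 filter, not application inspection.
access-list FINANCE-VPN-FILTER extended permit tcp any host 10.20.30.40 eq 443
access-list FINANCE-VPN-FILTER extended deny ip any any

! AnyConnect package and the client profile XML, registered under a name
! that group-policies can reference.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-webdeploy-k9.pkg 1
 anyconnect profiles FINANCE-PROFILE disk0:/finance.xml
 anyconnect enable
 tunnel-group-list enable

! Group policy that ISE assigns to members of VPN-Finance. ISE returns the
! name in the RADIUS Class attribute ("OU=GP-FINANCE;"), which is what the
! "ASA VPN" field of an ISE authorization profile sends. ISE could instead
! push a dACL named in the same authorization profile in place of vpn-filter.
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value FINANCE-VPN-FILTER
 webvpn
  anyconnect profiles value FINANCE-PROFILE type user

! Default policy for the tunnel-group: sessions that ISE does not map to a
! group-policy get zero simultaneous logins, i.e. no access (least privilege).
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group SVA type remote-access
tunnel-group SVA general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-NOACCESS
tunnel-group SVA webvpn-attributes
 group-alias SVA enable
```

To add a second application group, repeat the access-list, the `anyconnect profiles` entry and the group-policy with a different name, and map the corresponding AD group to that group-policy name in the ISE authorization policy; the tunnel-group and default no-access policy stay the same. After a test login, `show vpn-sessiondb anyconnect filter name <user>` on the ASA shows which group-policy and filter the session actually received.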