ISE Posture Agent deployment

tiryan — Thu, 26 Sep 2019 21:28:42 GMT

This questions comes from a long time Identity Services Engine customer that is now enabling Posture and wants to deploy different versions of Anyconnect and posture modules from the same ASA.

The posture module is configured to be deployed via group policy in the ASA, but it only does so for the main AnyConnect version deployed in production. When someone connects to the ASA with a higher version of the main client, the posture modules aren’t being deployed by the ASA.

Can this be accomplished?
We can easily update the modules via ISE once the client has already been deployed but ISE doesn’t seem to have the ability to force the ASA to deploy the module when it is not present. ISE can also allow the client to download the entire AnyConnect+Module package (via client provisioning portal) but it gets a little troublesome because you cannot update the client while currently connected to the ASA and running the package often requires admin rights on the machine (which some of our clients do not have). The module deployment via the ASA overcomes these limitations in a pretty seamless fashion, the only issue is when users connect with a higher version of the AnyConnect client.

Re: ISE Posture Agent deployment

hslai — Sun, 29 Sep 2019 02:48:13 GMT

When using ISE with ASA, we need to put the same version of AnyConnect on them both.

Using VPN to push AnyConnect client upgrade might be of interest to you.

topic ISE Posture Agent deployment in Network Access Control

ISE Posture Agent deployment

Re: ISE Posture Agent deployment