topic Re: ISE posture VPN anyconnect module without using provisioning portal in Network Access Control

ISE posture VPN anyconnect module without using provisioning portal

tomalexis — Fri, 16 Apr 2021 04:28:51 GMT

Howdy

I am trying to figure out the best option to install the ISE posture module for existing VPN anyconnect users ONLY.

REading the docs and samples, all of them show installing the profile / pkg on ISE.

But I feel thats more cumbersome especially without admin privileges etc ?

Wouldnt it be a lot easier if the ISE posture module was pushed down from ASA/headend with profile, and then only posture results are sent to ISE ?

Is there any plan for ISE to just push down the posture module when the redirect happens without any user intervention - kind of like how the ISE posture module gets installed from ASA ?

Re: ISE posture VPN anyconnect module without using provisioning portal

Mike.Cifelli — Fri, 16 Apr 2021 12:28:03 GMT

Adding my opinions:

Wouldnt it be a lot easier if the ISE posture module was pushed down from ASA/headend with profile, and then only posture results are sent to ISE ?

-You still have to have things built out in ISE for this solution to work. The main pieces being the actual posture policies/requirements (what to assess) on the remote endpoints.

Is there any plan for ISE to just push down the posture module when the redirect happens without any user intervention - kind of like how the ISE posture module gets installed from ASA ?

-If clients have already been previously provisioned then the ISE webdeploy upgrade process is pretty much seamless IMO. For those un-provisioned clients there is some user intervention required.

Lastly, once you get a hang of relying on ISE CPP and posture configuration I truthfully like it & would recommend it. From my experience the easiest deployment of all the required modules for this solution to work is the compliance module across any network type (vpn, wired, or wireless). I would strongly suggest taking a peek at the following resources to understand structure & workflow.

ISE Posture Prescriptive Deployment Guide - Cisco Community

ISE Posture - Cisco Community

Cisco ISE Posture Configuration Part 1 - Posture Conditions - YouTube

Video: Security | Lab Minutes

HTH!

Re: ISE posture VPN anyconnect module without using provisioning portal

tomalexis — Sun, 18 Apr 2021 09:45:24 GMT

thx Mike. i have already tried in the past and aware of the ISE config requirements.. I am not sure if there are any recent enhancement.

My feeling is that since posture agent required admin privileges etc, especially in the case of exiting anyconnect VPN users, doing CPP is cumbersome and may be difficult without admin privileges.

I would personally think the following are much more cleaner:

1) Install via anyconnect as module and requires no admin privileges

2) install using SMS, altiris etc to a machine thats already VPN connected.

I would imagine that CPP would make more sense in case of BYOD or non-company owned machines.

i know with ISE 3.0 there is agentless module, but it looks like that also need admin privileges to run.

I just wanted to know how others are deploying posture using CPP to download the posture module even for anyconnect VPN users ? or using the ISE posture vpn module from ASA/FTD headend ?