Contributor

Upgrade from Cisco NAC Agent to AnyConnect

Hi Experts,

While upgrading and replacing, we hit a bottleneck: we were not able to identify the endpoints that have AnyConnect installed and the ones that still have the Cisco NAC agent, so that this identification could be used in policies.
I was able to locate an attribute named PostureAgentVersion, but when I check the policies, I am not able to search for or locate it.

Firstly, could this attribute, PostureAgentVersion, be used in policies?
Secondly, is there any way that could be utilized to do this segregation?


Accepted Solutions
Beginner

Re: Upgrade from Cisco NAC Agent to AnyConnect

You could use the NAC agent to run a service check for aciseposture.exe. If true, you could move that user to an AD group for AC CPP.

Cisco Employee

Re: Upgrade from Cisco NAC Agent to AnyConnect

A service check is your option, as mentioned before. You can try an application check as well.

What versions of ISE, NAC agent and AnyConnect are you using?

Till ISE 2.2, ISE is compatible with certain versions of the NAC agent.

Check the ISE compatibility guide.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/compatibility/ise_sdt.html#pgfId-123696

AnyConnect also supports UID and ACIDEX attributes. UID is a unique identifier that identifies AnyConnect. It is mainly used to identify corporate laptops. ISE 2.6 and AC 4.7 are compatible and validated for this.

Thanks

Krishnan
