Upgrade from Cisco NAC Agent to AnyConnect

dgaikwad
Level 5

Hi Experts,

While upgrading and replacing, we hit a bottleneck: we were not able to identify the endpoints that have AnyConnect installed and the ones that still have the Cisco NAC agent, so that this identification could be used in policies.
I was able to locate an attribute named PostureAgentVersion, but when I check the policies, I am not able to search for or locate it.

Firstly, could this attribute, PostureAgentVersion, be used in policies?
Secondly, is there any way that could be utilized to do this segregation?

2 Accepted Solutions

Brian Taylor
Level 1

You could use the NAC agent to check for aciseposture.exe service check. If true, you could move that user to an AD group for AC CPP.

kthiruve
Cisco Employee

Service check is your option as mentioned before. You can try application check as well.

What version of ISE, NAC agent and AnyConnect are you using?

Till ISE 2.2, ISE is compatible with certain versions of NAC agent.

Check the ISE compatibility guide.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/compatibility/ise_sdt.html#pgfId-123696

AnyConnect also supports UID and ACIDEX attributes. UID is a unique identifier that identifies AnyConnect. Mainly used to identify corporate laptops. ISE 2.6 and AC 4.7 are compatible and validated for this.

Thanks

Krishnan
