cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1242
Views
5
Helpful
5
Replies

Anyconnect module - Is it mandatory to install/configure all three VPN,NAM & Posture module in ISE 1.3 for posture assessment

vinodjad1234
Explorer
Explorer

Hi Experts ,

 

I have doubt about Anyconnect installation :

 

We want to go for web-deployment from headend device i.e. ISE for posture assessment however I have come across document where its been mentioned the installation process with all three modules :

1) VPN

2)NAM

3) Posture module

 

I have only concern to have posture check on wireless corporate users so do i need to configure all the modules in client provisioning ?

there is no existing client set-up with Anyconnect . no ASA as NAD for my case . I have WLC acting as NAD .

so after client gets 802.1x auth , client has to redirect to posture check using Anyconnect . and its new deployment where client is not having this agent software.

 

Please do guide me with  right direction for Anyconnect deployment for only posture check and how clients can get this agent downloaded automatically is my main concern.

 

 

 

 

1 Accepted Solution

Accepted Solutions

nspasov
Cisco Employee
Cisco Employee

For posture assessment you only need to deploy the "Posture Module." The "NAM" module is only used when you want to replace the Native Windows Supplicant. The "VPN" module is used for anyconnect VPN.

The posture module can be hosted on ISE and be provisioned to endpoints via a Client Provisioning rule. However, the users must have the proper privilege to perform the package installation. In most organizations users do NOT have such privileges. If this is your situation as well then you should deploy the Posture Module via GPO/System Center or some other equivalent system.

I hope this helps!

 

Thank you for rating helpful posts! 

View solution in original post

5 Replies 5

nspasov
Cisco Employee
Cisco Employee

For posture assessment you only need to deploy the "Posture Module." The "NAM" module is only used when you want to replace the Native Windows Supplicant. The "VPN" module is used for anyconnect VPN.

The posture module can be hosted on ISE and be provisioned to endpoints via a Client Provisioning rule. However, the users must have the proper privilege to perform the package installation. In most organizations users do NOT have such privileges. If this is your situation as well then you should deploy the Posture Module via GPO/System Center or some other equivalent system.

I hope this helps!

 

Thank you for rating helpful posts! 

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

I'd add to Neno's answer that if you want to do EAP chaining (i.e. to authenticate both the machine and user) then the native supplicant is not sufficient and you would also then use the NAM module.

Otherwise, just the ISE Posture module suffices in your use case.

phosawyer
Beginner
Beginner

Had a similar problem where I wasn't exactly sure how to setup the provisioning part of the flow. I was pretty sure I had all the rules in place.

I found an excellent Cisco TAC guide here which details setting up Anyconnect for the posture assessment. They include a part to say here's where you put in the NAM or/and VPN settings but you dont' need to. In fact if you do wish to load some you need to use Ciscos standalone NAM Profile Editor.

Hope the TAC article helps you out, it got me to understand the process of what was happening for client provisioning.

One other thing to note - there's actually a bug (non-published) that makes it necessary to build a VPN profile to DISABLE the VPN tile even when it's deselected from the installation script.

(This was covered in partner New Product Introduction training for ISE 1.3.)

Thanks for that note Marvin! 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers