04-12-2015 12:39 PM - edited 03-10-2019 10:37 PM
Hi Experts,
I have a doubt about AnyConnect installation:
We want to go for web deployment from the headend device, i.e. ISE, for posture assessment; however, I have come across a document where the installation process is described with all three modules:
1) VPN
2) NAM
3) Posture module
My only concern is to have a posture check on wireless corporate users, so do I need to configure all the modules in client provisioning?
There is no existing client set-up with AnyConnect and no ASA as NAD in my case. I have a WLC acting as NAD.
So after the client gets 802.1x auth, the client has to be redirected to the posture check using AnyConnect, and it's a new deployment where the client does not have this agent software.
Please guide me in the right direction for AnyConnect deployment for posture check only; how clients can get this agent downloaded automatically is my main concern.
04-12-2015 01:03 PM
For posture assessment you only need to deploy the "Posture Module." The "NAM" module is only used when you want to replace the Native Windows Supplicant. The "VPN" module is used for AnyConnect VPN.
The posture module can be hosted on ISE and be provisioned to endpoints via a Client Provisioning rule. However, the users must have the proper privilege to perform the package installation. In most organizations users do NOT have such privileges. If this is your situation as well then you should deploy the Posture Module via GPO/System Center or some other equivalent system.
I hope this helps!
Thank you for rating helpful posts!
04-13-2015 04:09 AM
I'd add to Neno's answer that if you want to do EAP chaining (i.e. to authenticate both the machine and user) then the native supplicant is not sufficient and you would also then use the NAM module.
Otherwise, just the ISE Posture module suffices in your use case.
04-13-2015 06:16 AM
Had a similar problem where I wasn't exactly sure how to set up the provisioning part of the flow. I was pretty sure I had all the rules in place.
I found an excellent Cisco TAC guide here which details setting up AnyConnect for the posture assessment. They include a part to say here's where you put in the NAM and/or VPN settings, but you don't need to. In fact, if you do wish to load some, you need to use Cisco's standalone NAM Profile Editor.
Hope the TAC article helps you out, it got me to understand the process of what was happening for client provisioning.
04-13-2015 07:03 AM
One other thing to note - there's actually a bug (non-published) that makes it necessary to build a VPN profile to DISABLE the VPN tile even when it's deselected from the installation script.
(This was covered in partner New Product Introduction training for ISE 1.3.)
04-21-2015 10:04 AM
Thanks for that note Marvin!