Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
429
Views
0
Helpful
2
Replies

Cisco ISE 2.7 - 3.3 (Posture)

Go to solution
Jay233
Level 1
Level 1

‎07-18-2024 04:57 AM

Hi All,

Trying to upgrade from 2.7 to 3.3 and hitting an issue regarding posture policy, on my legacy 2.7 ISE my posture policy is using AnyConnect under Posture Type. In the new 3.3 ISE I don't seem to be able to select AnyConnect? Only Agent, Agent Stealth, Agentless and Temporal Agent? So on the posture policy I tried Agent instead of AnyConnect.

Clients are using AnyConnect 4.x with a view of moving to Secure client, but need AnyConnect to work first before any client work is done. 

Not using the client provisioning /portal features and have updated the AnyConnect XML file to point to the new 3.3 ISE, my wired clients are being successfully auth'd as expected using 802.1x TLS but are in a state of posture pending?

Any help would be appreciated.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcelo Morais
VIP
VIP

‎07-20-2024 10:35 PM

Hi @Jay233 ,

 at Policy > Posture > Posture Policy windows > Posture Type column, the following Posture Types are available:

  • on ISE 2.7: AnyConnect, AnyConnect Stealth and Temporal Agent.
  • on ISE 3.3Agent, Agent Stealth, Temporal Agent, AMP Enable and Agentless Posture.

 at Policy > Policy Elements > Results > Client Provisioning > Resources.

  • on ISE 2.7: AnyConnectConfig
  • on ISE 3.3: AgentConfig

You deploy Agent to monitor and enforce Cisco ISE Posture Policies that require interaction with the Client (AnyConnect or Cisco Secure Client).

Remember that (at ISE Administrator Guide, Release 3.3 - Cisco Secure Client

"Cisco ISE 2.7 Patch 8 and above, Cisco ISE 3.0 Patch 7 and above, Cisco ISE 3.1 Patch 5 and above, Cisco ISE 3.2 Patch 1 and above, and Cisco ISE 3.3 and above releases support both AnyConnect and Cisco Secure Client for Windows, macOS, and Linux operating systems.

You can configure both AnyConnect and Cisco Secure Client for your endpoints on these operating systems but only one Policy will be considered at run time for an endpoint. In either case, if the endpoint does not connect to a Cisco ISE managed network device, it should block HTTP Probing from the endpoint to all Cisco ISE PSNs for TCP Port 8905 and Client Provisioning Portal port. The default Client Provisioning Portal port is TCP port 8443."

 

Hope this helps !!!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcelo Morais
VIP
VIP

‎07-20-2024 10:35 PM

Hi @Jay233 ,

 at Policy > Posture > Posture Policy windows > Posture Type column, the following Posture Types are available:

  • on ISE 2.7: AnyConnect, AnyConnect Stealth and Temporal Agent.
  • on ISE 3.3Agent, Agent Stealth, Temporal Agent, AMP Enable and Agentless Posture.

 at Policy > Policy Elements > Results > Client Provisioning > Resources.

  • on ISE 2.7: AnyConnectConfig
  • on ISE 3.3: AgentConfig

You deploy Agent to monitor and enforce Cisco ISE Posture Policies that require interaction with the Client (AnyConnect or Cisco Secure Client).

Remember that (at ISE Administrator Guide, Release 3.3 - Cisco Secure Client

"Cisco ISE 2.7 Patch 8 and above, Cisco ISE 3.0 Patch 7 and above, Cisco ISE 3.1 Patch 5 and above, Cisco ISE 3.2 Patch 1 and above, and Cisco ISE 3.3 and above releases support both AnyConnect and Cisco Secure Client for Windows, macOS, and Linux operating systems.

You can configure both AnyConnect and Cisco Secure Client for your endpoints on these operating systems but only one Policy will be considered at run time for an endpoint. In either case, if the endpoint does not connect to a Cisco ISE managed network device, it should block HTTP Probing from the endpoint to all Cisco ISE PSNs for TCP Port 8905 and Client Provisioning Portal port. The default Client Provisioning Portal port is TCP port 8443."

 

Hope this helps !!!

0 Helpful

Go to solution
Jay233
Level 1
Level 1
In response to Marcelo Morais

‎07-24-2024 01:31 AM

Hi Marcelo,

Quick question - clients are using AnyConnect 4.10 (Compliance mod, NM mod, VPN mod etc) distributed via SCCM not ISE.

What packages are required on ISE 3.3 to support AC 4.10? Do we only need to install the secure client package and this will be compatible with AnyConnect?

 

 

0 Helpful
Customers Also Viewed These Support Documents