Cisco ISE - How to be Selective of AnyConnect Modules to Install to Clients?

Matthew Martin
Level 5

Hello All,

Cisco ISE Server: v2.0.0.306 (*ISE-VM-K9)

I am trying to figure out how you can deploy the AnyConnect Network Access Manager module through the Client Provisioning on ISE.

Checking the downloads section of Cisco.com for an NAM pkg or zip file shows none at all. I can see the NAM module is included in the "Full installation package - Windows / Head-end deployment (PKG)", but we don't need every one of those modules included in that Package to be installed on the client's devices. So is it possible to be selective of what Modules you want installed on the clients from that pkg file?

Or is this something where I need to build my own custom pkg/zip file containing the Module(s) I want installed? At the moment we already have ISE pushing the AnyConnect Secure Mobility Client, the ISE Posture module, and the ISE Compliance module. But, now we also need to have the Network Access Manager (*NAM) pushed to the client as well, with a custom configuration profile. And I am not seeing the correct installation file needed to upload the NAM module to the Head-end (*i.e. the ISE Server)...

If it's possible, could someone explain how I would do that, or point me to where I can find this information?

Any thoughts or suggestions would be greatly appreciated!

Thanks in Advance,
Matt

2 Replies

jan.nielsen
Level 7

ISE should not install all modules on your machines just as a default. As long as you don't configure a client provisioning policy where NAM is enabled, ISE won't deploy NAM.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/deploy-anyconnect.html

Jan, thanks for the reply.

Actually, I was just able to figure this all out about an hour ago or so.

I was going through the AnyConnect Configuration resource that we set up with our ISE contractor who helped set up ISE for us, in Policy > Policy Elements > Results > Client Provisioning > Resources > "[AnyConnect_Configuration_Name]", and I noticed the options for what Modules to include with AnyConnect. And since we already uploaded the Full Installation Head-end package for Windows, the only things I really needed to do were these below...

Inside the AnyConnect Configuration resource that we created (*from the section I described above), I did the following:

  1. Under the "AnyConnect Module Selection" Section - check the Network Access Manager's checkbox.
  2. I then created a Configuration Profile for NAM using the Standalone AnyConnect Profile Editor.
  3. I then uploaded that XML config file I created with the Editor as a resource to Client Provisioning.
  4. Lastly, back in the AnyConnect Configuration described above, in the "Profile Selection" Section, I chose the new config Profile I uploaded in the previous step. And that was basically it...


After I did those steps, a short while later I went back to my test laptop and when I woke it up it had already automatically downloaded the new NAM module and was asking me to reboot. And that was that...

Thanks Again,
Matt