03-08-2021 07:09 AM
Hi dear friends,
Can you help me with my case?
I have a Cisco ISE which is integrated with a Domain Controller. I also have Cisco AnyConnect, which I use for remote VPN and which is located on the ASA Firewall. I want iPad devices that are on the internet to access the internal network through Cisco AnyConnect with domain controller credentials. I also need to increase security, so after successful authentication I need to have ISE Posture for the iPad devices.
Can you tell me if this is possible to configure, and if you have any kind of guide for that?
03-08-2021 07:12 AM
Take a peek at the following guide for assistance and compatibility concerns: ISE Posture Prescriptive Deployment Guide - Cisco Community
HTH!
03-08-2021 07:20 AM
Hi Mike,
Do you have any kind of solution for iPad, because I think it is not supported on ISE 1.6
03-08-2021 08:28 AM
Hi @enco123enco35374 ,
Beyond what @Mike.Cifelli said, take a look at:
Cisco Identity Services Engine Network Component Compatibility, Release 2.6
and search for Validated Client Machine Operating Systems, Supplicants, and Agents and check for iPad.
Also take a look at:
Cisco AnyConnect ISE Posture MAC OSX Support Charts for Compliance Module.
You are able to create a Posture Policy at
Work Center > Posture > Posture Policy, Operating Systems = Mac OSX
Hope this helps!
03-10-2021 01:00 AM
Hi Marcelo,
I have one question about the posture operating system.
At Posture Policy at
Work Center > Posture > Posture Policy, Operating Systems = Mac OSX
I can see only two kinds of operating systems, Windows and Mac OSX, but I can't see iPad OS or Apple OS
iPad OS 13.1
Can you tell me if I can't use Mac OSX for iPad OS 13.1, or should I do something else to fulfill this requirement?
03-10-2021 07:27 PM
ISE Posture is mainly an agent-based function and requires the AnyConnect ISE Posture module installed on either Windows or MacOS. There is no posture agent for handheld devices (Apple, Android, etc.), so ISE has no native posture capability for these devices.
The approach that some customers use is to enroll handheld devices with an MDM solution, integrate that solution with ISE, and have ISE perform compliance checks against the MDM as part of the AuthZ Policy conditions.
You can find some example guides of MDM integrations on the ISE Security Ecosystem Integration Guides page.
03-11-2021 12:27 AM
Hi Greg, thank you for the information.
According to your information, without any MDM solution it is not possible to have posture with (Apple, iPad), or can we use the Mac operating system as a solution?
I have one more question regarding certificates that iPAD required to activate AnyConnect module posture. How can I push this kind of certificate from ISE, or does the iPad have a self-signed certificate that is accepted by ISE?
What should I do in this case to activate the certificate on the iPad?
03-11-2021 01:36 PM
I'm not sure what you mean by "certificates that iPAD required to activate AnyConnect module posture" as iPads do not support the AnyConnect Posture module.
If you want to enrol certificates on your iPads so that you can authenticate them via EAP-TLS, you could use the ISE BYOD flow to register and enrol an identity certificate from either an external CA or the ISE Internal CA. If the devices will be enrolling with an MDM, however, the better option would be to have the MDM push a certificate to the iPad during its registration/enrolment process.
See the Cisco ISE BYOD Prescriptive Deployment Guide for more information on the ISE BYOD flows.