02-21-2013 09:43 AM - edited 03-10-2019 08:07 PM
We are planning to use the Cisco AnyConnect posture module with Advanced Endpoint protection to examine the VPN users. This can check whether they have antivirus/anti-spyware software installed on their workstation and can force an update of the definition file if it is older than a specified number of days; it can also check the firewall status on their workstation and enable it if it is not already. This can detect keyloggers and emulation software also.
Do we get any additional advantages from using ISE compared to the AnyConnect posture module?
Siddhartha
02-21-2013 11:40 AM
These are good questions. We had them last year before we decided to purchase ISE, specifically for our VPN users.
I will be watching this thread to see what kind of responses you get.
As of right now, I can verify that ISE can indeed check if a specific Anti-Virus is installed (i.e., your corporate AntiVirus), or if ANY antivirus (supported by Cisco within ISE) is installed, and it can force an update process for the AV if it detects that the DAT files are older than an admin-specified amount of time.
Our issue at the moment (if you haven't searched the forums) is ISE detecting that the proper WSUS updates are indeed installed on the users' systems and allowing the users' systems to talk to our internal WSUS server.
We are now wondering if the Advanced Endpoint licensing on the ASA would have been a better way to go.
Wishing you luck in finding your answers for us all.
Dirk
03-11-2013 10:42 AM
Thanks for the response Dirk.
We are not planning to use a WSUS server, at least not at the moment. We allow personal laptops to connect through VPN; the whole idea behind this project is to get some kind of control over those.
I got a trial license and tested the AnyConnect posture module, and it seems like it is doing its job fine.
Since ISE is what Cisco is suggesting to use for NAC, and since it is only a few thousand dollars higher than the AnyConnect Premium + Advanced Endpoint license, I am not able to decide which one to choose.
What made you think the Advanced Endpoint licensing would have been a better way to go?
Siddhartha
03-14-2013 02:31 AM
Hi,
If you want to perform posturing using ISE for VPN users and you have an ASA as the NAD, then you will need an Inline Posture Appliance, as at the moment ASAs don't support RADIUS CoA (unless it has changed recently)...
We tried this in a proof of concept with certificate authentication and it never worked. For one reason or another the Inline appliance did not handle certificate authentication very well...
It may work if you use a pre-shared key instead, but I don't think we ever tried that.
We are also about to try the new AnyConnect client with Advanced Endpoint licensing too. Whoever implements first should post their results in this thread...
Mario
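The point Mario raises is the enforcement step: after ISE evaluates posture, it has to push the new authorization to the network access device with a RADIUS Change-of-Authorization (CoA-Request, RFC 5176), and a NAD that does not accept CoA cannot be moved from the limited "posture pending" access to full access, which is why an Inline Posture Node sat in the path. The following is an added example, not code from the original thread or from Cisco, showing how a CoA-Request is framed and how the receiving NAD validates its Request Authenticator (MD5 over Code, Identifier, Length, 16 zero octets, the attributes and the shared secret). The shared secret, session identifiers and the Cisco av-pair text are constructed assumptions for illustration.

```python
"""RFC 5176 CoA-Request framing and Request Authenticator verification.

Added example: the framing and authenticator rule follow RFC 2865/5176;
secret, session values and the av-pair string are constructed samples.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43                 # RFC 5176 Code for CoA-Request
ATTR_CALLING_STATION_ID = 31     # identifies the VPN session by client address
ATTR_ACCT_SESSION_ID = 44        # identifies the session by accounting id
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # Cisco VSA sub-type for cisco-av-pair
HEADER_LEN = 20                  # Code(1) Identifier(1) Length(2) Authenticator(16)


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(text):
    """Wrap a cisco-av-pair string in a Vendor-Specific (26) attribute."""
    data = text.encode()
    if len(data) > 247:  # 253 minus Vendor-Id(4) and vendor Type/Length(2)
        raise ValueError("av-pair too long for one attribute")
    inner = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier, secret, attributes):
    """Frame a CoA-Request; the authenticator is computed over a zeroed field."""
    body = b"".join(attributes)
    header = struct.pack(">BBH", COA_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet, secret):
    """What the NAD does on receipt: recompute and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        return False  # truncated or padded datagram
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet):
    """Walk the TLV list after the header; reject malformed lengths."""
    attrs = []
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


# Constructed sample: a reauthentication CoA for one VPN session.
SHARED_SECRET = b"example-secret"
SAMPLE_PACKET = build_coa_request(
    identifier=7,
    secret=SHARED_SECRET,
    attributes=[
        attribute(ATTR_ACCT_SESSION_ID, b"0x1a2b3c"),
        attribute(ATTR_CALLING_STATION_ID, b"10.20.30.40"),
        cisco_avpair("subscriber:command=reauthenticate"),  # assumed av-pair text
    ],
)

if __name__ == "__main__":
    print("valid:", verify_request_authenticator(SAMPLE_PACKET, SHARED_SECRET))
    for attr_type, value in parse_attributes(SAMPLE_PACKET):
        print(attr_type, value)
```

Two practical caveats follow from the code: the Request Authenticator is a plain MD5 over the shared secret, so the NAD should additionally restrict which source addresses may send CoA (and, where supported, require the Message-Authenticator attribute), and a NAD that simply has no CoA listener will never evaluate any of this, which is the gap the IPN filled for the ASA in this thread.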
03-19-2013 09:38 AM
Yes, we have an IPN in place. This was not our ideal deployment, as we were banking on Cisco releasing the code for the ASA that would eliminate the need for the IPN.
Alas, since this had not happened at purchase time, we purchased the hardware IPN, to be later deployed as the everything node once the ASA code is officially released to allow this. We also have a second IPN to be delivered soon to a second location, so it is good to get all these issues addressed before trying to set up a second site.
So we probably will not be testing the Advanced Endpoint licensing.
AEP was thought of as the better way to go, as it would be less hardware to manage and done directly on the ASA. However, after looking at the licensing pricing, ISE was the better option, as with the ISE admin node we can manage multiple ISE deployments in one place and the rules apply globally.
Dirk
03-20-2013 12:55 PM
Thanks for your input, Dirk; we are planning to get an ISE demo and test it.
Siddhartha
03-19-2013 01:09 PM
Hi Dirk,
Are you using cert auth? If so, does ISE auth the cert or does the ASA?
Also, do you have the posturing/remediation working through IPN?
Mario
04-19-2013 07:24 AM
No, there is no cert involved in the VPN process. Just the certs between the IPN and the ISE Management node.
We do indeed have some posturing and remediation actively working for VPN Windows Clients.