10-22-2017 08:38 PM
I am working on an issue where the client needs to use the NAC agent and the AnyConnect posture module in parallel while he migrates all clients to AnyConnect. During testing, he has discovered that there are limited CPP conditions to choose from in order to differentiate the two. The majority of customers use AD groups or Device Location/Device Type while using both the NAC agent and the AnyConnect posture module simultaneously, but he would not like to go this route if possible.
What the client has discovered is that the attribute ConfigVersionID is a unique attribute for the NAC agent and the AnyConnect posture module, which can be seen in the Live Logs upon authentication. When a client machine has the NAC agent installed, this attribute value is always a specific number, and when the AnyConnect module is installed, it is always another specific number. We can see that this attribute is a condition available in the ISE policies, but not in the CPP policies, and the customer would like it added as an enhancement request. But before this is done, I want to confirm that the attribute ConfigVersionID is actually a good way to differentiate posture agents (NAC Agent/AnyConnect), since I can also see this value show up in the Live Logs for clients that authenticate without the NAC agent or AnyConnect posture module installed. Your assistance in confirming what this attribute value truly represents is appreciated before an enhancement request is filed to have it added as a condition in CPP policy.
Solved! Go to Solution.
10-22-2017 10:05 PM
ConfigVersionID increments with any changes involving the ISE protocol runtime, so I do not think it is a good indicator to differentiate agents.
ISE 2.2 adds Endpoint Identity Groups, and ISE 2.3 adds the Endpoints dictionary and the Cisco-VPN3000 dictionary as CP policy conditions. If the customer needs more than what was added in 2.2 and 2.3, please ask the account team to bring it up with our PM.
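One way to put the answer above to the test before filing an enhancement request, as an added example that is not part of this thread or of any Cisco tool: export a sample of Live Log sessions where the installed agent is known from the lab, and check the three properties a usable CPP condition attribute would need (one stable value per agent, no value shared across agent types, no value on agentless sessions). The record layout and the ConfigVersionID values below are constructed for illustration; any real export would need its own field mapping.

```python
"""Check whether an ISE session attribute reliably discriminates posture agents.

Constructed example. Each record imitates one Live Log session: 'agent' is what
was actually installed on the endpoint (known from the lab), and the attribute
value is what ISE logged for that session. Values are made up for illustration.
"""
from collections import defaultdict

SAMPLE_SESSIONS = [
    {"agent": "nac", "ConfigVersionID": "1024"},
    {"agent": "nac", "ConfigVersionID": "1024"},
    {"agent": "anyconnect", "ConfigVersionID": "1031"},
    {"agent": "anyconnect", "ConfigVersionID": "1031"},
    {"agent": "none", "ConfigVersionID": "1031"},  # no posture agent installed at all
    {"agent": "nac", "ConfigVersionID": "1036"},   # same agent, after a runtime config change
]


def values_by_agent(sessions, attr="ConfigVersionID"):
    """Map each known agent type to the set of attribute values seen for it."""
    groups = defaultdict(set)
    for session in sessions:
        if attr in session:
            groups[session["agent"]].add(session[attr])
    return dict(groups)


def discriminator_report(sessions, attr="ConfigVersionID"):
    """Report whether `attr` could serve as a CPP condition to tell agents apart."""
    groups = values_by_agent(sessions, attr)
    with_agent = {a: v for a, v in groups.items() if a != "none"}
    # Property 1: a given agent always produces exactly one value.
    consistent = all(len(v) == 1 for v in with_agent.values())
    # Property 2: no value appears under two different categories (agentless included).
    owner = {}
    disjoint = True
    for category, values in groups.items():
        for value in values:
            if owner.setdefault(value, category) != category:
                disjoint = False
    # Property 3: sessions without any posture agent carry no value at all.
    absent_without_agent = not groups.get("none")
    return {
        "consistent": consistent,
        "disjoint": disjoint,
        "absent_without_agent": absent_without_agent,
        "usable": consistent and disjoint and absent_without_agent,
    }


if __name__ == "__main__":
    print(discriminator_report(SAMPLE_SESSIONS))
```

With the constructed sample the report fails all three checks except none, mirroring the thread: the value drifts for one agent and also appears on an agentless session, so it is not a safe discriminator.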
10-23-2017 08:22 AM
Hsing,
As always, thank you for the quick response and verification of this attribute. It is much appreciated.
Tremesha Colbert
Customer Support Engineer | Cisco TAC AAA
Cisco TAC – AAA Security
Work Phone: 972-204-8390
Work Hours: 10a – 6p CST
Contact Email: trcolber@cisco.com
Team Lead: Malavika Parthan | mparthan@cisco.com | 972-204-8369
Manager: Paramjeet Kattaria | pkattari@cisco.com |469-255-2297
Have you been looking for an instructional video on ISE which doesn't exist or isn't clear? If so, please send your video ideas to isetutorials@cisco.com and we will work to publish the content to our YouTube channel: https://www.youtube.com/channel/UCA2XNn1mXdLV5mlHuqbl-YA