Cisco Employee

Impact of deploying new AC and Compliance package at next login

Two questions:

  1. After a workstation is postured once during the day, the second time the user/any user logs in to the same workstation, will the user see the ISE posture module popup at least notifying that the workstation is compliant, or will the user NOT see anything at all? If it does not pop up the second time, is there a way (i.e. a setting within ISE) to trigger this popup?
  2. If we push an upgrade to AnyConnect to 4.5 and deploy an upgraded Compliance Module (from 3.6.x to 4.2.x) at next login (~1600 users, potentially all performing this action within about an hour), will this cause a major strain on the PSN? Is there a way to determine potential impact relative to VM sizing?


Thank you.

Accepted Solutions
Cisco Employee

1. It will depend on whether the transition from the first user to the second user forces a new authentication (which will force ISE to re-posture the endpoint). Assuming this is a Windows workstation doing 802.1X machineOnly authentication, then users logging in and out would not cause re-posture. However, if you are doing 802.1X machine+user or userOnly, then you would be re-postured as you transition from user1 to user2. You may also need to disable fast-user-switching to force user logoff from the first user to make it work.

2. I don't know of any performance numbers for AC/CM download on ISE; however, if you have concerns about the performance impact on ISE, you can craft an additional Client Provisioning Policy to deploy AC/CM updates to a subset of users and update users in a phased approach. You could create a matching Windows AD group where only 100 of the 1600 users are in for the initial AC/CM update, then add the next batch of users to the group until all 1600 users are in the group and updated.

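The phased approach described in the answer above can be driven from Active Directory. The following is an added example, not part of the original post or any Cisco tooling: it moves the next batch of users into the rollout group each time it is run. The group names are hypothetical, and it assumes the RSAT ActiveDirectory module is installed and that the additional Client Provisioning Policy matching the rollout group has already been created in ISE.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical group holding every user in scope (~1600 in the question)
    [string]$PopulationGroup = 'ISE-Posture-Users',
    # Hypothetical group assumed to be matched by the additional Client Provisioning Policy
    [string]$RolloutGroup = 'ISE-AC-CM-Rollout',
    # Users added per run (100 in the answer)
    [ValidateRange(1, 5000)]
    [int]$BatchSize = 100
)

# Users already in the rollout group, keyed by distinguished name
$done = @(Get-ADGroupMember -Identity $RolloutGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty distinguishedName)

# Full population, sorted so that repeated runs pick batches in a stable order
$all = @(Get-ADGroupMember -Identity $PopulationGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property SamAccountName)

# Users still waiting for the update, and the next batch to enable
$pending = @($all | Where-Object { $done -notcontains $_.distinguishedName })
$batch = @($pending | Select-Object -First $BatchSize)

if ($batch.Count -eq 0) {
    Write-Output "All $($all.Count) users are already in '$RolloutGroup'."
    return
}

# -WhatIf previews the change without modifying the group
if ($PSCmdlet.ShouldProcess($RolloutGroup, "Add $($batch.Count) users")) {
    Add-ADGroupMember -Identity $RolloutGroup -Members $batch
    $remaining = $pending.Count - $batch.Count
    Write-Output "Added $($batch.Count) users; $remaining still pending."
}
```

Running it with `-WhatIf` first shows how many users the next batch would add. Spacing the runs leaves time to watch PSN load before enabling the next batch.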
