Impact of deploying new AC and Compliance package at next login

bricrock
Cisco Employee

Two questions:

  1. After a workstation is postured once during the day, the second time the user/any user logs in to the same workstation, will the user see the ISE posture module popup at least notifying that the workstation is compliant, or will the user NOT see anything at all? If it does not pop up the second time, is there a way (i.e. a setting within ISE) to trigger this popup?
  2. If we push an upgrade to AnyConnect to 4.5 and deploy an upgraded Compliance Module (from 3.6.x to 4.2.x) at next login (~1600 users, potentially all performing this action within about an hour), will this cause a major strain on the PSN? Is there a way to determine potential impact relative to VM sizing?


Thank you.

Accepted Solutions

howon
Cisco Employee

1. It will depend on whether the transition from the first user to the second user forces a new authentication (which will force ISE to re-posture the endpoint). Assuming this is a Windows workstation doing 802.1X machineOnly authentication, users logging in and out would not cause re-posture. However, if you are doing 802.1X machine+user or userOnly, then you would be re-postured as you transition from user1 to user2. You may also need to disable fast-user-switching to force user logoff from the first user to make it work.

2. I don't know of any performance numbers for AC/CM download on ISE; however, if you have concerns about the performance impact on ISE, you can craft an additional Client Provisioning Policy to deploy AC/CM updates to a subset of users and update users in a phased approach. You could create a matching Windows AD group where only 100 of the 1600 users are in for the initial AC/CM update, then add the next batch of users to the group until all 1600 users are in the group and updated.
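
One way to script the phased group membership described in the answer above, as an added example that is not part of the original post or any Cisco tooling. The group name, OU and batch size variable are assumptions; the Client Provisioning Policy that matches this group still has to be created in ISE separately.

```powershell
# Added example: adds the next batch of users to the AD group that the
# phased Client Provisioning Policy matches on. Run once per rollout wave.
param(
    [string]$RolloutGroup = 'ISE-AC-CM-Upgrade',                     # hypothetical group name
    [string]$SearchBase   = 'OU=Workstation Users,DC=example,DC=com', # hypothetical OU
    [int]   $BatchSize    = 100,                                      # 100 of 1600, per the answer
    [switch]$Apply                                                    # without this, only a dry run
)

Import-Module ActiveDirectory

# Users already placed in the rollout group by earlier waves.
$done = @(Get-ADGroupMember -Identity $RolloutGroup |
          Select-Object -ExpandProperty SamAccountName)

# All enabled users in scope, sorted so every wave is reproducible.
$all = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
         Sort-Object SamAccountName)

# Next wave: the first $BatchSize users not yet in the group.
$next = @($all |
          Where-Object { $done -notcontains $_.SamAccountName } |
          Select-Object -First $BatchSize)

if ($next.Count -eq 0) {
    Write-Output "All $($all.Count) users are already in $RolloutGroup."
    return
}

if ($Apply) {
    Add-ADGroupMember -Identity $RolloutGroup -Members $next
} else {
    # Dry run: show what would change without touching the group.
    Add-ADGroupMember -Identity $RolloutGroup -Members $next -WhatIf
}

$remaining = $all.Count - $done.Count - $next.Count
Write-Output ("Wave size: {0}; already in group: {1}; remaining after this wave: {2}" -f `
              $next.Count, $done.Count, $remaining)
```

Checking PSN load and posture results after each wave before running the next one is what keeps the download burst bounded to the batch size.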
