ISE 1.4 APEX license strange

Vadim Semenov
Level 1

Hi, all,

Does ISE with MDM integration check for worm activity on a client's device if we have an Apex license? Or does the MDM only report whether the client is compliant or not compliant, and report device attributes to ISE like:
DeviceRegisterStatus
DeviceCompliantStatus
DiskEncryptionStatus
PinLockStatus
JailBrokenStatus
Manufacturer
IMEI
SerialNumber
OsVersion
PhoneNumber

And the second opportunity with the APEX license is Posture, which shows us whether antivirus is running, is updated, and so on?

So can ISE with an Apex lic check for worm activity, or can it simply check that antivirus is running?

7 Replies

Marvin Rhoads
Hall of Fame

You're asking about posture services for mobile devices. Posture services require an agent (such as the AnyConnect Posture Module, which is not supported on iOS or Android mobile devices) or a proxy (such as your MDM system).

For mobile devices, if your MDM doesn't provide the information, ISE has no way to obtain it to assess posture.

Using AnyConnect Posture Module, we can only check Windows, OS X or Linux hosts. 

So the Apex lic applies only to mobile devices? Will it work with remote employees who are using AnyConnect? Can ISE check for any viruses on a PC before it lets the PC connect (through AnyConnect) to our network?

I thought that the Cisco NAC agent, which is embedded from AnyConnect version 3.2, can do posture, isn't it?

Regarding MDM, I should connect my ISE to an online MDM server (lists of supported servers). Should I register and create an account in those services, such as Meraki, Mobile Iron?

The NAC Agent is still around but is being deprecated in favor of the newer AnyConnect ISE Posture Agent.

Neither can check for viruses per se. They can check that an Antivirus, Anti-malware etc. product is running and has current updates. You have to trust that it is doing its job.

There are detailed guides on integrating various MDM systems. See the listing on this page which includes guides for the products you mentioned and more.

Thank you for your explanations!

So if I have a mobile device and want to connect to ISE's secured network, I should register my device in the MDM system; after that (if my device is compliant) I will get access.

If I want to connect from my laptop, I should download the AnyConnect ISE Posture Agent?

You're welcome.

Whether or not you require successful compliance check for your mobile devices is a local policy decision. If you have an MDM and want to restrict mobile devices based on what it allows you to check then it makes sense to do so.

For non-mobile device endpoints (laptops, PCs etc.) the ISE Posture Agent is the recommended tool. It requires AnyConnect Apex licenses in addition to the ISE Apex licenses.

It can be automatically downloaded using ISE's Client Provisioning Services. Alternatively you can download and install it manually or use an external client software management system (like Microsoft SCCM or Intel LANdesk) to deploy the software.

Thank you so much.

If I understood right, for a non-mobile device I should have 2 licenses: Apex and AnyConnect Apex?

Unfortunately I have only the Apex license, so is it possible to check which antivirus is installed without going through AnyConnect?

You can still use the older Cisco NAC agent for Windows or OS X endpoints. Either the NAC agent client software or the temporal (web-based) can be used. When you do that, you do not need AnyConnect Apex licenses.

Many people don't like it as it uses Java (or ActiveX for the IE-based web agent) and presents challenges in that regard. However, it can provide posture assessment when it's provisioned and working correctly.