10-14-2015 03:09 AM - edited 03-10-2019 11:09 PM
Hi, all,
Does ISE with MDM integration check worm activities on a client's device if we have an Apex license? Or does the MDM only report whether a client is compliant/not compliant and report device attributes to ISE like:
DeviceRegisterStatus
DeviceCompliantStatus
DiskEncryptionStatus
PinLockStatus
JailBrokenStatus
Manufacturer
IMEI
SerialNumber
OsVersion
PhoneNumber
And the second opportunity of the APEX license is Posture, which shows us whether the antivirus is running and updated, and so on?
So can ISE with an Apex license check worm activities, or can it simply check that an antivirus is running?
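Added illustration (not Cisco's code and not ISE's real policy engine) of the point the replies make: ISE can only act on what the MDM reports, so an attribute the MDM never sends cannot be treated as compliant. The attribute names are the ones listed in the question; the rule names, the result names and the attribute value strings ("Registered", "On", "JailBroken") are assumptions for the example.

```python
"""Toy first-match authorization over MDM-reported attributes.

Hypothetical model: real ISE rule syntax and attribute value encodings
differ; only the attribute names come from the thread above.
"""
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Attrs], bool]  # evaluated on the MDM attribute dict
    result: str                         # hypothetical authorization profile


def attr(d: Attrs, key: str) -> str:
    # An attribute the MDM did not report is "Unknown": ISE has no other
    # source for it, so it must never satisfy a permit condition.
    return d.get(key, "Unknown")


RULES = [
    # Not enrolled in the MDM: nothing to assess, redirect to enrolment.
    Rule("Unregistered_Mobile",
         lambda d: attr(d, "DeviceRegisterStatus") != "Registered",
         "MDM_Redirect"),
    # Jailbroken devices are refused outright.
    Rule("Jailbroken",
         lambda d: attr(d, "JailBrokenStatus") == "JailBroken",
         "Deny"),
    # Full access only when every required attribute is reported and good.
    Rule("Compliant_Mobile",
         lambda d: attr(d, "DeviceCompliantStatus") == "Compliant"
         and attr(d, "DiskEncryptionStatus") == "On"
         and attr(d, "PinLockStatus") == "On",
         "Permit"),
]
DEFAULT = "Quarantine"  # anything not explicitly permitted gets restricted access


def authorize(mdm_attrs: Attrs) -> tuple[str, str]:
    """Return (matched rule name, result) for the first matching rule."""
    for rule in RULES:
        if rule.condition(mdm_attrs):
            return rule.name, rule.result
    return "Default", DEFAULT
```

A device that reports Compliant but omits DiskEncryptionStatus falls through to the default, which is the behaviour you want when the MDM cannot supply a value.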
10-14-2015 08:31 AM
You're asking about posture services for mobile devices. Posture services require an agent (such as the AnyConnect Posture Module, which is not supported on iOS or Android mobile devices) or a proxy (such as your MDM system).
For mobile devices, if your MDM doesn't provide the information, ISE has no way to obtain it to assess posture.
Using AnyConnect Posture Module, we can only check Windows, OS X or Linux hosts.
10-14-2015 09:03 AM
So does the Apex license apply only to mobile devices? Will it work with remote employees who are using AnyConnect? Can ISE check for any viruses on a PC before it lets the PC connect (through AnyConnect) to our network?
I thought the Cisco NAC agent, which is embedded in AnyConnect from version 3.2, can do posture, isn't it?
Regarding MDM, I should connect my ISE to an online MDM server (from the list of supported servers). Should I register and create an account with those services, such as Meraki or MobileIron?
10-14-2015 09:11 AM
The NAC Agent is still around but is being deprecated in favor of the newer AnyConnect ISE Posture Agent.
Neither can check for viruses per se. They can check that an Antivirus, Anti-malware etc. product is running and has current updates. You have to trust that it is doing its job.
There are detailed guides on integrating various MDM systems. See the listing on this page which includes guides for the products you mentioned and more.
10-14-2015 09:28 AM
Thank you for your explanations!
So if I have a mobile device and want to connect to ISE's secured network, I should register my device with the MDM system; after that (if my device is compliant) I will get access.
If I want to connect from my laptop, I should download the AnyConnect ISE Posture Agent?
10-14-2015 09:37 AM
You're welcome.
Whether or not you require successful compliance check for your mobile devices is a local policy decision. If you have an MDM and want to restrict mobile devices based on what it allows you to check then it makes sense to do so.
For non-mobile device endpoints (laptops, PCs etc.) the ISE Posture Agent is the recommended tool. It requires AnyConnect Apex licenses in addition to the ISE Apex licenses.
It can be automatically downloaded using ISE's Client Provisioning Services. Alternatively you can download and install it manually or use an external client software management system (like Microsoft SCCM or Intel LANdesk) to deploy the software.
10-14-2015 12:38 PM
Thank you so much.
If I understood correctly, for non-mobile devices I should have 2 licenses: Apex and AnyConnect Apex?
Unfortunately I have only the Apex license, so is it possible to check which antivirus is installed other than through AnyConnect?
10-14-2015 01:17 PM
You can still use the older Cisco NAC agent for Windows or OS X endpoints. Either the NAC agent client software or the temporal (web-based) agent can be used. When you do that, you do not need AnyConnect Apex licenses.
Many people don't like it as it uses Java (or ActiveX for the IE-based web agent) and presents challenges in that regard. However, it can provide posture assessment when it's provisioned and working correctly.