ISE Any Connect Compliance Module 4.3

Hello Community,

Currently running ISE 2.6 with Patch 3,7 installed. We have a Remote Access VPN being authenticated by the ISE with posture checks configured. Currently, the AnyConnect version is 4.8 and the compliance module is 3.6, with the Service (running) and AV Def. version checked.

We've got a new requirement now to add a new AV condition (Windows Defender), which isn't supported in 3.6 due to a Cisco bug, and TAC suggested upgrading to compliance module 4.3. I noticed the AV is showing the compliance module as 3.X or earlier in the posture condition. We need to create a new condition with CM 4.3 (for testing users) while preserving the existing config (3.6) before rolling out to all users.

So my question is: when I am creating a new "Antivirus Condition" (for Win Def), by default it is taking Compliance Module 3.x. How do I change it to the 4.x Compliance Module so that I can call this AV condition in the Posture policy?

Thanks in advance

Accepted Solution

1. In case of any issues, if the new CM (4.3) can't detect the ISE PSN, how do we roll back the config to restore normalcy?

-You can rely on the CPP to perform the downgrade.  As long as you steer the endpoints to the proper portal you will be fine.

2. Just by adding the CM module back to 3.6 in CPP, would users be able to downgrade the CM from 4.3 to 3.6? Will AnyConnect allow it, or is any other extra config required?

-Yes.  ISE CPP can perform the downgrade upon network onboarding connection.

3. As users would be cut off the network, how much time does it typically require to restore the connectivity?

-This may vary due to potential client-side software such as AV that may cause a delay.  Truthfully, in my experience the upgrade/downgrade of the CM module has been no longer than 60 seconds.

My suggestion would be to test all scenarios prior to mass rollout/change.  HTH!


7 Replies

Mike.Cifelli
VIP Alumni

AFAIK in order to support AV checks like the one you mentioned you need to be running compliance module 3.x or earlier.  

See sections 'Antivirus and Antispyware Support Chart' & 'Compliance Module' in the 2.6 admin guide for further detail.  Cisco Identity Services Engine Administrator Guide, Release 2.6 - Configure Client Posture Policies [Cisco Identity Services Engine] - Cisco

Is it possible to test with a later version of 3.x to see if that meets AV condition needs?

Hi Mike,

Thanks for the reply.

1. I believe AM conditions have a set of features similar to AV/AS with enhanced capabilities. Is adding Win.Def in AM correct?

2. If I add a new posture condition with the 4.X compliance module for the pilot/testing AD group, I hope users with the existing 3.6 (all AD users) wouldn't be impacted, or it won't be applicable to them.

Please confirm?

Mike.Cifelli
VIP Alumni

1. I believe AM conditions have a set of features similar to AV/AS with enhanced capabilities. Adding Win.Def in AM, I hope it's correct?

-Anti-Malware conditions require compliance module 4.x or greater.

2. If I add a new posture condition with the 4.X compliance module for the pilot/testing AD group, I hope users with the existing 3.6 (all AD users) wouldn't be impacted, or it won't be applicable to them.

-Correct.  In your posture policy you would/will add a new entry, and within the entry specify the new compliance module 4.x.  As long as in your Client Provisioning Policies you do not change the existing AnyConnect configuration result essentially forcing a 4.x upgrade to existing clients you will be ok.  My recommendation would be to build out a completely new setup to test the 4.x compliance items you wish to play with.

Hi Mike,

Thanks for the reply. We have conditions set for the compliance module 3.X to check the AV posture checks, and we'd need a new condition with the CM module 4.X as well.

If the CM gets upgraded to 4.X, how do we still keep enforcing the policies that are required for 3.X?

I'm just confused about how two different versions of the Compliance Module will run together for different AV conditions.

Mike.Cifelli
VIP Alumni

You will need to identify unique conditions for a specific group (for example a vpn tunnel group that would be used as your test scenario) and steer them to a different CPP AnyConnect configuration that is separate from your production stuff to test.  

If the CM gets upgraded to 4.X, how do we still keep enforcing the policies that are required for 3.X?

-If you have clients in the field running CM 3.x and your test group running 4.x you can have different posture policies enforced against each one respectively.

I'm just confused about how two different versions of the Compliance Module will run together for different AV conditions.

-They will not run together on a client.  It will be one or the other.

Take a peek at the admin guide: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!
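The two replies above describe a structure rather than a single setting: the Client Provisioning Policy (CPP) decides which compliance module a group of endpoints receives, and the posture policy holds separate entries per compliance-module family, so a 3.x client and a 4.x client are each evaluated against their own entry and never run both modules at once. The following toy model, added here as an illustration and not ISE's own API or configuration format, shows that interaction on constructed data: a production VPN group stays on CM 3.6 with AV conditions, a pilot group is steered to CM 4.3 with an Anti-Malware condition, and a rollback is nothing more than pointing the pilot group's CPP entry back at 3.6 so the next onboarding downgrades the module. All group names, version strings and condition names are assumptions.

```python
"""Toy model of how the ISE posture policy and Client Provisioning Policy (CPP)
interact when two compliance-module (CM) families coexist across endpoint groups.
Constructed illustration only; not Cisco ISE's API or its configuration format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    name: str
    kind: str            # "AV", "AS" or "AM"
    min_cm_major: int    # lowest CM major version able to evaluate the condition


@dataclass(frozen=True)
class PostureEntry:
    name: str
    cm_major: int              # CM family this posture policy entry applies to
    identity_groups: frozenset  # groups (e.g. VPN tunnel groups) the entry is scoped to
    conditions: tuple


@dataclass
class Endpoint:
    group: str
    cm_version: str  # e.g. "3.6.10" or "4.3.1" (constructed sample versions)
    facts: dict      # simulated agent-reported facts, keyed by condition name


# Constructed conditions; AV checks target CM 3.x, Anti-Malware needs CM 4.x or later
AV_DEF_UPTODATE = Condition("AV_DEF_UPTODATE", "AV", 3)
AV_SERVICE_RUNNING = Condition("AV_SERVICE_RUNNING", "AV", 3)
WINDEF_AM = Condition("WINDEF_AM", "AM", 4)

# Posture policy: one entry per CM family. The 3.x entry also covers the pilot
# group so that a rolled-back pilot client falls back to the production policy.
ENTRIES = (
    PostureEntry("Prod_AV_CM3", 3, frozenset({"prod-vpn", "pilot-vpn"}),
                 (AV_DEF_UPTODATE, AV_SERVICE_RUNNING)),
    PostureEntry("Pilot_AM_CM4", 4, frozenset({"pilot-vpn"}), (WINDEF_AM,)),
)


def cm_major(version: str) -> int:
    return int(version.split(".")[0])


def select_cpp_result(cpp: dict, endpoint: Endpoint) -> str:
    """CPP maps a group to the CM version it provisions; unknown groups get the default.
    Steering only the pilot group to a separate entry leaves production untouched."""
    return cpp.get(endpoint.group, cpp["default"])


def provision(cpp: dict, endpoint: Endpoint) -> str:
    """Move the endpoint's CM to whatever its CPP entry says; report the action taken."""
    target = select_cpp_result(cpp, endpoint)
    if cm_major(target) > cm_major(endpoint.cm_version):
        action = "upgrade"
    elif cm_major(target) < cm_major(endpoint.cm_version):
        action = "downgrade"
    else:
        action = "none"
    endpoint.cm_version = target
    return action


def evaluate_posture(entries, endpoint: Endpoint):
    """Match the first entry whose group and CM family fit, then evaluate its conditions.
    Returns (entry_name, compliant, per_condition_result); a client never matches
    entries of the other CM family, so only one module's checks ever apply."""
    major = cm_major(endpoint.cm_version)
    for entry in entries:
        if endpoint.group in entry.identity_groups and entry.cm_major == major:
            results = {}
            for cond in entry.conditions:
                if cond.min_cm_major > major:
                    results[cond.name] = "unsupported"  # e.g. an AM check on a 3.x agent
                else:
                    results[cond.name] = "pass" if endpoint.facts.get(cond.name) else "fail"
            return entry.name, all(r == "pass" for r in results.values()), results
    return None, False, {}


def run_scenario() -> dict:
    """Pilot rollout followed by a CPP-driven rollback, on constructed endpoints."""
    cpp = {"default": "3.6.10", "pilot-vpn": "4.3.1"}
    av_ok = {"AV_DEF_UPTODATE": True, "AV_SERVICE_RUNNING": True}
    prod = Endpoint("prod-vpn", "3.6.10", dict(av_ok))
    pilot = Endpoint("pilot-vpn", "3.6.10", {**av_ok, "WINDEF_AM": True})
    out = {"prod_action": provision(cpp, prod), "pilot_action": provision(cpp, pilot)}
    out["prod"] = evaluate_posture(ENTRIES, prod)
    out["pilot"] = evaluate_posture(ENTRIES, pilot)
    cpp["pilot-vpn"] = "3.6.10"            # rollback: repoint the pilot CPP entry
    out["rollback_action"] = provision(cpp, pilot)
    out["pilot_after_rollback"] = evaluate_posture(ENTRIES, pilot)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the script shows the production endpoint untouched ("none") and compliant under the 3.x entry, the pilot endpoint upgraded and compliant under the 4.x Anti-Malware entry, and, after the CPP change, the same pilot endpoint downgraded and evaluated again under the 3.x entry; placing an AM condition in a 3.x entry yields "unsupported" rather than a pass, which is the mismatch the thread warns about.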

Hi Mike,

Thanks for the reply. You've been so helpful.

1. In case of any issues, if the new CM (4.3) can't detect the ISE PSN, how do we roll back the config to restore normalcy?

2. Just by adding the CM module back to 3.6 in CPP, would users be able to downgrade the CM from 4.3 to 3.6? Will AnyConnect allow it, or is any other extra config required?

3. As users would be cut off the network, how much time does it typically require to restore the connectivity?

