cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1114
Views
25
Helpful
7
Replies

ISE Any Connect Compliance Module 4.3

Hello Community,

 

Currently running with ISE 2.6 Patch 3,7 installed. We've an Remote Access VPN being authenticated by the ISE with the posture checks configured. Currently, Anyconnect version is 4.8 and the compliance module is 3.6 with the Service (running) and AV with Def.version checked.

 

We've got an new requirement now to add a new AV condition (Windows Def) which isn't supported in 3.6 due to Cisco Bug and TAC suggested to upgrade to compliance module 4.3. Noticed the AV is showing the compliance module as 3.X or earlier in the posture condition. We need to create a new condition with the CM 4.3 (for testing users) while preserving the existing config (3.6) before rolling out to the all users.

 

So my question is when I am creating a new "Antivirus Condition" ( for Win Def) by default it is taking compliance Module 3.x,  how to change to 4.x Compliance module so that I can call this AV condition in Posture policy ?

 

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions

1. In case of any issues, if new CM (4.3) can't detect the ISE PSN, how do we rollback the config to restore the normalcy? 

-You can rely on the CPP to perform the downgrade.  As long as you steer the endpoints to the proper portal you will be fine.

2. Just by adding the CM module back to 3.6 in CPP, would users be able to downgrade the CM from 4.3 to 3.6 ? Will any-connect allow it or any other extra config is required?

-Yes.  ISE CPP can perform the downgrade upon network onboarding connection.

3. As users would be cut off the network, how much time does it typically require to restore the connectivity?

-This may vary due to potential client side software such as AV that may cause a delay.  Truthfully during my experience the upgrade/downgrade of CM module has been no longer than 60 seconds.

My suggestion would be to test all scenarios prior to mass rollout/change.  HTH!

View solution in original post

7 REPLIES 7
Mike.Cifelli
VIP Advocate

AFAIK in order to support AV checks like the one you mentioned you need to be running compliance module 3.x or earlier.  

See sections 'Antivirus and Antispyware Support Chart' & 'Compliance Module' in the 2.6 admin guide for further detail.  Cisco Identity Services Engine Administrator Guide, Release 2.6 - Configure Client Posture Policies [Cisco Identity Services Engine] - Cisco

Is it possible to test with a later version of 3.x to see if that meets AV condition needs?

Hi Mike,

 

Thanks for the reply. 

 

1. Believe AM conditions has set of features as similar to AV/AS with enhanced capabilities. Adding Win.Def in AM is it correct?

2.If I add a new posture condition with the 4.X compliance module for the pilot/testing AD group, hope users with the existing 3.6 for all AD users wouldn't be impacted or it wont be applicable for them.

 

Please confirm?

Mike.Cifelli
VIP Advocate

1. Believe AM conditions has set of features as similar to AV/AS with enhanced capabilities. Adding Win.Def in AM hope its correct?

-Anti-Malware conditions require compliance module 4.x or greater.

2.If I add a new posture condition with the 4.X compliance module for the pilot/testing AD group, hope users with the existing 3.6 for all AD users wouldn't be impacted or it wont be applicable for them.

-Correct.  In your posture policy you would/will add a new entry, and within the entry specify the new compliance module 4.x.  As long as in your Client Provisioning Policies you do not change the existing AnyConnect configuration result essentially forcing a 4.x upgrade to existing clients you will be ok.  My recommendation would be to build out a completely new setup to test the 4.x compliance items you wish to play with.

Hi Mike,

 

Thanks for the reply. We've an conditions set for the compliance module 3.X to check the AV posture checks and we'd need a new condition with the CM module 4.X as well.

If the CM gets upgraded to 4.X, how to still keep enforcing the policies that is required for 3.X? 

I'm just confused, how two different versions of Compliance modules will run together for different AV conditions.

Mike.Cifelli
VIP Advocate

You will need to identify unique conditions for a specific group (for example a vpn tunnel group that would be used as your test scenario) and steer them to a different CPP AnyConnect configuration that is separate from your production stuff to test.  

If the CM gets upgraded to 4.X, how to still keep enforcing the policies that is required for 3.X? 

-If you have clients in the field running CM 3.x and your test group running 4.x you can have different posture policies enforced against each one respectively.

I'm just confused, how two different versions of Compliance modules will run together for different AV conditions.

-They will not run together on a client.  It will be one or the other.

Take a peek at the admin guide: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

Hi Mike,

 

Thanks for the reply. You've been so helpful

 

1. In case of any issues, if new CM (4.3) can't detect the ISE PSN, how do we rollback the config to restore the normalcy? 

2. Just by adding the CM module back to 3.6 in CPP, would users be able to downgrade the CM from 4.3 to 3.6 ? Will any-connect allow it or any other extra config is required?

3. As users would be cut off the network, how much time does it typically require to restore the connectivity?

 

1. In case of any issues, if new CM (4.3) can't detect the ISE PSN, how do we rollback the config to restore the normalcy? 

-You can rely on the CPP to perform the downgrade.  As long as you steer the endpoints to the proper portal you will be fine.

2. Just by adding the CM module back to 3.6 in CPP, would users be able to downgrade the CM from 4.3 to 3.6 ? Will any-connect allow it or any other extra config is required?

-Yes.  ISE CPP can perform the downgrade upon network onboarding connection.

3. As users would be cut off the network, how much time does it typically require to restore the connectivity?

-This may vary due to potential client side software such as AV that may cause a delay.  Truthfully during my experience the upgrade/downgrade of CM module has been no longer than 60 seconds.

My suggestion would be to test all scenarios prior to mass rollout/change.  HTH!

View solution in original post

Content for Community-Ad