ISE Clarifications

Hi 

 

I have read about ISE but still find it difficult to understand the following. I will be most grateful if someone can explain the following to me.

 

1. What is the difference between the AnyConnect Agent and the Compliance Module? I read that Compliance Module 4.x does the anti-malware checks, so then what would be the need for the AnyConnect Agent?

2. What is an AV Pair? I say that

    Client Provisioning(Posture)       ACL     Client Provisioning(Policy).

3. Is there any sequence of events for how exactly the network compliance tests happen? Example: when a device connects to the corporate WiFi, first it authenticates, next it is put into a remediation VLAN (where it will download the AnyConnect Agent), the client is then redirected to a web portal where the user needs to accept the AUP, the device is scanned, etc. I am sorry, I am finding it difficult since I am not able to see a pattern, like connecting the dots.

4. If the name of the corporate WiFi is Mun-WiFi, would the Native Supplicant be Mun-WiFi when we look for connection checks?

5. Upon failing the posture condition, we also want the devices to download the latest definitions of Immunet. But it is not on the list of the anti-malware products. How can we get devices to download Immunet automatically?

6. Are there any dissolvable agents supported by ISE? AnyConnect is permanently installed on ISE, I believe.

 

Thanks a lot in advance.

2 Accepted Solutions

Mike.Cifelli (VIP Alumni)
For the posture related questions see here: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
2. What is AV Pair. I say that
-The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor specific attributes (VSA), thereby, allowing vendors to support their own extended attributes otherwise not suitable for general use. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair."
4. If the name of Corporate WiFi is Mun-WiFi, would the Native Supplicant be Mun-WiFi, when we look for connection checks.
-You have the ability to configure the native supplicant with GPO to support wireless 802.1x onboarding. This link will walk you through the process of setting up the native supplicant for wired. Note that the wireless build-out is similar. For wireless, focus on the WLAN AutoConfig service & the corresponding 802.11 policy. See: https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/
Lastly, here is another valuable link that may assist you in your journey: https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
Good luck & HTH!

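As an added example (not part of Mike's answer, and not Cisco or ISE code), here is a small Python encoder and parser for the structure his answer describes: RADIUS attribute 26 (Vendor-Specific) carrying Cisco's vendor-ID 9 and vendor-type 1, "cisco-avpair". The user name, the other-vendor VSA, and the two AV-pair strings in the sample attribute list are constructed for illustration (the redirect URL and ACL name are placeholders, not values from the thread). Every length byte is bounds-checked, so a truncated or malformed attribute raises instead of being read past the buffer, which is the check a parser facing untrusted RADIUS input needs.

```python
import struct

# RFC 2865 attribute numbers and the Cisco values stated in the answer above
VSA_TYPE = 26            # Vendor-Specific attribute
USER_NAME_TYPE = 1       # User-Name; used only so the sample carries a non-VSA attribute too
CISCO_VENDOR_ID = 9      # Cisco's vendor-ID
CISCO_AVPAIR_TYPE = 1    # vendor-type 1 = "cisco-avpair"


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length counts the 2 header bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_cisco_avpair(pair: str) -> bytes:
    """Wrap one 'attr=value' string as attribute 26 / vendor-ID 9 / vendor-type 1."""
    data = pair.encode("utf-8")
    if len(data) > 247:  # 253 minus 4 (vendor-ID) minus 2 (vendor-type + vendor-length)
        raise ValueError("AV pair too long for a single VSA")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    return encode_attribute(VSA_TYPE, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)


def _walk_tlvs(buf: bytes):
    """Yield (type, value) from a Type-Length-Value list, refusing any length that overruns buf."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated TLV header at offset %d" % i)
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, i))
        yield t, buf[i + 2:i + length]
        i += length


def extract_cisco_avpairs(attributes: bytes) -> list:
    """Return every cisco-avpair string found in a RADIUS attribute list, in packet order."""
    pairs = []
    for atype, value in _walk_tlvs(attributes):
        if atype != VSA_TYPE or len(value) < 4:
            continue                                  # not a VSA, or too short to hold a vendor-ID
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != CISCO_VENDOR_ID:
            continue                                  # another vendor's VSA; ignore it
        for vtype, vvalue in _walk_tlvs(value[4:]):   # one attribute 26 may hold several sub-TLVs
            if vtype == CISCO_AVPAIR_TYPE:
                pairs.append(vvalue.decode("utf-8", errors="replace"))
    return pairs


def avpairs_to_dict(pairs: list) -> dict:
    """Split 'attr=value' strings into a dict; a pair without '=' maps to an empty string."""
    result = {}
    for pair in pairs:
        key, sep, val = pair.partition("=")
        result[key] = val if sep else ""
    return result


def is_well_formed(attributes: bytes) -> bool:
    """True if every outer and Cisco inner TLV length fits inside the buffer."""
    try:
        extract_cisco_avpairs(attributes)
        return True
    except ValueError:
        return False


# Constructed sample attribute list: a User-Name, a VSA from a non-Cisco vendor (id 311, chosen for
# illustration), and two Cisco AV pairs of the kind a posture-redirect authorization result carries.
# The ACL name, host name and session id are placeholders made up for this example.
SAMPLE_ATTRIBUTES = (
    encode_attribute(USER_NAME_TYPE, b"alice")
    + encode_attribute(VSA_TYPE, struct.pack("!I", 311) + struct.pack("!BB", 1, 4) + b"xy")
    + encode_cisco_avpair("url-redirect-acl=ACL-POSTURE-REDIRECT")
    + encode_cisco_avpair("url-redirect=https://ise.example.net:8443/portal/gateway?sessionId=SESSION-ID-PLACEHOLDER&action=cpp")
)


def summarize(attributes: bytes = SAMPLE_ATTRIBUTES) -> dict:
    """Decode the Cisco AV pairs from an attribute list into a dict keyed by attribute name."""
    return avpairs_to_dict(extract_cisco_avpairs(attributes))


if __name__ == "__main__":
    for key, val in summarize().items():
        print("%s = %s" % (key, val))
```

The walk treats the outer attribute list and the vendor data inside attribute 26 the same way, since both are plain Type-Length-Value lists; the only difference is that the inner one is preceded by the 4-byte vendor-ID, and the parser keys on that to decide whether the sub-TLVs are Cisco's.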

1. What is the difference between the AnyConnect Agent and the Compliance Module? I read that Compliance Module 4.x does the anti-malware checks, so then what would be the need for the AnyConnect Agent?

----> The AnyConnect agent is the core component, where you have modules like VPN, NAM and Posture (which is also called the compliance checker). The Compliance Module is installed in ISE, and each module version, like 3.x or 4.x, has different features. For example, 4.x has AM; 3.x has AS and AV, which are both different. Each module, 4.x and 3.x, has different supported things.

 

2. What is an AV Pair? I say that

    Client Provisioning(Posture)       ACL     Client Provisioning(Policy). --> AV pair as explained above. These are values or data fields which can be extracted to use as a condition, or to provide a result, when you are making an authorization or authentication policy.

3. Is there any sequence of events for how exactly the network compliance tests happen? Example: when a device connects to the corporate WiFi, first it authenticates, next it is put into a remediation VLAN (where it will download the AnyConnect Agent), the client is then redirected to a web portal where the user needs to accept the AUP, the device is scanned, etc. I am sorry, I am finding it difficult since I am not able to see a pattern, like connecting the dots.

 

--> Authentication --> Authorization --> in Authorization, if posture compliance is unknown --> redirect to posture checks --> it runs all the posture checks; if they pass --> network access.

 

There are scenarios depending on which stage you are stuck on, but the above is the simplest way of letting you know.

The AUP and web portal only come into the picture when you are doing the AnyConnect installation.

99.9% of the time you will be pushing the AnyConnect package through MSI using Windows SCCM.

 

4. If the name of the corporate WiFi is Mun-WiFi, would the Native Supplicant be Mun-WiFi when we look for connection checks?

--> The Native Supplicant will see MUN-WiFi in the SSID/NW. Assume you have a Cisco WLC: when you configure the SSID you select Dot1x authentication in the SSID and then select the AAA servers in the SSID. When someone tries to connect to it, it would do the redirection and ISE will do the needful depending on the policies you have configured.

 

5. Upon failing the posture condition, we also want the devices to download the latest definitions of Immunet. But it is not on the list of the anti-malware products. How can we get devices to download Immunet automatically?

--> Cisco ISE downloads the software details from Talos. Check the compliance module version to see if it's present in 3.x or 4.x.

 

6. Are there any dissolvable agents supported by ISE? AnyConnect is permanently installed on ISE, I believe.

--> In the newer versions there are Temporal Agents, which are available for the same.

 

Please rate helpful


4 Replies


Thanks guys,

The Compliance Module 4.x does not list Immunet.

Any suggestions please.

Regards

Adrian

Hi,

 

But it's supported in 3.x:

https://www.cisco.com/c/dam/en/us/td/docs/security/ise/ComplianceModule/win-avas-3_6_11428_2.pdf

"Cisco Identity Services Engine release version. Supported Windows AV/AS Product ... Immunet Free Antivirus. 3.x. 4.9.0.29 / 3.5.3084.2."

As this is anti-virus software, you can always use 3.x.

Any special reason why you want to use 4.x?