06-06-2020 06:22 PM
Hi
I have read about ISE but still find it difficult to understand the following. I will be most grateful if someone can explain the following to me.
1. What is the difference between AnyConnect Agent and Compliance Module? I read that Compliance Module 4.X does the Anti-Malware checks, so then what would be the need for AnyConnect Agent?
2. What is AV Pair. I say that
Client Provisioning(Posture) ACL Client Provisioning(Policy).
3. Is there any sequence of events on how exactly the Network Compliance tests happen? For example, when a device connects to Corporate WiFi, first it authenticates, next it is put into a remediation VLAN (where it will download the AnyConnect Agent), the client is then redirected to a web portal where the user needs to accept the AUP, the device is scanned, etc. I am sorry, I am finding it difficult since I am not able to see a pattern, like connecting the dots.
4. If the name of Corporate WiFi is Mun-WiFi, would the Native Supplicant be Mun-WiFi, when we look for connection checks?
5. Upon failing the Posture Condition, we also want the devices to download the latest definition of the Immunet. But it is not on the list of the Anti-malware. How can we get devices to download the Immunet automatically?
6. Are there any dissolvable agents supported by ISE? The AnyConnect is permanently installed on ISE, I believe.
Thanks a lot in advance.
06-08-2020 05:31 AM
06-08-2020 05:54 AM
1. What is the difference between AnyConnect Agent and Compliance Module? I read that Compliance Module 4.X does the Anti-Malware checks, so then what would be the need for AnyConnect Agent?
----> The AnyConnect agent is a core component where you have modules like VPN, NAM and Posture (which is also called Compliance checker). The Compliance Module is installed in ISE, and each module, like 3.x or 4.x, has different features. For example, 4.x has AM; 3.x will have AS and AV, both different. Each module, 4.x and 3.x, supports different things.
2. What is AV Pair. I say that
Client Provisioning(Posture) ACL Client Provisioning(Policy). --> AV pair as explained above. These are values or data fields which can be extracted to use as a condition or provide a result when you are making authorization or authentication policy.
3. Is there any sequence of events on how exactly the Network Compliance tests happen? For example, when a device connects to Corporate WiFi, first it authenticates, next it is put into a remediation VLAN (where it will download the AnyConnect Agent), the client is then redirected to a web portal where the user needs to accept the AUP, the device is scanned, etc. I am sorry, I am finding it difficult since I am not able to see a pattern, like connecting the dots.
--> Authentication --> Authorization --> in Authorization posture compliance if unknown --> redirect to posture checks --> it runs all the posture checks if anything pass --> network access.
There are scenarios depending on which stage you are stuck on, but the above is the simplest way of letting you know.
AUP and web portal only come into the picture when you are doing AnyConnect installation.
99.9% you will be pushing the AnyConnect package through MSI using Windows SCCM.
4. If the name of Corporate WiFi is Mun-WiFi, would the Native Supplicant be Mun-WiFi, when we look for connection checks?
--> Native Supplicant will see MUN-Wifi in the SSID/NW. Assume you have a Cisco WLC: when you configure the SSID you have to select Dot1x authentication in the SSID and then select AAA servers in the SSID. When someone tries to connect to it, it would do the redirection and ISE will do the needful depending on the policies you have configured.
5. Upon failing the Posture Condition, we also want the devices to download the latest definition of the Immunet. But it is not on the list of the Anti-malware. How can we get devices to download the Immunet automatically?
--> Cisco ISE downloads the software details from Talos. Check the compliance module version to see if it's present in the 3.x or 4.x.
6. Are there any dissolvable agents supported by ISE? The AnyConnect is permanently installed on ISE, I believe.
--> In the newer versions there are Temporal Agents which are available for the same.
Please rate helpful
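The sequence in answer 3 (authentication, authorization, redirect while posture is unknown, re-authorization after the checks), as an added example that is not part of the original post and is not ISE code. It is a simplified model: the rule names, the ACL name and the portal URL are hypothetical placeholders, and it assumes every reported check must pass for a Compliant status.

```python
from dataclasses import dataclass

REDIRECT = [  # ACL name and portal URL are hypothetical placeholders
    "cisco-av-pair=url-redirect-acl=ACL_POSTURE_REDIRECT",
    "cisco-av-pair=url-redirect=https://ise.example.invalid/portal?action=cpp",
]

@dataclass
class Session:
    mac: str
    authenticated: bool = False
    posture: str = "Unknown"  # Unknown | Compliant | NonCompliant

# Authorization rules, evaluated top-down, first match wins.
# Each rule: (hypothetical name, condition on the session, AV pairs sent to the WLC/switch)
AUTHZ_RULES = [
    ("Compliant-FullAccess", lambda s: s.posture == "Compliant", []),
    ("NonCompliant-Remediate", lambda s: s.posture == "NonCompliant", REDIRECT),
    ("Unknown-Redirect", lambda s: s.posture == "Unknown", REDIRECT),
]

def authorize(s):
    """Return (rule name, AV pairs). Authentication failure stops before authorization."""
    if not s.authenticated:
        return ("Access-Reject", [])
    for name, condition, av_pairs in AUTHZ_RULES:
        if condition(s):
            return (name, av_pairs)
    return ("Default-Deny", [])  # nothing matched: fail closed

def report_posture(s, checks):
    """The agent reports its check results; the status changes and the
    session is authorized again (the model's stand-in for a CoA)."""
    s.posture = "Compliant" if checks and all(checks.values()) else "NonCompliant"
    return authorize(s)

def walk_through(mac, credentials_ok, checks):
    """Run one endpoint through the sequence; return the rule hit at each step."""
    s = Session(mac=mac, authenticated=credentials_ok)
    steps = [authorize(s)[0]]
    if s.authenticated:
        steps.append(report_posture(s, checks)[0])
    return steps

if __name__ == "__main__":
    # Constructed sample endpoints
    print(walk_through("00:11:22:33:44:55", True, {"anti-malware": True}))
    print(walk_through("00:11:22:33:44:66", True, {"anti-malware": False}))
    print(walk_through("00:11:22:33:44:77", False, {}))
```

The same session is authorized twice: once with posture Unknown, which returns the redirect AV pairs, and again after the agent reports, which is why the rules are keyed on posture status rather than on identity alone.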
06-10-2020 03:07 AM
Thanks Guys
The Compliance Module 4.X does not list IMMUNET.
Any suggestions please.
Regards
Adrian
06-10-2020 09:52 AM
Hi,
But it's supported in 3.x
https://www.cisco.com/c/dam/en/us/td/docs/security/ise/ComplianceModule/win-avas-3_6_11428_2.pdf