ISE Deployment queries

ymadheka
Level 4

Hi Team,

We are in the process of deploying the ISE at customer site and need few pointers and help on below requirements:

  • How best can we deploy the Cisco AnyConnect agent in production? Do we have any best practices for the same?
  • Deploying different policy enforcement: for instance, can we define different access levels or push the system to different VLANs depending upon certain matching criteria or policy in ISE (if any end system has AV updated and DLP not updated then go to X VLAN; if both AV and DLP are updated then go to Y VLAN, etc.)?
  • Automatic remediation configuration guide for WSUS or AV server (the ISE Design & Integration Guides have the older version); we need the updated one for the ISE 2.2 version.

Appreciate any quick help on this.

Thanks & Regards,

Yogesh Madhekar

1 Accepted Solution

Accepted Solutions

gbekmezi-DD
Level 5

1. Depends on environment. If you have WSUS then consider using it.

2. Changing VLANs is not the preferred method for isolating users based on posture. Consider dACLs first.

3. The available guide should serve as a great starting point. Not much has changed in the configuration of posture between ISE 2.1 and 2.2. The presentation says it's from 2.1.

George

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.


Just to add to George's response:

1) You can use a systems manager of any sort to deploy AnyConnect and the profiles for posture or other modules. For devices that are unmanaged (like BYOD assets), the ISE authorization policy can be defined to provision the agent through the ISE on-boarding flow.

2) Yes, changing the VLANs is a bad idea; dACLs keep it seamless. However, with posture you have one of the 3 compliance states: Compliant, Non-compliant and Unknown. So if either AV or DLP is missing, then the endpoint would still be deemed non-compliant; you can't have a partially compliant status for posture.

3) Yes, there isn't much change for 2.x for WSUS. Also MS has moved from WSUS to SCCM now.

Cheers!

-Hari
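To make the posture-state and dACL discussion above concrete, here is an added example that is not part of the thread and not Cisco or ISE code. It is a toy model of the flow Hari describes: every posture check on an endpoint is collapsed into exactly one of the three states (Compliant, NonCompliant, Unknown), and that single state selects a downloadable ACL that is pushed onto the endpoint's existing session, so the VLAN and IP address never change. All addresses (an ISE policy node at 10.0.0.5, WSUS/AV servers at 10.0.0.10 and 10.0.0.11) and the ACL contents are constructed placeholders, and the ACE matcher is a deliberately simplified first-match-wins evaluator, not a real switch ACL engine.

```python
"""Toy model of ISE posture states selecting per-session dACLs (added example).

Assumptions (not from the thread): placeholder addresses, simplified
ACE syntax with destination host/port only, first matching entry wins,
implicit deny at the end of every list.
"""
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Posture(Enum):
    COMPLIANT = "Compliant"
    NON_COMPLIANT = "NonCompliant"
    UNKNOWN = "Unknown"


# One access control entry: (action, protocol, destination host or "any", port or "any")
Ace = Tuple[str, str, str, object]

# Constructed placeholder addresses.
ISE_PSN = "10.0.0.5"                       # policy service node hosting the posture portal
REMEDIATION_SERVERS = ["10.0.0.10", "10.0.0.11"]  # WSUS and AV update servers


def remediation_dacl() -> List[Ace]:
    """Non-compliant endpoints may only reach name resolution, DHCP, ISE and the
    remediation servers; everything else is dropped until they re-assess."""
    aces: List[Ace] = [
        ("permit", "udp", "any", 53),
        ("permit", "udp", "any", 67),
        ("permit", "tcp", ISE_PSN, 8443),
    ]
    aces += [("permit", "ip", server, "any") for server in REMEDIATION_SERVERS]
    aces.append(("deny", "ip", "any", "any"))
    return aces


DACLS: Dict[Posture, List[Ace]] = {
    # No agent report yet: enough access to reach ISE and get the agent/portal.
    Posture.UNKNOWN: [
        ("permit", "udp", "any", 53),
        ("permit", "udp", "any", 67),
        ("permit", "tcp", ISE_PSN, 8443),
        ("deny", "ip", "any", "any"),
    ],
    Posture.NON_COMPLIANT: remediation_dacl(),
    Posture.COMPLIANT: [("permit", "ip", "any", "any")],
}


def evaluate_posture(checks: Optional[Dict[str, bool]]) -> Posture:
    """Collapse any number of mandatory checks (AV, DLP, patches, ...) into one state.

    There is no partial result: a single failing check yields NonCompliant,
    and no report at all (agent not yet run) yields Unknown.
    """
    if checks is None:
        return Posture.UNKNOWN
    return Posture.COMPLIANT if all(checks.values()) else Posture.NON_COMPLIANT


def ace_matches(ace: Ace, proto: str, dst: str, port: int) -> bool:
    _, ace_proto, ace_dst, ace_port = ace
    return (
        (ace_proto == "ip" or ace_proto == proto)
        and (ace_dst == "any" or ace_dst == dst)
        and (ace_port == "any" or ace_port == port)
    )


def traffic_permitted(dacl: List[Ace], proto: str, dst: str, port: int) -> bool:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for ace in dacl:
        if ace_matches(ace, proto, dst, port):
            return ace[0] == "permit"
    return False


def render_dacl(dacl: List[Ace]) -> List[str]:
    """Render entries in an IOS-like form for review, e.g. 'permit tcp any host 10.0.0.5 eq 8443'."""
    lines = []
    for action, proto, dst, port in dacl:
        dst_text = "any" if dst == "any" else f"host {dst}"
        port_text = "" if port == "any" else f" eq {port}"
        lines.append(f"{action} {proto} any {dst_text}{port_text}")
    return lines


def authorize(checks: Optional[Dict[str, bool]], proto: str, dst: str, port: int) -> Tuple[Posture, bool]:
    """Return the posture state chosen for this session and whether the given flow is allowed."""
    posture = evaluate_posture(checks)
    return posture, traffic_permitted(DACLS[posture], proto, dst, port)


if __name__ == "__main__":
    # AV current but DLP stale: the endpoint is simply NonCompliant, not "half compliant",
    # and can reach only the remediation servers.
    for report in (None, {"AV": True, "DLP": False}, {"AV": True, "DLP": True}):
        state, internet_ok = authorize(report, "tcp", "93.184.216.34", 443)
        print(f"{str(report):32} -> {state.value:13} internet={internet_ok}")
        print("    " + " | ".join(render_dacl(DACLS[state])))
```

The practical point for the question in the thread: the authorization policy has only three posture-based rules to write, one per state, and the per-check granularity lives in the posture requirements, not in separate VLANs. A dACL also takes effect on the live session via a CoA, so the endpoint keeps its address and does not need a DHCP renewal as it would after a VLAN change.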

Hi Hari,

Thanks for the quick response.

Can you please provide details of how dACLs will be useful for the compliant state based on different checks?

Also do we have any document giving best practices for implementing ISE in enterprises that can be shared with the customer?


Thanks in advance for any help.