ISE for AnyConnect Distribution

rwehe
Cisco Employee

Hello ISE experts,

I'm wondering if anyone has information (case studies, limitations, etc.) for distributing AnyConnect updates (both AnyConnect client and posture module updates) via SCCM vs coming from ISE. The use case for this ISE environment is extremely large and I'm wondering if we're going to run into any troubles by relying on ISE for all AnyConnect updates to our endpoints.

Thank you!

Accepted Solutions

howon
Cisco Employee

It is always recommended to use external s/w distribution if possible. It is better from a scalability, end user experience, and management perspective. Scalability-wise, the # of users ISE can manage during posture state is significantly lower than non-redirected flows such as straight 802.1X or MAB, which is shown here: ISE Performance & Scale. So in a large environment, where many users are expected to connect and download the client at the same time, users could experience delay. But more importantly, having users with varying technical knowledge go through the agent installation via the provisioning portal can be problematic. Lastly, there are the permissions on the endpoint: without admin rights, the end user may not be able to initially install the agent themselves.

4 Replies

rwehe
Cisco Employee

If ISE is decided to be used as a distribution method (maybe as a secondary method for endpoints that slip between the cracks of SCCM), would the load for pushing updates and downloads be on the PSN node that the endpoint authenticates with or the PAN node?

Thanks

Thanks Jason.