rwehe
Cisco Employee

ISE for AnyConnect Distribution

Hello ISE experts,

I'm wondering if anyone has information (case studies, limitations, etc.) for distributing AnyConnect updates (both AnyConnect client and posture module updates) via SCCM vs coming from ISE. The use case for this ISE environment is extremely large and I'm wondering if we're going to run into any troubles by relying on ISE for all AnyConnect updates to our endpoints.

Thank you!

Accepted Solutions
howon
Cisco Employee

It is always recommended to use external s/w distribution if possible. It is better from a scalability, end user experience, and management perspective. Scalability-wise, the # of users ISE can manage during posture state is significantly lower than non-redirected flows such as straight 802.1X or MAB, which is shown here: ISE Performance & Scale. So in a large environment, where many users are expected to connect and download the client at the same time, users could experience delay. But more importantly, having users with varying technical knowledge go through the agent installation via the provisioning portal can be problematic. Lastly, there are the permissions on the endpoint: without admin rights, the end user may not be able to initially install the agent themselves.


rwehe
Cisco Employee

If ISE is decided to be used as a distribution method (maybe for a secondary method for endpoints that slip between the cracks of SCCM) would the load for pushing updates and downloads be on the PSN node that the endpoint authenticates with or the PAN node?

Thanks

PSN

Thanks Jason.
