
ISE Posture Agent deployment

tiryan
Cisco Employee

This question comes from a long-time Identity Services Engine customer that is now enabling Posture and wants to deploy different versions of AnyConnect and posture modules from the same ASA.

The posture module is configured to be deployed via group policy in the ASA, but it only does so for the main AnyConnect version deployed in production. When someone connects to the ASA with a higher version of the main client, the posture modules aren’t being deployed by the ASA.

Can this be accomplished?
We can easily update the modules via ISE once the client has already been deployed, but ISE doesn’t seem to have the ability to force the ASA to deploy the module when it is not present. ISE can also allow the client to download the entire AnyConnect+Module package (via client provisioning portal), but it gets a little troublesome because you cannot update the client while currently connected to the ASA, and running the package often requires admin rights on the machine (which some of our clients do not have). The module deployment via the ASA overcomes these limitations in a pretty seamless fashion; the only issue is when users connect with a higher version of the AnyConnect client.

1 Reply

hslai
Cisco Employee

When using ISE with ASA, we need to put the same version of AnyConnect on them both.

Using VPN to push AnyConnect client upgrade might be of interest to you.