Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2265
Views
25
Helpful
3
Replies

ISE Posture - AnyConnect Compliance module v3.x vs v4.x

blazarov86
Level 1
Level 1

‎06-08-2017 01:14 AM - edited ‎03-11-2019 12:46 AM

Hello Community,

I have searched very hard to find info on that matter, but with almost no result, so I've decided to post a thread here. Our environment is based ISE 2.2 ASA 9.4 and AnyConnect 4.4

As you know there are two separate version "trains" for the ISE compliance module for AnyConnect:

  • v 3.x where the latest version is v 3.6.xxxx
  • v 4.x where the latest version is v 4.2.xxxx

Obviously they have some substantial functional differences that are reflected in the ISE posture condition policies, e.g.:

  • Anti-Malware is only for v4.x
  • Anti-Spyware is only for v3.x
  • Anti-Virus in only for v3.x
  • Application conditions are for both v3.x and v4.x
  • Patch management conditions have to separately configured for v3.x and v4.x
  • .. and so on..

So my questions are:

  • What is the general rule of thumb for choosing to use v3 or v4 AC Compliance module? Obviously both would do the job one way or the other, and both support the current AnyConnect versions. So what is the catch?
  • Since AV and Anti-Spyware checks seem "depreciated" in compliance module v4 is it true to assume that they have been consolidated into Anti-Malware checks that covers all?

2 people had this problem
Labels:
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-08-2017 04:39 AM

Yes - v4.x is calling all those related checks Anti-malware.

Use v4.x as a general rule as v3.x will totally be deprecated in the future.

efellows.support
Level 1
Level 1
In response to Marvin Rhoads

‎06-08-2017 05:58 AM

Thanks Marvin,

do you know if there is any reason to still use v3.x - like any common functionality that is still not doable with 4.x ? Or maybe OS support.. Looked at available docs & release notes and couldn't find such..

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to efellows.support

‎06-08-2017 07:09 AM

As far as I know, the only reason to use 3.x compliance module is if you have clients with AnyConnect 3.x.

If you have no such clients, then you should only run the 4.x compliance module.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents