
ISE posture VPN anyconnect module without using provisioning portal

tomalexis
Level 1

Howdy

I am trying to figure out the best option to install the ISE posture module for existing VPN anyconnect users ONLY. 

Reading the docs and samples, all of them show installing the profile / pkg on ISE.

But I feel that's more cumbersome, especially without admin privileges etc.?

Wouldn't it be a lot easier if the ISE posture module was pushed down from ASA/headend with profile, and then only posture results are sent to ISE?

Is there any plan for ISE to just push down the posture module when the redirect happens without any user intervention - kind of like how the ISE posture module gets installed from ASA?

2 Replies

Mike.Cifelli
VIP Alumni

Adding my opinions:

Wouldn't it be a lot easier if the ISE posture module was pushed down from ASA/headend with profile, and then only posture results are sent to ISE?

- You still have to have things built out in ISE for this solution to work. The main pieces being the actual posture policies/requirements (what to assess) on the remote endpoints.

Is there any plan for ISE to just push down the posture module when the redirect happens without any user intervention - kind of like how the ISE posture module gets installed from ASA?

- If clients have already been previously provisioned then the ISE webdeploy upgrade process is pretty much seamless IMO. For those un-provisioned clients there is some user intervention required.

Lastly, once you get a hang of relying on ISE CPP and posture configuration I truthfully like it & would recommend it.  From my experience the easiest deployment of all the required modules for this solution to work is the compliance module across any network type (vpn, wired, or wireless).  I would strongly suggest taking a peek at the following resources to understand structure & workflow.

ISE Posture Prescriptive Deployment Guide - Cisco Community

ISE Posture - Cisco Community

Cisco ISE Posture Configuration Part 1 - Posture Conditions - YouTube

Video: Security | Lab Minutes

HTH!

Thx Mike. I have already tried in the past and am aware of the ISE config requirements. I am not sure if there are any recent enhancements.

My feeling is that since the posture agent requires admin privileges etc., especially in the case of existing AnyConnect VPN users, doing CPP is cumbersome and may be difficult without admin privileges.

I would personally think the following are much cleaner:

1) Install via AnyConnect as a module, which requires no admin privileges

2) Install using SMS, Altiris etc. to a machine that's already VPN connected.

I would imagine that CPP would make more sense in case of BYOD or non-company owned machines. 

I know with ISE 3.0 there is an agentless module, but it looks like that also needs admin privileges to run.

I just wanted to know how others are deploying posture: using CPP to download the posture module even for AnyConnect VPN users, or using the ISE posture VPN module from the ASA/FTD headend?
