10-20-2017 05:08 AM - edited 02-21-2020 10:36 AM
Hi;
What is the difference between AnyConnect ISE Compliance Module versions (3.x and 4.x)? Some remediation and posturing actions are only available in one version or the other. I've created an AnyConnect configuration file on ISE with only AnyConnect Compliance Module version 4.2. Given that it is not possible to add both compliance modules to a single configuration file, do I need to create 2 configuration files (one for each version of the compliance module) and provision both to clients? Would anybody clarify this a little bit more for me? Thanks.
10-20-2017 07:11 AM
Hi
The difference is based on the AnyConnect client version you have installed on your hosts.
Best practice is to use version 4, as version 3 will be deprecated soon. You have to use v3 only if your AnyConnect clients are on version 3 and there is no possibility to upgrade them.
For example, on version 3 you were using the menu Antivirus and Antispyware, whereas in version 4 everything is in the menu AntiMalware.
You can only have 1 profile per host, and this will be based essentially on the AnyConnect version. If I can recommend you something, it's gonna be to, if possible, have all your clients on AnyConnect version 4 and use compliance module v4.x.x.
10-20-2017 11:46 AM - edited 10-20-2017 11:54 AM
With your explanation I now get it right. Thank you for this helpful answer.
I have an issue with this posture configuration, which I think does not work despite being configured based on the documents. In this configuration I created a posture policy which is supposed to check the Windows Update service, enable it if it was disabled, and force the client to download Windows updates from the Internet, but it did nothing. The client was marked as "compliant" despite Windows Automatic Update being in disabled status. I don't know where I misconfigured.
I took a screenshot of my posture policy screen and attached it to the post. If you take a look at it, "TPP01" is the name of the posture policy. If I get it right, we don't need to refer to this name anywhere, right?
10-21-2017 08:55 AM
10-21-2017 11:26 AM
I uploaded a *.rar file to the following link. Thanks for your time :)
10-21-2017 05:24 PM
10-22-2017 05:50 AM - edited 10-22-2017 05:51 AM
I'll do it tomorrow and will post the result here. But shouldn't these built-in items on ISE (pr_AutoUpdateCheck_Rule and Windows Server Update Services Remediations) do the task? So what is the purpose of these on ISE?
10-23-2017 05:18 AM
10-23-2017 07:00 AM
Today I tested the scenario with the original, built-in ISE posture requirements and it worked. The issue was that although I had set Windows Update settings in Control Panel to "Never Check Updates", the Update service was still running (according to the output of the "net start" command). Then I stopped the service on the CLI with the "net stop wuauserv" command and re-initiated the authentication process on ISE. After being logged in with a valid AAA username/password, I checked the messages in Cisco AnyConnect and the exact same names of the posture requirements on ISE were shown there and marked as "Performed", showing that everything was OK. I checked the Windows Update service again with the "net start" command and it was enabled, showing that the remediation was successful too. After a while, Windows Update in Control Panel displayed the total number of updates available for download and install (I've configured remediation on ISE to only notify the client of available updates and let them trigger the downloading/installing manually).
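The post above found that the Control Panel "never check" setting and the state of the wuauserv service are two different signals, and that the posture check only passed as non-compliant once the service itself was stopped. The following PowerShell script is an added example (not from the thread or from Cisco) that reports both signals side by side on a Windows host, so an admin can see which state a client is really in before testing a posture policy. It assumes an elevated PowerShell on Windows 7/10 and the standard Windows Update registry locations; the function name is my own.

```powershell
# Added example: report the two Windows Update signals the thread contrasts,
# the wuauserv service state and the Automatic Updates (AU) setting.
# Assumes elevated PowerShell; registry values may be absent on an unmanaged host.
function Get-WindowsUpdatePostureState {
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'" `
        -ErrorAction SilentlyContinue

    # Group Policy key takes precedence over the Control Panel (local) setting.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
        -ErrorAction SilentlyContinue
    $local = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' `
        -ErrorAction SilentlyContinue

    # AUOptions: 1 = never check, 2 = notify, 3 = download, 4 = download and install.
    $auOptions = if ($policy -and $policy.AUOptions) { $policy.AUOptions }
                 elseif ($local -and $local.AUOptions) { $local.AUOptions }
                 else { $null }
    $disabledByPolicy = ($policy -and $policy.NoAutoUpdate -eq 1)

    $running = ($svc -and $svc.Status -eq 'Running')

    [pscustomobject]@{
        ServiceStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        ServiceStartMode   = if ($wmi) { $wmi.StartMode } else { 'Unknown' }
        AUOptions          = $auOptions
        DisabledByPolicy   = [bool]$disabledByPolicy
        # Exactly the state the post hit: Control Panel says "never check",
        # but the service is still up, so a service-based check sees it as enabled.
        ServiceUpNeverCheck = [bool]($running -and $auOptions -eq 1)
    }
}

Get-WindowsUpdatePostureState | Format-List
```

Run it before and after "net stop wuauserv" to see ServiceStatus change while AUOptions stays the same, which is the mismatch the post describes.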
10-23-2017 07:04 AM