
ISE RFI questions

gealmeid
Cisco Employee

Hi team,

I have some unanswered questions from an RFI. Can you help?

- Is there a limit on the number of VLANs that ISE can control/remediate? If so, what is this limit?

- What is the ISE Web agent mentioned in the admin guide? Is it still the NAC Web agent? Apparently it is in EOL, right?

- Can ISE/Anyconnect control endpoints that have more than one interface? Any documentation/guide on this?

- Once a new patch is released by Microsoft, after how long will ISE posture consider the endpoint non-compliant?

Thanks.

1 ACCEPTED SOLUTION


kthiruve
Cisco Employee

Hi George,

Here are the answers for your questions.

- Is there a limit on the number of VLANs that ISE can control/remediate? If so, what is this limit?

Answer: Not that I know of; however, you need to understand that these VLANs are used in authorization profiles and policies.

Please check the ISE scalability community site for information.

https://communities.cisco.com/docs/DOC-68347

- What is the ISE Web agent mentioned in the admin guide? Is it still the NAC Web agent? Apparently it is in EOL, right?

Answer: Please point me to the doc.

- Can ISE/Anyconnect control endpoints that have more than one interface? Any documentation/guide on this?

Answer: It depends. If you are using AnyConnect NAM, it binds to one interface at a time. If you are using multiple NICs with posture, you can use posture lease to enhance the user experience.

You need to understand the different caveats around this from a security standpoint.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.pdf

Here is detailed information on the behavior pre and post ISE 2.2:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

- Once a new patch is released by Microsoft, after how long will ISE posture consider the endpoint non-compliant?

Answer: Are you talking about posture checks? If so, it is fast; however, posture remediation may take a while, since it depends on the MS services, the patch, how long it takes to download, etc.

It also depends on when the patch is released. Usually there is a Patch Tuesday when MS releases patches.

The BU does testing during this time frame to create new posture checks for the new KBs/patches, etc., and publishes them soon after.

Hope it helps.

Thanks

Krishnan


4 REPLIES

Thanks, Krishnan.

Regarding the MS patches, yes, I'm talking about posture checks. Does the AC agent take proactive action to send ISE the information about non-compliant status as soon as MS services send the new patch release info? Or do we rely on lease cycles and Periodic Reassessments? I'd like to better understand this process.

All the other items are clear.

Thanks.

George

This mechanism relies on the PRA (periodic reassessment) timer.

Thanks, Jason.

George
