07-24-2017 07:31 AM
Hi team,
I have some unanswered questions from an RFI. Can you help?
- Is there a limit on the number of VLANs that ISE can control/remediate? If so, what is this limit?
- What is the ISE Web agent mentioned in the admin guide? Is it still the NAC Web agent? Apparently it is in EOL, right?
- Can ISE/Anyconnect control endpoints that have more than one interface? Any documentation/guide on this?
- Once a new patch is released by Microsoft, after how long will ISE posture consider the endpoint non-compliant?
Thanks.
07-24-2017 11:16 AM
Hi George,
Here are the answers for your questions.
- Is there a limit on the number of VLANs that ISE can control/remediate? If so, what is this limit?
Answer: Not that I know of; however, you need to understand that these VLANs are used in authorization profiles and policies.
Please check the ISE scalability community site for information.
https://communities.cisco.com/docs/DOC-68347
- What is the ISE Web agent mentioned in the admin guide? Is it still the NAC Web agent? Apparently it is in EOL, right?
Answer: Please point me to the doc
- Can ISE/Anyconnect control endpoints that have more than one interface? Any documentation/guide on this?
Answer: It depends. If you are using AnyConnect NAM, it binds to one interface at a time. If you are using multiple NICs with posture, you can use posture lease to enhance the user experience.
You need to understand the different caveats around this from a security standpoint.
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.pdf
Here is detailed information on the behavior pre- and post-ISE 2.2:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html
- Once a new patch is released by Microsoft, after how long will ISE posture consider the endpoint non-compliant?
Answer: Are you talking about posture checks? If so, it is fast; however, posture remediation may take a while, since it depends on the MS services, the patch, how long it takes to download, etc.
It also depends on when the patch is released. Usually there is a Patch Tuesday, when MS releases patches.
The BU does testing during this time frame to create new posture checks for the new KBs/patches, etc., and publishes them soon after.
Hope it helps.
Thanks
Krishnan
07-26-2017 06:05 AM
Thanks, Krishnan.
Regarding the MS patches, yes, I'm talking about posture checks. Does the AC agent take proactive action to send ISE the information about non-compliant status as soon as MS services send the new patch release info? Or do we rely on lease cycles and Periodic Reassessments? I'd like to better understand this process.
All the other items are clear.
Thanks.
George
07-26-2017 08:53 AM
This mechanism relies on the PRA (periodic reassessment) timer
07-26-2017 09:43 AM
Thanks, Jason.
George
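The timing question in this thread (how long after a Microsoft patch an already-compliant endpoint can be marked non-compliant) comes down to two delays stacked on top of each other: the posture feed has to contain the new KB check and ISE has to have pulled that feed, and then the endpoint's next Periodic Reassessment (PRA) has to fire. The following Python model is an added example, not code from the thread or from Cisco; the feed publish delay, ISE feed-poll interval and PRA interval are all hypothetical values (in ISE they are configurable), and the function names are the author's own.

```python
import math


def first_pra_at_or_after(t_h, pra_anchor_h, pra_interval_min):
    """Return the time (hours) of the first PRA run at or after t_h.

    pra_anchor_h: time of one known PRA run for this endpoint (hours,
                  relative to the patch release; may be negative).
    pra_interval_min: PRA interval configured in the ISE posture policy.
    PRA runs are modelled as strictly periodic from the anchor (assumption).
    """
    step_h = pra_interval_min / 60.0
    if t_h <= pra_anchor_h:
        return pra_anchor_h
    k = math.ceil((t_h - pra_anchor_h) / step_h)
    return pra_anchor_h + k * step_h


def noncompliance_time_h(feed_publish_h, ise_feed_poll_interval_h,
                         pra_anchor_h, pra_interval_min):
    """Earliest time (hours after patch release) at which ISE can flag an
    endpoint whose session was already compliant.

    feed_publish_h: when the posture feed containing the new KB check is
                    published (hypothetical; the thread only says 'soon after'
                    Patch Tuesday).
    ise_feed_poll_interval_h: worst-case wait until ISE downloads the updated
                    feed (assumption: ISE polls the feed on a schedule).
    The check cannot fail before ISE has the updated feed, and an existing
    session is only re-evaluated at its next PRA (per Jason's answer), so the
    result is the first PRA on or after the feed is usable.
    """
    check_available_h = feed_publish_h + ise_feed_poll_interval_h
    return first_pra_at_or_after(check_available_h, pra_anchor_h, pra_interval_min)


def worst_case_latency_h(feed_publish_h, ise_feed_poll_interval_h, pra_interval_min):
    """Upper bound independent of where the endpoint sits in its PRA cycle:
    feed delay + ISE poll delay + one full PRA interval."""
    return feed_publish_h + ise_feed_poll_interval_h + pra_interval_min / 60.0


def fleet_worst_case_h(feed_publish_h, ise_feed_poll_interval_h,
                       pra_anchors_h, pra_interval_min):
    """Latest flag time across a set of endpoints with different PRA phases
    (constructed anchors); shows the spread a single PRA interval produces."""
    return max(
        noncompliance_time_h(feed_publish_h, ise_feed_poll_interval_h, a, pra_interval_min)
        for a in pra_anchors_h
    )


if __name__ == "__main__":
    # Constructed scenario: feed published 48 h after the patch, ISE polls
    # the feed every 24 h, PRA every 240 min, endpoint's last PRA at +0.5 h.
    t = noncompliance_time_h(48, 24, 0.5, 240)
    print(f"earliest non-compliant verdict: {t} h after patch release")
    print(f"worst case for any endpoint:   {worst_case_latency_h(48, 24, 240)} h")
```

The point the model makes explicit is that shortening the PRA interval only trims the last term; the feed publication and ISE feed-poll delays dominate, and neither is affected by the posture lease, which governs whether posture is re-run on reconnect rather than when an existing session is reassessed.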