cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1024
Views
1
Helpful
4
Replies

ISE RFI questions

gealmeid
Cisco Employee
Cisco Employee

Hi team,

I have some unanswered questions from an RFI. Can you help?

- Is there a limit on the number of VLANs that ISE can control/remediate? If so, what is this limit?

- What is the ISE Web agent mentioned in the admin guide? Is it still the NAC Web agent? Apparently it is in EOL, right?

- Can ISE/Anyconnect control endpoints that have more than one interface? Any documentation/guide on this?

- Once a new patch is released by Microsoft, after how long will ISE posture consider the endpoint non-compliant?

Thanks.

1 Accepted Solution

Accepted Solutions

kthiruve
Cisco Employee
Cisco Employee

Hi George,

Here are the answers for your questions.

Is there a limit on the number of VLANs that ISE can control/remediate? If so, what is this limit?

Answer : Not that I know of, however you need to understand that these VLAN’s are used in authorization profiles and policies.

Please check the ISE scalability community site for information.

https://communities.cisco.com/docs/DOC-68347

- What is the ISE Web agent mentioned in the admin guide? Is it still the NAC Web agent? Apparently it is in EOL, right?

Answer: Please point me to the doc

- Can ISE/Anyconnect control endpoints that have more than one interface? Any documentation/guide on this?

Answer: It depends, if you are using Anyconnect NAM it binds to one interface at a time. If you are using multiple NICs with posture you can use posture lease to enhance the user experience.

You need to understand the different caveats around this from a security standpoint.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.pdf

Here is detailed information of the behavior pre and post ISE 2.2

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

-- Once a new patch is released by Microsoft, after how long will ISE posture consider the endpoint non-compliant?

Answer: Are you talking about posture checks? If so, it is fast, however posture remediation may take a while since it depends on the MS services, the patch, how long it takes to download etc.

It also depends on when the patch is released. Usually there is a patch Tuesday where MS release patches.

The BU does testing during this time frame to create new posture checks to the new KB/patches etc and publishes it soon after.

Hope it helps.

Thanks

Krishnan

View solution in original post

4 Replies 4

kthiruve
Cisco Employee
Cisco Employee

Hi George,

Here are the answers for your questions.

Is there a limit on the number of VLANs that ISE can control/remediate? If so, what is this limit?

Answer : Not that I know of, however you need to understand that these VLAN’s are used in authorization profiles and policies.

Please check the ISE scalability community site for information.

https://communities.cisco.com/docs/DOC-68347

- What is the ISE Web agent mentioned in the admin guide? Is it still the NAC Web agent? Apparently it is in EOL, right?

Answer: Please point me to the doc

- Can ISE/Anyconnect control endpoints that have more than one interface? Any documentation/guide on this?

Answer: It depends, if you are using Anyconnect NAM it binds to one interface at a time. If you are using multiple NICs with posture you can use posture lease to enhance the user experience.

You need to understand the different caveats around this from a security standpoint.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.pdf

Here is detailed information of the behavior pre and post ISE 2.2

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

-- Once a new patch is released by Microsoft, after how long will ISE posture consider the endpoint non-compliant?

Answer: Are you talking about posture checks? If so, it is fast, however posture remediation may take a while since it depends on the MS services, the patch, how long it takes to download etc.

It also depends on when the patch is released. Usually there is a patch Tuesday where MS release patches.

The BU does testing during this time frame to create new posture checks to the new KB/patches etc and publishes it soon after.

Hope it helps.

Thanks

Krishnan

Thanks, Krishnan.

Regarding the MS patches, yes, I`m talking about posture checks. Does the AC agent take proactive action to send to ISE the information about non-compliant status as soon as MS services send the new patch release info? Or do we rely on lease cycles and Periodic Reassessments? I`d like to better understand this process.

All the other items are clear.

Thanks.

George

This mechanism relies on the PRA (periodic reassessment) timer

Thanks, Jason.


George