Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1931
Views
0
Helpful
2
Replies

NonAgent (Agentless) workflow of ISE compared to Forescout

Go to solution
arathyram
Beginner
Beginner

‎04-22-2018 03:42 PM

We are keen on considering an agentless ISE scenario in order to avoid adding another ‘agent’ on the end point. This will also be a requirement in dealing with endpoints that are not corporate managed, or nonsupplicant devices (thermostats, cameras, etc).


We know the ISE agent does posture assessment with simple or compound condition check and remediation. No issue with that.


But, in the agentless scenario –

  • can ISE do compliance check for Anti-Virus and OS Patch levels and offer remediation link
  • check if hosts are part of domain or security posture of endpoint
  • We need a “quarantine” network/segment where endpoints that fail can obtain the required tools and software to be able to connect to corp network

thanks

ram

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ldanny
Cisco Employee
Cisco Employee

‎04-24-2018 01:30 AM

ISE2.4 now provides to scan agentless endpoints when using the Visibility Setup Wizard , although providing read only ability.

That being said no enforcement can be taken without having an actual agent on the endpoint , same goes for forescout.

You could use AnyConnect in stealth mode where the agent is installed but cannot be seen by the user.

There is also the option of using Temporal Agent where an agent will be installed and once compliance check is complete it will remove itself.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
ldanny
Cisco Employee
Cisco Employee

‎04-24-2018 01:30 AM

ISE2.4 now provides to scan agentless endpoints when using the Visibility Setup Wizard , although providing read only ability.

That being said no enforcement can be taken without having an actual agent on the endpoint , same goes for forescout.

You could use AnyConnect in stealth mode where the agent is installed but cannot be seen by the user.

There is also the option of using Temporal Agent where an agent will be installed and once compliance check is complete it will remove itself.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-24-2018 08:43 PM

I would suggest to use Cisco Temporal Agent, which replaces NAC Web Agent. It's a native application to download to the Windows/macOS endpoints, without installation, and to evaluate for the posture compliance.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents