NonAgent (Agentless) workflow of ISE compared to Forescout

We are keen on considering an agentless ISE scenario in order to avoid adding another ‘agent’ on the endpoint. This will also be a requirement in dealing with endpoints that are not corporate managed, or non-supplicant devices (thermostats, cameras, etc.).


We know the ISE agent does posture assessment with simple or compound condition checks and remediation. No issue with that.


But, in the agentless scenario –

  • Can ISE do a compliance check for anti-virus and OS patch levels and offer a remediation link?
  • Can it check whether hosts are part of the domain, or the security posture of the endpoint?
  • We need a “quarantine” network/segment where endpoints that fail can obtain the required tools and software to be able to connect to the corp network.

thanks

ram

1 ACCEPTED SOLUTION

Cisco Employee

ISE 2.4 can now scan agentless endpoints when using the Visibility Setup Wizard, although it provides read-only ability.

That being said, no enforcement can be taken without having an actual agent on the endpoint; the same goes for Forescout.

You could use AnyConnect in stealth mode, where the agent is installed but cannot be seen by the user.

There is also the option of using Temporal Agent, where an agent will be installed and, once the compliance check is complete, it will remove itself.

Cisco Employee

I would suggest using Cisco Temporal Agent, which replaces NAC Web Agent. It's a native application that is downloaded to the Windows/macOS endpoints, without installation, to evaluate posture compliance.