cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2280
Views
0
Helpful
2
Replies

NonAgent (Agentless) workflow of ISE compared to Forescout

arathyram
Level 1
Level 1

We are keen on considering an agentless ISE scenario in order to avoid adding another ‘agent’ on the end point. This will also be a requirement in dealing with endpoints that are not corporate managed, or nonsupplicant devices (thermostats, cameras, etc).


We know the ISE agent does posture assessment with simple or compound condition check and remediation. No issue with that.


But, in the agentless scenario –

  • can ISE do compliance check for Anti-Virus and OS Patch levels and offer remediation link
  • check if hosts are part of domain or security posture of endpoint
  • We need a “quarantine” network/segment where endpoints that fail can obtain the required tools and software to be able to connect to corp network

thanks

ram

1 Accepted Solution

Accepted Solutions

ldanny
Cisco Employee
Cisco Employee

ISE2.4 now provides to scan agentless endpoints when using the Visibility Setup Wizard , although providing read only ability.

That being said no enforcement can be taken without having an actual agent on the endpoint , same goes for forescout.

You could use AnyConnect in stealth mode where the agent is installed but cannot be seen by the user.

There is also the option of using Temporal Agent where an agent will be installed and once compliance check is complete it will remove itself.

View solution in original post

2 Replies 2

ldanny
Cisco Employee
Cisco Employee

ISE2.4 now provides to scan agentless endpoints when using the Visibility Setup Wizard , although providing read only ability.

That being said no enforcement can be taken without having an actual agent on the endpoint , same goes for forescout.

You could use AnyConnect in stealth mode where the agent is installed but cannot be seen by the user.

There is also the option of using Temporal Agent where an agent will be installed and once compliance check is complete it will remove itself.

hslai
Cisco Employee
Cisco Employee

I would suggest to use Cisco Temporal Agent, which replaces NAC Web Agent. It's a native application to download to the Windows/macOS endpoints, without installation, and to evaluate for the posture compliance.