
OS determination

I was wondering how to determine what version of the AnyConnect client to be downloaded on a machine when connecting to VPN. I have our ASAs integrated with ISE. Is it on the ISE side or the ASA side? I apologize if this is a stupid question for the Cisco "authorities" out there.

 

2 Replies

Ben Walters
Level 4

You can deploy new versions of AnyConnect using either ISE or the ASA.

To do this through ISE you would need to set up client provisioning and you would then set up policies to say for example that if a client is below 4.5.x upgrade them to 4.6.x. This does require you to install the ISE posture module and ISE compliance modules for AnyConnect but it adds a lot more control than deploying the new version directly from the ASA. ISE also allows you to deploy AnyConnect to clients that do not already have it installed through the provisioning portal.

If you wanted to do it through the ASA directly you would load the image you want to upgrade to and everyone would be prompted to install the new version when they connect based on their VPN group policy.

It really depends on how you want to be able to manage the version upgrades. We have several different firewalls that host VPNs, all integrated with ISE, so for us it is better to have ISE take care of upgrading clients. If you had just one firewall that serves the VPN to your clients it might be easier to just use the ASA.

hslai
Cisco Employee

If using ISE posture, then it requires setting the client provisioning (CP) policy elements (AnyConnect web deploy package(s), profiles, and configuration(s)) and policy rules in ISE.

If allowing the RA-VPN users to upgrade AnyConnect while ISE has CP policy rules for such users, then the AnyConnect versions on ASA and ISE need to be the same for the upgrade to work for VPN users.