Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1920
Views
0
Helpful
4
Replies

Patch ISE condition

Go to solution
srikkulk
Cisco Employee
Cisco Employee

‎05-21-2018 01:35 AM

I’m reaching out in need of some support with an issue I am facing with a customer ISE project.

Customer has Landesk Version 10 Security Patch Manager by which they push Windows Security Patches to all endpoints. They have two requirements.

  1. Run a posture check for Landesk App installation and running services.
  2. Check for Latest critical patches installation and remediate if not installed. (Under Conditons\Patch Management Conditions\Vendor=Landesk\Up to Date\Critical Patches.

I have created policies for Rule 1 and 2. Rule 1 works well and detects the running application. Rule 2 testing was done on 2 machines.

  • First machine with latest patches installed and the posture status was compliant.
  • Second Machine was without the latest patches (uninstalled 5 recent security patches, Control Panel/View Installed Updates).

Issue: For the second machine, even though the patches weren’t latest, the status became back as compliant. I checked the reports on ISE and saw that ISE was passing the critical patches condition for Landesk successfully. Didn’t get any more details. How is Anyconnect checking the installation of critical patches through Landesk. Is it integrated with the Landesk Client on PC and checks with the server for comparison?

Please provide any inputs on how to mitigate this issue. Also the best way to check if latest patches are installed.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎05-21-2018 09:14 PM

Cisco AnyConnect ISE Posture Windows Support Charts for Compliance Module v4.2.1538.0 shows that LANDESK Software, Inc.'s Security and Patch Manager 9.x required CM 4.2.1331.0 minimal and has support for

  • Activate GUI Remediation
  • Up-to-date Check
  • Application Running Check
  • Application Kill


Yes, the remediation is generally done through the patch management client. Thus, please also check the logs on the LANDESK side. If you need further details, please get a copy of the DART file and submit it to Cisco TAC.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
hslai
Cisco Employee
Cisco Employee

‎05-21-2018 09:14 PM

Cisco AnyConnect ISE Posture Windows Support Charts for Compliance Module v4.2.1538.0 shows that LANDESK Software, Inc.'s Security and Patch Manager 9.x required CM 4.2.1331.0 minimal and has support for

  • Activate GUI Remediation
  • Up-to-date Check
  • Application Running Check
  • Application Kill


Yes, the remediation is generally done through the patch management client. Thus, please also check the logs on the LANDESK side. If you need further details, please get a copy of the DART file and submit it to Cisco TAC.

0 Helpful

Go to solution
srikkulk
Cisco Employee
Cisco Employee
In response to hslai

‎05-21-2018 10:32 PM

Thanks. I'm using CM 3.6.x which is recently updated than 4.x and support Landesk version 10.

But im still getting posture status as compliant even when patches are missing. Any idea why that is happening?

0 Helpful

Go to solution
Peter Koltl
Level 7
Level 7

‎01-21-2020 02:08 AM

Cisco AnyConnect ISE Posture Windows Support Charts for Compliance Module v4.2.1538.0

 

Link broken...too bad Cisco removes the older Compliance Module support charts from the portal

 

 

0 Helpful

Go to solution
Mauritz
Level 1
Level 1

‎09-26-2022 10:40 AM

You can get the updated link, for the last Compliance Module, here: https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

 

0 Helpful
Customers Also Viewed These Support Documents
Top