cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1751
Views
0
Helpful
4
Replies

Patch ISE condition

srikkulk
Cisco Employee
Cisco Employee

I’m reaching out in need of some support with an issue I am facing with a customer ISE project.

Customer has Landesk Version 10 Security Patch Manager by which they push Windows Security Patches to all endpoints. They have two requirements.

  1. Run a posture check for Landesk App installation and running services.
  2. Check for Latest critical patches installation and remediate if not installed. (Under Conditons\Patch Management Conditions\Vendor=Landesk\Up to Date\Critical Patches.

I have created policies for Rule 1 and 2. Rule 1 works well and detects the running application. Rule 2 testing was done on 2 machines.

  • First machine with latest patches installed and the posture status was compliant.
  • Second Machine was without the latest patches (uninstalled 5 recent security patches, Control Panel/View Installed Updates).

Issue: For the second machine, even though the patches weren’t latest, the status became back as compliant. I checked the reports on ISE and saw that ISE was passing the critical patches condition for Landesk successfully. Didn’t get any more details. How is Anyconnect checking the installation of critical patches through Landesk. Is it integrated with the Landesk Client on PC and checks with the server for comparison?

Please provide any inputs on how to mitigate this issue. Also the best way to check if latest patches are installed.

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

Cisco AnyConnect ISE Posture Windows Support Charts for Compliance Module v4.2.1538.0 shows that LANDESK Software, Inc.'s Security and Patch Manager 9.x required CM 4.2.1331.0 minimal and has support for

  • Activate GUI Remediation
  • Up-to-date Check
  • Application Running Check
  • Application Kill


Yes, the remediation is generally done through the patch management client. Thus, please also check the logs on the LANDESK side. If you need further details, please get a copy of the DART file and submit it to Cisco TAC.

View solution in original post

4 Replies 4

hslai
Cisco Employee
Cisco Employee

Cisco AnyConnect ISE Posture Windows Support Charts for Compliance Module v4.2.1538.0 shows that LANDESK Software, Inc.'s Security and Patch Manager 9.x required CM 4.2.1331.0 minimal and has support for

  • Activate GUI Remediation
  • Up-to-date Check
  • Application Running Check
  • Application Kill


Yes, the remediation is generally done through the patch management client. Thus, please also check the logs on the LANDESK side. If you need further details, please get a copy of the DART file and submit it to Cisco TAC.

Thanks. I'm using CM 3.6.x which is recently updated than 4.x and support Landesk version 10.

But im still getting posture status as compliant even when patches are missing. Any idea why that is happening?

Peter Koltl
Level 7
Level 7

Cisco AnyConnect ISE Posture Windows Support Charts for Compliance Module v4.2.1538.0

 

Link broken...too bad Cisco removes the older Compliance Module support charts from the portal

 

 

Mauritz
Level 1
Level 1