02-17-2022 05:25 AM
Hi,
I would like to test the posture module and compliance on a small set of users before deploying this across our environment.
Can I limit the impact of the AnyConnect posture module on endpoints?
For example, only execute posture when user = part of identity group abc,
and only the users that are part of group abc will see the "posture module" in their AnyConnect.
Or will the posture module be added to any AnyConnect client across the entire environment, regardless of my policy rules to only apply to a specific test group?
I basically want to phase the deployment and first execute posture on a small group, then bigger... eventually "all".
02-17-2022 06:15 AM
Can I limit the impact of the AnyConnect posture module on endpoints?
-You absolutely can. This can be done via a few ways IMO. One, only deploy the module to certain clients you are testing, and ensure ISE policies are set up to only support the so-called test group. Not sure how you are planning to deploy the respective modules, but you have a couple of options IMO: SCCM, manual, or webdeploy via ASA/ISE.
For example, only execute posture when user = part of identity group abc,
and only the users that are part of group abc will see the "posture module" in their AnyConnect.
-You have the ability to do this. You need to do/consider a few things. One, conditions within the posture policy need to be configured so that they will match your criteria. Two, during testing I would recommend setting your default posture status to compliant and set your requirements to audit mode. This will allow test clients to pass your requirements no matter what, but let you actually monitor in ISE the impact they will have once you set to enforce mode.
Or will the posture module be added to any AnyConnect client across the entire environment, regardless of my policy rules to only apply to a specific test group?
-This depends on how you roll the required components out. I would strongly suggest looking at this: ISE Posture Prescriptive Deployment Guide - Cisco Community
HTH!