Posture module deployment for AnyConnect - Limit client impact

BertCauwelier98
Level 1

Hi,

I would like to test the posture module and compliance on a small set of users before deploying this across our environment.

Can I limit the impact of the AnyConnect posture module on endpoints?

For example, only execute posture when user = part of identity group abc,

and only the users that are part of group abc will see the "posture module" in their AnyConnect.

Or will the posture module be added to any AnyConnect client across the entire environment regardless of my policy rules to only apply to a specific test group?

I basically want to phase the deployment and first execute posture on a small group, then bigger... eventually "all".

Accepted Solutions

Mike.Cifelli
VIP Alumni

Can I limit the impact of the AnyConnect posture module on endpoints?

-You absolutely can. This can be done via a few ways IMO. One, only deploy the module to certain clients you are testing, and ensure ISE policies are set up to only support the so-called test group. Not sure how you are planning to deploy the respective modules, but you have a couple of options IMO: SCCM, manual, or webdeploy via ASA/ISE.

For example, only execute posture when user = part of identity group abc,

and only the users that are part of group abc will see the "posture module" in their AnyConnect.

-You have the ability to do this. You need to do/consider a few things. One, conditions within the posture policy need to be configured so that they will match your criteria. Two, during testing I would recommend setting your default posture status to compliant and setting your requirements to audit mode. This will allow test clients to pass your requirements no matter what, but let you actually monitor in ISE the impact they will have once you set them to enforce mode.

Or will the posture module be added to any AnyConnect client across the entire environment regardless of my policy rules to only apply to a specific test group?

-This depends on how you roll the required components out. I would strongly suggest looking at this: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!
