08-28-2019 12:21 AM
Hi Experts,
While upgrading and replacing, we hit a bottleneck: we were not able to identify the endpoints that have AnyConnect installed and the ones that still have the Cisco NAC agent, so that this identification could be used in policies.
I was able to locate an attribute named PostureAgentVersion, but when I check the policies, I am not able to search for or locate it.
Firstly, could this attribute, PostureAgentVersion, be used in policies?
Secondly, is there any way that could be utilized to do this segregation?
09-04-2019 09:28 AM - edited 09-04-2019 09:29 AM
You could use the NAC agent to do a service check for aciseposture.exe. If true, you could move that user to an AD group for AC CPP.
09-04-2019 02:23 PM - edited 09-04-2019 02:24 PM
Service check is your option as mentioned before. You can try application check as well.
What version of ISE, NAC agent and AnyConnect are you using?
Till ISE 2.2, ISE is compatible with certain versions of NAC agent.
Check the ISE compatibility guide.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/compatibility/ise_sdt.html#pgfId-123696
AnyConnect also supports UID and ACIDEX attributes. UID is a unique identifier that identifies AnyConnect. It is mainly used to identify corporate laptops. ISE 2.6 and AC 4.7 are compatible and validated for this.
Thanks
Krishnan