Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
792
Views
4
Helpful
9
Replies

Upgrade to Cisco Secure Client agent version 5 through ISE web portal

Da ICS16
Level 1
Level 1

‎02-22-2024 03:32 AM - last edited on ‎02-22-2024 08:04 AM by Cisco Employee

Dear Community,

We plan to upgrade AnyConnect agent version 4.xx to new Secure Client agent 5.xx through ISE server web portal.

There have around 7K endpoints PC using AnyConnect 4.XX

Could you share good practice how to push upgrade new Secure Client agent from ISE server?

1. Does ISE can push upgrade agent 300 PCs per time? if yes, how to do it?

2. Does ISE can push upgrade new agents to all PCs at the same time? if yes, how to do it?

3. In case #2 failed, how to restore existing PC ( using AC 4.XX ) still working fine?

Remark: We use ISE 3.1 P6

Well appreciated for your supporting.

Best Regards, 

 

1 person had this problem
9 Replies 9

Arne Bier
VIP
VIP

‎02-28-2024 03:38 PM

ISE does not push AnyConnect or Secure Endpoint software to endpoints. That is the job of the ASA/FTD when users make a connection to those firewall devices.

0 Helpful

rezaalikhani
Level 4
Level 4
In response to Arne Bier

‎02-29-2024 12:32 AM - edited ‎02-29-2024 12:33 AM

@Arne Bier  This question comes from the following statements from official Cisco's book:

rezaalikhani_0-1709195507134.png

 

0 Helpful

ahollifield
VIP
VIP
In response to rezaalikhani

‎02-29-2024 06:28 AM

Yes only if your endpoints are actually using CPP flows.  Do all of your endpoints use Posture or BYOD flows?  

Da ICS16
Level 1
Level 1
In response to ahollifield

‎03-07-2024 12:21 AM

Dear @ahollifield ,

We use Posture flow.

Thanks,

0 Helpful

Da ICS16
Level 1
Level 1
In response to ahollifield

‎03-18-2024 08:41 AM

Dear @ahollifield ,

We use posture less. 

Let me know if you recommend on this.

 

Thanks.

0 Helpful

ahollifield
VIP
VIP
In response to Da ICS16

‎03-18-2024 08:51 AM

"Posture Less"  What does this mean?  Earlier you said you use Posture Flow?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rezaalikhani

‎02-29-2024 06:41 AM

As @ahollifield mentioned, the statement you highlighted only applies in a few ISE use cases. Generally, we depend on either an enterprise software management tool or, where VPN is widely used, the headend firewall to deploy new Secure Client versions.

If we are doing ISE posture, it CAN be used to deploy the modules but you should take care to sync what is being pushed from your VPN headend to avoid the systems conflicting with each other.

Da ICS16
Level 1
Level 1
In response to Arne Bier

‎03-18-2024 08:44 AM

Dear @Marvin Rhoads ,

Do all endpoints require have connection both ( dot1x  or VPN connection ) to upgrade to new agents?

Thanks,

0 Helpful

ahollifield
VIP
VIP
In response to Da ICS16

‎03-18-2024 08:53 AM

For VPN you would upgrade from headend instead.  The endpoints must be in a flow that uses a Client Provisioning Portal.  802.1X or VPN alone is not enough to push new Cisco Secure Client packages/versions.

0 Helpful
Customers Also Viewed These Support Documents