cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

8286
Views
10
Helpful
7
Replies
muthumohan
Beginner

What is the purpose of ISE NAC agent compliance module?

Hi All,

Just wondering what is the purpose of the NAC Agent Compliance module that is downloaded with the agent? Does it have the latest AV/AS definition details or what does it have and why do we need it?

Also, what do you mean by saying the posture updates are downloaded from Cisco.com? What exactly is downloaded from cisco.com? Will this information be in turn downloaded to the client via the agent?

I understand the other parts of ISE functioning, but this is the only part that is not clear to me.

Would appreciate any help.

Thanks in advance,

Mohan M           

7 REPLIES 7
jw.sl9
Beginner

The compliance modules provide up-to-date  for antivirus and antispyware vendor support informmation for the NAC agent to interact with.

I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.

Please rate post you consider useful.
-James


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James
manjeets
Participant

NAC Agent  for Windows Clients

The Cisco NAC Agent provides the posture  assessment and remediation for client machines.

Users can download and install the Cisco  NAC Agent (read-only client software), which can check the host  registry, processes, applications, and services. The Cisco NAC Agent can  be used to perform Windows updates or antivirus and antispyware  definition updates, launch qualified remediation programs, distribute  files uploaded to the Cisco ISE server, distribute web site links to web  sites in order for users to download files to fix their system, or  simply distribute information and instructions.

Warning The NAC Agents cannot communicate  with the Cisco ISE server securely and the Cisco ISE server throws an  error when the Windows XP clients do not have the latest Windows  hotfixes and patches installed in them. You must ensure that the latest  Windows hotfixes and patches are installed on Windows XP clients so that  NAC Agents can establish a secure and encrypted communication with the  Cisco ISE server (SSL over TCP).

The question is about the NAC Agent Compliance Module, not about NAC Agent alone.

Indeed, Cisco ISE User Guide states that Compliance Module is used so that NAC Agent can identify the latest AV/AS clients and definitions, but does not specify what happens when in a network one's deploying NAC Agent, without ISE (Client Provisioning).

In this deployment you would not provide the Compliance Module with NAC Agent, giving the fact that I haven't seen any info on how to integrate NAC Agent with Compliance Module in a installation kit.

What would be the reason for someone not to deploy NAC Agent using ISE?

Well, the users are just users, they don't have admin rights.

What do you do in this case?

Do you still configure Client Provisioning so that clients can get Compliance Module by the means of the already installed NAC Agent and the communication ISE - Client PC?

Octavian Szolga
Participant

Ok, so if no one hurries to answer, I'll answer to both questions, the initial one and mine also.

In ISE you have two menu entries regarding posture updates:

Posture Updates (Administration > System > Settings > Posture > Updates)

and Client Provisiong Updates (Administration > System > Settings > Client Provisioning).

Posture Updates refers to AV/AS definitions updates and windows updates. By updating posture-update.xml file you're practically saying to ISE that a known AV/AS application has a new definition file that can be identified using version XYZ or built day as ddmmyy or something like that.

Client Provisioning Updates automatically updates ISE with the latest NAC Agent and Compliance Module, if available.

What does Compliance Module do? Well, it is basically the means of NAC Agent to 'know', recognize any new AV/AS application released mean time. That means that it's useless to create a posture rule that's saying that it's mandatory to have installed Avast X version, if the NAC Agent is not capable of recognize this app, because it doesn't have the latest Compliance Module installed.

What I didn't initially understood is how do you manually deploy it using Active Directory and not ISE.

The answer lies in the actual ISE - NAC Agent communication when doing posture. Although you can manually deploy NAC Agent by other means than ISE, you will also have to configure ISE for posture client provisioning with (the new) Compliance Module, so when a (already installed NAC Agent) client connects to ISE, it will automatically download the newest version of the Compliance Module that can recognize some new apps released.

By the way, NAC Agent 4.9.0.51 (Cisco's recommended version - compatible  - with ISE 1.1.3) has built-in Compliance Module 3.5.4.1, which is capable of recognising the following AV/AS apps:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/win-avas-3-5-4-1.pdf

For a complete picture of what apps are recognised along with the new version the Compliance Module, you can check

http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_5980_2.pdf

Any new announcements regarding new versions of ISE, NAC Agent, Compliance Module will be posted on ISE Release Notes page:

www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Hi,

Can you please clarify what you mean by automatically updating the compliance module?

From what I understand and my experience working with nac agent compliance module upgrades. You have to manually deploy the compliance module upgrade from the client provisioning settings. If you are referring to the updates in the Administration settings that typically updates the built in checks provided by Cisco....meaning if you are checking for updates for windows hotfixes those rules are updated automatically.

Thanks,

Sent from Cisco Technical Support iPad App

Hi,

Please check the edited post below.

In my opinion, you have to 'manually' deploy the Compliance Module using ISE's Client Provisiong policy only if in the built-in Compliance Module (3.5.4.1) from Cisco Agent does not recognize some new app that you want to check or some new definition files.

By the way, pay attention to the fact that any clients that won't be the subject of a Client Provisioning policy (because you're using AD GP deployment or something else), will have a default compliance status as stated by the following

setting:

Regards,

Octavian

Hi Tarik,

Late reply :)

 

That was exacly what I was reffering to: Changing the client provisioning policy with a newer version of the compliance module so when a posture 'enabled' device connects to the network, ISE will update the locally installed agent with the newer version. (without the need for the user to have admin rights)

Some years passed by and Anyconnect has finally replaced the old NAC agent. :)


Thanks,

Octavian

Content for Community-Ad