Just wondering what is the purpose of the NAC Agent Compliance module that is downloaded with the agent? Does it have the latest AV/AS definition details or what does it have and why do we need it?
Also, what do you mean by saying the posture updates are downloaded from Cisco.com? What exactly is downloaded from cisco.com? Will this information be in turn downloaded to the client via the agent?
I understand the other parts of ISE functioning, but this is the only part that is not clear to me.
Would appreciate any help.
Thanks in advance,
The compliance modules provide up-to-date antivirus and antispyware vendor support information for the NAC agent to interact with.
I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.
Please rate posts you consider useful.
NAC Agent for Windows Clients
The Cisco NAC Agent provides the posture assessment and remediation for client machines.
Users can download and install the Cisco NAC Agent (read-only client software), which can check the host registry, processes, applications, and services. The Cisco NAC Agent can be used to perform Windows updates or antivirus and antispyware definition updates, launch qualified remediation programs, distribute files uploaded to the Cisco ISE server, distribute web site links to web sites in order for users to download files to fix their system, or simply distribute information and instructions.
Warning The NAC Agents cannot communicate with the Cisco ISE server securely and the Cisco ISE server throws an error when the Windows XP clients do not have the latest Windows hotfixes and patches installed in them. You must ensure that the latest Windows hotfixes and patches are installed on Windows XP clients so that NAC Agents can establish a secure and encrypted communication with the Cisco ISE server (SSL over TCP).
The question is about the NAC Agent Compliance Module, not about NAC Agent alone.
Indeed, the Cisco ISE User Guide states that the Compliance Module is used so that the NAC Agent can identify the latest AV/AS clients and definitions, but it does not specify what happens when one deploys the NAC Agent in a network without ISE (Client Provisioning).
In this deployment you would not provide the Compliance Module with the NAC Agent, given that I haven't seen any info on how to integrate the NAC Agent with the Compliance Module in an installation kit.
What would be the reason for someone not to deploy NAC Agent using ISE?
Well, the users are just users, they don't have admin rights.
What do you do in this case?
Do you still configure Client Provisioning so that clients can get the Compliance Module by means of the already installed NAC Agent and the ISE - Client PC communication?
Ok, so if no one hurries to answer, I'll answer both questions, the initial one and mine also.
In ISE you have two menu entries regarding posture updates:
Posture Updates (Administration > System > Settings > Posture > Updates)
and Client Provisioning Updates (Administration > System > Settings > Client Provisioning).
Posture Updates refers to AV/AS definition updates and Windows updates. By updating the posture-update.xml file you're practically telling ISE that a known AV/AS application has a new definition file that can be identified using version XYZ or build date ddmmyy or something like that.
Client Provisioning Updates automatically updates ISE with the latest NAC Agent and Compliance Module, if available.
What does the Compliance Module do? Well, it is basically the means for the NAC Agent to 'know', to recognize, any new AV/AS application released in the meantime. That means it's useless to create a posture rule saying that it's mandatory to have Avast version X installed if the NAC Agent is not capable of recognizing this app because it doesn't have the latest Compliance Module installed.
What I didn't initially understand is how you manually deploy it using Active Directory and not ISE.
The answer lies in the actual ISE - NAC Agent communication when doing posture. Although you can manually deploy the NAC Agent by means other than ISE, you will also have to configure ISE for posture client provisioning with (the new) Compliance Module, so when a client (with an already installed NAC Agent) connects to ISE, it will automatically download the newest version of the Compliance Module that can recognize the newly released apps.
By the way, NAC Agent 220.127.116.11 (Cisco's recommended version - compatible - with ISE 1.1.3) has built-in Compliance Module 18.104.22.168, which is capable of recognising the following AV/AS apps:
For a complete picture of what apps are recognised along with the new version the Compliance Module, you can check
Any new announcements regarding new versions of ISE, NAC Agent, Compliance Module will be posted on ISE Release Notes page:
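The point made in the post above, that a posture rule for an AV product is only meaningful if the agent's Compliance Module can identify that product, and that the definition check compares the host's definitions against what ISE learned from posture updates, can be shown with a small model. The code below is an added example, not part of the original thread and not Cisco's code; the product names, dates, the set-of-products model of a "compliance module" and the dict model of "posture updates" are all constructed for illustration and do not reproduce any real ISE or NAC Agent file format.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Everything below is constructed for illustration; it is not the format or
# content of any real Cisco compliance module or posture-update file.


@dataclass(frozen=True)
class Product:
    vendor: str
    name: str


@dataclass(frozen=True)
class InstalledAV:
    product: Product
    definitions_date: date      # date stamp of the definitions found on the host


@dataclass(frozen=True)
class PostureRule:
    product: Product
    max_days_behind: int        # allowed lag behind the newest definitions ISE knows of


# Constructed "compliance module" contents: the products the agent can identify.
COMPLIANCE_MODULE_OLD = frozenset({
    Product("ExampleAV Inc", "ExampleAV 7"),
    Product("OtherSec", "OtherGuard 3"),
})
# A newer module adds a product that was released after the old one shipped.
COMPLIANCE_MODULE_NEW = COMPLIANCE_MODULE_OLD | {Product("NewVendor", "NewShield 1")}

# Constructed "posture updates": newest definition date ISE knows per product.
POSTURE_UPDATES = {
    Product("ExampleAV Inc", "ExampleAV 7"): date(2013, 5, 1),
    Product("OtherSec", "OtherGuard 3"): date(2013, 4, 28),
    Product("NewVendor", "NewShield 1"): date(2013, 5, 2),
}

COMPLIANT = "compliant"
NOT_DETECTED = "non-compliant: required product not detected"
NO_BASELINE = "non-compliant: no definition baseline for product"
OUT_OF_DATE = "non-compliant: definitions out of date"


def agent_inventory(installed, compliance_module):
    """What the agent can report to ISE: only products its compliance module knows."""
    return [av for av in installed if av.product in compliance_module]


def evaluate(rule, installed, compliance_module, posture_updates):
    """Evaluate one AV definition rule against a host, returning a status string."""
    reported = agent_inventory(installed, compliance_module)
    match = next((av for av in reported if av.product == rule.product), None)
    if match is None:
        # Installed-but-unrecognised looks identical to not-installed from ISE's side.
        return NOT_DETECTED
    latest = posture_updates.get(rule.product)
    if latest is None:
        # ISE never learned a definition baseline for this product, so it cannot judge age.
        return NO_BASELINE
    oldest_allowed = latest - timedelta(days=rule.max_days_behind)
    return COMPLIANT if match.definitions_date >= oldest_allowed else OUT_OF_DATE


# Constructed host: runs the new vendor's AV with definitions that are fully current.
HOST = [InstalledAV(Product("NewVendor", "NewShield 1"), date(2013, 5, 2))]
RULE = PostureRule(Product("NewVendor", "NewShield 1"), max_days_behind=3)

if __name__ == "__main__":
    # Same host, same rule: the verdict flips purely on which module the agent carries.
    print("old module:", evaluate(RULE, HOST, COMPLIANCE_MODULE_OLD, POSTURE_UPDATES))
    print("new module:", evaluate(RULE, HOST, COMPLIANCE_MODULE_NEW, POSTURE_UPDATES))
```

The host above is compliant in substance, yet with the old module it is reported as not having the product at all, which is exactly the failure the thread warns about: the rule is correct, the host is correct, and the verdict is still wrong until Client Provisioning pushes the newer module. The `NO_BASELINE` branch covers the other half of the picture, a product the agent recognises but for which ISE has no posture-update data yet.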
Can you please clarify what you mean by automatically updating the compliance module?
From what I understand, and from my experience working with NAC Agent compliance module upgrades, you have to manually deploy the compliance module upgrade from the client provisioning settings. If you are referring to the updates in the Administration settings, those typically update the built-in checks provided by Cisco, meaning if you are checking for Windows hotfix updates, those rules are updated automatically.
Please check the edited post below.
In my opinion, you have to 'manually' deploy the Compliance Module using ISE's Client Provisioning policy only if the built-in Compliance Module (22.214.171.124) in the Cisco Agent does not recognize some new app that you want to check or some new definition files.
By the way, pay attention to the fact that any clients that won't be the subject of a Client Provisioning policy (because you're using AD GP deployment or something else), will have a default compliance status as stated by the following
Late reply :)
That was exactly what I was referring to: changing the client provisioning policy with a newer version of the compliance module so that when a posture-'enabled' device connects to the network, ISE will update the locally installed agent with the newer version (without the need for the user to have admin rights).
Some years passed by and Anyconnect has finally replaced the old NAC agent. :)