
Identity Services Engine (ISE) compliance/posture ONLY Cisco Anyconnect VPN clients


We purchased our ISE back in October 2012. It took a month to get here as it was on New Product Hold.

When we first started discussing the abilities of ISE, we made it clear that we would only be using it for VPN users from the start (maybe to expand to all devices eventually). So our concentration, of course, was heavily on how all this functionality would work for VPN users.

We laid out, what I thought was very specific ground floor HAVE TO HAVE 'rules':

When a VPN user connects they have to have:

Current AntiVirus Program installed (specific AV for any of our corporate systems, any supported for contractors and the occasional work at home employee on their own system)

Antivirus process running

Antivirus DATs less than 7 days old

Microsoft Updates installed (we have an in house WSUS server and want all of our systems to have only the updates that we have approved)

If they don't meet this criteria they should not be allowed on our network, period.

So when our consultant began working we had a flawless implementation (at least I think) of the NAC agent detecting that any user in the 'employee' AD group had to have our corporate AV installed. If not, employees were denied access but not disconnected from the VPN. (We will address that before go-live) And for contractors it seems to be detecting their installed AV just the same.

The difficult part has come now that we are trying to get the Microsoft Updates properly detected and installed. As it is right now, I can't tell if ISE is actually detecting the MS updates, and since it forces the kick off of the WSUS client update check it considers that good enough to be compliant, or if ISE/NAC is really even checking. I have a test laptop that needs 5 updates installed; when I connect to the VPN the NAC agent pops up saying that I meet all my criteria and gives me full network access. But I have only downloaded these 5 updates (confirmed through logs on the client that the updates DID come from our WSUS server) and they have not been installed yet. I have been testing like this for over 2 weeks and no change in result yet.

I do have a TAC opened #624565347

All we want is for the ISE/NAC to properly talk to WSUS and tell the client that they do or don't have those updates installed. If they don't have them installed, let it download the updates and install them then allow them on the network. But until all Microsoft updates and antivirus updates are installed they have very restricted network access (just enough to get to the in-house WSUS and Antivirus update servers). After a certain amount of time if the NAC agent doesn't detect the required updates then the VPN should be forcibly disconnected.

So, can anyone tell me is it possible for this to happen?

Right now we have the ISE settings as attached. Using version 1.1.1u5 (admin shows to have u5, but IPN shows u4)
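The rules described above, written out as a posture evaluator so the intended decision logic is explicit. This is an added example, not code from the original post and not the ISE/NAC agent's real posture engine; the report field names, the AV product names, the update identifiers and the 30-minute remediation window are all assumptions. The point it makes is the one from the post: an update that has only been downloaded from WSUS must still count as missing.

```python
from datetime import date, timedelta

# Placeholders for the posture policy (assumed values, not the poster's real config).
CORPORATE_AV = "CorpAV"                                 # required for the 'employee' AD group
SUPPORTED_AV = {"CorpAV", "OtherAV-A", "OtherAV-B"}     # accepted for contractors / home systems
MAX_DAT_AGE = timedelta(days=7)                         # AV DATs must be less than 7 days old
REMEDIATION_WINDOW = timedelta(minutes=30)              # assumed grace period before forced disconnect

def evaluate_posture(report, today, session_age):
    """Return (verdict, reasons); verdict is 'COMPLIANT', 'RESTRICTED' or 'DISCONNECT'."""
    reasons = []
    av = report.get("av_product")
    if report["group"] == "employee":
        if av != CORPORATE_AV:
            reasons.append("corporate AV not installed")
    elif av not in SUPPORTED_AV:
        reasons.append("no supported AV installed")
    if av and not report.get("av_process_running"):
        reasons.append("AV process not running")
    if av and today - report["av_dat_date"] > MAX_DAT_AGE:
        reasons.append("AV DATs older than 7 days")
    # Downloaded is not installed: only the installed set is compared against the
    # WSUS-approved list, so a laptop with 5 pending updates stays non-compliant.
    missing = set(report["approved_updates"]) - set(report["installed_updates"])
    if missing:
        reasons.append(f"{len(missing)} approved update(s) not installed: {sorted(missing)}")
    if not reasons:
        return "COMPLIANT", reasons
    # Non-compliant: restricted access (WSUS/AV servers only) until the window runs out.
    if session_age > REMEDIATION_WINDOW:
        return "DISCONNECT", reasons
    return "RESTRICTED", reasons

# Constructed report for the test laptop in the post: all 5 updates downloaded, none installed.
LAPTOP = {
    "group": "employee",
    "av_product": "CorpAV",
    "av_process_running": True,
    "av_dat_date": date(2013, 3, 1),
    "approved_updates": ["KB-A", "KB-B", "KB-C", "KB-D", "KB-E"],   # placeholder IDs
    "downloaded_updates": ["KB-A", "KB-B", "KB-C", "KB-D", "KB-E"], # ignored on purpose
    "installed_updates": [],
}
TODAY = date(2013, 3, 3)                 # constructed evaluation date
EARLY_SESSION = timedelta(minutes=5)     # still inside the remediation window
LATE_SESSION = timedelta(minutes=45)     # window exceeded

if __name__ == "__main__":
    for age in (EARLY_SESSION, LATE_SESSION):
        print(age, evaluate_posture(LAPTOP, TODAY, age))
```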



Wow, no responses?

Was I too long winded?