Successfully Combining Host Scan and ISE Posture

LoXodonte
Level 1

What exactly does it mean in the Support documentation that Cisco "does not recommend the combined use of HostScan and ISE posture"?

I've been a bit dumbfounded by this statement; can we define combining? Does this mean simultaneous execution? For clarity, could someone please give an example by contrasting a Combined use scenario vs ideal scenario?

2 Replies

Hi,
It's not recommended because they serve the same purpose: determining the OS, AV, AS, FW applications running on a computer connecting to the network and ensuring compliance. If you were to run both you'd be doubling the administrative effort, having to configure 2 identical posture policies. For example, imagine incorrectly configuring a different setting on one policy, e.g. ISE: posture succeeds using HostScan but fails ISE posture.

HTH

I think the issue that confuses things is how Cisco interchangeably refers to VPN Posture and HostScan, as if they are completely synonymous. When checking VPN message history in AnyConnect I see reference to HostScan so was concerned it was running in parallel with ISE; however I found some documentation online that indicated that after version 3x (I think), HostScan is a separate install... so I went looking at our install for the module name (anyconnect-win-version-posture-predeploy-k9.msi) which is NOT present; ISE only... a good thing it would seem, and I don't see anything in Programs and Features that indicates both are installed... so about the time I feel confident that the module is not present on my system, I go poking through my DART logs and find an AnyConnect Posture Module folder with the anticipated libcsd.log right along with an AnyConnect ISE Posture log folder. WHAT IS GOING ON. Are we running "combined" HostScan or not?!?!

 

If they're going to go out of their way in the documentation to advise NOT combining HostScan with ISE, they should distinguish between the "HostScan module" and the "VPN posture" function instead of putting HostScan in parentheses next to every single reference of VPN Posture to confuse those of us that don't have keys to the flippin city.