01-08-2022 06:35 AM
Hi Experts,
With the AnyConnect mobility client (pre-deploy package), we've got an ISE pre-posture (host scan) and posture module. In addition to that, Cisco offers a Compliance module as well. As far as I know, the compliance module performs the posture assessment. Can you please explain how an ISE posture module is different from the compliance module?
Thank you.
anyconnect-win-4.10.03104-iseposture-predeploy-k9
anyconnect-win-4.10.03104-posture-predeploy-k9
01-08-2022 08:15 AM
@Srinivasan Nagarajan the ISE Posture module and Posture (hostscan) module are different and should not be used together. The Hostscan module is for posture assessment against an ASA.
The ISE posture module relies on the compliance module, which contains the list of supported antimalware and firewall for ISE posture.
01-08-2022 08:33 AM
Hi Rob,
Thanks for the reply. I'd like to get clarification on the ISE posture module and compliance module.
While the compliance module is responsible for performing the posture assessment on the endpoints, I'm not sure what the ISE posture module (which is part of the AnyConnect pre-deployment package) is responsible for.
anyconnect-win-4.10.03104-iseposture-predeploy-k9 >> ISE Posture
anyconnect-win-4.3.1728.6145-isecompliance-predeploy-k9 >> Compliance Module
01-08-2022 09:06 AM
@Srinivasan Nagarajan the ISE Posture module is the agent that appears in AnyConnect as a tile. This module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides a report to the ISE regarding requirements status.
More information
01-08-2022 09:18 AM
Hi @Rob Ingram
Many thanks for your time in replying to this.
"the ISE Posture module is the agent that appears in AnyConnect as a tile, this module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides report to the ISE regarding requirements status"
- This is the compliance module (tile system scan) which is responsible for performing the above checks.
But the ISE posture module below is part of the AnyConnect pre-deploy, and I'd like to get clarification on it.
anyconnect-win-4.10.03104-iseposture-predeploy-k9
01-08-2022 09:35 AM
AnyConnect ISE Posture module = anyconnect-win-4.10.03104-iseposture-predeploy-k9
Compliance Module = anyconnect-win-4.3.2290.6145-isecompliance-predeploy-k9.msi
I'm not sure what else you need clarification on?
01-08-2022 09:51 AM
Hi @Rob Ingram
As the Compliance module (system scan) performs the posture checks, I'd like to know about the ISE posture module (which is part of the AnyConnect pre-deploy) and what it is responsible for.
01-08-2022 10:02 AM
@Srinivasan Nagarajan I've already explained what the ISE Posture module is responsible for. The ISE Posture module is the agent that appears in AnyConnect as a tile. This module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides a report to the ISE regarding requirements status.
The ISE posture module relies on the compliance module, which contains the list of supported antimalware and firewall for ISE posture. The compliance module contains a list of fields, such as vendor name, product version, product name, and attributes provided by OPSWAT that supports Cisco ISE posture conditions. Vendors frequently update the product version and date in the definition files; therefore, you must look for the latest version and date in the definition files for each vendor product by frequently polling the compliance module for updates. Each time the compliance module is updated to reflect the support for new vendors, products, and their releases, the AnyConnect agents receive a new library.
These 2 modules work together and have their own roles.
01-08-2022 10:07 AM
Hi @Rob Ingram
Many thanks. I got what I needed.