Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3442
Views
20
Helpful
8
Replies

Anyconnect Posture Package

Go to solution
Srinivasan Nagarajan
Level 1
Level 1

‎01-08-2022 06:35 AM

Hi Experts,

With the Anyconnect mobility client (pre-deploy package), we've got an ISE pre-posture (host scan) and posture module. In addition to that, Cisco offers a Compliance module as well. As far as I know, compliance module is performing the posture assessment. Can you please suggest how a ISE posture module is different from the compliance module?

Thank you.

anyconnect-win-4.10.03104-iseposture-predeploy-k9 
anyconnect-win-4.10.03104-posture-predeploy-k9 

1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Srinivasan Nagarajan

‎01-08-2022 10:02 AM

@Srinivasan Nagarajan  I've already explained what the ISE Posture module is reponsible for. The ISE Posture module is the agent that appears in AnyConnect as a tile, this module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides report to the ISE regarding requirments status.

 

The ISE posture module relies on the compliance module, which contains the list of supported antimalware and firewall for ISE posture. The compliance module contains a list of fields, such as vendor name, product version, product name, and attributes provided by OPSWAT that supports Cisco ISE posture conditions. Vendors frequently update the product version and date in the definition files, therefore, you must look for the latest version and date in the definition files for each vendor product by frequently polling the compliance module for updates. Each time the compliance module is updated to reflect the support for new vendors, products, and their releases, the AnyConnect agents receives a new library.

 

These 2 modules work together and have their own roles.

View solution in original post

8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎01-08-2022 08:15 AM

@Srinivasan Nagarajan the ISE Posture module and Posture (hostscan) module are different and should not be used together. The Hostscan module is for posture assessment against an ASA.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/administration/guide/b_AnyConnect_Administrator_Guide_4-5/configure-posture.html

 

The ISE posture module relies on the compliance module, which contains the list of supported antimalware and firewall for ISE posture.

 

0 Helpful

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to Rob Ingram

‎01-08-2022 08:33 AM

Hi Rob,

Thanks for the reply. I'd like to get clarified on the ISE posture module and compliance module.

While compliance module is responsible for performing the posture assessment on the endpoints, not sure what is the ISE posture module (which is part of Anyconnect pre-deployment package) is responsible for?

anyconnect-win-4.10.03104-iseposture-predeploy-k9 >> ISE Posture

anyconnect-win-4.3.1728.6145-isecompliance-predeploy-k9 >> Compliance Module

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Srinivasan Nagarajan

‎01-08-2022 09:06 AM

@Srinivasan Nagarajan the ISE Posture module is the agent that appears in AnyConnect as a tile, this module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides report to the ISE regarding requirments status.

 

More information

https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

 

0 Helpful

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to Rob Ingram

‎01-08-2022 09:18 AM

Hi @Rob Ingram 

Many thanks for your time in replying to this.

"the ISE Posture module is the agent that appears in AnyConnect as a tile, this module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides report to the ISE regarding requirements status"

 - This is the compliance module (tile system scan) which is responsible to perform the above checks.

 

But the below ISE posture module which is part of Anyconnect pre-deploy and I'd like to get clarified on the below?

anyconnect-win-4.10.03104-iseposture-predeploy-k9 

Go to solution
Rob Ingram
VIP
VIP
In response to Srinivasan Nagarajan

‎01-08-2022 09:35 AM

@Srinivasan Nagarajan 

AnyConnect ISE Posture module = anyconnect-win-4.10.03104-iseposture-predeploy-k9 

Compliance Module = anyconnect-win-4.3.2290.6145-isecompliance-predeploy-k9.msi

 

I'm not sure what else you need clarification on?

0 Helpful

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to Rob Ingram

‎01-08-2022 09:51 AM

Hi @Rob Ingram 

As Compliance module (system scan) is performing the posture checks, I'd like to know about the ISE posture module (which is part of Anyconnect pre-deploy) and what is it responsible for

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Srinivasan Nagarajan

‎01-08-2022 10:02 AM

@Srinivasan Nagarajan  I've already explained what the ISE Posture module is reponsible for. The ISE Posture module is the agent that appears in AnyConnect as a tile, this module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides report to the ISE regarding requirments status.

 

The ISE posture module relies on the compliance module, which contains the list of supported antimalware and firewall for ISE posture. The compliance module contains a list of fields, such as vendor name, product version, product name, and attributes provided by OPSWAT that supports Cisco ISE posture conditions. Vendors frequently update the product version and date in the definition files, therefore, you must look for the latest version and date in the definition files for each vendor product by frequently polling the compliance module for updates. Each time the compliance module is updated to reflect the support for new vendors, products, and their releases, the AnyConnect agents receives a new library.

 

These 2 modules work together and have their own roles.

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to Rob Ingram

‎01-08-2022 10:07 AM

Hi @Rob Ingram 

Many thanks. I got what I needed..

0 Helpful
Customers Also Viewed These Support Documents