Anyconnect module - Is it mandatory to install/configure all three VPN, NAM & Posture modules in ISE 1.3 for posture assessment

vinodjad1234
Level 2

Hi Experts,

I have a doubt about the Anyconnect installation:

We want to go for web deployment from the headend device, i.e. ISE, for posture assessment. However, I have come across a document where the installation process is described with all three modules:

1) VPN

2) NAM

3) Posture module

My only concern is to have a posture check on wireless corporate users, so do I need to configure all the modules in client provisioning?

There is no existing client set-up with Anyconnect and no ASA as NAD in my case. I have a WLC acting as NAD.

So after the client gets 802.1x auth, the client has to be redirected to the posture check using Anyconnect. It is a new deployment where the client does not have this agent software.

Please guide me in the right direction for an Anyconnect deployment for posture check only; how clients can get this agent downloaded automatically is my main concern.

Accepted Solutions

nspasov
Cisco Employee

For posture assessment you only need to deploy the "Posture Module." The "NAM" module is only used when you want to replace the Native Windows Supplicant. The "VPN" module is used for anyconnect VPN.

The posture module can be hosted on ISE and be provisioned to endpoints via a Client Provisioning rule. However, the users must have the proper privilege to perform the package installation. In most organizations users do NOT have such privileges. If this is your situation as well then you should deploy the Posture Module via GPO/System Center or some other equivalent system.

I hope this helps!

 

Thank you for rating helpful posts! 


5 Replies

Marvin Rhoads
Hall of Fame

I'd add to Neno's answer that if you want to do EAP chaining (i.e. to authenticate both the machine and user) then the native supplicant is not sufficient and you would also then use the NAM module.

Otherwise, just the ISE Posture module suffices in your use case.

phosawyer
Level 1

Had a similar problem where I wasn't exactly sure how to set up the provisioning part of the flow. I was pretty sure I had all the rules in place.

I found an excellent Cisco TAC guide here which details setting up Anyconnect for the posture assessment. They include a part to say here's where you put in the NAM or/and VPN settings but you don't need to. In fact if you do wish to load some you need to use Cisco's standalone NAM Profile Editor.

Hope the TAC article helps you out, it got me to understand the process of what was happening for client provisioning.

One other thing to note - there's actually a bug (non-published) that makes it necessary to build a VPN profile to DISABLE the VPN tile even when it's deselected from the installation script.

(This was covered in partner New Product Introduction training for ISE 1.3.)

Thanks for that note Marvin! 
