ISE Posture with Anyconnect

Hi;

What is the difference between AnyConnect ISE Compliance Module versions (3.x and 4.x)? Some remediation and posturing actions are only available in one version or the other. I've created an AnyConnect configuration file on ISE with only AnyConnect Compliance Module ver 4.2. Given that it is not possible to add both compliance modules to a single configuration file, do I need to create 2 configuration files (one for each version of the compliance module) and provision both to clients? Would anybody clarify this a little bit more for me? Thanks.


Accepted Solutions

Re: ISE Posture with Anyconnect

Hi 

The difference is based on the AnyConnect client version you have installed on your hosts.

Best practice is to use version 4, as version 3 will be deprecated soon. You have to use v3 only if your AnyConnect clients are on version 3 and there is no possibility to upgrade them.

For example, on version 3 you were using the menu Antivirus and Antispyware, whereas in version 4 everything is in the menu AntiMalware.

You can only have 1 profile per host, and this will be based essentially on the AnyConnect version. If I can recommend you something, it's going to be to, if possible, have all your clients on AnyConnect version 4 and use compliance module v4.x.x.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
9 REPLIES


Re: ISE Posture with Anyconnect

With your explanation now I got it right. Thank you for this helpful answer.

I have an issue with this posture configuration which I think does not work, despite configuring it based on the documents. In this configuration I created a posture policy which is supposed to check the Windows Update service, enable it if it was disabled and force the client to download Windows updates from the Internet, but it did nothing. The client was marked as "compliant" despite Windows Automatic Update being in disabled status. I don't know where I misconfigured.

I took a screenshot of my posture policy screen and attached it to the post. If you take a look at it, "TPP01" is the name of the posture policy. If I get it right, we don't need to refer to this name anywhere, right?

Re: ISE Posture with Anyconnect

Hi

Could you give screenshots for each action of Windows Update you configured?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Re: ISE Posture with Anyconnect

I uploaded a *.rar file to the following link. Thanks for your time :)

https://1drv.ms/u/s!AqPa0cQhNTly3Gmi0LMtm3yM7Pdj

Re: ISE Posture with Anyconnect

Based on your screenshot you're doing remediation for WSUS and Windows Update but not for Windows services. To do that, you have to create a condition called "Service" where you're going to need to put the right service name with status "not running", and then apply a remediation like "Application Launch". This is how I manage other services, not specifically Windows Update, because usually this is taken care of by the local Windows admin using GPO or scripts at login, or users don't have access to the services interface.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Re: ISE Posture with Anyconnect

I'll do it tomorrow and will post the result here. But shouldn't these built-in items on ISE (pr_AutoUpdateCheck_Rule and Windows Server Update Services Remediations) do the task? So what is the purpose of these on ISE?

Re: ISE Posture with Anyconnect

The purpose of those is to check the status and update WSUS, but not the Windows service.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Re: ISE Posture with Anyconnect

Today I tested the scenario with the original, built-in ISE posture requirements and it worked. The issue was that although I had set Windows Update settings in Control Panel to "Never Check Updates", the Update service was still running (according to the output of the "net start" command). Then I killed the service on the CLI with the "net stop wuauserv" command and re-initiated the authentication process on ISE. After being logged in with a valid AAA username/password, I checked the messages on Cisco AnyConnect, and the exact same names of the posture requirements on ISE were shown there and marked as "Performed", showing that everything was OK. I checked the Windows Update service again with the "net start" command and it was enabled, showing that the remediation was successful too. After a while, Windows Update in Control Panel displayed the total number of updates available for download and install (I've configured the remediation on ISE to only notify the client of available updates and let him trigger the downloading/installing manually).
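The two exchanges above (the "Service" condition Francesco describes and the test result that the Control Panel "Never Check Updates" setting left wuauserv running) turn on one distinction: a posture Service condition evaluates the service state, while the automatic-update setting is a separate registry value. The PowerShell below is an added example, not code from the thread or from Cisco, that reports both on an endpoint so an admin can predict what the compliance module will observe before rolling out the policy; the service name wuauserv and the AUOptions registry paths are assumptions taken from Windows documentation, not from the thread.

```powershell
# Added example: show the two things the thread found to be independent on an endpoint.
# A posture "Service" condition looks at whether the service is running; the
# Control Panel / GPO "automatic updates" setting lives in the registry and does not
# by itself stop the service, so a host can be "compliant" with updates switched off.
# Assumptions: service name 'wuauserv' and the AUOptions locations come from Windows
# documentation (1 = never check, 2 = notify, 3 = download and notify, 4 = auto install).
param(
    [string]$ServiceName = 'wuauserv'
)

# 1. Service state and startup type: this is what a posture Service condition sees.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"

# 2. Automatic Updates setting: the policy key (GPO) takes precedence over the
#    per-machine key, so check it first and stop at the first value found.
$auPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
)
$auOptions = $null
foreach ($p in $auPaths) {
    $v = Get-ItemProperty -Path $p -Name AUOptions -ErrorAction SilentlyContinue
    if ($null -ne $v) { $auOptions = [int]$v.AUOptions; break }
}

# 3. Report both views side by side. ServiceCheckOK is what the posture condition
#    would pass; UpdatesEnabled is what the administrator actually cares about.
[pscustomobject]@{
    Service        = $ServiceName
    Status         = $svc.Status           # Running / Stopped
    StartMode      = $cim.StartMode        # Auto / Manual / Disabled
    AUOptions      = $auOptions            # $null when no setting is present
    ServiceCheckOK = ($svc.Status -eq 'Running')
    UpdatesEnabled = ($null -ne $auOptions -and $auOptions -ne 1)
}
```

A host that reports ServiceCheckOK = True with UpdatesEnabled = False is the case the poster hit: the Service condition passes while updates are still turned off, so the Windows Update remediation (or a GPO) has to address the setting separately.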

Re: ISE Posture with Anyconnect

OK, nice. I thought it wasn't starting the Windows service.
Good to know. Usually I'm not adding Windows Update as part of the remediation because customers don't trust it until they've tested it (sometimes they have had to do some rollbacks).

The way I gave you can be used for all other services not integrated in ISE.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question