Cisco ISE Posture support Symantec or Mcafee AV in one condition

Similar Messages

• Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

  We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
  They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
  From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
  Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
  One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
  I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
  Any thoughts? Thanks in advance.

  Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
  Thank you for rating helpful posts!

• Cisco ISE User support

  In ISE-3355 Platform when we say it supports between 500 and 1000 concurrent users, is it the concurrent user session or authentication or what exactly it is?

  Hi,
  You can use the global search box available at the top of the Cisco ISE home page to search for endpoints. You can use any of the following criteria to search for an endpoint:
  •User name
  •MAC Address
  •IP Address
  •Authorization Profile
  •Endpoint Profile
  •Failure Reason
  •Identity Group
  •Identity Store
  •Network Device name
  •Network Device Type
  •Operating System
  •Posture Status
  •Location
  •Security Group
  •User Type
  You should enter at least three characters for any of the search criteria in the Search field to display data.
  The search result provides a detailed and at-a-glance information about the current status of the endpoint, which you can use for troubleshooting. Search results display only the top 25 entries. It is recommended to use filters to narrow down the results.

• Cisco ISE posture check for VPN

  Hello community,
  first of all thank you for taking time reading my post. I have a deployment in which requires the feature posture checks on VPN machines from Cisco ISE. I know logically once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the Anyconnect agent but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this? 
  Thank you!

  The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
  The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
  http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

• Cisco ISE posture assesment and client provisioning

  Hello,
  I have Cisco ISE and Cisco IOS device. I have configured RADIUS in between these device.
  Also I have configured RADIUSbetween Cisco ISE and Cisco ASA. Now I want to know that how to do posture assesment for these devices(Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me whole steps to do posture assesment for cisco ios device in Cisco ise.
  Also, please provide me logs related to posture assesment and client provisioning.
  Thanks in advance.

  You may go through the below listed link to download a PDF link
  Posture assessment with ISE.
  http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE posture requirements whats the ordering of requirements?

  Hi Everyone,
  I am in the middle of deploying the anyconnect posture module (ac 4.0), with ISE 1.3. I have a problem, with the order of which the posture requirements get checked, it does not seem to order the requirements alphabetically, and can't figure out how to make it check for certain things, before other things. An example :
  I have Symantec SEP 12.1 AV in this environment, and i have the following checks :
  - AV_installed : is the av agent installed ?, if not start installation from a network share
  - AV_started : is the av agent started ?, if not try to start the service
  - AV_uptodate : is the av definitions up to date?, if not start the update function in the av client
  Now this is the order it needs to be checked in, as it would fail if i tried to check if the AV is running, before i check if it's actually installd,  but i can't get posture to do that, going on the names of the rules, these should alphabetically be run in the order i have, but they are not.
  Any ideas?, the documentation for posture is lacking to be polite, i have not been able to find anything describing this process.

  Abhishek,
  This is possible, please use this link for reference:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
  Your AV vendor will have to be supported based on the release notes:
  http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE posture problem

  Hi all,
  I've been playing around with ISE demo and I am very impressed!!!
  After trying different scenarios with my co-workers I came to a point where we find it kind of buggy.
  I have rules to redirect unknown users to pasturing through web where they download NAC CLIENT and everything works fine.
  Here's the catch:
  On a windows 7 machine (connecting wirelessly with built in wireless client) they are stuck on posture pending if they do the following:
  They connect - open up web browser - ise redirects them to download the client they hit install and the warning about installing the client pops up - that moment the user decides to close the browser (it's most likely to happen when you have 5000+ users)  - dissconnects from network and tries to re-connect again. NOW - when they open up the web browser ISE says unable to allow access to network and all that error.
  So it's not letting them download the nac agent any more.. no matter what they do connect - reconnect wait 2-3 minutes nothing, only after a period of time they are able to get the NAC client installation page.
  NOTE: this works totally fine on a windows xp machine with the INTEL PRO SET wireless utility.
  It's not a big thing but when you have 5000+ clients and you want to introduce them to something new it will cause alot of helpdesk calls and all that you know how it goes.
  Thanks in advance.
  P.s I can create a short video of the whole process.

  Very interesting thread. Can you tell me – how can ISE differentiate between a new/unknown computer owned by an employee and/or the organization, which you WANT to load the NAC client on, and a guest that you might want to give Internet access to but you don’t want to load a NAC client on?

• Cisco ISE 1.2.x with Posture Configuration - Windows Patches

  Hi, Anybody has any experience in integrating Cisco ISE Posture with Microsoft SCCM?
  With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Anybody knows what it's included in the predefined rules
  pr_WSUSRule and pr_WSUSCheck? I can't find any information in ISE Console or Cisco documentation.
  Thanks.

  Once agent performs the posture checks containing the windows hotfix checks, if the administrator configured the Launch Program Posture Remediation , agent will launch the script file which will initiate the windows hotfix updates via SCCM client configuration manager pre-installed/pre-configured on the box.

• MAC OS X unable to download Cisco ISE supplicant agent

  Hi,
  I have a problem with MAC OS X clients unable to download the Cisco ISE supplicant agent using Safari browser but able to login on the ISE guest portal. If the same client was to login to the ISE guest portal using Firefox; it has no issues downloading the ise supplicant and posture agent.
  I have tried to update the Java version on the client to the latest; however it does not resolve the issue. As I am new to MAC OS clients; I was wondering what may be the cause of the issue?
  I have summarized the issue as follows:
  1. MAC OS X 10.8 with safari 6 -- unable to download agent but can login successfully on the Cisco ISE guest portal
  2. MAC OS X 10.8 with Firefox -- able to login to Cisco ISE guest portal and download agents; no issues
  3. MAC OS X 10.7 with safari and firefox ---  unable to download agent but can login successfully on the Cisco ISE guest portal
  4. Windows XP & Windows 7 & Iphone/Ipad/Android -- able to login/download agent without any issues
  Any suggestions is appreciated.
  Thanks.

  For Agent Download Issues on Client Machine
  • Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the
  policy identity group, conditions, and type of agent(s) defined in the policy.
  (Also ensure whether or not there is any agent profile configured under Policy >
  Policy Elements > Results > Client Provisioning > Resources > Add > ISE
  Posture Agent Profile, even a profile with all default values.)
  • Try reauthenticating the client machine by bouncing the port on the access
  switch.
  Remember that the client provisioning agent installer download requires the following:
  • The user must allow the ActiveX installer in the browser session the first time an agent is installed
  on the client machine. (The client provisioning download page prompts for this.)
  • The client machine must have Internet access.
  Client Machine Operating Systems and Agent Support in Cisco ISE
  Check the following link
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449

• Multiple domains authentication on Cisco ISE

  Hi,
  Does the current Cisco ISE supports for authenticating on multiple Active Directories ?
  I can only set Cisco ISE to join on single active directory and LDAP
  Does anyone have set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning ?
  Thanks
  Pongsatorn

  Hi,
  We are into a situation where we need to authenticate users of two domains and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domain using the DNS server settings and Adding a host entry for the domain name is not sufficient since Kerberos, GC and LDAP SRVs need to be resolvable as well.
  From what I know ISE 1.3 should supports disjointed domains and there is no requirement for ISE to have 2 way trust relationship with domains.
  Please share your experience if someone has faced similar situation before.
  Regards,
  Akhtar

• Cisco ISE - Guest Access With Google Chrome

  We've implemented the self provisioning guest portal/Guest SSID and it seems to work great for internet explorer, if a user uses Google Chrome to go through the setup the password is generated, they login and accept the terms and conditions, but then they get hung up on the WLC URL and then have to start self provisioning again.
  Any ideas?

  Please check the below browser requirements :
  Supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals
  These Cisco ISE portals support the following operating system and  browser combinations. These portals require that you have cookies  enabled in your web browser.
  Table 8     Supported Operating Systems and Browsers
  Supported Operating System Browser Versions
  Google Android 1 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
  •Native browser
  Apple iOS 6, 5.1, 5.0.1, 5.0
  •Safari 5, 6
  Apple Mac OS X 10.5, 10.6, 10.7, 10.8
  •Mozilla Firefox 3.6, 4, 5, 9
  •Safari 4, 5, 6
  •Google Chrome 11
  Microsoft Windows 82
  •Microsoft IE 10
  Microsoft Windows 73
  •Microsoft IE 9
  •Mozilla Firefox 3.6, 5, 9
  •Google Chrome 11
  Microsoft Windows Vista, Microsoft Windows XP
  •Microsoft IE 6, 7, 8
  •Mozilla Firefox 3.6, 9
  •Google Chrome 5
  Red Hat Enterprise Linux (RHEL) 5
  •Mozilla Firefox 3.6, 4, 5, 9
  •Google Chrome 11
  Ubuntu
  •Mozilla Firefox 3.6, 9

• CIsco ISE - HP Openview monitoring.

  Hi guys,
  I have a doubt about monitoring Cisco ISE services in the network.
  We can send some alarms notifications to a multiple e-mails, but my doubt is if I can monitoring ISE services with a network monitoring software like HP Open View.
  I didn't find any documentation about it yet.
  Someone knows if I can do this?

  Hi Tarik, How are you?
  The doubt is.... my customer have ise in vmware and he need monitoring availability for cisco ISE. The question is: How can I do that? I did found any document informing if I can send snmp traps or something like that to a Monitoring Server.
  About "link down" and "link Up" he can monitoring the ESX Vmware appliance right?
   There are something that I can do with Cisco ISE. I need to pass a answer to my client if  the Cisco ISE can support this kind of configuration. 
  Thanks for your help.

• Cisco ISE 1.2 and Symantec Endpoint Protection

  Hi Experts,
  Good Day!
  I'm just wondering if ISE 1.2 is able to detect an application/software in a laptop like the Symantec Endpoint Protection before giving the user an access to the network? Is it possible?
  I tried to searched over the internet however, I can't find any documentation about it.
  Thank you for your support.
  Cheers,
  Niks

  hello ,have you checked posturing service of ISE , with ISE posture service enabled you can check Antivirus Installation , Antivirus Version/ Antivirus Definition Date etc . Check the following link for different Posture Assessment Options  available
  http://www.cisco.com/en/US/partner/docs/security/ise/1.2/user_guide/ise_pos_pol.html#wp2276381

• Remote Access VPN posturing with Cisco ISE 1.1.1

  Hi all,
  we would like to start using our ISE for Remote VPN access.
  We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
  That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
  I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
  We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
  I know ISR's are support NADs but what about ASRs? There is no mention.
  Any advise will be appreciated!
  Mario

  OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
  thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
  essentially my requirements are
  2-factor authentication VPN using a Certificate & RSA Token
  Posturing of the VPN endpoint.
  Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
  Can anyone help?
  Mario

• Cisco ISE Vs Cisco Anyconnect Posture module with Advanced Endpoint Protection

  We are planning to use cisco Anyconnect posture module with Adv Endpoint protection to examine the VPN users- This can check whether they a antivirus/anti spyware software installed on their work station and can force to update def file if its older than specified number of days, it can also check the firewall status on their workstation and enable if its not already.This can detect keylogger and emulation softwares also.
  Do we get any additional advantages in using ISE compared to Anyconnect posture module ......
  Siddhartha       

  These are good questions. We had them last year before we decided to purchase ISE, specifically for our VPN users.
  I will be watching this thread to see what kind of responses you get.
  As of right now, I can verify the ISE can indeed check if specific Anti-Virus is installed (i.e., your corporate AntiVirus), or if ANY (supported by Cisco within ISE) antivirus is installed, and it can force an update process for the AV if it detects that the DAT files are older than a admin specified amount of time.
  Our issue at the moment (if you haven't searched the forums) is ISE detected the proper WSUS updates are indeed installed on the users systems and allowing the users system to talk to our internal WSUS server.
  We are now wondering if the Advanced Endpoint licensing on the ASA would have been a better way to go.
  Wishing you luck in finding your answers for us all.
  Dirk