In the first entry of this series, we looked at the high-level mechanics involved in using AnyConnect with the ISE Posture module to perform endpoint host inspection (posture) when connecting to an AnyConnect VPN head-end (ASA/FTD). In the second entry of this series, we narrowly focused on getting the ISE posture module provisioned. If you haven’t checked those out yet, please do; links below!
In this entry, we will take stock of the various endpoint checks that the ISE AnyConnect Posture Module is capable of. Enjoy!
The Full Catalog of Checks
Here we will identify the full catalog of posture checks that are possible, with a description of each and some opinion mixed in.
You can find the available posture check conditions by navigating to Work Centers > Posture > Policy Elements. On the resulting page, you will see a list of items underneath “Conditions”. These items comprise the full catalog of (OS-dependent) posture checks that the ISE posture module can perform.
Note: These capabilities are based on AnyConnect 4.X and ISE 3.1.
Now that we’ve described the full catalog of AnyConnect ISE Posture Module checks, in the next entry we will look at the detailed configuration of the most commonly selected checks and their associated remediation options. Thanks for reading!
As always, if you have any questions on getting Cisco's ISE set up for you and your business and would like to schedule a free consultation with us, please reach out to us at firstname.lastname@example.org and we’ll be happy to help!
Dominic Zeni, LookingPoint Consulting Services SME - CCIE #26686