How to update AnyConnect & Compliance Modules on Cisco Identity Services Engine (ISE)

January 11th, 2019

I've recently had the pleasure of deploying Cisco's Identity Services Engine (ISE) as an integrated security solution for a customer.  Part of the ISE deployment involved determining the security posture of VPN-connected clients before allowing the client node access to the corporate network.


In order for VPN posturing to work on the ASA firewall, an additional compliance module must be installed on the ASA.  The Compliance Module (aka ISE Posture Module) is part of the AnyConnect Secure Mobility Client and gives it the ability to assess an endpoint's compliance for things like the antivirus, antispyware, and firewall software installed on the client endpoint.


In our lab environment, we deployed the Windows version of the compliance module on our Cisco ASA firewall.  See the diagram below:


It is crucial that the Client Provisioning Policy within ISE references the appropriate version of both the AnyConnect and Compliance packages that are deployed on the ASA firewall.  I've seen instances where the VPN posture module does not work correctly due to a version mismatch between ISE and the ASA firewall, where the posture check does not kick off while the client endpoint is attempting to connect to the corporate network via VPN.


Unfortunately, while the ISE administrator can edit the Compliance Module version under the AnyConnect Agent Configuration, the AnyConnect Package CANNOT be edited.  To keep the AnyConnect Agent Configuration's name aligned with the AnyConnect Package version, I highly recommend creating a new AnyConnect Agent Configuration.


As far as compatibility between the AnyConnect and Compliance Module is concerned, a quick check of the compatibility matrix indicates that the AnyConnect Secure Mobility Client needs to be 4.x.  This support documentation also lists the supported versions of patch-management, anti-virus, anti-malware, etc.


The following steps detail the procedure for updating both the AnyConnect and Compliance Module on the Cisco ISE Policy Administration Node (PAN).


  1. Update the AnyConnect and Compliance Module packages on the Cisco ASA firewall
    1. Download the AnyConnect and Compliance Module packages from Cisco Online
    2. Move the packages to the ASA flash
  2. Download and install the AnyConnect package on Cisco ISE
    1. Policy > Policy Elements > Results > Client Provisioning > Resources
    2. Click Add > Agent resources from local disk
    3. Select "Cisco Provided Packages" and click on the "Browse" button to upload the package to ISE.  Click on the Submit button.  Another window will then prompt the ISE administrator to confirm the MD5 hash; click on OK.
  3. Download and install the AnyConnect Compliance Module (.pkg) on ISE
    1. Policy > Policy Elements > Results > Client Provisioning > Resources
    2. Click Add > Agent resources from local disk
    3. Select "Cisco Provided Packages" and click on the "Browse" button to upload the package to ISE.  Click on the Submit button.  Another window will then prompt the ISE administrator to confirm the MD5 hash; click on OK.

Once the new AnyConnect and Compliance Modules have been uploaded, a new Posture Profile will need to be created.

  4. Create a new Posture Profile
    1. Policy > Policy Elements > Results > Client Provisioning > Resources
    2. Click Add > AnyConnect Configuration
    3. Select the new AnyConnect package under the dropdown
    4. Enter the configuration name.  Include the version number in the name, e.g. "AnyConnect Configuration 4.5.4029.0"
    5. Select the new Compliance Module that was added to ISE in step 3.
    6. Under Profile Selection, select "POSTURE_PROFILE"
    7. Leave everything else at default and click on the "Save" button.

The final step is to modify the Client Provisioning Policy to include the new AnyConnect Agent Configuration in ISE.

  5. Modify the Client Provisioning Policies
    1. Policy > Client Provisioning
    2. Edit the Windows rule to include the new AnyConnect Agent Configuration
    3. Under Results, under Agent, select the new AnyConnect agent that was just created.
    4. Click on Save and we should be good to go.
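As an added example (not code from the original post), here is a small Python check for the two things this procedure depends on: that the package versions on the ASA flash match the AnyConnect Configuration that ISE's Client Provisioning Policy references, and the MD5 of a downloaded package for comparison with Cisco's published hash and the value ISE prompts for on upload. The file-name and display-name formats and the sample inventory are assumptions constructed for the example.

```python
import hashlib
import re

# Assumed name layouts (constructed for this example): the ASA flash holds
# anyconnect-win-4.5.04029-webdeploy-k9.pkg (zero-padded build) while ISE
# displays the same package as 4.5.4029.0, so versions must be normalized.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")

def normalize_version(text):
    """Return (major, minor, build, rev); '4.5.04029' and '4.5.4029.0' compare equal."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def md5_hex(chunks):
    """MD5 over byte chunks, e.g. iter(lambda: f.read(1 << 20), b"") of a downloaded .pkg."""
    h = hashlib.md5()
    for block in chunks:
        h.update(block)
    return h.hexdigest()

def check_alignment(asa_flash, ise_config):
    """Flag mismatches between the ASA packages and the ISE AnyConnect Configuration."""
    problems = []
    for kind in ("anyconnect", "compliance"):
        asa_ver, ise_ver = normalize_version(asa_flash[kind]), normalize_version(ise_config[kind])
        if asa_ver != ise_ver:
            problems.append(f"{kind}: ASA has {asa_ver}, ISE config references {ise_ver}")
    if normalize_version(ise_config["anyconnect"])[0] != 4:
        problems.append("AnyConnect must be 4.x for the ISE posture module")
    try:  # the post recommends putting the package version in the configuration name
        if normalize_version(ise_config["name"]) != normalize_version(ise_config["anyconnect"]):
            problems.append("configuration name does not carry the selected package version")
    except ValueError:
        problems.append("configuration name has no version number")
    return problems

# Constructed sample inventory: packages on the ASA flash and two ISE configurations.
ASA_FLASH = {"anyconnect": "anyconnect-win-4.5.04029-webdeploy-k9.pkg",
             "compliance": "anyconnect-win-compliance-4.3.50.0.pkg"}
OLD_CONFIG = {"name": "AnyConnect Configuration 4.4.3034.0",
              "anyconnect": "AnyConnectDesktopWindows 4.4.3034.0",
              "compliance": "AnyConnectComplianceModuleWindows 4.3.50.0"}
NEW_CONFIG = {"name": "AnyConnect Configuration 4.5.4029.0",
              "anyconnect": "AnyConnectDesktopWindows 4.5.4029.0",
              "compliance": "AnyConnectComplianceModuleWindows 4.3.50.0"}

if __name__ == "__main__":
    print(check_alignment(ASA_FLASH, OLD_CONFIG), check_alignment(ASA_FLASH, NEW_CONFIG))
```

The stale configuration reports the AnyConnect package mismatch that leaves posture checks never starting, while the freshly created one returns no problems.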
