An engineer tests Cisco ISE posture services on the network and must configure the compliance module to automatically download and install on endpoints. Which action accomplishes this task for VPN users?
A.
Push the compliance module from Cisco FTD prior to attempting posture.
B.
Use a compound posture condition to check for the compliance module and download, if needed.
C.
Configure the compliance module to be downloaded from within the posture policy.
D.
Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.
Just for info - from SISE ebook:
It is possible to do posture assessment with application access control using the Cisco Duo Security solution, and it is also possible to perform endpoint posture assessment with a Cisco ASA, using the AnyConnect HostScan module, which ties in to the ASA’s Dynamic
Access Policy (DAP) engine.
However, the use of the HostScan method was mostly replaced with use of the AnyConnect System Scan module with ISE for the policy server; in addition, when using Firepower Threat Defense (FTD) VPN headends, ISE is the only option for posture assessment because Host-Scan and DAP were never ported over.
Cisco made the right call: Posture should be centralized from a policy server, such as ISE, and not distributed to local policy engines within each firewall. This central management ensures that an organization has a consistent posture policy that applies to all network access control methods: wired, wireless, and remote access VPNs (RA-VPNs).
D is correct (CPP with ISE).
As denverfly have explained:
When you configure posture you need to configure in the resources tab the anyconnect configuration which means download the right compliance module and the anyconnect version that is going to be deployed, you can also set some parameters of the anyconnect profile that the client will use.
After that we create the Client Provisioning Policy, with this policy you decided based on specific conditions what type of agent you are going to deploy for the clients (also anyconnect).
The correct answer is - Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.
To configure the compliance module to automatically download and install on endpoints, you must create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE. This policy will specify the settings for the compliance module, such as the URL from which it can be downloaded and the installation options.
This section is not available anymore. Please use the main Exam Page.300-715 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
NikoTomas
8 months, 2 weeks agoXBfoundX
11 months, 1 week agoXBfoundX
11 months, 1 week agoCCNP21
1 year, 3 months agodenverfly
1 year, 4 months agoChidinnaji
1 year, 5 months ago