browse
Overview
This configuration guide covers the steps to provision the OrgInfo.json file and AnyConnect via ISE (Identity Services Engine).
Pre-requisites
- Access to the Umbrella Dashboard.
- Access to the ISE Dashboard.
- Umbrella Module Profile (OrgInfo.json).
- AnyConnect Headend Deployment Package (Windows or Mac OS).
- ISE Posture Compliance Library (Windows or Mac OS).
- ISE latest patch is required to avoid CSCvz01485: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz01485
Not covered
- ISE Authentication and Authorization policies.
- ISE Client Provisioning Portal and client redirection.
Before you begin
- Access your Umbrella Dashboard and download the Umbrella Module Profile (OrgInfo.json) under Deployments > Roaming Computers > Download > Download Module Profile:
- Go to the Cisco Software Download page and download the AnyConnect Headend Deployment Package according to your version and needs:
- Go to the Cisco Software Download page and download the ISE Posture Compliance Library according to your version and needs:
ISE configuration
- Access your ISE Dashboard go to Work Centers > Posture > Client Provisioning > Resources > Add > Agent resources from local disk:
- Select Cisco Provided Package > Choose File > AnyConnect Headend Deployment Package > Submit >Confirm:
- Repeat step 1 > Select Cisco Provided Package > Choose File > ISE Posture Compliance Library > Submit > Confirm:
- Repeat step 1 > Select Customer Created Package > Select AnyConnect Profile > Add Name > Choose File > OrgInfo.json > Submit:
- Under Work Centers > Posture > Client Provisioning > Resources > Add > AnyConnect Posture Profile:
- Add Name > Add Server name rules (A list of wildcarded, comma-separated names that defines the servers that the agent can connect to. E.g. "*.cisco.com") > Submit:
- Under Work Centers > Posture > Client Provisioning > Resources > Add > AnyConnect Configuration:
- Select the AnyConnect Package (from step 2) > Add Configuration Name > Select the Compliance Package (from step 3) > Select the AnyConnect Modules (Umbrella and Diagnostic) > Select the ISE Profile (from step 6) > Select the Umbrella Profile (from step 4) > Submit:
- Under Work Centers > Posture > Client Provisioning > Client Provisioning Policy > Edit Policy > Under Results add the AnyConnect Configuration (from step 8) > Save:
- From the ISE side, proceed to create an Authorization Policy that redirects the clients to the Client Provisioning Portal. Please note that this is outside the scope of this guide.
Client side
- Once the client is able to get the redirection from the Client Provisioning Portal click "Start":
- Select "This is my first time here" and it will start downloading AnyConnect:
- Open/run the downloaded file and it will start the process:
- When "Trusted and Secure Connection" message appears click "Connect" if the ISE information is correct:
- Once the "Installation is completed" message appears click "Quit":
- You can close all other windows, you will notice that Umbrella has been installed, plus the ISE Posture module: