topic Filter out devices without AnyConnect or NAC Agent in Network Access Control

Filter out devices without AnyConnect or NAC Agent

ozgguler — Wed, 07 Nov 2018 19:44:12 GMT

Hi All

My customer wants to filter out devices which don't have Anyconnect or NAC Agent on them. If AC/Agent is installed, it should communicate to AD for domain logon. Otherwise device should not be able to access any resource.

To sum up, customer doesn't want any device to communicate Active directory even for logon, if it doesn't have AC or NAC Agent.

How can we deal with this request?

Thanks

Re: Filter out devices without AnyConnect or NAC Agent

Timothy Abbott — Wed, 07 Nov 2018 20:05:33 GMT

Hi,

This is a chicken / egg scenario. While we can certainly prevent the endpoint communicating with AD through enforcement such as group-based policy or ACL, the user needs to be able to communicate with AD to validate credentials. What's more is that AC doesn't run until after the user logs into the desktop. One way to potentially solve for this is the EAP method. Certificate-based authentication would allow the end user to get to the desktop where AC could then run. If the user gets to the desktop and AC doesn't run or isn't installed then the endpoint would be left with group-based policy or ACL in place until AC was provisioned.

Regards,
-Tim

Re: Filter out devices without AnyConnect or NAC Agent

ozgguler — Wed, 07 Nov 2018 20:15:27 GMT

Thanks Tim

Do you mean EAP Chaining with AC? Or directly cert auth with limited access?

Re: Filter out devices without AnyConnect or NAC Agent

Timothy Abbott — Wed, 07 Nov 2018 20:26:52 GMT

I was thinking EAP-TLS with limited access until posture was performed. Then CoA would provide full access.

Regards,
-Tim