topic Re: AnyConnect ISE posture with SBL in Network Access Control

AnyConnect ISE posture with SBL

rkazmierczak — Fri, 19 Jan 2018 17:14:19 GMT

Hello!

Will AnyConnect ISE posture work with SBL, i.e will posture check work before the user has logged on? If not, what alternatives would be available?

Re: AnyConnect ISE posture with SBL

raufm — Fri, 19 Jan 2018 17:24:33 GMT

Posture check works after user logon to device, we allow for user to log on then CoA based on posture assessment

Re: AnyConnect ISE posture with SBL

Jason Kunst — Fri, 19 Jan 2018 18:18:06 GMT

No it requires the user space

What is your problem use case?

Re: AnyConnect ISE posture with SBL

rkazmierczak — Fri, 19 Jan 2018 20:28:26 GMT

in this case, the main (actually the only) reason to use SBL is to allow users to log on to the domain first time from a new laptop, without the cached credentials. the customer also uses folder redirection which must work during this first logon. But because the system scan does not run, the posture is uknown and they get restrictive ACL, which prevents folder redirection from working. We can't make the Non-compliant/uknown dACL more permissive to allow foder redirection as that would mean allowing access to file servers (where the folders reside). Ideally, we would check for things like registry kyes, files, AV, disc encryption before giving them more permissive dACL.

Re: AnyConnect ISE posture with SBL

raufm — Fri, 19 Jan 2018 20:45:00 GMT

You also have to take into consideration of Mobile work force's password expiration if it applies, so SBL comes in handy without requiring them to come into the office to change the password or by some other means. However you also have to allow certain access for Drive mapping / gpo ( as was in our case ) or it takes forever for all the polices to fail before user gets authenticated and then re-exec of gpo.

Re: AnyConnect ISE posture with SBL

Jason Kunst — Fri, 19 Jan 2018 20:52:00 GMT

OK understood. Unfortunately not possible since we only run in user space and that’s where all of the other systems run as well I believe.

You can ask for an enhancement by reaching out to our product managers

You could have machine auth have some basic sort of trust, this would help some?

State 1 Machine auth + unknown

State 2 user auth + unknown

State 3 user auth + non-compliant (most restrictive?)

State 4 user auth + compliant

Re: AnyConnect ISE posture with SBL

rkazmierczak — Fri, 19 Jan 2018 21:28:36 GMT

Actually, the states/ levels of trust could be a good idea. The new laptops must have machine cert and have a posture module installed as part of the build so if the user is uknown it can only mean that the system scan did not run initially, most likely because of the SBL.
We could try to restrict it futher but creating an AD group for the "new laptop users" so that only these users can can have a less restrictive dACL with uknown posture, if necessary.

This would prevent a user from moving the machine cert to a diffrent non-corp laptop and trying to log in from it.

What do you think?

Re: AnyConnect ISE posture with SBL

Jason Kunst — Fri, 19 Jan 2018 21:32:49 GMT

Sounds good to me. I think if you have the problem of a user moving a certificate you have other issues to be concerned with

Re: AnyConnect ISE posture with SBL

rkazmierczak — Fri, 19 Jan 2018 21:39:44 GMT

it is a "high security" environment so they will be considering this, that's why they needed to check for other things like registry keys and disc encryption.

But thanks for your help. Much appreciated. I'll let you know if the security guys accepted this solution