https://community.cisco.com/t5/network-access-control/posture-before-logon/m-p/3479744#M527015 <HTML><HEAD></HEAD><BODY><P>Hi, Anshul. I believe what you are looking for is Stealth mode (Clientless) AnyConnect with ISE which was introduced with ISE 2.2 &amp; AnyConnect 4.4. You can find more about this feature here: <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html?bookSearch=true#id_38262" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html?bookSearch=true#id_38262">Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies [Cisco Identity Ser…</A></P></BODY></HTML> Tue, 05 Sep 2017 05:42:27 GMT howon 2017-09-05T05:42:27Z https://community.cisco.com/t5/network-access-control/posture-before-logon/m-p/3479743#M527014 <HTML><HEAD></HEAD><BODY><P style="font-size: 11pt; font-family: Calibri,sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><SPAN style="color: #1f497d;">Hi Team,</SPAN></P><P style="font-size: 11pt; font-family: Calibri,sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><SPAN style="color: #1f497d;"><BR /></SPAN></P><P style="font-size: 11pt; font-family: Calibri,sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><SPAN style="color: #1f497d;">Is there anything on the ISE\Anyconnect posture roadmap to allow for posture before logon&nbsp; ?</SPAN></P><P></P><P style="font-size: 11pt; font-family: Calibri,sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><SPAN style="color: #1f497d;">The customers use case is to fully block machines from joining their network if they don’t have AV or up to date windows patches to stop the spread of viruses.&nbsp; This isn’t possible at the present because the Anyconnect GUI only starts after the user logs on so drive mapping fails. </SPAN></P><P></P><P style="font-size: 11pt; font-family: Calibri,sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><SPAN style="color: #1f497d;">This is not a BYOD or guest scenario but more about corporate machines where if they are taken off site to other premises and get infected with malware that disables the AV they shouldn’t be allowed back onto the corporate network.</SPAN></P><P style="font-size: 11pt; font-family: Calibri,sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><SPAN style="color: #1f497d;"><BR /></SPAN></P><P style="font-size: 11pt; font-family: Calibri,sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><SPAN style="color: #1f497d;">Regards,</SPAN></P><P style="font-size: 11pt; font-family: Calibri,sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><SPAN style="color: #1f497d;">Anshul<BR /></SPAN></P></BODY></HTML> Mon, 04 Sep 2017 15:01:44 GMT https://community.cisco.com/t5/network-access-control/posture-before-logon/m-p/3479743#M527014 ankaushi 2017-09-04T15:01:44Z https://community.cisco.com/t5/network-access-control/posture-before-logon/m-p/3479744#M527015 <HTML><HEAD></HEAD><BODY><P>Hi, Anshul. I believe what you are looking for is Stealth mode (Clientless) AnyConnect with ISE which was introduced with ISE 2.2 &amp; AnyConnect 4.4. You can find more about this feature here: <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html?bookSearch=true#id_38262" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html?bookSearch=true#id_38262">Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies [Cisco Identity Ser…</A></P></BODY></HTML> Tue, 05 Sep 2017 05:42:27 GMT https://community.cisco.com/t5/network-access-control/posture-before-logon/m-p/3479744#M527015 howon 2017-09-05T05:42:27Z https://community.cisco.com/t5/network-access-control/posture-before-logon/m-p/3479745#M527016 <HTML><HEAD></HEAD><BODY><P>We don’t discuss roadmap in the public forum.</P><P></P><P>What you’re asking for is likely not possible because all of the services AV etc run in user space. You wouldn’t be able to check if they are running before logon.</P><P></P><P>However you can severely limit your pre-health network with SGT, tag, acl controls to isolate machines before the check runs. With SGT you can even limit lateral movement between machines. Once the check is complete you give them full access by updating the controls.</P></BODY></HTML> Tue, 05 Sep 2017 15:15:48 GMT https://community.cisco.com/t5/network-access-control/posture-before-logon/m-p/3479745#M527016 Jason Kunst 2017-09-05T15:15:48Z