topic Re: How to keep endpoint alive after session termination in Network Access Control

How to keep endpoint alive after session termination

Jeffrey Jones — Wed, 01 Feb 2017 19:25:39 GMT

Situation: User logs off system terminating session with ISE, how can an administrator still get to the device for windows updates, etc, or to log in to the system to troubleshoot. VNC is installed on endpoints, but we can not even RDP to the endpoint.

ISE version 2.1 patch 1 and 2, AnyConnect version 4.3 with NAM and ISE Posture, DART also installed.

Re: How to keep endpoint alive after session termination

Craig Hyps — Thu, 02 Feb 2017 05:34:03 GMT

Jeffrey,

I have already responded to your question in other post here: Re: ISE 1.4 API remove stale sessions

You can use Low Impact Mode or return a default MAB-based policy that grants required access.

Craig

Re: How to keep endpoint alive after session termination

Charlie Moreton — Thu, 02 Feb 2017 18:23:06 GMT

This is a good question. I think that if you have implemented machine authentication (AD Domain Joined Machines), you should be able to do this.

I have an Authorization Compound Condition (Policy > Policy Elements > Conditions > Authorization > Compound Conditions) set up like this:

Which is used in my Wired Access Policy Set (Policy > Policy Sets)

The permissions (AD-ONLY) given are set at Policy > Policy Elements > Results > Authorization Profiles. Of course, you'll need a DACL for this, too (Policy > Policy Elements > Results > Downloadable ACLs).

And that should give you the access you desire.

Re: How to keep endpoint alive after session termination

Jeffrey Jones — Thu, 02 Feb 2017 21:51:44 GMT

This works great on Cisco switches, but not on HP ProCurve which this customer has. cant do dacl

Re: How to keep endpoint alive after session termination

Charlie Moreton — Thu, 02 Feb 2017 21:55:37 GMT

Then reference the ACL on the switch: