Cisco ISE drive encryption posture using AnyConnect version 4.6.4056

Peter Bernardo (Level 1)

Hi,

I am trying to posture drive encryption on Mac OS X. ISE and AnyConnect are able to identify that the main volume is encrypted with FileVault, BUT once I plug in an external HDD, AnyConnect is unable to detect the secondary drive. Shouldn't AC be able to pick this up and report back to ISE?

Here's my setup:

ISE Ver 2.4 Patch 8

AnyConnect version 4.6.4056

Compliance module 4.3.557.4352

8 Replies

Jason Kunst (Cisco Employee)

More of an AnyConnect forum question.

https://www.cisco.com/c/en/us/td/docs/security/ise/anyconnect_support_chart/Cisco_AnyConnect_ISE_Posture_Mac_Support_Charts_for_Compliance_Module_4_3_557_4352.html#ISE_DE_Mac.xml

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect47/administration/guide/b_AnyConnect_Administrator_Guide_4-7/configure-posture.html#id_24158

I got the answers from the links: Check for Disk Encryption (Yes) and USB stick detection (No) for Apple Macs.

USB stick detection support was implicit: "When a USB mass storage device is attached to a Windows endpoint, a posture client is able to detect it."


Hi Jason,

Thank you for the quick reply. I think I need to add more info to my question.

Currently we are posturing endpoints with disk encryption before they are compliant and allowed full access to the network. The issue is that when a Mac OS X machine is encrypted with FileVault (ISE posture requirement for Mac OS X: check encryption) we allow it on the network, but when the user connects an external, non-encrypted USB drive, I am expecting AnyConnect's re-assessment to detect the drive and make the endpoint non-compliant. This is not triggering. I guess my question is: one, is this something that I can write a policy for in ISE, or two, can AC detect an unencrypted drive and report to ISE, which then marks the endpoint as non-compliant? Thanks for your time.

We are pretty sure the answer is no. AnyConnect can sense a USB drive connection but not its encrypted state, and it is not likely you can write a rule on it; if there were one, it would be included in the feature. @Nidhi is also double-checking.
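Jason's point above is that the posture module can see a USB drive was attached but not whether it is encrypted. For a compensating check outside ISE (run by an MDM or launchd job on the Mac itself), here is an added example that is not Cisco's, ISE's or AnyConnect's code. It classifies volumes from the text that `diskutil info` prints, and it assumes the `Device Location:` and `Encrypted:` fields of recent macOS builds plus the column layout of `diskutil list external physical`; both are assumptions to confirm on your own build. The sample reports are constructed.

```shell
#!/bin/sh
# Added example, not Cisco/ISE/AnyConnect code: classify macOS volumes as
# internal / external-encrypted / external-unencrypted from the text that
# `diskutil info <device>` prints. Assumes (not verified here) the
# "Device Location:" and "Encrypted:" lines of recent macOS builds.

# Constructed sample reports, trimmed to the fields the parser reads.
SAMPLE_FILEVAULT='   Device Identifier:         disk1s1
   Volume Name:               Macintosh HD
   Device Location:           Internal
   FileVault:                 Yes
   Encrypted:                 Yes'

SAMPLE_USB_PLAIN='   Device Identifier:         disk2s1
   Volume Name:               BACKUP
   Device Location:           External
   Removable Media:           Removable
   Encrypted:                 No'

SAMPLE_USB_ENC='   Device Identifier:         disk3s1
   Volume Name:               VAULT
   Device Location:           External
   Encrypted:                 Yes'

# Read one diskutil info report on stdin; print exactly one word:
# internal, external-encrypted, external-unencrypted or unknown.
classify_volume() {
    report=$(cat)
    location=$(printf '%s\n' "$report" |
        awk -F': *' '/^ *Device Location:/ { sub(/ +$/, "", $2); print $2; exit }')
    encrypted=$(printf '%s\n' "$report" |
        awk -F': *' '/^ *Encrypted:/ { sub(/ +$/, "", $2); print $2; exit }')
    case "$location" in
        Internal) echo internal ;;
        External)
            case "$encrypted" in
                Yes) echo external-encrypted ;;
                No)  echo external-unencrypted ;;
                *)   echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Live check for a real Mac: walk every partition that diskutil lists as
# external and physical, print its classification, and exit non-zero if
# any external volume is unencrypted (so an MDM or launchd job can flag it).
# The `diskutil list` column layout is an assumption; check it on your build.
check_external_volumes() {
    status=0
    for dev in $(diskutil list external physical |
                 awk '/^ +[0-9]+:/ && $NF ~ /^disk/ { print $NF }'); do
        result=$(diskutil info "$dev" | classify_volume)
        echo "$dev: $result"
        [ "$result" = "external-unencrypted" ] && status=1
    done
    return $status
}

# Demonstrate the parser on the constructed samples, then run the live
# check only where diskutil exists (i.e. on macOS).
printf '%s\n' "$SAMPLE_FILEVAULT" | classify_volume   # internal
printf '%s\n' "$SAMPLE_USB_PLAIN" | classify_volume   # external-unencrypted
printf '%s\n' "$SAMPLE_USB_ENC"   | classify_volume   # external-encrypted
if command -v diskutil >/dev/null 2>&1; then
    check_external_volumes
fi
```

The parser returns `unknown` rather than guessing when either field is missing, so a changed diskutil format fails loudly instead of silently reporting a drive as encrypted; a non-zero exit from `check_external_volumes` is what the management job would act on.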

Hi Jason,

Thank you again for your reply. Currently we are using the ClearPass/OnGuard client. ClearPass is also using OPSWAT, and they can detect/report USB drive encryption during posture. Can you clarify if the enhancement feature request is in ISE or AnyConnect? Thanks.

As Jason mentioned, a condition check for disk encryption on USB drives cannot be performed.

This feature request should be on both AnyConnect and ISE: on AnyConnect to support this check, and on ISE to be able to configure a nested condition like this.

Thanks,

Nidhi

Thanks Nidhi. Externally, for feature requests, reach out to http://cs.co/ise-feedback; internally, http://cs.co/ise-pm.

We don't discuss futures in a public forum; please reach out to our product managers for features.

Thank you both for your time!
