How to eliminate the risk when the non-compliant computer access the AD?

jason chu
Level 1

Dear All,

Background: It is a wired dot1x deployment with machine authentication and posture assessment. My customer has a requirement: network access for computers (domain and non-domain) should be restricted before authentication and posture assessment.


I would like to use a static port ACL to restrict network access before authentication and posture assessment complete. Once the computer passes the authentication and posture assessment, the switch will download the dACL to the port, so that the user can access the production network.

Questions: Since the user logs in to the computer (with no cached Windows account) using an AD account, the static port ACL should allow the traffic between the computer and AD. Hence, when the computer does not pass the compliance check, it can still access AD. How do we eliminate the risk when a non-compliant computer accesses AD?

Best regards,

Jason Chu

Accepted Solution

paul
Level 10

Having gone down this road many times, you need to reset your customer's expectations and clearly explain to them how posturing actually works. Authentication and posturing are separate activities. Posture happens very late, after the login process has completed. If you start restricting access, you are going to break pre-login access, login access, login scripts, drive mappings, etc. If you start putting together the ACL to allow this stuff to work, you will be just short of "permit ip any any".

You posture devices that have authenticated, so you know at some level these are trusted devices, which takes the risk down a bit. My philosophy is that in the unknown state the restrictions need to be noticeable but not detrimental. I usually block Internet access in the unknown state but allow full internal access. Again, these devices have successfully authenticated.

If the device proves to not be compliant then you can slam the door shut.

My 2 cents.

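To make the accepted solution concrete, here is an added example of what the "noticeable but not detrimental" approach looks like on ISE and the switch. This is illustrative config written for this page, not config from the thread or from Cisco documentation: the internal range 10.0.0.0/8, the ISE PSN at 10.10.10.10, the remediation server at 10.20.30.40, the dACL names and the interface are all assumptions. ISE dACLs are entered as bare ACE lines (no "ip access-list" header); the switch builds the per-session ACL when ISE pushes the dACL in the RADIUS Access-Accept.

```cisco
! ===== ISE side: three dACLs, selected by authorization policy =====
! Authorization rules (ISE policy, shown here as comments):
!   Session:PostureStatus EQUALS Unknown      -> dACL POSTURE-UNKNOWN
!   Session:PostureStatus EQUALS NonCompliant -> dACL POSTURE-NONCOMPLIANT
!   Session:PostureStatus EQUALS Compliant    -> dACL POSTURE-COMPLIANT

! dACL POSTURE-UNKNOWN: device has authenticated (802.1X machine or user
! auth passed) but posture has not been reported yet. Internal access stays
! open so pre-login, domain login, login scripts and drive mappings work;
! only Internet is blocked. (Assumption: 10.0.0.0/8 is "internal".)
permit udp any any eq bootpc bootps
permit ip any host 10.10.10.10
permit ip any 10.0.0.0 0.255.255.255
deny ip any any

! dACL POSTURE-NONCOMPLIANT: posture was reported and failed. Now the door
! is shut: only DHCP, DNS, ISE (so the agent can re-posture) and the
! remediation server (assumed address) are reachable.
permit udp any any eq bootpc bootps
permit udp any any eq domain
permit ip any host 10.10.10.10
permit ip any host 10.20.30.40
deny ip any any

! dACL POSTURE-COMPLIANT: full production access.
permit ip any any

! ===== Switch side (IOS): 802.1X with dACL support =====
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what lets the switch accept the dACL from ISE
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key <shared-secret>
! dACLs are applied per host IP; the switch needs IP device tracking to
! learn the client address before it can apply the downloaded ACL
ip device tracking
dot1x system-auth-control

! Static pre-auth port ACL: applied before any session exists. Per the
! accepted answer it is kept as permissive as the Unknown-state dACL, so
! machine auth and AD login are not broken before posture runs.
ip access-list extended PRE-AUTH
 remark DHCP, ISE and internal access before a session is authorized
 permit udp any any eq bootpc bootps
 permit ip any host 10.10.10.10
 permit ip any 10.0.0.0 0.255.255.255
 deny ip any any

interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 ip access-group PRE-AUTH in

! Verification: per-session state and which dACL is currently applied.
! The "ACS ACL" line in the output names the downloaded dACL
! (xACSACLx-IP-POSTURE-UNKNOWN-..., then -NONCOMPLIANT or -COMPLIANT after
! ISE issues the CoA that follows the posture result).
! show access-session interface GigabitEthernet1/0/1 details
```

The point the config makes is the sequencing: the restrictive ACL is not the pre-authentication port ACL but the dACL that ISE swaps in by Change of Authorization after the posture agent reports NonCompliant. Until that report arrives, the session sits in the Unknown state with internal (including AD) access, which is exactly the window the original question worries about and which, as the accepted answer explains, cannot be closed without breaking domain login.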

3 Replies

ognyan.totev
Level 5

Switch config:

ip access-list extended NAME
 remark DHCP
 permit udp any any eq bootpc bootps
 remark ISE host IP address
 permit ip any host 10.10.10.10

I think this may be enough to restrict access.

That ACL will break all sorts of things. Would definitely not go that route. Again you need to allow prelogin, login, login scripts, etc. to run before posture status is reported.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

