Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
818
Views
1
Helpful
6
Replies

ISE posture with AnyConnect

Go to solution
rkazmierczak
Level 1
Level 1

‎02-20-2018 12:47 AM

Hi,

We're implementing ISE posture with AnyConnect VPN. In the uknown state dACL we had to allow quite a few ports to our domain controllers to get Microsoft NLA (network location awareness) to work, which makes it a bit less secure. Still very secure as the users need to authenticate with 2FA together with machine certificate, but we were wondering if there is any way to disconnect/deauthenticate the client if they fail to pass the posture or if they don't have a posture module installed, after a certain time, say 5 minutes.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to rkazmierczak

‎02-20-2018 08:51 PM

You can disconnect an endpoint from the Live sessions page by triggering a CoA action to terminate.

Thanks,

Nidhi

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Nidhi
Cisco Employee
Cisco Employee

‎02-20-2018 02:29 AM

From ISE, what you can do is, if the client is non-compliant, you can put the endpoint in a restricted VLAN for limited access until all the posture conditions are met .

You can trigger an automatic remediation on these endpoints or display a message on the endpoint to fulfill the conditions.

Hope this helps.

Thanks,

Nidhi

0 Helpful

Go to solution
rkazmierczak
Level 1
Level 1
In response to Nidhi

‎02-20-2018 03:06 AM

Hi Nidhi

The thing is that wether we're using dACL or change VLAN, we would still need to allow them enough access for the NLA to work. We were wondering if it would be possible to disconnect users for example who do not have the posture module installed. For example a hacker could somehow manage to get hold of the 2FA credentials and at the very least we would like to disconnect them and be alerted about it. For example if a user remains in the uknown state for longer than 5 minutes.

Certainly the interaction of Microsoft NLA and posture is interesting. In a nutshell, unless NLA works, the client thinks they are on a public network and for example all inbound traffic is blocked. Then they go through all the posture but NLA still says they are on the public network because NLA state only changes when the interface is bounced.

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to rkazmierczak

‎02-20-2018 08:51 PM

You can disconnect an endpoint from the Live sessions page by triggering a CoA action to terminate.

Thanks,

Nidhi

0 Helpful

Go to solution
rkazmierczak
Level 1
Level 1
In response to Nidhi

‎02-20-2018 11:07 PM

that's a good idea. Also we are thinking of setting some log correlation in the SIEM so that we can detect anyone in the uknown state for too long and if that happens.

Thanks,

Rafal

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to rkazmierczak

‎02-21-2018 05:23 AM

You could run a periodic pull using our API to scan for unknown endpoints

And then kick them off or maybe even quarantine them

Sent from my iPhone

Go to solution
rkazmierczak
Level 1
Level 1
In response to Jason Kunst

‎02-23-2018 06:37 AM

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents