Showing results for 
Search instead for 
Did you mean: 

AnyConnect ISE posture with SBL



Will AnyConnect ISE posture work with SBL, i.e will posture check work before the user has logged on? If not, what alternatives would be available?

1 Accepted Solution

Accepted Solutions


Posture check works after user logon to device, we allow for user to log on then CoA based on posture assessment

View solution in original post

8 Replies 8


Posture check works after user logon to device, we allow for user to log on then CoA based on posture assessment

Jason Kunst
Cisco Employee
Cisco Employee

No it requires the user space

What is your problem use case?

in this case, the main (actually the only) reason to use SBL is to allow users to log on to the domain first time from a new laptop, without the cached credentials. the customer also uses folder redirection which must work during this first logon. But because the system scan does not run, the posture is uknown and they get restrictive ACL, which prevents folder redirection from working. We can't make the Non-compliant/uknown dACL more permissive to allow foder redirection as that would mean allowing access to file servers (where the folders reside). Ideally, we would check for things like registry kyes, files, AV, disc encryption before giving them more permissive dACL.

You also have to take into consideration of Mobile work force's password expiration if it applies, so SBL comes in handy without requiring them to come into the office to change the password or by some other means. However you also have to allow certain access for Drive mapping / gpo ( as was in our case ) or it takes forever for all the polices to fail before user gets authenticated and then re-exec of gpo.

Actually, the states/ levels of trust could be a good idea. The new laptops must have machine cert and have a posture module installed as part of the build so if the user is uknown it can only mean that the system scan did not run initially, most likely because of the SBL.
We could try to restrict it futher but creating an AD group for the "new laptop users" so that only these users can can have a less restrictive dACL with uknown posture, if necessary.

This would prevent a user from moving the machine cert to a diffrent non-corp laptop and trying to log in from it.

What do you think?

Sounds good to me. I think if you have the problem of a user moving a certificate you have other issues to be concerned with

it is a "high security" environment so they will be considering this, that's why they needed to check for other things like registry keys and disc encryption.

But thanks for your help. Much appreciated. I'll let you know if the security guys accepted this solution

OK understood. Unfortunately not possible since we only run in user space and that’s where all of the other systems run as well I believe.

You can ask for an enhancement by reaching out to our product managers

You could have machine auth have some basic sort of trust, this would help some?

State 1 Machine auth + unknown

State 2 user auth + unknown

State 3 user auth + non-compliant (most restrictive?)

State 4 user auth + compliant

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers