01-19-2018 09:14 AM
Hello!
Will AnyConnect ISE posture work with SBL, i.e will posture check work before the user has logged on? If not, what alternatives would be available?
01-19-2018 09:24 AM
Posture check works after user logon to device, we allow for user to log on then CoA based on posture assessment
01-19-2018 10:18 AM
No it requires the user space
What is your problem use case?
01-19-2018 12:28 PM
In this case, the main (actually the only) reason to use SBL is to allow users to log on to the domain for the first time from a new laptop, without the cached credentials. The customer also uses folder redirection, which must work during this first logon. But because the system scan does not run, the posture is unknown and they get a restrictive ACL, which prevents folder redirection from working. We can't make the Non-compliant/unknown dACL more permissive to allow folder redirection, as that would mean allowing access to file servers (where the folders reside). Ideally, we would check for things like registry keys, files, AV, and disk encryption before giving them a more permissive dACL.
01-19-2018 12:45 PM
You also have to take into consideration the mobile workforce's password expiration if it applies, so SBL comes in handy without requiring them to come into the office to change the password or by some other means. However, you also have to allow certain access for drive mapping / GPO (as was in our case), or it takes forever for all the policies to fail before the user gets authenticated and then re-exec of GPO.
01-19-2018 01:28 PM
Actually, the states/levels of trust could be a good idea. The new laptops must have a machine cert and have a posture module installed as part of the build, so if the user is unknown it can only mean that the system scan did not run initially, most likely because of the SBL.
We could try to restrict it further by creating an AD group for the "new laptop users" so that only these users can have a less restrictive dACL with unknown posture, if necessary.
This would prevent a user from moving the machine cert to a different non-corp laptop and trying to log in from it.
What do you think?
01-19-2018 01:32 PM
Sounds good to me. I think if you have the problem of a user moving a certificate you have other issues to be concerned with
01-19-2018 01:39 PM
It is a "high security" environment, so they will be considering this; that's why they needed to check for other things like registry keys and disk encryption.
But thanks for your help. Much appreciated. I'll let you know if the security guys accepted this solution
01-19-2018 12:52 PM
OK understood. Unfortunately not possible since we only run in user space and that’s where all of the other systems run as well I believe.
You can ask for an enhancement by reaching out to our product managers
You could have machine auth have some basic sort of trust, this would help some?
State 1 Machine auth + unknown
State 2 user auth + unknown
State 3 user auth + non-compliant (most restrictive?)
State 4 user auth + compliant