Re: Can we do Posture without Authentication ?

ATKS · ‎05-19-2020

Hi There,

We have a requirement to posture check workstations that have not authenticated with the ISE.

Is this possible?

The posture check and remediation elements of the workflow are sufficient for our needs.

Why do we need this?

We have ISE authentication for Wired and Wireless users, normal posture checking and remediation works for these users (using call home to contact ISE as we don't have/need a separate authorization profile)

The same users also use Anyconnect VPN for remote access... unfortunately the VPN headend does not authenticate against the ISE. Is there a way for these users to run the ISE posture check workflow?

Mike.Cifelli · ‎05-23-2020

We have a requirement to posture check workstations that have not authenticated with the ISE.
Is this possible?
-What specific checks are you looking to accomplish for nodes that are not onboarded to the network via ISE? My question is why are some nodes onboarded via ISE and others would not be? My recommendation would be to onboard any device via ISE, which means that host facing ports should be configured with some sort of secure mechanism (mab/dot1x).

The same users also use Anyconnect VPN for remote access... unfortunately the VPN headend does not authenticate against the ISE. Is there a way for these users to run the ISE posture check workflow?
-AFAIK without at least utilizing ISE for authz only you cannot accomplish this. I currently support one customer that utilizes an RA VPN via CAC with UPN extraction and authorization only via ISE/AD which grants the ability to perform posture checks. In this scenario you would only rely on ISE to perform authorization/posture checks.