Can we do Posture without Authentication?
05-19-2020 02:02 AM
Hi There,
We have a requirement to posture check workstations that have not authenticated with the ISE.
Is this possible?
The posture check and remediation elements of the workflow are sufficient for our needs.
Why do we need this?
We have ISE authentication for Wired and Wireless users; normal posture checking and remediation works for these users (using call home to contact ISE as we don't have/need a separate authorization profile).
The same users also use AnyConnect VPN for remote access... unfortunately the VPN headend does not authenticate against the ISE. Is there a way for these users to run the ISE posture check workflow?
Labels: Compliance and Posture
05-23-2020 11:11 AM
Is this possible?
- What specific checks are you looking to accomplish for nodes that are not onboarded to the network via ISE? My question is why are some nodes onboarded via ISE and others would not be? My recommendation would be to onboard any device via ISE, which means that host-facing ports should be configured with some sort of secure mechanism (MAB/dot1x).
The same users also use AnyConnect VPN for remote access... unfortunately the VPN headend does not authenticate against the ISE. Is there a way for these users to run the ISE posture check workflow?
- AFAIK without at least utilizing ISE for authz only you cannot accomplish this. I currently support one customer that utilizes an RA VPN via CAC with UPN extraction and authorization only via ISE/AD, which grants the ability to perform posture checks. In this scenario you would only rely on ISE to perform authorization/posture checks.
