Can we do Posture without Authentication?

Hi There, 

We have a requirement to posture check workstations that have not authenticated with the ISE.

Is this possible?

The posture check and remediation elements of the workflow are sufficient for our needs. 

Why do we need this?

We have ISE authentication for Wired and Wireless users; normal posture checking and remediation works for these users (using call home to contact ISE, as we don't have/need a separate authorization profile).

The same users also use AnyConnect VPN for remote access... unfortunately the VPN headend does not authenticate against the ISE. Is there a way for these users to run the ISE posture check workflow?

 


Re: Can we do Posture without Authentication?

We have a requirement to posture check workstations that have not authenticated with the ISE.
Is this possible?
- What specific checks are you looking to accomplish for nodes that are not onboarded to the network via ISE? My question is why are some nodes onboarded via ISE and others would not be? My recommendation would be to onboard any device via ISE, which means that host-facing ports should be configured with some sort of secure mechanism (MAB/dot1x).

The same users also use AnyConnect VPN for remote access... unfortunately the VPN headend does not authenticate against the ISE. Is there a way for these users to run the ISE posture check workflow?
- AFAIK, without at least utilizing ISE for authz only, you cannot accomplish this. I currently support one customer that utilizes an RA VPN via CAC with UPN extraction and authorization only via ISE/AD, which grants the ability to perform posture checks. In this scenario you would only rely on ISE to perform authorization/posture checks.