05-03-2019 10:54 AM
Hi,
I am trying to posture drive encryption on MAC OS X. ISE and AnyConnect are able to identify that the main volume is encrypted with FileVault, BUT once I plug in an external HDD, AnyConnect is unable to detect the secondary drive. Shouldn't AC be able to pick this up and report back to ISE?
Here's my setup
ISE Ver 2.4 Patch 8
AnyConnect version 4.6.4056
Compliance module 4.3.557.4352
05-03-2019 12:31 PM
Hi Jason,
Thank you for the quick reply. I think I need to add more info to my question.
Currently we are posturing endpoints with disk encryption before they are compliant and allowed full access to the network. The issue is that when a MAC OSX is encrypted with FileVault (ISE posture requirement for MACOSX: check encryption) we allow it onto the network, but when the user connects an external, non-encrypted USB drive, I am expecting AnyConnect to detect the drive during re-assessment and make the endpoint non-compliant. This is not triggering. I guess my question is: one, is this something that I can write a policy for in ISE, or two, does AC detect an un-encrypted drive and report to ISE, which then marks the endpoint as non-compliant? Thanks for your time.
05-08-2019 06:54 AM
We are pretty sure the answer is no. AnyConnect can sense a USB drive connection but not its encrypted state, and is not likely to write a rule on it; if there was one, it would be included in the feature. @Nidhi is also double checking.
05-09-2019 10:03 AM
Hi Jason,
Thank you again for your reply. Currently we are using Clearpass/Onguard client. Clearpass is also using OPSWAT and they can detect/report USB drive encryption during posture. Can you clarify if the enhancement feature request is in ISE or AnyConnect? Thanks.
05-09-2019 10:08 AM
As Jason mentioned, a condition check for disk encryption on USB drives cannot be performed.
This feature request should be on both AnyConnect as well as ISE: on AnyConnect to support this check, and on ISE to be able to configure a nested condition like this.
Thanks,
Nidhi
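Since neither ISE nor AnyConnect can evaluate the encryption state of an external volume, the following is an added example (not Cisco, OPSWAT or ClearPass code, and not something the thread describes) of how a defender could audit this locally on a Mac: it classifies a volume from the text that `diskutil info <volume>` prints and flags external volumes that report neither `Encrypted: Yes` nor `FileVault: Yes`. The field names `Device Location`, `Encrypted` and `FileVault` are assumed from typical diskutil output and should be confirmed against your own macOS build; the sample diskutil text below is constructed so the classifier can be exercised anywhere.

```shell
#!/bin/sh
# Added example: local audit of external-volume encryption on macOS.
# Not ISE/AnyConnect functionality; the diskutil field names are assumptions.

# dk_field "<diskutil info output>" "<field name>"
# Prints the value after "Field Name:" with surrounding whitespace trimmed.
dk_field() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '
        $1 ~ "^[[:space:]]*" key "[[:space:]]*$" {
            sub(/^[[:space:]]+/, "", $2)
            sub(/[[:space:]]+$/, "", $2)
            print $2
            exit
        }'
}

# classify_volume "<diskutil info output>"
# Prints one of: EXTERNAL_UNENCRYPTED, EXTERNAL_ENCRYPTED, INTERNAL, UNKNOWN
classify_volume() {
    info="$1"
    location=$(dk_field "$info" "Device Location")
    encrypted=$(dk_field "$info" "Encrypted")
    filevault=$(dk_field "$info" "FileVault")

    case "$location" in
        External) ;;
        Internal) echo INTERNAL; return 0 ;;
        *)        echo UNKNOWN;  return 0 ;;
    esac

    # APFS volumes report "Encrypted: Yes"; FileVault volumes report
    # "FileVault: Yes (Unlocked)" or similar, so only the first word is compared.
    if [ "$encrypted" = "Yes" ] || [ "${filevault%% *}" = "Yes" ]; then
        echo EXTERNAL_ENCRYPTED
    else
        echo EXTERNAL_UNENCRYPTED
    fi
}

# audit_mounted_volumes
# On macOS, runs diskutil for every mounted volume and prints its classification;
# elsewhere it is a no-op so the classifier can still be run on sample text.
audit_mounted_volumes() {
    command -v diskutil >/dev/null 2>&1 || { echo "diskutil not found (not macOS)"; return 0; }
    for vol in /Volumes/*; do
        [ -d "$vol" ] || continue
        result=$(classify_volume "$(diskutil info "$vol" 2>/dev/null)")
        printf '%s\t%s\n' "$result" "$vol"
    done
}

# Constructed sample diskutil output (not captured from a real machine).
SAMPLE_EXTERNAL_PLAIN='   Device Identifier:         disk4s1
   Volume Name:               USBSTICK
   Mounted:                   Yes
   Device Location:           External
   Removable Media:           Removable
   Encrypted:                 No
   FileVault:                 No'

SAMPLE_EXTERNAL_FV='   Device Identifier:         disk5s1
   Volume Name:               BACKUP
   Device Location:           External
   Removable Media:           Removable
   Encrypted:                 Yes
   FileVault:                 Yes (Unlocked)'

SAMPLE_INTERNAL='   Device Identifier:         disk1s1
   Volume Name:               Macintosh HD
   Device Location:           Internal
   Encrypted:                 Yes
   FileVault:                 Yes (Unlocked)'

# Demonstrate on the samples, then audit real volumes if diskutil exists.
printf 'sample USBSTICK: %s\n' "$(classify_volume "$SAMPLE_EXTERNAL_PLAIN")"
printf 'sample BACKUP:   %s\n' "$(classify_volume "$SAMPLE_EXTERNAL_FV")"
printf 'sample internal: %s\n' "$(classify_volume "$SAMPLE_INTERNAL")"
audit_mounted_volumes
```

Run it from a Terminal on the Mac (or via a management tool) and treat any `EXTERNAL_UNENCRYPTED` line as the condition the thread wanted ISE to catch; it only reports locally and does not change posture state, which still requires the ISE/AnyConnect enhancement Nidhi describes.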
05-09-2019 01:31 PM
Thank you both for your time!