Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1148
Views
0
Helpful
4
Replies

Cisco ISE inline posture node Posture assessment query

marioderosa2008
Level 1
Level 1

‎04-25-2013 07:32 AM - edited ‎03-10-2019 08:21 PM

Hi all,

i read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...

"In a deployment, such as outlined in the example, when more endpoints connect to the wireless network

they are likely to fall into one of the identity groups that already have authenticated and authorized users

connected to the network.

For instance, there may be an employee, executive, and guest that have been granted access through the

outlined steps. This situation means that the respective restrictive or full-access profiles for those ID

groups have already been installed on the Inline Posture node. The subsequent endpoint authentication

and authorization uses the existing installed profiles on the Inline Posture node, unless the original

profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile

with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."

                  

Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?

I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.

Thanks!

Mario

Labels:
0 Helpful
4 Replies 4

Ryan Wolfe
Level 5
Level 5

‎04-25-2013 05:20 PM

I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and a endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and an URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).

After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.

So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint is goes through reauth via CoA.

If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.

https://communities.cisco.com/docs/DOC-30977

HTH,

Ryan

0 Helpful

marioderosa2008
Level 1
Level 1
In response to Ryan Wolfe

‎05-01-2013 03:51 AM

Hi Ryan,

i do not have access to that document.. can you share?

thanks


Mario

0 Helpful

harvisin
Level 3
Level 3

‎04-30-2013 06:52 PM

Hello,

I just went through your query and for the same I have a link to share which would help you in solving your query.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html

0 Helpful

marioderosa2008
Level 1
Level 1
In response to harvisin

‎05-01-2013 03:50 AM

Thanks Harvinder,

yes I have been using this document to design my iPEP proposal... thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents