06-14-2021 06:14 AM
Hello,
Our customer wants to block connecting USB devices to their laptops using ISE. I know that there is a USB condition that we can use in posture policy. If I use that option, suppose a laptop connects to the network without a USB mass storage device; then the machine will be compliant and will get access. Now the user connects a USB to the machine in the compliant state, what will be the action? Will AnyConnect re-run the posture and block the USB or will the USB be allowed?
Thanks
06-14-2021 06:24 AM
Now the user connects a USB to the machine in the compliant state, what will be the action?
-I have not specifically tested this scenario, but I would strongly suggest doing so prior to mass deployment. My guess (based on how the module works; explained below) would be that the device would still remain compliant after passing the check.
Will AnyConnect re-run the posture and block the USB or will the USB be allowed?
-The ISE Posture module will reach out, which will re-trigger posturing after a DFG change or manual interaction via the 'Scan Again' button. See here to understand how probing works: AnyConnect ISE posture module discovery host and call home list – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)
HTH!
06-14-2021 04:52 PM
We use MS AD to enforce this.