Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2509
Views
5
Helpful
2
Replies

Cisco ISE USB Mass Storage Block

SHABEEB KUNHIPOCKER
Level 3
Level 3

‎06-14-2021 06:14 AM

Hello,

Our customer wants to block connecting USB devices to their laptops using ISE. I know that there is a usb condition that we can use in posture policy. If I use that option, suppose a laptop connects to network without a USB mass storage device then the machine will be compliant will get access. Now the user connects a USB to the machine in the compliant state, what will be the action?. Will anyconnect re-run the posture and block the USB or the USB will be allowed?.

 

Thanks

Labels:
0 Helpful
2 Replies 2

Mike.Cifelli
VIP Alumni
VIP Alumni

‎06-14-2021 06:24 AM

Now the user connects a USB to the machine in the compliant state, what will be the action?.

-I have not specifically tested this scenario, but I would strongly suggest doing so prior to mass deployment.  My guess (based on how the module works; explained below) would be that the device would still remain compliant after passing the check.

Will anyconnect re-run the posture and block the USB or the USB will be allowed?.

-The ISE Posture module will reach out which will re-trigger posturing after a DFG change, or manual interaction via 'Scan Again' button.  See here to understand how probing works: AnyConnect ISE posture module discovery host and call home list – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

HTH! 

Leo Laohoo
Hall of Fame
Hall of Fame

‎06-14-2021 04:52 PM

We use MS AD to enforce this.

0 Helpful
Customers Also Viewed These Support Documents