11-24-2014 06:51 PM - edited 03-10-2019 10:12 PM
Hello all,
The basic idea of what I am wanting to do is control access to networks based on computers having up-to-date antivirus installed. If the computer does not, it is denied access or put off for remediation. I am in a Windows AD environment with two RADIUS servers at a central location. Each one of my remote sites has a Cisco 2901, 2911, or 2951 router, licensed with ipbase, securityk9, datak9, and uck9, as the edge device. I would like to somehow use the Cisco routers to use NAC to evaluate the computers and make the decision for network access. I only use 1 brand of AV software so the setup should hopefully be simple. Can someone give me some pointers on the best way to do this using NAC, RADIUS, NPS, or some combination? I am not opposed to buying a Cisco device to put at my headquarters for this function. I would really like to not buy a device for all of my locations.
Thanks in Advance,
David
11-24-2014 08:01 PM
Hi David, it sounds like you are trying to perform "Posture Assessment". The legacy Cisco product that can do this is Cisco NAC. The newer and definitely recommended solution/product would be Cisco ISE. With ISE you can accomplish everything that you have listed above. You need to make sure that you are running on supported hardware/software:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
The most important feature that you will need is CoA (Change of Authorization). This feature will allow you to place the ISE nodes centrally and not have to run them inline.
For more information on ISE check out its main page and/or contact your local Cisco partner:
http://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
Hope this helps!
Thank you for rating helpful posts!
12-19-2014 06:02 AM
Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html