Filter out devices without AnyConnect or NAC Agent

ozgguler
Cisco Employee

Hi All,

My customer wants to filter out devices which don't have AnyConnect or NAC Agent on them. If AC/Agent is installed, it should communicate with AD for domain logon. Otherwise the device should not be able to access any resource.

To sum up, the customer doesn't want any device to communicate with Active Directory, even for logon, if it doesn't have AC or NAC Agent.

How can we deal with this request?

Thanks

Accepted Solution

Timothy Abbott
Cisco Employee
Hi,

This is a chicken-and-egg scenario. While we can certainly prevent the endpoint from communicating with AD through enforcement such as group-based policy or ACL, the user needs to be able to communicate with AD to validate credentials. What's more, AC doesn't run until after the user logs into the desktop. One way to potentially solve this is the EAP method. Certificate-based authentication would allow the end user to get to the desktop, where AC could then run. If the user gets to the desktop and AC doesn't run or isn't installed, then the endpoint would be left with group-based policy or ACL in place until AC was provisioned.

Regards,
-Tim

3 Replies


ozgguler
Cisco Employee

Thanks Tim,

Do you mean EAP Chaining with AC? Or direct cert auth with limited access?

I was thinking EAP-TLS with limited access until posture was performed. Then CoA would provide full access.

Regards,
-Tim
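As an added illustration of the "limited access until posture, then CoA" design discussed in this thread (not code from the thread or from Cisco), here is what the pre-posture downloadable ACL for EAP-TLS-authenticated endpoints could look like in Cisco IOS ACL syntax. It follows Tim's point that the domain controller must stay reachable for logon; the DC (10.0.0.10), DNS server (10.0.0.53) and ISE PSN (10.0.0.20) addresses are constructed placeholders.

```ios
! Added example, not part of this thread. Pre-posture dACL applied to an
! endpoint that passed EAP-TLS but has no posture result yet. A compliant
! posture result from AnyConnect triggers CoA and replaces it with full access.
ip access-list extended PRE-POSTURE-AD-LOGON
 remark Infrastructure the endpoint needs to reach the desktop and the domain
 permit udp any any eq bootps
 permit udp any host 10.0.0.53 eq domain
 permit udp any host 10.0.0.10 eq ntp
 remark Domain logon against the DC: Kerberos, LDAP, SMB, RPC endpoint mapper
 permit tcp any host 10.0.0.10 eq 88
 permit udp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 389
 permit udp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 445
 permit tcp any host 10.0.0.10 eq 135
 permit tcp any host 10.0.0.10 range 49152 65535
 remark Posture assessment and AnyConnect provisioning against the ISE PSN
 permit tcp any host 10.0.0.20 eq 8443
 permit tcp any host 10.0.0.20 eq 8905
 permit udp any host 10.0.0.20 eq 8905
 remark Everything else is blocked until posture is compliant
 deny ip any any
```

An endpoint without AnyConnect never produces a compliant posture result, so it stays confined to the DC and PSN reachability above rather than gaining access to other resources.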