631 Views, 0 Helpful, 1 Replies

How to block wired Windows PC with no Cisco NAC Agent

pennyyeung
Level 1

Hi,

The normal behavior is that a PC is redirected to install the Cisco NAC Agent when no NAC Agent is detected on it.

But my customer wants to block all PCs with no NAC Agent and no user interaction, as the Cisco NAC Agent will be deployed by the IT department.

I found the instruction below to put a PC without the NAC Agent into the non-compliant state.

I tried it, but the PC is still stuck in the Pre-Compliant state and does not go to the non-compliant state.


Also, does anyone have an idea how to control Windows PCs without the NAC Agent by another method, without disabling the client provisioning rule?

I want to control Windows PCs without the NAC Agent (block all access or limited access) and keep the client provisioning rule.

Thanks!


************************************


Default Posture Status

Here, you can configure the posture status of endpoints to compliant, or noncompliant for endpoints that run on Linux, iDevices like iPad, iPod (non-agent devices). The same settings also apply to endpoints that run on Windows and Macintosh operating systems when there is no client provisioning policy match found during posture run-time.

https://supportforums.cisco.com/discussion/12055746/it-possible-run-posture-using-ise-12-without-nac-agent-provisioning

I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
The answer is Yes.

After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.

ISE configuration:
Posture General Settings - Default Posture Status = NonCompliant
Client Provisioning Policy - no rules defined
Posture Policy - configured per requirements
Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
Authorization Policies configured as regular posture policies

The result:
After successful dot1x authentication, posture redirect happens. If the PC does not have the NAC Agent preinstalled, the browser is redirected to the Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply an access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and the proper authorization policy is applied. This is what I wanted to achieve.

If the NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs the posture check. If posture is successful, the posture compliant authorization policy is applied. If the posture check fails, NonCompliant posture status is assigned and the posture non-compliant authorization policy is applied, which is the expected and needed result.

The only part that is not perfect is the message displayed to the end user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case, so this file can be manually found and edited from the CLI (root access).


1 Reply

hslai
Cisco Employee

There might be two potential solutions:

  1. Use some JavaScript to alter the presentation of the ISE client provisioning portal.
  2. Restrict the redirect ACL: Cisco wired IOS switches use one ACL for URL redirect and another for the port ACL, to which the DACL is prepended. Thus, it's possible to have fewer sites trigger the URL redirect. The fewer sites could be:
    1. enroll.cisco.com
    2. DiscoveryHost
    3. PSNs
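
A sketch of the second option (a narrowed redirect ACL on a Cisco IOS access switch), added here as an illustration; it is not part of hslai's reply or any Cisco example, and every IP address, ACL name and interface in it is a hypothetical placeholder. On IOS, `permit` entries in the redirect ACL are the flows that get URL-redirected to the ISE portal, while `deny` entries are left to the port ACL and DACL. Permitting only the NAC Agent discovery targets (enroll.cisco.com, the DiscoveryHost and the PSNs on HTTP) means a PC with no agent never sees a browser redirect; its access is then governed solely by the port ACL/DACL that the NonCompliant authorization profile pushes.

```ios
! --- Redirect ACL (referenced from the ISE authorization profile via
!     cisco-av-pair = url-redirect-acl=ACL-REDIRECT-DISCOVERY) ---
! Hypothetical addresses: 198.51.100.20 = enroll.cisco.com,
! 192.0.2.50 = DiscoveryHost, 192.0.2.10 / 192.0.2.11 = ISE PSNs
ip access-list extended ACL-REDIRECT-DISCOVERY
 remark Only NAC Agent discovery probes (HTTP) trigger the URL redirect
 permit tcp any host 198.51.100.20 eq www
 permit tcp any host 192.0.2.50 eq www
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.11 eq www
 remark Everything else is NOT redirected; the port ACL / DACL decides
 deny   ip any any

! --- Port ACL for the restricted (no agent / NonCompliant) state ---
! Lets the endpoint reach DHCP, DNS and the PSNs (agent posture uses
! TCP 8905/8443), and blocks all other traffic. The DACL that ISE
! pushes for the NonCompliant profile is prepended to this list.
ip access-list extended ACL-PORT-NONCOMPLIANT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any host 192.0.2.10 eq 8905
 permit tcp any host 192.0.2.10 eq 8443
 permit tcp any host 192.0.2.11 eq 8905
 permit tcp any host 192.0.2.11 eq 8443
 deny   ip any any

! --- Apply the port ACL on the access port ---
interface GigabitEthernet1/0/1
 ip access-group ACL-PORT-NONCOMPLIANT in
```

To check the result on the switch, `show authentication sessions interface GigabitEthernet1/0/1 details` shows which redirect ACL and DACL are active on the session; a PC without the agent should show the redirect ACL but never land on the portal, and its web traffic should be dropped by the port ACL rather than redirected.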