02-01-2017 11:25 AM
Situation: User logs off the system, terminating the session with ISE. How can an administrator still get to the device for Windows updates, etc., or log in to the system to troubleshoot? VNC is installed on the endpoints, but we cannot even RDP to the endpoint.
ISE version 2.1 patch 1 and 2, AnyConnect version 4.3 with NAM and ISE Posture; DART is also installed.
02-01-2017 09:34 PM
Jeffrey,
I have already responded to your question in another post here: Re: ISE 1.4 API remove stale sessions
You can use Low Impact Mode or return a default MAB-based policy that grants required access.
Craig
02-02-2017 10:23 AM
This is a good question. I think that if you have implemented machine authentication (AD Domain Joined Machines), you should be able to do this.
I have an Authorization Compound Condition (Policy > Policy Elements > Conditions > Authorization > Compound Conditions) set up like this:
Which is used in my Wired Access Policy Set (Policy > Policy Sets)
The permissions (AD-ONLY) given are set at Policy > Policy Elements > Results > Authorization Profiles. Of course, you'll need a DACL for this, too (Policy > Policy Elements > Results > Downloadable ACLs).
And that should give you the access you desire.
02-02-2017 01:51 PM
This works great on Cisco switches, but not on HP ProCurve, which this customer has. Can't do dACL.
02-02-2017 01:55 PM
Then reference the ACL on the switch:
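The screenshot for this reply is not in the thread, so here is an added illustration of the same approach (referencing a locally defined ACL instead of pushing a dACL) written for Cisco IOS, where the syntax is well known; it is not the poster's configuration, and the ProCurve equivalent uses its own RADIUS-assigned ACL syntax. The ACL name AD-ONLY, the server addresses and the VLAN are placeholders.

```text
! ---- ISE side (GUI, not CLI) ----
! Authorization Profile "AD-ONLY" (Policy > Policy Elements > Results > Authorization Profiles):
!   leave the DACL field empty and instead set, under Advanced Attributes Settings,
!   Radius:Filter-Id = AD-ONLY.in
! The ".in" suffix tells a Cisco IOS switch to apply the locally defined ACL inbound on the port.
! Bind this profile to the rule that matches machine-authenticated (AD domain joined) hosts
! with no user session, as described in the earlier reply.

! ---- Switch side (Cisco IOS, constructed example) ----
! Local ACL that the Filter-Id value refers to. Addresses are placeholders:
!   10.0.0.10 = AD domain controller / DNS, 10.0.0.20 = WSUS, 10.0.0.30 = admin jump host.
ip access-list extended AD-ONLY
 remark machine-auth only: enough access to stay domain-joined, patch, and be reached by admins
 permit udp any host 10.0.0.10 eq domain
 permit tcp any host 10.0.0.10 eq 88
 permit udp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 445
 permit tcp any host 10.0.0.20 eq 8530
 remark inbound RDP/VNC to the host comes from the admin jump host; this ACL is applied
 remark inbound on the access port, so permit the return traffic the host sends back to it
 permit tcp any host 10.0.0.30 established
 deny   ip any any

! RADIUS-assigned ACLs require network authorization from the RADIUS server (ISE)
aaa authorization network default group radius
```

A quick check after the user logs off: `show authentication sessions interface <port> details` on the switch should show the machine session with "AD-ONLY" as the applied ACL, and a second successful 802.1X user login should replace it with the full-access profile.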