Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

valrerod
Level 1

-My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).

-The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.

-No certificates are used.

-I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.

-If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.

-For now I'm testing it on wired endpoints.

Is there a way to configure ISE to fulfill the requirements listed above?

Any ideas would be appreciated.

Thanks,

Val Rodionov

6 Replies

Tarik Admani
VIP Alumni

Val,

I am trying to understand why your client would want BYOD users on the same network as your postured corporate computers.

If you are relying on posturing for machine membership, then you will have to use the NAC Agent on the non-BYOD users, or redirect the users to the Web Agent so nothing is installed but the checks for agent-installed workstations still work.

Another use case could be combining profiling to make sure posturing is enforced for those users, so if you have a common format for hostnames you should be able to leverage the DHCP hostname to make a decision also.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thank you for your input!

Here are my answers to your questions:

1. Contractors as well as employees may bring their computers and connect to wired and wireless network. Also VPN users will connect, and we need to make sure that only corporate Windows computers with specific application installed and running have full access. The rest of the users should have limited access to the network - Thin Client network only.

2. Posture should run only on corporate Windows computers and check for various parameters including registry check and application/process. Posture on VPN connected endpoints is very important to the customer. One of the strict requirements is not to install anything on non-corporate computers, so I am trying to configure ISE to do posture only on corporate computers for VPN, wired, and wireless connections. Web Agent might be a solution, but it would work only on Windows computers. We still need to deal with all Mac OSX computers and allow them to access Thin Client network only.

3. Profiling will not work for VPN computers, but it could be a good idea to add it to the policies for wired and wireless. However, we cannot rely only on profiling results as they can be spoofed.

Is there any way to bypass ISE NAC Agent provisioning and make it work?

Thanks,

Val

Val,

Here is how I would design the solution for contractors: set the authentication-failed action to "next method" (for guests or contractors that have dot1x supplicants turned on). My next method would be MAB, to trigger CWA.

After CWA, if the contractor enters AD credentials (using a guest authentication sequence that uses AD) and they match a valid contractor group, then they get access to the DACL that allows the hosted desktop.

In the end, users that succeed 802.1X authentication hit the posture/authz policies.

Thanks,

Tarik Admani
*Please rate helpful posts*

valrerod
Level 1

Everyone who finds and reads this article,

I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"

The answer is Yes.

After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.

ISE configuration:

Posture General Settings - Default Posture Status = NonCompliant

Client Provisioning Policy - no rules defined

Posture Policy - configured per requirements

Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)

Authorization Policies configured as regular posture policies

The result:

After successful dot1x authentication, the posture redirect happens. If the PC does not have the NAC Agent preinstalled, the browser is redirected to the Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply an access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and the proper authorization policy is applied. This is what I wanted to achieve.

If the NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs the posture check. If posture is successful, the posture-compliant authorization policy is applied. If the posture check fails, NonCompliant posture status is assigned and the posture-non-compliant authorization policy is applied, which is the expected and needed result.

The only part that is not perfect is the message displayed to the end user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case, so this file can be manually found and edited from the CLI (root access).

Best,

Val Rodionov

The best way is to use AD groups or something that can help build a rigid policy on which users get postured versus users that do not. In the end, if a user uninstalls the NAC Agent, they get full access by clicking through the messaging.

When you use AD groups, you no longer have to guess what is accessing the network, and you also stay protected from employees bringing non-corporate assets, because their group membership will force the posture for the file check you are relying on.

If you use the contractor group that I mentioned, they get access by authenticating through the guest portal with the contractor creds, and then they get access to the thin client DACL.

Also, TAC will not provide directions on modifying the message of any prompt that is configurable through the language templates. I have run into this issue and was sharing my experiences, which led to the responses I detailed above.

If you modify the messaging, then when a customer patches or upgrades the appliance, that same message you sought to replace will revert to the default messaging, so keep that in mind when moving forward with this solution.

Thanks,

Tarik Admani
*Please rate helpful posts*

chris_day
Level 1

My common deployment for BYOD and contractors, when a customer wants to allow them onto the network, is to posture assess them with the Web NAC Agent. It does the trick if you require AV installed and definitions up to date.
