cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1378
Views
0
Helpful
5
Replies

ISE 2.2 and AnyConnect NAC/Posture

Hi, folks.

 

Is there a possibility for the AnyConnect NAC/Posture module to check for a particular network it is connected to ??

 

Here is the situation and what I am trying to achieve:

  • W10 Laptop with AnyConnect SSL VPN and NAC/Posture module installed
  • It is connected to the company LAN and authenticates against ISE 2.2 using 802.1x
  • NAC/Posture agent starts and client gets postured:
    • When the client connects to the LAN, it falls into the "Posture unknown/limited access" state, then
      • Posture succeeds, client gets moved into "Posture compliant/full access" state or
      • Posture fails, client stays in "Posture unknown" and remediation timer starts, then
        • Client is remediated, re-checked, succeeds posture and is moved to "Posture compliant" state, or
        • Client is not remediated, timer expires and client is moved into "Posture non-compliant/very limited access" state

This process runs fine when connected to the company LAN, the point is, it also runs, when the client is connected to a DIFFERENT/NON-COMPANY network, in which there is no NAC/ISE at all !!!

 

Is there a config option somewhere to make the NAC agent on the client check, which network it is connected to (company owned or foreign) and based on that result, either run or skip the whole NAC process ???

 

Grateful for any clues

 

Rgs

Frank

 

5 Replies 5

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

Normally if you configured your profile with discovery host, when users are out of your network, the posture should fall but they can get access to the network.

 

There's no option to say to not perform posture. The posture is always there but have an impact only on your protected network.

 

Out of your office, they can connect anywhere else even if the posture fails


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jan.nielsen
Level 7
Level 7
Like Francesco says, if you are on a non company network, running the posture check, wont actually do anything, if you are concerned about users misunderstanding the dialogs coming from posture, you could look into the new silent anyconnect feature, where the client won't actually give the user any dialogs/messages at all.

That's a great feature. Just a query: Assume there will be a message if the PC is non-compliant (and therefore blocked?)...

So if the PC is non-compliant in the silent Posture mode, the Anyconnect does nothing visible until the remediation timer is complete. This timer can be a minimum of 1 minute. So for 1 minute, the user has no clue what's going on in a scenario where posture fails for a condition that cannot be remedied automatically.

This is one of the reasons why I moved away from Stealth mode back to the Regular posture. At least the user sees some message to prompt to reach out to the helpdesk.

In addition of what Rahul said for stealth mode, you have some posture check not available in that mode.

I've implemented it once and rollback right away to normal mode because of user experience.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: