ISE Posture check before login into computer - wired dot1x

Srin_G
Level 3

Hi all,

 

ISE Posture check before login into computer - wired dot1x - can this be achieved?

We are running Cisco ISE v2.1 patch 3

Posture check requirement:

1) AV service enabled

2) updated AV DAT file - checks the registry for date

3) whitelisting software service enabled

Authentication: Machine certificate

 

This works fine after login, but we use a local script to map drives for the users because group policy won't let us map drives while the computer is checking the posture.

I wonder if we can do this posture check and put the machine in the right VLAN before the user logs on.

Regards

 

 

2 Replies

Octavian Szolga
Level 4

Hi,

Posture check cannot be done before user login. Still, maybe you can run the scripts with a specific delay in order for posture to complete.

(AnyConnect itself can run scripts, but I don't think it will be of any help, because the functionality would be used for VPN alone.)

 

https://supportforums.cisco.com/t5/aaa-identity-and-nac/ise-and-windows-drive-mapping-scripts/td-p/3031751

 

Regards,

Octavian
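A sketch of the delayed drive-mapping script suggested in the reply above, added here as an example and not taken from the thread or from Cisco. Instead of a fixed delay it polls until the file server answers on SMB, which assumes the pre-posture authorization blocks TCP 445 to that server; the server name, share path and drive letter are placeholders.

```powershell
# Added example: logon script that waits for post-posture access before mapping a drive.
# Assumed placeholders (not from the thread): fs01.example.local, \\fs01.example.local\home, H:
param(
    [string]$FileServer     = 'fs01.example.local',
    [string]$SharePath      = '\\fs01.example.local\home',
    [string]$DriveLetter    = 'H',
    [int]   $TimeoutSeconds = 180,
    [int]   $PollSeconds    = 5
)

function Wait-ForSmb {
    param([string]$Server, [int]$Timeout, [int]$Interval)

    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        # Assumption: SMB is unreachable until ISE has applied the compliant
        # authorization (VLAN or dACL), so a successful connect means posture is done.
        $ok = Test-NetConnection -ComputerName $Server -Port 445 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($ok) { return $true }
        Start-Sleep -Seconds $Interval
    }
    return $false
}

if (Wait-ForSmb -Server $FileServer -Timeout $TimeoutSeconds -Interval $PollSeconds) {
    # Map only if the letter is not already in use, so re-running the script is harmless.
    if (-not (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $SharePath `
            -Persist -Scope Global | Out-Null
    }
    exit 0
}
else {
    # Posture did not complete in time (or the endpoint is non-compliant): do not map.
    Write-Warning "File server $FileServer not reachable on TCP 445 after $TimeoutSeconds s; drive not mapped."
    exit 1
}
```

If the compliant authorization moves the machine to a different VLAN, the address change can add several seconds, so the timeout should be longer than the slowest posture run observed in the environment.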

Yes, it can be done. Treat unauthenticated machines as MAB devices and
perform posture as part of the authorization process. Then they get a dACL which
allows them to map drives only without full access. Full access can be
obtained after authentication.