ISE posture with AnyConnect

rkazmierczak
Level 1

Hi,

We're implementing ISE posture with AnyConnect VPN. In the unknown state dACL we had to allow quite a few ports to our domain controllers to get Microsoft NLA (network location awareness) to work, which makes it a bit less secure. Still very secure as the users need to authenticate with 2FA together with machine certificate, but we were wondering if there is any way to disconnect/deauthenticate the client if they fail to pass the posture or if they don't have a posture module installed, after a certain time, say 5 minutes.

1 Accepted Solution

You can disconnect an endpoint from the Live sessions page by triggering a CoA action to terminate.

Thanks,

Nidhi

6 Replies

Nidhi
Cisco Employee

From ISE, what you can do is, if the client is non-compliant, you can put the endpoint in a restricted VLAN for limited access until all the posture conditions are met.

You can trigger an automatic remediation on these endpoints or display a message on the endpoint to fulfill the conditions.

Hope this helps.

Thanks,

Nidhi

Hi Nidhi

The thing is that whether we're using dACL or change VLAN, we would still need to allow them enough access for the NLA to work. We were wondering if it would be possible to disconnect users for example who do not have the posture module installed. For example a hacker could somehow manage to get hold of the 2FA credentials and at the very least we would like to disconnect them and be alerted about it. For example if a user remains in the unknown state for longer than 5 minutes.

Certainly the interaction of Microsoft NLA and posture is interesting. In a nutshell, unless NLA works, the client thinks they are on a public network and for example all inbound traffic is blocked. Then they go through all the posture but NLA still says they are on the public network because NLA state only changes when the interface is bounced.

You can disconnect an endpoint from the Live sessions page by triggering a CoA action to terminate.

Thanks,

Nidhi

That's a good idea. Also we are thinking of setting some log correlation in the SIEM so that we can detect anyone in the unknown state for too long and if that happens.

Thanks,

Rafal

You could run a periodic pull using our API to scan for unknown endpoints

And then kick them off or maybe even quarantine them

Thanks
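
An added example, not part of the thread and not Cisco code: the correlation discussed above (flag live sessions that stay in the unknown posture state longer than 5 minutes), run over constructed session events. The event tuple layout, session ids and user names are assumptions, not ISE's syslog or API format; map them from whatever your SIEM or periodic pull actually returns.

```python
from datetime import datetime, timedelta

THRESHOLD = timedelta(minutes=5)  # the limit suggested in the thread

# Constructed events (assumed layout): time, session id, user, event kind, posture
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "s1", "alice", "start", "Unknown"),
    ("2024-01-10T09:01:30", "s1", "alice", "posture", "Compliant"),
    ("2024-01-10T09:02:00", "s2", "bob", "start", "Unknown"),
    ("2024-01-10T09:03:00", "s3", "carol", "start", "Unknown"),
    ("2024-01-10T09:04:00", "s3", "carol", "stop", None),
    ("2024-01-10T09:05:00", "s4", "dave", "start", "Unknown"),
    ("2024-01-10T09:06:00", "s4", "dave", "posture", "NonCompliant"),
    ("2024-01-10T09:08:00", "s5", "erin", "start", "Unknown"),
]


def stale_unknown_sessions(events, now, threshold=THRESHOLD):
    """Return (session_id, user, age) for live sessions still Unknown past threshold."""
    pending = {}  # session id -> (user, time the session first reported Unknown)
    # Sort by timestamp so events delivered out of order are still handled.
    for ts, sid, user, kind, posture in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "stop":
            pending.pop(sid, None)  # session ended, nothing left to disconnect
        elif posture == "Unknown":
            pending.setdefault(sid, (user, when))  # keep the earliest Unknown time
        else:
            # Posture resolved (Compliant or NonCompliant); this check only
            # tracks the unknown state, so the session leaves the watch list.
            pending.pop(sid, None)
    hits = [(sid, user, now - since)
            for sid, (user, since) in pending.items()
            if now - since > threshold]
    return sorted(hits)


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-01-10T09:10:00")
    for sid, user, age in stale_unknown_sessions(SAMPLE_EVENTS, now):
        print(f"ALERT session={sid} user={user} posture=Unknown for {age}")
```

Each hit is a candidate for the alert and the CoA terminate or quarantine action mentioned in the replies.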