We're implementing ISE posture with AnyConnect VPN. In the unknown state dACL we had to allow quite a few ports to our domain controllers to get Microsoft NLA (network location awareness) to work, which makes it a bit less secure. Still very secure as the users need to authenticate with 2FA together with machine certificate, but we were wondering if there is any way to disconnect/deauthenticate the client if they fail to pass the posture or if they don't have a posture module installed, after a certain time, say 5 minutes.
From ISE, what you can do is, if the client is non-compliant, you can put the endpoint in a restricted VLAN for limited access until all the posture conditions are met.
You can trigger an automatic remediation on these endpoints or display a message on the endpoint to fulfill the conditions.
Hope this helps.
The thing is that whether we're using dACL or change VLAN, we would still need to allow them enough access for the NLA to work. We were wondering if it would be possible to disconnect users for example who do not have the posture module installed. For example a hacker could somehow manage to get hold of the 2FA credentials and at the very least we would like to disconnect them and be alerted about it. For example if a user remains in the unknown state for longer than 5 minutes.
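One way to implement the 5-minute cut-off asked about above, as an added example that is not from this thread or from Cisco: a script that reads active-session records (here a constructed sample shaped like the attributes ISE's MnT API reports; the field names and the CoA disconnect URL path are assumptions to verify against your ISE release) and flags sessions still in the Unknown posture state after the grace period, leaving NonCompliant sessions to ISE's own remediation flow.

```python
"""Flag AnyConnect/ISE sessions stuck in the Unknown posture state too long.

Added example, not from the thread. Record field names and the CoA URL path
are assumptions modelled on ISE's MnT API; check them against your release.
"""
from datetime import datetime, timedelta, timezone

UNKNOWN_LIMIT = timedelta(minutes=5)  # grace period discussed in the thread

# Constructed sample of active sessions (not real data).
SAMPLE_SESSIONS = [
    {"user": "alice", "mac": "00-11-22-33-44-01", "psn": "ise-psn1",
     "posture_status": "Compliant", "start": "2024-05-01T10:00:00Z"},
    {"user": "bob", "mac": "00-11-22-33-44-02", "psn": "ise-psn1",
     "posture_status": "Unknown", "start": "2024-05-01T10:01:00Z"},
    {"user": "carol", "mac": "00-11-22-33-44-03", "psn": "ise-psn2",
     "posture_status": "Unknown", "start": "2024-05-01T10:08:30Z"},
    {"user": "dave", "mac": "00-11-22-33-44-04", "psn": "ise-psn1",
     "posture_status": "NonCompliant", "start": "2024-05-01T09:50:00Z"},
]


def _parse(ts):
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_unknown_sessions(sessions, now, limit=UNKNOWN_LIMIT):
    """Return sessions whose posture is still Unknown after `limit`.

    NonCompliant sessions are skipped on purpose: ISE already handles those
    with restricted access and remediation, as described in the answer above.
    """
    if isinstance(now, str):
        now = _parse(now)
    return [s for s in sessions
            if s["posture_status"] == "Unknown"
            and now - _parse(s["start"]) >= limit]


def disconnect_url(base_url, session, option=0):
    """Build the MnT CoA disconnect URL (assumed path; verify for your ISE)."""
    return (f"{base_url}/admin/API/mnt/CoA/Disconnect/"
            f"{session['psn']}/{session['mac']}/{option}")


if __name__ == "__main__":
    # An operator would GET each URL with ISE admin credentials and raise an
    # alert; printing keeps the script runnable offline.
    for s in stale_unknown_sessions(SAMPLE_SESSIONS, "2024-05-01T10:10:00Z"):
        print(f"disconnect {s['user']}: {disconnect_url('https://ise.example.com', s)}")
```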
Certainly the interaction of Microsoft NLA and posture is interesting. In a nutshell, unless NLA works, the client thinks they are on a public network and for example all inbound traffic is blocked. Then they go through all the posture but NLA still says they are on the public network because NLA state only changes when the interface is bounced.