We're implementing ISE posture with AnyConnect VPN. In the unknown state dACL we had to allow quite a few ports to our domain controllers to get Microsoft NLA (network location awareness) to work, which makes it a bit less secure. Still very secure as the users need to authenticate with 2FA together with machine certificate, but we were wondering if there is any way to disconnect/deauthenticate the client if they fail to pass the posture or if they don't have a posture module installed, after a certain time, say 5 minutes.
From ISE, what you can do is, if the client is non-compliant, you can put the endpoint in a restricted VLAN for limited access until all the posture conditions are met.
You can trigger an automatic remediation on these endpoints or display a message on the endpoint to fulfill the conditions.
Hope this helps.
The thing is that whether we're using dACL or change VLAN, we would still need to allow them enough access for the NLA to work. We were wondering if it would be possible to disconnect users for example who do not have the posture module installed. For example a hacker could somehow manage to get hold of the 2FA credentials and at the very least we would like to disconnect them and be alerted about it. For example if a user remains in the unknown state for longer than 5 minutes.
Certainly the interaction of Microsoft NLA and posture is interesting. In a nutshell, unless NLA works, the client thinks they are on a public network and for example all inbound traffic is blocked. Then they go through all the posture but NLA still says they are on the public network because NLA state only changes when the interface is bounced.
That's a good idea. Also we are thinking of setting some log correlation in the SIEM so that we can detect anyone in the unknown state for too long and if that happens.
You could run a periodic pull using our API to scan for unknown endpoints
And then kick them off or maybe even quarantine them
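The "periodic pull, then kick them off" idea from the last reply, written out as an added example (this is not code from the thread, from Cisco, or from any ISE API client). The 5-minute threshold is the one the original poster asked about. Everything about the ISE side is an assumption: the session fields, the hostnames `ise.example.local` / `psn*.example.local`, and the MnT CoA Disconnect URL layout are placeholders to be checked against the API documentation for your ISE release. The session records are constructed sample data so the logic runs offline; in a real deployment the `sessions` list would come from the MnT active-session pull and `sender` would be an authenticated HTTPS call.

```python
"""Detect VPN sessions stuck in the Unknown posture state and send a CoA disconnect.

Added example, not the thread's or Cisco's code. All ISE specifics below are assumptions.
"""
import logging
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, List

STALE_AFTER = timedelta(minutes=5)   # window from the original question
STALE_STATES = {"Unknown"}           # posture states that mean "never passed posture"
# Fixed reference clock so the constructed sample data is reproducible.
REFERENCE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

log = logging.getLogger("posture-watch")


@dataclass
class Session:
    """Subset of an active RADIUS session. Field names are assumptions, not the MnT schema."""
    mac: str
    user: str
    posture_status: str
    start_time: datetime   # timezone-aware session start
    psn: str               # Policy Service Node owning the session (needed to address the CoA)


def find_stale_unknown(sessions: Iterable[Session], now: datetime,
                       max_age: timedelta = STALE_AFTER) -> List[Session]:
    """Return sessions still in a STALE_STATES posture state after max_age."""
    return [s for s in sessions
            if s.posture_status in STALE_STATES and now - s.start_time >= max_age]


def coa_disconnect_url(ise_host: str, session: Session, disconnect_type: int = 0) -> str:
    """Build the MnT CoA Disconnect URL. ASSUMED layout: verify against your ISE API docs.
    disconnect_type 0 is taken here to mean the default disconnect."""
    mac = session.mac.upper().replace("-", ":")
    return (f"https://{ise_host}/admin/API/mnt/CoA/Disconnect/"
            f"{session.psn}/{mac}/{disconnect_type}")


def enforce(sessions: Iterable[Session], now: datetime, ise_host: str,
            sender: Callable[[str], bool]) -> List[str]:
    """Alert on every stale session (this is the SIEM-worthy event) and disconnect it.
    Returns the MACs for which the sender reported success."""
    kicked = []
    for s in find_stale_unknown(sessions, now):
        age = int((now - s.start_time).total_seconds())
        # One structured line per offender so a SIEM rule can key on it.
        log.warning("POSTURE_STALE user=%s mac=%s posture=%s age_s=%d psn=%s",
                    s.user, s.mac, s.posture_status, age, s.psn)
        if sender(coa_disconnect_url(ise_host, s)):
            kicked.append(s.mac)
    return kicked


def sample_sessions(now: datetime = REFERENCE_NOW) -> List[Session]:
    """Constructed sample data: one compliant, one recently connected, one stale."""
    return [
        Session("00:11:22:33:44:55", "alice", "Compliant", now - timedelta(minutes=20), "psn1.example.local"),
        Session("00:11:22:33:44:66", "bob", "Unknown", now - timedelta(minutes=2), "psn1.example.local"),
        Session("00:11:22:33:44:77", "carol", "Unknown", now - timedelta(minutes=7), "psn2.example.local"),
    ]


def dry_run_sender(url: str) -> bool:
    """Stand-in for the authenticated HTTPS call to ISE; logs instead of sending."""
    log.info("would send CoA: %s", url)
    return True


def run_dry(now: datetime = REFERENCE_NOW) -> List[str]:
    """One poll cycle against the constructed data; returns MACs that would be disconnected."""
    return enforce(sample_sessions(now), now, "ise.example.local", dry_run_sender)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    print("disconnected:", run_dry(datetime.now(timezone.utc)))
```

Run it on a schedule (cron or a small service) rather than once; each cycle produces the alert line first and only then the disconnect, so a session that keeps reappearing in the Unknown state still shows up in the SIEM even if the CoA fails.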