
MAB and AnyConnect Posture Checks

jitendrac
Level 1

Can someone help to see if I'm doing it right?

  • Authenticate Windows clients via MAC address only (MAB).
  • Posture check (Anti-virus definitions) via AnyConnect. 

Would like to check if the below is the correct way to deploy. I've heard that MAB does not work with CoA.

  • Client to disable the Windows Wired AutoConfig service (802.1X) so that the client will be subjected to MAB.
  • Posture check using AnyConnect will kick in next. If posture passes, CoA will be done to change the VLAN to the production VLAN. If posture fails, CoA will be done to change the VLAN to the remediation VLAN.

Ideally, if posture with CoA is working with 802.1X, then the same should work in the case of MAB, correct?
My understanding is that ISE sending CoA to the NAD based on posture results has nothing to do with the authentication method used, correct?

1 Reply

ccieexpert
Spotlight

CoA works with MAB as well, as after you do a device profile, you may want to move the device to a different VLAN etc. https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html

But using dot1x would be more secure to say that it is a company-authorized machine... posture checks also check if there is a cert etc.
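
For reference, the switch side of the deployment discussed in this thread, a MAB-only access port that also accepts CoA from ISE, could look like the following. This is an added example, not configuration posted by either participant. It assumes a Catalyst switch using the legacy auth-manager command syntax; the ISE address (192.0.2.10), the `<shared-secret>` key, the object names, the interface and VLAN 10 are constructed placeholders.

```ios
! Added example: MAB-only port with RADIUS CoA enabled.
! 192.0.2.10, <shared-secret>, ISE-PSN1, ISE and VLAN 10 are placeholders.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius ISE
 server name ISE-PSN1
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Accept RADIUS CoA requests from ISE. Without this block the switch
! does not process them, whatever method authenticated the session.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>
!
! Send vendor-specific attributes in RADIUS authentication and accounting.
radius-server vsa send authentication
radius-server vsa send accounting
!
interface GigabitEthernet1/0/1
 description MAB-only access port (constructed example)
 switchport mode access
 switchport access vlan 10
 ! Only MAB is attempted on this port; no 802.1X supplicant is expected.
 authentication order mab
 authentication port-control auto
 mab
 spanning-tree portfast
```

The `aaa server radius dynamic-author` block is independent of the per-port authentication method, which is why the same CoA handling applies to MAB and 802.1X sessions.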