Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2350
Views
15
Helpful
4
Replies

MAB with Posture Check

Go to solution
kelvinskk
Level 1
Level 1

‎10-31-2019 09:41 PM

I have a customer with the following requirements. Can someone help to see if I'm doing it right?

  • Authenticate windows clients via MAC address only (MAB).
  • Posture check (Anti-virus definitions) via Anyconnect. 

Would like to check if below is the correct way to deploy? I've heard that MAB does not work with CoA. 
• Client to disable the Windows Wired Autoconfig service (802.1x) so that the client will be subjected to MAB.
• Posture check using anyconnect will kick in next. If posture pass, CoA will be done to change the VLAN to production VLAN. If posture fails, COA will be done to change the VLAN to remediation VLAN. 

 

 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JohnNewman7082
Level 1
Level 1

‎11-04-2019 06:58 AM

The issue is not MAB, but actually just client functionality.

When you do a VLAN change, the client does not see a network change.  The line never goes down, so the client never requests for another IP address.

 

I typically recommend people start on the vlan they want to END with.

So, in your case, start on the production VLAN but use a port ACL that limits all access but DHCP, domain, and ISE.

 

If posture check is good, then send an ACL and open up access.

If posture check is bad, you can send them to another vlan as "quarantine" but the client wont realize it has or does not have IP access.

 

Another way you can do it is to put a startup script on the computer that checks connectivity to a server for X amount of time.  As soon as it loses that connectivity force a DHCP refresh to get an IP on the remediation vlan.

 

There is also something called the network transition delay timer, though I do not remember the ins and outs of it:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010111.html#task_0037E9BB0C0947088AE28C137E2306AD

View solution in original post

4 Replies 4

Go to solution
howon
Cisco Employee
Cisco Employee

‎11-01-2019 08:14 AM

MAB works with CoA. However MAB doesn't work well with VLAN change after CoA. With MAB the endpoint is unaware of CoA and it will not renew IP, which is core of the problem. If using AnyConnect Posture module, it does have few options to address it, but as a best practice we don't recommend MAB with VLAN change.

I don't believe Posture works with pure MAB. You will need to tie MAB with either passive-ID (Easy Connect) or webauth to have real username for it to work.

Go to solution
kelvinskk
Level 1
Level 1
In response to howon

‎11-04-2019 12:10 AM

We'll be using the AnyConnect Posture module. What are the few options that might work?

0 Helpful

Go to solution
JohnNewman7082
Level 1
Level 1

‎11-04-2019 06:58 AM

The issue is not MAB, but actually just client functionality.

When you do a VLAN change, the client does not see a network change.  The line never goes down, so the client never requests for another IP address.

 

I typically recommend people start on the vlan they want to END with.

So, in your case, start on the production VLAN but use a port ACL that limits all access but DHCP, domain, and ISE.

 

If posture check is good, then send an ACL and open up access.

If posture check is bad, you can send them to another vlan as "quarantine" but the client wont realize it has or does not have IP access.

 

Another way you can do it is to put a startup script on the computer that checks connectivity to a server for X amount of time.  As soon as it loses that connectivity force a DHCP refresh to get an IP on the remediation vlan.

 

There is also something called the network transition delay timer, though I do not remember the ins and outs of it:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010111.html#task_0037E9BB0C0947088AE28C137E2306AD

Go to solution
kelvinskk
Level 1
Level 1
In response to JohnNewman7082

‎11-04-2019 05:04 PM

Thanks John! Your suggestion of using port ACL should work.

0 Helpful
Customers Also Viewed These Support Documents