MAB with Posture Check

kelvinskk
Level 1

I have a customer with the following requirements. Can someone help to see if I'm doing it right?

  • Authenticate Windows clients via MAC address only (MAB).
  • Posture check (anti-virus definitions) via AnyConnect.

I would like to check whether the below is the correct way to deploy. I've heard that MAB does not work with CoA.

  • Client to disable the Windows Wired AutoConfig service (802.1X) so that the client will be subjected to MAB.
  • Posture check using AnyConnect will kick in next. If posture passes, CoA will be done to change the VLAN to the production VLAN. If posture fails, CoA will be done to change the VLAN to the remediation VLAN.

Accepted Solution

JohnNewman7082
Level 1

The issue is not MAB, but actually just client functionality.

When you do a VLAN change, the client does not see a network change. The line never goes down, so the client never requests another IP address.

I typically recommend people start on the VLAN they want to END with.

So, in your case, start on the production VLAN but use a port ACL that limits all access but DHCP, domain, and ISE.

If the posture check is good, then send an ACL and open up access.

If the posture check is bad, you can send them to another VLAN as "quarantine", but the client won't realize it has or does not have IP access.

Another way you can do it is to put a startup script on the computer that checks connectivity to a server for X amount of time. As soon as it loses that connectivity, force a DHCP refresh to get an IP on the remediation VLAN.

There is also something called the network transition delay timer, though I do not remember the ins and outs of it:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010111.html#task_0037E9BB0C0947088AE28C137E2306AD
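An added example of the port-ACL approach John describes, written here for illustration and not configuration from the thread or from Cisco: the access port runs MAB and sits in the production VLAN from the start, a port ACL allows only DHCP, the domain controller and ISE until posture completes, and ISE then pushes a downloadable ACL. VLAN 100, interface GigabitEthernet1/0/1, the DC 10.0.0.10, the ISE PSN 10.0.0.20, the remediation server 10.0.0.30 and the shared secret are assumed placeholders; the non-compliant case uses a restrictive dACL on the same VLAN instead of a quarantine VLAN, so no client re-addressing is needed.

```cisco
! Assumed placeholders: VLAN 100 = production, 10.0.0.10 = AD DC / DNS, 10.0.0.20 = ISE PSN
! Switch-side AAA so the port accepts RADIUS authorization and CoA from ISE
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa server radius dynamic-author
 client 10.0.0.20 server-key ISE-SHARED-SECRET-PLACEHOLDER
radius server ISE-PSN
 address ipv4 10.0.0.20 auth-port 1812 acct-port 1813
 key ISE-SHARED-SECRET-PLACEHOLDER
ip device tracking
!
! Pre-posture port ACL: client gets its final IP via DHCP at once, reaches AD/DNS for logon, reaches ISE for posture
ip access-list extended PRE-POSTURE
 remark DHCP (client bootpc -> server bootps)
 permit udp any eq bootpc any eq bootps
 remark DNS and AD domain services on the DC
 permit udp any host 10.0.0.10 eq domain
 permit tcp any host 10.0.0.10 eq domain
 permit tcp any host 10.0.0.10 eq 88
 permit udp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 445
 remark ISE client-provisioning portal and AnyConnect posture
 permit tcp any host 10.0.0.20 eq 8443
 permit tcp any host 10.0.0.20 eq 8905
 permit udp any host 10.0.0.20 eq 8905
 deny ip any any
!
! Access port: MAB only, already in the production VLAN, port ACL applied inbound
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ip access-group PRE-POSTURE in
 authentication port-control auto
 authentication order mab
 authentication priority mab
 mab
!
! ISE downloadable ACLs returned by the posture authorization profiles.
! Compliant: the dACL replaces the port ACL for that session and opens access:
!   permit ip any any
! Non-compliant: stay on VLAN 100 (no re-address needed) but allow only DHCP,
! the DC, ISE and the remediation server (assumed 10.0.0.30):
!   permit udp any eq bootpc any eq bootps
!   permit ip any host 10.0.0.10
!   permit ip any host 10.0.0.20
!   permit ip any host 10.0.0.30
!   deny ip any any
```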


4 Replies

howon
Cisco Employee

MAB works with CoA. However, MAB doesn't work well with a VLAN change after CoA. With MAB the endpoint is unaware of CoA and it will not renew its IP, which is the core of the problem. If using the AnyConnect Posture module, it does have a few options to address it, but as a best practice we don't recommend MAB with VLAN change.

I don't believe Posture works with pure MAB. You will need to tie MAB with either passive-ID (Easy Connect) or webauth to have real username for it to work.

We'll be using the AnyConnect Posture module. What are the few options that might work?

Thanks John! Your suggestion of using port ACL should work.