Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2231
Views
0
Helpful
2
Replies

Posture before logon

Go to solution
ankaushi
Cisco Employee
Cisco Employee

‎09-04-2017 08:01 AM

Hi Team,


Is there anything on the ISE\Anyconnect posture roadmap to allow for posture before logon  ?

The customers use case is to fully block machines from joining their network if they don’t have AV or up to date windows patches to stop the spread of viruses.  This isn’t possible at the present because the Anyconnect GUI only starts after the user logs on so drive mapping fails.

This is not a BYOD or guest scenario but more about corporate machines where if they are taken off site to other premises and get infected with malware that disables the AV they shouldn’t be allowed back onto the corporate network.


Regards,

Anshul

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎09-05-2017 08:15 AM

We don’t discuss roadmap in the public forum.

What you’re asking for is likely not possible because all of the services AV etc run in user space. You wouldn’t be able to check if they are running before logon.

However you can severely limit your pre-health network with SGT, tag, acl controls to isolate machines before the check runs. With SGT you can even limit lateral movement between machines. Once the check is complete you give them full access by updating the controls.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-04-2017 10:42 PM

Hi, Anshul. I believe what you are looking for is Stealth mode (Clientless) AnyConnect with ISE which was introduced with ISE 2.2 & AnyConnect 4.4. You can find more about this feature here: Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies [Cisco Identity Ser…

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎09-05-2017 08:15 AM

We don’t discuss roadmap in the public forum.

What you’re asking for is likely not possible because all of the services AV etc run in user space. You wouldn’t be able to check if they are running before logon.

However you can severely limit your pre-health network with SGT, tag, acl controls to isolate machines before the check runs. With SGT you can even limit lateral movement between machines. Once the check is complete you give them full access by updating the controls.

0 Helpful
Customers Also Viewed These Support Documents