Remediation via Auth VLAN

dgaikwad
Level 5

Hi Experts,

 

Is remediation possible if I am implementing auth VLAN for switches that do not support URL redirection?

Since, when auth VLAN is configured, ISE acts as the DNS/DHCP server.

I have configured the anti-virus definition for automatic remediation.

 

So, now my anti-virus definition is not up to date and I am able to ping the AV servers.

Will the auto-remediation happen in this case?

Will AnyConnect be able to reach out to those AV servers and download the right definition?

Accepted Solution

howon
Cisco Employee

Is remediation possible if I am implementing auth VLAN for switches that do not support URL redirection?
(howon: Yes)
Since, when auth VLAN is configured, ISE acts as the DNS/DHCP server.
(howon: ISE 2.1+)
I have configured the anti-virus definition for automatic remediation.
So, now my anti-virus definition is not up to date and I am able to ping the AV servers.
Will the auto-remediation happen in this case?
(howon: This will be done per posture policy. If you can reach the servers and auto remediation is enabled, then the endpoint can auto-remediate to update the AV DAT files and perform any other actions needed for remediation.)
Will AnyConnect be able to reach out to those AV servers and download the right definition?
(howon: Yes, as long as they can resolve the AV server IP and access is allowed, they can reach the servers. See the following picture for allowing DNS for AV servers.)

[Attached screenshot: Screen Shot 2018-10-15 at 9.37.01 AM.png (ISE auth VLAN settings showing the allowed domains for the AV servers)]

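As an added example that is not part of this thread or of any Cisco tooling, here is a small Python check an administrator can run from an endpoint sitting in the auth VLAN to confirm the two conditions howon names: that each entry in the Allowed Domains list resolves through the ISE-provided DNS, and that the resolved AV update servers actually accept a connection. The domain names, the update ports and the injectable resolve/connect hooks are assumptions for illustration.

```python
import socket
from dataclasses import dataclass, field

@dataclass
class DomainCheck:
    domain: str
    resolved: list = field(default_factory=list)  # IPs returned by the auth-VLAN DNS
    reachable: bool = False                       # a TCP connect to an update port worked

    def ok(self) -> bool:
        return bool(self.resolved) and self.reachable

def default_resolve(domain: str) -> list:
    """Resolve via the resolver the endpoint got from DHCP (ISE in auth VLAN mode)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(domain, None)})
    except socket.gaierror:
        return []   # not in Allowed Domains, or DNS blocked: auto-remediation cannot start

def default_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Check that the AV update server accepts a TCP connection on the given port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_remediation_path(allowed_domains, ports=(443, 80),
                           resolve=default_resolve, connect=default_connect):
    """Return one DomainCheck per allowed domain; resolve/connect are injectable for testing."""
    results = []
    for domain in allowed_domains:
        ips = resolve(domain)
        reachable = any(connect(ip, port) for ip in ips for port in ports)
        results.append(DomainCheck(domain, ips, reachable))
    return results

def summarize(results) -> dict:
    """Map each domain to 'ok', 'no-dns' (ISE did not resolve it) or 'blocked' (resolved, no access)."""
    return {r.domain: ("ok" if r.ok() else "no-dns" if not r.resolved else "blocked")
            for r in results}

if __name__ == "__main__":
    # Constructed sample list; replace with the Allowed Domains configured on the ISE auth VLAN.
    sample_domains = ["update.example-av.invalid", "dat.example-av.invalid"]
    for domain, status in summarize(check_remediation_path(sample_domains)).items():
        print(f"{domain}: {status}")
```

A domain reported as no-dns means the name is missing from the ISE Allowed Domains list (the empty field dgaikwad mentions below), while blocked means DNS works but the path to the server is filtered.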

2 Replies


I have similar configuration except that the allowed domains field is empty.

I will add those up and post an update, thanks!