
Controlling Network Access

David Lee
Level 1

Hello all,

The basic idea of what I am wanting to do is control access to networks based on computers having up-to-date antivirus installed. If a computer does not, it is denied access or put off for remediation. I am in a Windows AD environment with two RADIUS servers at a central location. Each of my remote sites has a Cisco 2901, 2911, or 2951 router (licensed for ipbase, securityk9, datak9, and uck9) as the edge device. I would like to somehow use the Cisco routers to use NAC to evaluate the computers and make the decision for network access. I only use one brand of AV software, so the setup should hopefully be simple. Can someone give me some pointers on the best way to do this using NAC, RADIUS, NPS, or some combination? I am not opposed to buying a Cisco device to put at my headquarters for this function. I would really like to not buy a device for all of my locations.

Thanks in advance,

David

2 Replies

nspasov
Cisco Employee

Hi David, it sounds like you are trying to perform "Posture Assessment". The legacy Cisco product that can do this is Cisco NAC. The newer and definitely recommended solution/product would be Cisco ISE. With ISE you can accomplish everything that you have listed above. You need to make sure that you are running on supported hardware/software:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html

The most important feature that you will need is CoA (Change of Authorization). This feature will allow you to place the ISE nodes centrally without having to run them inline.

For more information on ISE check out its main page and/or contact your local Cisco partner:

http://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html

Hope this helps!


Thank you for rating helpful posts!
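The CoA feature mentioned above is what lets a policy server that sits at headquarters change the authorization of a session that was already admitted by a router at a remote site: the server sends an RFC 5176 CoA-Request to the NAS, the NAS validates it against the shared secret, applies the new authorization (or disconnects the session) and answers with an ACK or a NAK carrying an Error-Cause. The following Python simulation of that exchange is an added example, not code from this thread, from Cisco or from ISE; the session table, the shared secret and the ACL name "QUARANTINE-ACL" are constructed test data, and Filter-Id is used as the carrier of the new authorization only because it is a standard attribute (a real ISE deployment typically pushes vendor-specific attributes instead). Both sides are implemented so the authenticator binding in each direction is visible:

```python
"""RFC 5176 Change-of-Authorization exchange, policy server and NAS, run offline.
Added example with constructed data; not Cisco or ISE code."""
import hashlib
import hmac
import struct

# RADIUS packet codes, RFC 5176 section 2.3
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types (RFC 2865/2866/5176) used in this example
FILTER_ID, ACCT_SESSION_ID, ERROR_CAUSE = 11, 44, 101
ERR_MISSING_ATTRIBUTE = 402            # RFC 5176 section 3.5
ERR_SESSION_CONTEXT_NOT_FOUND = 503    # RFC 5176 section 3.5

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = b""
    for typ, val in attrs:
        raw = struct.pack("!I", val) if isinstance(val, int) else val.encode()
        if len(raw) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", typ, len(raw) + 2) + raw
    return out


def decode_attrs(data):
    """Parse TLVs into a dict, rejecting lengths that run past the buffer."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[typ] = data[i + 2:i + length]
        i += length
    return attrs


def build_request(code, ident, attrs, secret):
    """Server -> NAS. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """NAS -> server. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_request(pkt, secret):
    """Return (code, ident, attrs) if the Request Authenticator checks out, else None."""
    if len(pkt) < 20 or HEADER.unpack(pkt[:4])[2] != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None  # RFC 5176: silently discard; never answer an unauthenticated request
    code, ident, _length = HEADER.unpack(pkt[:4])
    return code, ident, decode_attrs(pkt[20:])


def verify_response(resp, request, secret):
    """Return (code, attrs) if the response is bound to our request, else None."""
    if len(resp) < 20 or resp[1] != request[1]:
        return None
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return None
    return resp[0], decode_attrs(resp[20:])


def nas_handle(pkt, secret, sessions):
    """Router side: re-authorise or tear down a live session, or NAK with an Error-Cause."""
    parsed = verify_request(pkt, secret)
    if parsed is None:
        return None
    code, _ident, attrs = parsed
    nak = COA_NAK if code == COA_REQUEST else DISCONNECT_NAK
    sid = attrs.get(ACCT_SESSION_ID, b"").decode()
    if sid not in sessions:
        return build_response(nak, pkt, [(ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND)], secret)
    if code == COA_REQUEST:
        if FILTER_ID not in attrs:
            return build_response(nak, pkt, [(ERROR_CAUSE, ERR_MISSING_ATTRIBUTE)], secret)
        sessions[sid]["filter_id"] = attrs[FILTER_ID].decode()  # new ACL takes effect
        return build_response(COA_ACK, pkt, [], secret)
    if code == DISCONNECT_REQUEST:
        del sessions[sid]
        return build_response(DISCONNECT_ACK, pkt, [], secret)
    return None


def quarantine(session_id, acl_name, secret, sessions, ident=7):
    """Policy-server side: push a Filter-Id onto one session; return the NAS's response code."""
    req = build_request(COA_REQUEST, ident,
                        [(ACCT_SESSION_ID, session_id), (FILTER_ID, acl_name)], secret)
    resp = nas_handle(req, secret, sessions)   # in reality: UDP to the router's CoA port
    verified = verify_response(resp, req, secret) if resp else None
    return verified[0] if verified else None


if __name__ == "__main__":
    secret = b"lab-shared-secret"                                        # constructed
    sessions = {"0000000A": {"mac": "00-11-22-33-44-55", "filter_id": "CORP-ACL"}}  # constructed
    print(quarantine("0000000A", "QUARANTINE-ACL", secret, sessions), sessions)
    print(quarantine("deadbeef", "QUARANTINE-ACL", secret, sessions))
```

The NAS only honours a request whose Request Authenticator was computed with the shared secret, which is why the secret configured on the router and on the server must match and why a forged request is dropped rather than NAKed. On IOS the router side of this is the `aaa server radius dynamic-author` block, where each `client <server-ip> server-key <secret>` entry names a server allowed to send CoA (IOS and ISE both default to UDP port 1700 for CoA rather than the RFC 5176 port 3799).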

Venkatesh Attuluri
Cisco Employee

Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html