Identity Services Engine (ISE) compliance/posture ONLY Cisco Anyconnect VPN clients
We purchased our ISE back in October 2012. It took a month to get here as it was on New Product Hold.
When we first started discussing the abilities of ISE, we made it clear that we would only be using it for VPN users from the start (maybe to expand to all devices eventually). So our concentration, of course, was heavily on how all this functionality would work for VPN users.
We laid out, what I thought was very specific ground floor HAVE TO HAVE 'rules':
When a VPN user connects they have to have:
Current AntiVirus Program installed (specific AV for any of our corporate systems, any supported for contractors and the occasional work at home employee on their own system)
Antivirus process running
Antivirus DATs less than 7 days old
Microsoft Updates installed (we have an in house WSUS server and want all of our systems to have only the updates that we have approved)
If they don't meet this criteria they should not be allowed on our network, period.
So when our consultant began working we had a flawless implementation (at least I think) of the NAC agent detecting that any user in the 'employee' AD group had to have our corporate AV installed. If not, employees were denied access but not disconnected from the VPN. (We will address that before go-live.) And for contractors it seems to be detecting their installed AV just the same.
The difficult part has come now that we are trying to get the Microsoft Updates properly detected and installed. As it is right now, I can't tell if ISE is actually detecting the MS updates, and since it forces the kick off of the WSUS client update check it considers that good enough to be compliant, or if ISE/NAC is really even checking. I have a test laptop that needs 5 updates installed; when I connect to the VPN the NAC agent pops up saying that I meet all my criteria and gives me full network access. But I have only downloaded these 5 updates (confirmed through logs on the client that the updates DID come from our WSUS server) and they have not been installed yet. I have been testing like this for over 2 weeks and no change in result yet.
I do have a TAC case opened, #624565347.
All we want is for the ISE/NAC to properly talk to WSUS and tell the client that they do or don't have those updates installed. If they don't have them installed, let it download the updates and install them then allow them on the network. But until all Microsoft updates and antivirus updates are installed they have very restricted network access (just enough to get to the in-house WSUS and Antivirus update servers). After a certain amount of time if the NAC agent doesn't detect the required updates then the VPN should be forcibly disconnected.
So, can anyone tell me if it is possible for this to happen?
Right now we have the ISE settings as attached. Using version 1.1.1u5 (admin shows to have u5, but IPN shows u4)
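The posture rules and access outcomes described in this post, modelled as an added example (not Cisco ISE code and not from the original poster); the AV product names, KB numbers, dates and the remediation grace period are constructed placeholders. The point it makes is the one the post hits: an update that has only been downloaded from WSUS must not count as installed, and the decision must move from remediation-only to disconnect once the grace period runs out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, List

CORPORATE_AV = "CorpAV"                 # placeholder: the mandated corporate AV
SUPPORTED_AV = {"CorpAV", "OtherAV"}    # placeholder: AV products contractors may use
MAX_DAT_AGE = timedelta(days=7)         # "Antivirus DATs less than 7 days old"
REMEDIATION_GRACE = timedelta(minutes=30)  # assumed window before forced disconnect


@dataclass
class Endpoint:
    ad_group: str               # "employee" or "contractor"
    av_product: Optional[str]   # None when no AV is installed
    av_running: bool
    dat_date: date
    required_updates: set       # KBs approved on the in-house WSUS server
    installed_updates: set      # KBs actually installed on the client
    downloaded_updates: set     # KBs fetched from WSUS but not yet installed


def check_posture(ep: Endpoint, today: date) -> List[str]:
    """Return the list of failed posture rules (empty means compliant)."""
    failures = []
    allowed = {CORPORATE_AV} if ep.ad_group == "employee" else SUPPORTED_AV
    if ep.av_product not in allowed:
        failures.append("av-not-installed")
    elif not ep.av_running:
        failures.append("av-not-running")
    elif today - ep.dat_date > MAX_DAT_AGE:
        failures.append("av-dats-stale")
    # Only installed updates satisfy the rule; downloaded ones are ignored on purpose.
    missing = ep.required_updates - ep.installed_updates
    if missing:
        failures.append("updates-missing:" + ",".join(sorted(missing)))
    return failures


def access_decision(failures: List[str], time_in_remediation: timedelta) -> str:
    """Map posture result to the VPN access the post asks for."""
    if not failures:
        return "full-access"            # all rules met
    if time_in_remediation <= REMEDIATION_GRACE:
        return "remediation-only"       # reach WSUS and AV update servers only
    return "disconnect"                 # grace period exhausted: drop the VPN


def evaluate(ep: Endpoint, today: date, time_in_remediation: timedelta) -> str:
    return access_decision(check_posture(ep, today), time_in_remediation)
```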