SEC0200 - ISE 1.3 Guest Access Posture Compliance

This video extends our knowledge of Cisco ISE 1.3 posture assessment to guest computers, specifically Windows machines, that do not have the NAC Agent installed. Continuing from our previous guest videos, we will enable a device compliance check using the temporal NAC Web Agent. We will perform a basic antivirus software installation check and look at both the case where the posture check passes and the case where it fails, in which case we will also perform remediation.
 
Topic:
  • Guest Portal (Device Compliance)
  • Logical Profile
  • Authentication Policy
  • Policy Element Result
    • Authorization (dACL ACL)
    • Authorization (Authorization Profile)
  • Authorization Policy
  • Posture Policies
  • Client Provisioning Policies
  • Cisco Web Agent (Windows)
  • NAC Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

8 comments

What will happen to mobile devices in terms of compliance? Will they skip the posture validation?

Most likely the device will be stuck in the unknown state. If you expect mobile devices, you might need to come up with two different policies, one using Windows Device as condition and redirect to the guest posture and another to catch all devices and pass them right through without posture.

Just tested with an iPhone and it looks like it bypasses the posture check completely and automatically becomes compliant.

Hi,

In the posture checks, can we check if a mobile device is jailbroken or not? If yes, please can you advise how to put the rule in?

Regards
Sachin

For posture check on mobile devices, an MDM integration is required. Please see the videos below.

http://www.labminutes.com/sec0114_ise_12_byod_mdm_integration_1
http://www.labminutes.com/sec0193_ise_13_byod_meraki_mdm_integration_1

It's not working with NAC agent.

Can we use the AnyConnect agent instead of the NAC Web Agent for the guest? We want the guest to use the AnyConnect client for posturing.

We never tried this, but you should be able to redirect the user to the client provisioning portal after a successful guest login to have them download AnyConnect and the posture module, although some guests might not be willing to do this as it installs new software on their machines.