Is it possible for the ISE 1.2 NAC/Posture agent to submit a posture report before user login on a Windows desktop system?
We're trialling ISE 1.2, performing machine based authentication using EAP-TLS/Certificates. On top of this we are also using the posture agent and do not grant access until a 'compliant' posture report is received.
Currently when a desktop powers up the posture status is 'pending' and this does not change until the user logs in, the NAC agent submits a successful posture report. This can take quite a few minutes leaving the user in a state of limbo where they have logged in to the computer but they must wait for the posture report.
I see the NacAgent service runs as system, but the NACAgentUI.exe does not and only starts with the user logs in.
I have faced the same issue but maybe in different order.
On the ISE 1.2, Cisco changed the behavior of the NAC agent pop-up, you need to enable the redirect on the authorization profile in order to start the NAC agent and start the posture process.
From the case, I see that the NAC agent is already installed, so do you have the redirect enabled or not ?
As well as the agent installed and configured to use our policy nodes, we also have the redirect enabled. I can confirm the redirect is working, if I attempt to load a web page before the agent has completed the posture report when logging in, the session is redirected to ISE.
Ideally I don't want the user to have to wait for this posture report and for it to occur before they login. Is that possible?
Based on my experience the user login process needs to execute because ISE is policy driven, you can set different posture requirements based on user groups, also you need to trigger the 802.1x process from the wireless or wired access level for the authorization profile to send the redirect session down to the NAD.
*Please rate helpful posts*
Ok, so what you want to achieve is Posturing before user login, to be honest, and as Tarik said, you need to check the posture based on policies and also triggered the 802.1x and CoA in case you need to change the authorization.
I have an idea but dont know if it is applicable or not (I dont have the facility to test it right now), can you do the authentication and posturing based on machine name (Machine authentication), and check if this triggers the posture process or not?
In general, I believe that the user must login to start the posturing and decide if the machine is compliant or not based on the ISE policies.
Hi Ahmad and Tarik,
I appreciate you both replying.
We already perform our authentication to the network based on machine authentication, we're using EAP-TLS authentication that utilise computer certificates that have been deployed as part of computers joining our active directory environment. The posture process is not triggering until a user logs in to the computer using their AD credentials.
It appears that even though we're not using different posture and authorization requirements based on the user when we use EAP-TLS, the client still wants to wait regardless for a user to log in just in case. Subsequently it would seem what I want to do is not possible?
Just out of curiosity what is it that you are looking to acheive with the nac agent? What is it scanning for? Your best bet is to work with Cisco or your local account team to see what they can do but your research from the initial post is dead on, the nacagentui.exe doesnt start till after the user logs on, it is painful when it comes to the process taking its time.
However did you think about allowing the posture agent to run while you grant full access to the user based on their machine authentication session. When the nac agent sends a report of non-compliant you can consider revoking user access then. I know this allows a vulnerable/infected machine from being able to connect to the network but in the end this is something that can be explored as an option of the delay out weighs the security policy.
*Please rate helpful posts*
At the moment we just check anti virus installation, anti virus definitions and that the Microsoft SCCM client is running. These are all items that obviously start as a system service, so it's unfortunate that even though the NACAgent also starts as a system service it can't perform the posture report before a user logging on to the machine.
It would be a great feature to have, it would make logging on to the network much more seamless for the end user.
That is correct, the nac agent is unaware of what policies exist in your ISE design. It's sole purpose is to start when the services allow it to do so and then send the information about the services and AV information it can gather so ISE can make a decision on whether the client is compliant or not compliant, it can then take direction on how to remeidate the client when it fails. There is nothing you can configure from ISE that will allow you to run the nac agent before user login.
In the end when the nac agent makes into the anyconnect secure mobility client you might have hope there since there are some start before login vpn features, but I do not see the nac agent adopting this any time soon. You should however still work with your Cisco Account team on doing some research with the BU on your behalf, this could benefit alot of nac customers.
*Please rate helpful posts*
Posture before login is really a very nice feature to be added to the ISE solution, but is it technically do-able from the ISE point of view? Since there is no user information at all before the login page, the only information that we can use at this stage is "hostname" or "netbios" name? can we have feature like this from tecnical point of view?
You might want to run a script to see if you can force the service to start earlier. Might want to open a tac caee to see if they can provide some help or if a feature request needs to be created.
Sent from Cisco Technical Support Android App