>4) Have the agent run as a service and/or run before the windows logon
>portion of boot up. So basically the agent could load, verify the
>posture of the computer


Amen to that. Have the CAS actually proxy the authentication process and
hand the Kerberos ticket(s) to the machine only when fully remediated.
Also, have a background process triggered after remediation and
authentication to allow roaming profiles to work. Even having to sit
through a "Please wait, Clean Access is checking your machine." would be
fine, if log in would then work like normal. 

The Cisco solution for roaming profiles is to allow unremediated clients
FULL ACCESS TO THEIR PROFILE SHARES. Am I the only one on crazy pills
here? I thought one of the major features of this system was the ability
to deny access to sensitive network assets until clients are remediated.
Right now I have to allow netbios and authentication access to my domain
controllers to anyone, and as I mentioned, if I want roaming profiles,
all my most sensitive shares. I am starting to think just doing Nessus,
Nagios, or Snort connected with a script to shut down offending ports on
my switches would be a better solution than Clean Access. No other Cisco
product mandates a permissive policy like this of allow then deny. Any
security pro knows you deny, verify, authenticate, remediate, then (and
only then) allow access.

Dan Sichel
Ponderosa Telephone
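The ordering argued for above (deny, verify, authenticate, remediate, then allow) is easy to state as a policy function, and putting the permissive "allow then deny" variant beside it shows what is exposed. The following is an added example written for this page; it is not Clean Access code and not from the poster. The posture fields, zone names, and `Session` structure are constructed assumptions.

```python
"""Posture-gated access decisions: strict (deny first) versus permissive.

Constructed example. Zone names and posture fields are assumptions chosen
to mirror the post (remediation servers, domain controllers, profile shares).
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set


@dataclass
class Posture:
    """What the agent reports about the host (assumed fields)."""
    av_running: bool
    patches_current: bool


@dataclass
class Session:
    """State of one endpoint as seen by the gatekeeper."""
    posture: Optional[Posture] = None   # None: agent has not reported yet
    authenticated: bool = False         # Kerberos/AD logon completed


# Assumed network zones, from least to most sensitive.
REMEDIATION_ZONE: Set[str] = {"patch-server", "av-update-server"}
AUTH_ZONE: Set[str] = {"domain-controller"}
PROFILE_ZONE: Set[str] = {"profile-share", "file-server"}
FULL_ZONE: Set[str] = REMEDIATION_ZONE | AUTH_ZONE | PROFILE_ZONE


def posture_ok(p: Posture) -> bool:
    """Verify step: the host passes when every check is green."""
    return p.av_running and p.patches_current


def strict_policy(s: Session) -> Set[str]:
    """Deny, verify, authenticate, remediate, then allow.

    Remediation is not a separate flag: a remediated host simply reports
    a clean posture on its next check and moves to the next step.
    """
    if s.posture is None:                 # deny: nothing before the agent reports
        return set()
    if not posture_ok(s.posture):         # verify failed: remediation servers only
        return set(REMEDIATION_ZONE)
    if not s.authenticated:               # clean but not yet logged on: DCs allowed
        return REMEDIATION_ZONE | AUTH_ZONE
    return set(FULL_ZONE)                 # only now: full access


def permissive_policy(s: Session) -> Set[str]:
    """Allow-then-deny: DCs and profile shares are reachable regardless of
    posture so that domain logon and roaming profiles work before the agent
    has finished. This models the behaviour the post complains about."""
    reachable = AUTH_ZONE | PROFILE_ZONE | REMEDIATION_ZONE
    if s.posture is not None and posture_ok(s.posture) and s.authenticated:
        return set(FULL_ZONE)
    return reachable


def exposed_before_remediation(policy: Callable[[Session], Set[str]]) -> Set[str]:
    """Sensitive destinations an unremediated, unauthenticated host can reach.

    A defender can run this over each candidate policy to see which
    sensitive zones are reachable before the host has been verified.
    """
    unremediated = Session(posture=Posture(av_running=False, patches_current=False))
    return policy(unremediated) & (AUTH_ZONE | PROFILE_ZONE)


def walk_logon(policy: Callable[[Session], Set[str]]) -> list:
    """Trace the destination set at each stage of a host coming online."""
    stages = [
        ("boot, no agent report", Session()),
        ("agent reports dirty posture", Session(posture=Posture(False, True))),
        ("remediated, not yet logged on", Session(posture=Posture(True, True))),
        ("logged on", Session(posture=Posture(True, True), authenticated=True)),
    ]
    return [(name, sorted(policy(sess))) for name, sess in stages]


if __name__ == "__main__":
    for label, policy in (("strict", strict_policy), ("permissive", permissive_policy)):
        print(f"== {label} ==")
        for stage, dests in walk_logon(policy):
            print(f"  {stage:32s} -> {dests}")
        print(f"  exposed before remediation: {sorted(exposed_before_remediation(policy))}")
```

Under the strict policy an unremediated host can reach nothing beyond the remediation servers; under the permissive one the domain controllers and profile shares are reachable before any check has passed, which is exactly the exposure the post describes.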
