I wanted to ask if anyone has gone through this scenario... We allow students to use ANY anti-virus program, as long as it is supported by the Cisco NAC Agent or Cisco Web Agent and the latest Compliance Module. We are running 4.9.2 and are familiar with this screenshot (for example):
Here we pretty much allow any anti-virus program to connect to obtain its latest virus definitions/signatures, no matter if the user is in the Unauthenticated Role, Temporary Role, or Quarantine Role. If a student does NOT have an anti-virus program installed, then we point them to a locally hosted website where we give them a download of either Symantec Endpoint Protection or Microsoft Security Essentials.

What I'm running into with ISE is that this doesn't seem to be a scalable solution for us, as I need to define an ACL (Unknown or Non-Compliant ACL, based on Cisco's TrustSec documentation) to allow connections to the IP addresses for each of these update sites. The NAC uses wildcards, but with ISE I think my best option is to enable entire subnets instead of individual IP addresses. For example, instead of:

    *.microsoft.com
    *.windowsupdate.com

I need to use:

    24.220.183.0
    69.31.58.0
    64.4.11.0
    157.56.0.0
    157.55.0.0
    65.55.0.0
    65.54.0.0
    212.96.161.0
    207.46.21.58

When integrating this with a Cisco Wireless Controller, I can only have 64 entries in an ACL. It seems to me that whenever a student with a different anti-virus vendor's software comes on campus, I'm going to have to use Wireshark or another sniffing tool to see what IP addresses that client is trying to connect to, and then add those IPs to my ACL.

Am I missing something? Or are there other solutions that anyone can think of? Do I use a shaping device or firewall on the edge to permit this kind of traffic, and in ISE just "Allow All" but then catch this internet traffic at the edge?

In our current solution, we like the flexibility and aren't really sure we want to force a certain anti-virus program on all students. I'm not sure it's feasible to host an internal remediation server for multiple types of anti-virus software, either.

Thoughts and recommendations? Thanks again...

[signature]
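The post's practical problem is squeezing a growing list of update-site addresses into a fixed-size ACL (64 entries on the WLC). The script below is an added example, not code from the poster or from Cisco: it takes a list of observed destination prefixes, collapses them exactly (no extra addresses permitted), and, if the result still exceeds the entry limit, greedily merges the pair of prefixes whose common supernet adds the least address space, while reporting how much extra address space each such fit opens up. The sample list reuses the addresses from the post with prefix lengths assumed here (/24 for the .0 entries, /16 for the .0.0 entries, /32 for the single host); the emitted lines use IOS-style extended ACL syntax with wildcard masks, as ISE dACLs expect, and would need converting to netmask form for the WLC's own ACL editor.

```python
"""
Aggregate observed AV-update destinations into the fewest CIDR prefixes that
fit a fixed-size ACL, and emit IOS/dACL-style permit lines.  Exact collapse is
free; forcing the list under a hard entry limit widens what the ACL permits,
so the script also quantifies that over-permit.  (Example code, not from the
original post.)
"""
import ipaddress
from itertools import combinations

# Constructed sample: the addresses listed in the post, with prefix lengths
# assumed here (/24, /16 and /32).  Not taken from any vendor's published list.
OBSERVED = [
    "24.220.183.0/24", "69.31.58.0/24", "64.4.11.0/24",
    "157.56.0.0/16", "157.55.0.0/16",
    "65.55.0.0/16", "65.54.0.0/16",
    "212.96.161.0/24", "207.46.21.58/32",
]


def collapse(prefixes):
    """Exact aggregation: merge only adjacent or contained prefixes.
    Nothing outside the input is permitted afterwards."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(ipaddress.collapse_addresses(nets))


def smallest_supernet(a, b):
    """Smallest single prefix that contains both a and b."""
    for plen in range(min(a.prefixlen, b.prefixlen), -1, -1):
        sn = a.supernet(new_prefix=plen)
        if b.subnet_of(sn):
            return sn
    raise AssertionError("unreachable: /0 contains everything")


def fit_to_limit(prefixes, limit):
    """Greedy fit: while the list exceeds `limit`, merge the pair whose
    supernet adds the fewest addresses not already in the list."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    nets = collapse(prefixes)
    while len(nets) > limit:
        best = None
        for a, b in combinations(nets, 2):
            sn = smallest_supernet(a, b)
            cost = sn.num_addresses - a.num_addresses - b.num_addresses
            if best is None or cost < best[0]:
                best = (cost, a, b, sn)
        _, a, b, sn = best
        nets = [n for n in nets if n not in (a, b)] + [sn]
        nets = sorted(ipaddress.collapse_addresses(nets))  # absorb anything now covered
    return nets


def permitted_addresses(nets):
    """Total number of addresses the ACL would allow."""
    return sum(n.num_addresses for n in nets)


def acl_lines(nets):
    """IOS extended-ACL lines (ISE dACL syntax).  The wildcard mask is the
    inverse of the netmask, i.e. the prefix's hostmask."""
    lines = []
    for n in nets:
        if n.prefixlen == 0:
            lines.append("permit ip any any")
        elif n.prefixlen == n.max_prefixlen:
            lines.append(f"permit ip any host {n.network_address}")
        else:
            lines.append(f"permit ip any {n.network_address} {n.hostmask}")
    return lines


if __name__ == "__main__":
    exact = collapse(OBSERVED)
    print(f"exact collapse: {len(exact)} entries, "
          f"{permitted_addresses(exact)} addresses")
    for limit in (64, 4):  # 64 = the WLC limit from the post; 4 shows the cost of over-squeezing
        fitted = fit_to_limit(OBSERVED, limit)
        extra = permitted_addresses(fitted) - permitted_addresses(exact)
        print(f"\nlimit {limit}: {len(fitted)} entries, {extra} extra addresses permitted")
        print("\n".join(acl_lines(fitted)))
```

Running it shows the trade-off directly: the nine sample entries collapse exactly to eight (65.54.0.0/16 and 65.55.0.0/16 become 65.54.0.0/15), which fits the 64-entry limit with no over-permit, whereas forcing the same list into four entries ends with prefixes like 64.0.0.0/5 and 192.0.0.0/3 and permits roughly 672 million addresses instead of about 263 thousand. The `extra` figure is the number to watch before pasting a fitted list into a Non-Compliant ACL: a large value means the quarantine role has effectively become "allow most of the Internet", at which point the edge-firewall approach the post mentions is the more honest design.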
