We actually went through the same issue moving from NAC to ISE but ours was a "bit" simpler in that we only permitted ~14 AV programs with NAC. We ended up turning off posture because we were having issues with our deployment in the beginning of the year (running beta code to get EAP-Chaining support) but when running it we were permitting all traffic out to the internet for students over tcp/80. Updates would work but trying to access any internal sites or anything else would cause the URL redirect ACL to match and the user would be redirected to get the agent installed. Other than the beta-bugs we were hitting it worked quite well for us.
We also threw around the idea of doing a real quarantine VLAN that we could push through a squid box for filtering/caching but one of our goals was to stay away from VLAN changes after initial authentication (Even though .1x handles that WAAY better than the NAC agent alone) and stick with the capabilities provided through dACLs. Hopefully after the release of 1.2 we'll turn posture back on :)

--Jeremy

On Fri, Mar 22, 2013 at 11:41 AM, Kyle Torkelson < [email protected]> wrote:

> Wanted to ask if anyone has gone through this scenario…we allow students to use ANY anti-virus program, as long as it’s supported by the Cisco NAC Agent or Cisco Web Agent and latest Compliance Module. We are running 4.9.2 and we are familiar with this screenshot (for example):
>
> Here we pretty much allow any anti-virus programs to connect to obtain their latest virus definitions/signatures, no matter if the user is in the Unauthenticated Role, Temporary Role, or Quarantine Role. If a student does NOT have an anti-virus program installed, then we point them to a locally hosted website where we give them a download to either Symantec Endpoint Protection or Microsoft Security Essentials.
>
> What I’m running into with ISE is that this doesn’t seem to be a scalable solution for us as I need to define an ACL (Unknown or Non-Compliant ACL based on Cisco’s TrustSec documentation) to allow connections to the IP addresses for each of these update sites. The NAC uses wildcards, but with ISE I think my best option is to enable entire subnets instead of individual IP addresses.
>
> For example,
>
> *.microsoft.com and *.windowsupdate.com
>
> Instead I need to use:
>
> 24.220.183.0
> 69.31.58.0
> 64.4.11.0
> 157.56.0.0
> 157.55.0.0
> 65.55.0.0
> 65.54.0.0
> 212.96.161.0
> 207.46.21.58
>
> When integrating this with a Cisco Wireless Controller, I can only have 64 entries in an ACL. It seems to me that whenever a student with a different software anti-virus vendor comes on campus, I’m going to have to use wireshark or another sniffing tool to see what IP addresses that client is trying to connect to and then add those IP’s to my ACL.
>
> Am I missing something? Or, are there other solutions that anyone can think of? Do I use a shaping device or firewall on the edge to permit this kind of traffic and in ISE just “Allow All” but then catch this internet traffic at the edge? In our current solution, we like the flexibility and aren’t really sure we want to force a certain anti-virus program on all students. I’m not sure it’s feasible to host an internal remediation server for multiple types of anti-virus software, either.
>
> Thoughts and recommendations?
>
> Thanks again…
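Turning an update-server list like the one Kyle quotes into the fewest ACL entries, as an added example that is not from anyone on this thread: it collapses hosts and prefixes into minimal CIDR blocks, renders them in IOS-style extended ACL syntax (assumed here to match what ISE accepts in a dACL), checks the result against the 64-entry controller limit from Kyle's message, and flags captured destination IPs that the current list does not already cover. The sample entries below are constructed from documentation ranges, not real update-server addresses.

```python
import ipaddress
from typing import Iterable, List

# Per-ACL entry limit on the wireless controller, as quoted in the thread.
WLC_ACL_MAX_ENTRIES = 64


def parse_targets(targets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn update-server entries (bare hosts or CIDR prefixes) into networks."""
    nets = []
    for raw in targets:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # skip blanks and comments in a hand-maintained list
        # A bare address becomes a /32; a prefix is normalised to its network.
        nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def collapse_targets(targets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent prefixes into the fewest CIDR blocks
    that still cover every original entry (no address is dropped)."""
    return list(ipaddress.collapse_addresses(parse_targets(targets)))


def to_dacl(nets: Iterable[ipaddress.IPv4Network], port: int = 80) -> List[str]:
    """Render IOS-style extended ACL lines (assumed dACL syntax: 'host' or
    network plus wildcard mask), permitting only the update traffic."""
    lines = []
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f"permit tcp any host {net.network_address} eq {port}")
        else:
            lines.append(f"permit tcp any {net.network_address} {net.hostmask} eq {port}")
    lines.append("deny ip any any")
    return lines


def uncovered(nets: Iterable[ipaddress.IPv4Network], observed: Iterable[str]) -> List[str]:
    """Report destination IPs seen in a capture that no ACL entry covers,
    so only genuinely new update hosts need to be added to the list."""
    nets = list(nets)
    return [ip for ip in observed
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def fits_wlc(lines: List[str]) -> bool:
    """True when the rendered ACL fits the controller's per-ACL entry limit."""
    return len(lines) <= WLC_ACL_MAX_ENTRIES
```

Run the collapsed list through `to_dacl` before pasting it into a dACL, and feed `uncovered` the destination IPs from a capture of a new vendor's updater to see which entries are actually missing.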
