What about "post-traffic police" and/or "post-re-checking" without kicking the user and machine out by clearing the "Certified Device List"?
David Wang Networking Services, CCS
www.uoguelph.ca 519-824-4120 ext 52046
On 10-Feb-09, at 12:22 PM, Dennis Xu wrote:
We want to have an option in the filter list for: require login, bypass posture assessment.
We have a requirement that some devices in the filter require authentication, but need to bypass posture assessment.
Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217
----- Original Message -----
From: "Daniel Sichel" <[email protected]>
To: [email protected]
Sent: Tuesday, February 10, 2009 12:03:02 PM GMT -05:00 US/Canada Eastern
Subject: Wish list
4) Have the agent run as a service and/or run before the Windows logon portion of boot up. So basically the agent could load, verify the posture of the computer
Amen to that. Have the CAS actually proxy the authentication process and hand the Kerberos ticket(s) to the machine only when fully remediated. Also, have a background process triggered after remediation and authentication to allow roaming profiles to work. Even having to sit through a "Please wait, Clean Access is checking your machine." would be fine, if login would then work like normal.
The Cisco solution for roaming profiles is to allow unremediated clients FULL ACCESS TO THEIR PROFILE SHARES. Am I the only one on crazy pills here? I thought one of the major features of this system was the ability to deny access to sensitive network assets until clients are remediated.
Right now I have to allow NetBIOS and authentication access to my domain controllers to anyone, and as I mentioned, if I want roaming profiles, all my most sensitive shares. I am starting to think just doing Nessus, Nagios, or Snort connected with a script to shut down offending ports on my switches would be a better solution than Clean Access. No other Cisco product mandates a permissive policy like this of allow then deny. Any security pro knows you deny, verify, authenticate, remediate, then (and only then) allow access.
Dan Sichel
Ponderosa Telephone
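The two policy questions raised in this thread, Dan's "deny, authenticate, remediate, then allow" ordering (and the profile-share exposure of the permissive alternative) and Dennis's request for filter-list entries that require login but bypass posture assessment, can be written down as one small access-decision function. The code below is an added illustration, not Cisco Clean Access code and not anything either poster wrote; the MAC addresses, service labels and the two filter flags are constructed for the example, and which services belong in the pre-login and quarantine sets is an assumption you would tune to your own environment.

```python
"""Deny-by-default NAC access decision (added illustration, not Cisco code).

Models the ordering argued for in the thread: deny, authenticate, remediate,
then allow, plus the requested per-device filter flags 'require login' and
'bypass posture assessment'. MACs, service labels and flags are constructed
for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Posture(Enum):
    UNKNOWN = "unknown"   # agent has not reported yet
    FAILED = "failed"     # checks ran, remediation still required
    PASSED = "passed"     # fully remediated


@dataclass(frozen=True)
class Client:
    mac: str
    authenticated: bool
    posture: Posture


@dataclass(frozen=True)
class FilterEntry:
    """One row of the device filter list (hypothetical flags from the thread)."""
    require_login: bool
    bypass_posture: bool


# Services an unauthenticated client may reach: only what login itself needs.
AUTH_ONLY: Set[str] = {"dns", "kerberos", "ldap"}
# Services an authenticated but unremediated client may reach: the above plus
# the remediation server. Profile shares are deliberately NOT on this list.
QUARANTINE: Set[str] = AUTH_ONLY | {"remediation-server"}

# Constructed sample filter list keyed by MAC (IANA documentation addresses).
FILTER_LIST: Dict[str, FilterEntry] = {
    # printer: no login, no posture check (classic MAC bypass)
    "00:00:5e:00:53:01": FilterEntry(require_login=False, bypass_posture=True),
    # lab appliance: must authenticate, but cannot run the agent
    "00:00:5e:00:53:02": FilterEntry(require_login=True, bypass_posture=True),
}


def decide(client: Client, service: str,
           filter_list: Dict[str, FilterEntry] = FILTER_LIST,
           permissive_profiles: bool = False) -> bool:
    """Return True if `client` may reach `service`.

    permissive_profiles=True reproduces the 'allow then deny' shortcut the
    thread complains about: unremediated clients get their profile shares.
    """
    entry: Optional[FilterEntry] = filter_list.get(client.mac.lower())
    require_login = entry.require_login if entry else True
    require_posture = (not entry.bypass_posture) if entry else True

    # Step 1: authenticate. Until then, nothing but what login needs.
    if require_login and not client.authenticated:
        return service in AUTH_ONLY
    # Step 2: remediate. Until posture passes, only the quarantine set.
    if require_posture and client.posture is not Posture.PASSED:
        if permissive_profiles and service == "profile-share":
            return True   # the hole: sensitive shares before remediation
        return service in QUARANTINE
    # Step 3: only then, allow.
    return True


def exposure_before_remediation(permissive: bool) -> Set[str]:
    """Which sample services a logged-in but unremediated laptop can reach."""
    laptop = Client("00:00:5e:00:53:99", authenticated=True, posture=Posture.FAILED)
    services = ["dns", "kerberos", "remediation-server", "profile-share", "file-server"]
    return {s for s in services if decide(laptop, s, permissive_profiles=permissive)}


if __name__ == "__main__":
    print("strict:    ", sorted(exposure_before_remediation(False)))
    print("permissive:", sorted(exposure_before_remediation(True)))
```

Running the module prints the difference the thread is about: under the strict ordering a logged-in, unremediated laptop sees only DNS, Kerberos and the remediation server, while the permissive variant adds the profile share. The filter-list branch shows how a "require login, bypass posture" entry fits the same evaluation without a special case: the device still goes through step 1 and simply skips step 2.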