No AV no Access

McBill
New here

Can I block all internet access to any and all clients behind my Meraki Firewall by automatically checking for AV software?  

2 Replies
BrechtSchamp
Kind of a big deal

There is an old feature in the splash pages. But I don't think you should use it as it's based on a Java applet which is older technology:

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Network_Access_Control_(NAC)

If you have it, Meraki Systems manager also has a security policy compliance check feature:

[Screenshot: 2019-05-04 19_15_37-Window.png]

I think you could also integrate with Cisco ISE for compliancy checks. But I'm not sure, I haven't tested this myself. It seems like it would be possible to check for compliancy when connecting to a WPA-Enterprise SSID. Maybe someone else will have more info on this. But here's a guide:

https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/361...

PhilipDAth
Kind of a big deal

I've actually played with this some time ago (maybe 2 years ago).

If you use Systems Manager on the machines you can create a security compliance policy that requires antivirus to be installed and running. This creates a dynamic tag, and you can dynamically assign a group policy based on whether antivirus is working or not. This compliance test is based on the result returned by the Windows Security centre.

https://documentation.meraki.com/SM/Tags_and_Policies/Security_Policies_in_Systems_Manager

I still have my test policy partially set up (screenshot below). I also had it test to make sure a firewall was running on the machine.

[Screenshot: 2.PNG]

All of this can be done without any additional servers or anything. The idea is great.

But there was a catch. A big catch. If a machine is non-compliant (say antivirus is not running) and then you fix that compliance issue, it can take many many many hours before the Systems Manager agent on the machine reports in that the machine is now compliant. The problem is - I can't leave now-compliant machines not attached to the network - I can't leave them in a state where the person can't work - especially when I can't even say how long. It could be 1 hour, it could be the next day.

I spoke to Cisco Meraki at the time, and said if they could communicate the compliance state each time the agent checks in, or whenever the Windows Security centre has a state change, I could sell a tonne of Systems Manager. I have customers that would use this feature because it is so simple to set up.

But nothing happened at the time.  I've had no further feedback.  And I haven't been back to see if this has been resolved.
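As an added example (not code from the thread or from Meraki), the following PowerShell reads the same source the compliance test above relies on, the Windows Security Center (the root/SecurityCenter2 WMI namespace), so an admin can see locally what state a machine is in while waiting for the agent to report it. The decoding of productState is the commonly observed encoding rather than a documented one, and the firewall check uses Get-NetFirewallProfile because the built-in Windows firewall is not reliably listed under FirewallProduct; both are assumptions.

```powershell
# Added example: show what Windows Security Center currently reports for
# antivirus products, plus whether any firewall profile is enabled.
# Assumption: productState is a 24-bit value whose middle byte (0x10/0x11) means
# real-time protection is on and whose low byte (0x00) means definitions are current.
# This layout is widely observed but not officially documented.

function Get-AntivirusStatus {
    # root/SecurityCenter2 is present on client editions of Windows; server
    # editions do not expose it, so -ErrorAction Stop surfaces that clearly.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
        ForEach-Object {
            $hex = '{0:x6}' -f [int]$_.productState
            [pscustomobject]@{
                Product   = $_.displayName
                Enabled   = ($hex.Substring(2, 2) -in @('10', '11'))   # assumption, see above
                UpToDate  = ($hex.Substring(4, 2) -eq '00')            # assumption, see above
                RawState  = "0x$hex"
                Timestamp = $_.timestamp
            }
        }
}

function Test-EndpointCompliant {
    # Mirrors the policy described in the thread: antivirus enabled and current,
    # and a host firewall running. Returns an object rather than printing, so it
    # can be reused from a scheduled task or a remote session.
    $av = @(Get-AntivirusStatus)
    $avOk = @($av | Where-Object { $_.Enabled -and $_.UpToDate }).Count -gt 0

    # Get-NetFirewallProfile is the supported cmdlet for the built-in firewall;
    # any enabled profile (Domain/Private/Public) counts as "firewall running".
    $fwOk = @(Get-NetFirewallProfile | Where-Object { $_.Enabled }).Count -gt 0

    [pscustomobject]@{
        AntivirusOk = $avOk
        FirewallOk  = $fwOk
        Compliant   = ($avOk -and $fwOk)
    }
}

Get-AntivirusStatus | Format-Table -AutoSize
Test-EndpointCompliant
```

Running this immediately after fixing an issue shows whether Security Center itself has registered the change; if it has but the dashboard tag has not, the delay is in agent reporting, which is the catch described above.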
