With OnGuard posture enforcement, we can do a whitelist on the Aruba WLAN controller for known update sites for required software and Windows updates. On the wired side (specifically Cisco), what are people using for an ACL to allow users to update their software? Right now my policy is that if Posture=anything but healthy, then push the OnGuard Cisco-AVPair url-redirect and url-redirect-acl to pop the captive portal to download the OnGuard agent.
Ultimately I'm thinking that if posture=quarantine, then dump the computer into some DMZ'd VLAN that only has internet access and port 6558/443 for talking to CPPM - but we can't display a captive portal page then explaining to the user why they are in that state.
I'd love to hear suggestions or how others are doing this.