topic Re: NEEDED : ISE 1.1.3 Posture configuration and Switch Config ( in Network Access Control

NEEDED : ISE 1.1.3 Posture configuration and Switch Config (ACL, dACL)

vrz rrr — Mon, 11 Mar 2019 03:16:06 GMT

hello,

could anyone please post screen capture of ISE posture configuration ( and remediation )

I need urgently a dACL and a redirection ACL that work at least in a mockup lab.

Authentification and authorizations policies not needed.

posture and remediation policies not needed.

The issue is about ACLs (I guess)

Also needed is a valid switch config file, with ACL (if necessary) a the DOT1x ethernet port.

My IOS is 122.55 SE or 52 SE

Thank you by advance.

Best regards.

NEEDED : ISE 1.1.3 Posture configuration and Switch Config (ACL,

vrz rrr — Thu, 04 Apr 2013 18:15:27 GMT

up up !

🙂

NEEDED : ISE 1.1.3 Posture configuration and Switch Config (ACL,

Venkatesh Attuluri — Fri, 05 Apr 2013 01:06:08 GMT

URL Redirect ACL on the access switch

access# conf taccess(config)# ip access-list extended ACL-POSTURE-REDIRECT

access(config-ext-nacl)# deny udp any any eq domain

access(config-ext-nacl)# deny udp any host <> eq 8905

access(config-ext-nacl)# deny udp any host <> eq 8906

access(config-ext-nacl)# deny tcp any host <> eq 8443

access(config-ext-nacl)# deny tcp any host <> eq 8905

access(config-ext-nacl)# deny tcp any host <> eq www

access(config-ext-nacl)# permit ip any any

access(config-ext-nacl

a dACL that restricts network access for endpoints that are not posture compliant.

Name

POSTURE_REMEDIATION

Description

Permit access to posture and remediation services and deny all other access. Permit general http and https for redirection only.

DACL Content

permit udp any any eq domain

permit icmp any any

permit tcp any host <> eq 8443

ermit tcp any any eq 80

permit tcp any any eq 443

permit tcp any host <> eq 8905

permit udp any host <> eq 8905

permit udp any host <>1 eq 8906

permit tcp any host <> eq 80

Re: NEEDED : ISE 1.1.3 Posture configuration and Switch Config (

vrz rrr — Fri, 05 Apr 2013 06:16:10 GMT

...

Re: NEEDED : ISE 1.1.3 Posture configuration and Switch Config (

vrz rrr — Fri, 05 Apr 2013 07:46:58 GMT

Hi Venkatesh,

Your the ultimate ISE Guru !!

You're right

Thanks a lot.

See screen captures and Sw config below

-----------------------------------------------------------------------

aaa new-model

aaa group server radius ISE

server 192.168.6.10 auth-port 1812 acct-port 1813

server 192.168.6.10 auth-port 1645 acct-port 1646

aaa authentication login default local

aaa authentication dot1x default group ISE

aaa authorization network default group ISE

aaa authorization network auth-list group ISE

aaa authorization auth-proxy default group radius

aaa accounting dot1x default start-stop group ISE

aaa server radius dynamic-author

client 192.168.6.10 server-key 123456789

ip dhcp snooping

ip device tracking

dot1x system-auth-control

dot1x critical eapol

interface FastEthernet1/0/1

switchport mode access

ip access-group ACL-ALLOW in

authentication port-control auto

authentication periodic

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

spanning-tree bpduguard enable

ip http server

ip http secure-server

ip access-list extended ACL-ALLOW

permit ip any any

ip access-list extended ACL-POSTURE-REDIRECT

deny udp any any eq domain

deny udp any host 192.168.6.10 eq 8905

deny udp any host 192.168.6.10 eq 8906

deny tcp any host 192.168.6.10 eq 8443

deny tcp any host 192.168.6.10 eq 8905

deny tcp any host 192.168.6.10 eq www

permit ip any any

snmp-server community snmp RO

snmp-server community RO RO

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps mac-notification change move threshold

snmp-server host 192.168.6.10 public

snmp-server host 192.168.6.10 version 2c snmp mac-notification

radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 5 tries 3

radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789

radius-server vsa send accounting

radius-server vsa send authentication