topic Re: Where does the NAC Agent tries to connect to in Network Access Control

Where does the NAC Agent tries to connect to

SHECHTER1 — Fri, 08 Jan 2016 04:58:35 GMT

Hello,

What URL does the NAC agent tries to connect to before it get redirected?

Thanks, Dan

Re: Where does the NAC Agent tries to connect to

Timothy Abbott — Mon, 11 Jan 2016 17:22:55 GMT

Hi Dan,

By default, the NAC agent requests the default gateway IP address. For example, http://192.168.1.1/auth/discovery. The network access device then redirects this request one of the ISE PSN nodes.

Regards,

Tim

Re: Where does the NAC Agent tries to connect to

SHECHTER1 — Mon, 11 Jan 2016 17:32:41 GMT

Thanks Tim,

Can it be changed?

Re: Where does the NAC Agent tries to connect to

Timothy Abbott — Mon, 11 Jan 2016 17:35:45 GMT

No problem, Dan. I don't believe the default behavior can be changed as that is hard coded but you can specify which PSN you want it to connect to via the discovery host attribute in the client provisioning profile.

Regards,

Tim

Re: Where does the NAC Agent tries to connect to

SHECHTER1 — Mon, 11 Jan 2016 17:42:46 GMT

If I'll "hard code" the PSN in the client profile, when would the agent try to connect to the PSN? Would the agent wait for redirection? Or any other trigger to cause the agent to contact the PSN?

Re: Where does the NAC Agent tries to connect to

Timothy Abbott — Mon, 11 Jan 2016 17:52:31 GMT

Dan,

I'm pretty sure that if you set a discovery host, the NAC agent will attempt to connect to it once it detects network access. Here is the NAC agent discovery sequence to ISE:

1. http discovery probe on port 80 to default gateway if no discovery host

2. http discovery probe on port 80 to discovery host, if configured (via HTTP Redirect)

3. https discovery probe on port 8905 to discovery host, if configured

4. http discovery probe on port 80 to default gateway (via HTTP Redirect)

5. https reconnect probe on port 8905 to previously contacted ISE Policy Services node

6. GoTo 1

Regards,

Tim

Re: Where does the NAC Agent tries to connect to

SHECHTER1 — Wed, 13 Jan 2016 17:44:25 GMT

What is a "discovery host"? Is that a PSN?

Re: Where does the NAC Agent tries to connect to

Timothy Abbott — Wed, 13 Jan 2016 17:47:47 GMT

Yes, a PSN.

Regards,

Tim

Re: Where does the NAC Agent tries to connect to

hslai — Wed, 13 Jan 2016 17:52:31 GMT

Actually, it needs not be a PSN. I usually recommend one other than PSN but it depends on the web redirect ACL.

A Discovery Host is a DNS-resoluable FQDN or IP address by the client machine and by accessing it at HTTP port 80 will trigger web redirects to ISE PSN client provisioning portal along with a session ID from the network access device.

Re: Where does the NAC Agent tries to connect to

SHECHTER1 — Thu, 28 Jan 2016 15:48:33 GMT

Something still bothers me...

How would the client get to the default gateway if the posture dACL denies access to anything other than DCHP/DNS/ISE and/or maybe non-RFC1918 addresses?

Re: Where does the NAC Agent tries to connect to

Cory Peterson — Thu, 28 Jan 2016 19:31:52 GMT

It does not actually need access to the Default Gateway, it is just sending a request out that is intercepted by the Switch/Controller that is then redirected using a redirect URL to the PSN (or other specified Discovery host).

Think Guest portal redirect, it may not have access to the website but it is still redirected to the portal.

Re: Where does the NAC Agent tries to connect to

SHECHTER1 — Thu, 28 Jan 2016 20:02:37 GMT

What would be the destination IP address of the first HTTP(S) packet that the posture client sends?

EDIT: Maybe I should have also asked this: What is the order of operation on incoming packet to the switch? dACL -> WEB_redirec_ACL or is it WEB_Redirect_acl and only if its a deny, then dACL?

Re: Where does the NAC Agent tries to connect to

hslai — Sat, 30 Jan 2016 01:16:16 GMT

NAC agent or ISE posture module in AnyConnect will try a couple of different targets (DiscoveryHost, default gateway, previously connected ISE policy service nodes, and (AnyConnect only) enroll.cisco.com) to try discovering the current ISE policy service node that authenticating the client. The first one is likely the DiscoveryHost, but AnyConnect ISE posture does parallel probing.

The redirect ACL takes precedence over the DACL (per-user/-session), that over the port ACL configured in "ip access-group <ACL-name> in" per interface. Please note that "redirect ACL" works differently, so that a permit entry will trigger potentially trigger redirect while a deny entry will allow the traffic through.

Re: Where does the NAC Agent tries to connect to

SHECHTER1 — Sat, 30 Jan 2016 01:19:57 GMT

So if redirect is happening then the dACL is ignored?

Re: Where does the NAC Agent tries to connect to

hslai — Sat, 30 Jan 2016 01:33:08 GMT

Not exactly. I use an example below to explain this.

We use a redirect ACL to redirect certain connections. A sample redirect ACL from our ISE compliant training lab is as below:

ip access-list extended ISE-URL-REDIRECT

deny tcp any host 10.1.129.8 eq www

permit tcp any any eq www

where 10.1.129.8 is a web server to provide AUP and other packages used for remediation.

Then, what not being redirected (e.g. all non-TCP-80) will subject to DACL, so we may have a DACL like this:

permit udp any eq bootpc any eq bootps

permit udp any any eq domain

permit icmp any any

permit tcp any host 10.1.100.21 eq 8443

permit tcp any host 10.1.100.21 eq 8905

permit udp any host 10.1.100.21 eq 8905

permit tcp any host 10.1.129.8 eq 80

where 10.1.100.21 is the ISE PSN.

Since this sample DACL does not end with "deny ip any any" so what permitted in the interface port ACL will allow through.

Re: Where does the NAC Agent tries to connect to

Cory Peterson — Sat, 30 Jan 2016 01:39:38 GMT

The dACL is not ignored it is processed after the Redirect takes place. You need to be sure to allow access to the ISE nodes that are used for posture as well as any remediation servers that will be needed when posture is failed.

When building the policy I have found it best to use two rules around posturing.

One that is basically a remediation rule the client is put in while the posture status is NOT EQUAL TO compliant, this rule pushes down the dACL that permits access to ISE and any remediation.

Then a second rule that is used when the client is EQUAL TO compliant, this rule will push down a permit ip any any or what ever access policy is set for the user.

The reason for the not equal to rule is that while a client is running the posture client they are usually in an "unknown" status and this catches anything but a compliant PC.

The ACLs hslai posted are almost identical to my base ACLs I use when starting a new ISE build.

Re: Where does the NAC Agent tries to connect to

SHECHTER1 — Sat, 30 Jan 2016 01:57:14 GMT

Are you sure about dACL has no implicit deny?!?!

I just tested it, without posture, and dACL has implicit deny. In the dACL I allowed access to only one host and any other host was denied.

So back to my original question: Assuming your dACL and redirect ACL are in place and assuming there is explicit deny, what would a fresh install of NAC agent will send over the wire?

Re: Where does the NAC Agent tries to connect to

hslai — Mon, 01 Feb 2016 00:49:01 GMT

The overall ACL applied to a Cisco IOS interface has an implicit deny. That is likely what you are seeing.

In Re: Where does the NAC Agent tries to connect to mentioned /auth/discovery. Essentially, each potential targets are tested with that.

If you are still using NAC agent with ISE, please consider migrating to AnyConnect ISE posture. See End-of-Sale and End-of-Life Announcement for the Cisco NAC Agent Software - Cisco

Re: Where does the NAC Agent tries to connect to

SHECHTER1 — Mon, 01 Feb 2016 05:15:23 GMT

Thank you all for your answers.

At the end, it looks like the only way for a fresh install of AnyConnect (where ISE addresses are not known yet) to be redirected with the above dACL, is to try and access enroll.cisco.com. Otherwise, the above dACL will block any other access

I wonder what HTTP GET to default-gateway:80 is there for? Who would allow this on their dACL?

Re: Where does the NAC Agent tries to connect to

hslai — Mon, 01 Feb 2016 07:08:38 GMT

HTTP (80/TCP) GET to default-gateway is permitted in the redirect ACL so it triggers redirect to ISE client provisioning portal and the agent extracts the host info and deduces the policy service node. Thus, it does not need allowed in DACL.

If you meant downloading the AnyConnect binary from Cisco and directly installing it to a client OS, by a fresh install, then we may pre-create a profile for AnyConnect ISE posture module to include DiscoveryHost.

See Locations to Pre-Deploy the AnyConnect Profiles http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect42/b_AnyConnect_Administrator_Guide_4-2/deploy-anyconnect.html#ID-1425-0000015f

and ISE Posture Profile Editor http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect42/b_AnyConnect_Administrator_Guide_4-2/configure-posture.html#reference_288A1C28DF1549DB9CB171E085944379 !