topic Re: Need help on NAC for VPN in Network Access Control

Need help on NAC for VPN

User_80617 — Fri, 19 Mar 2021 12:58:38 GMT

Hello Guys, Need you help. This will be a long post and i need help in deployment of NAC for vpn users.

Requirement is user shall connect to vpn post some checks that defined on Cisco ISE.

1. What config needed on Cisco ASA

2. What config needed on Cisco ISE

3. Any config related to hostscan, posturing needs to be on Cisco asa?

Need suggesting on parameters to test and things to ensure before rolling out in production.

Re: Need help on NAC for VPN

Rob Ingram — Fri, 19 Mar 2021 13:07:37 GMT

@User_80617

Here is the official Cisco ASA RAVPN and ISE Posture guide, this covers the ASA and ISE config.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

You don't need to use Hostscan if you are doing posture on ISE.

Re: Need help on NAC for VPN

balaji.bandi — Fri, 19 Mar 2021 13:08:48 GMT

This not just few steps, this required some kind of integration expert to imlement things in step by step approach - no from day 0.

you need put some time and understand how these each components works,

https://community.cisco.com/t5/security-documents/nac/ta-p/3114257

here is some resource to start with :

ISE Community Resources

http://cs.co/ise-resources

YouTube Channel: http://cs.co/ise-videos

Integration Guides: http://cs.co/ise-guides

Re: Need help on NAC for VPN

Mike.Cifelli — Fri, 19 Mar 2021 13:14:00 GMT

Also, take a peek at https://labminutes.com/video/sec

Good free tutorials there. HTH!

Re: Need help on NAC for VPN

User_80617 — Mon, 22 Mar 2021 05:19:33 GMT

Hi.. Thanks for revert. But, this didn't work.

Compliance module says no policy server detected and user gets access even after required components missing on his endpoint.

Re: Need help on NAC for VPN

Marcelo Morais — Mon, 22 Mar 2021 10:53:57 GMT

Hi @User_80617

at Operations > RADIUS > Live Logs, check the Authorization Policy of this particular Identity (user).

Use this information and double check at Policy > Policy Set if it should be the correct Authorization Policy.

Hope this helps !!!

Re: Need help on NAC for VPN

Mike.Cifelli — Mon, 22 Mar 2021 12:31:18 GMT

Compliance module says no policy server detected and user gets access even after required components missing on his endpoint.

-This is typically because your module is missing the respective posture profile xml files. The URL redirect should point a new/unprovisioned client to your portal in which ISE will then push down your configured profiles/modules/etc. Another option you could test is manually adding the profiles to your test client. I suspect this may be a missing piece as well as how you have your client provisioning portal setup. That guide shared definitely covers the necessary steps involved. However, its screenshots/demos are from a very old version of ISE. I would suggest taking a look at some lab tutorials from links already shared in this post as well as having a look here: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

Re: Need help on NAC for VPN

User_80617 — Fri, 09 Apr 2021 12:35:01 GMT

Hi,

below were the live logs output

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP - Network Access.NetworkDeviceName

24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory

15036 Evaluating Authorization Policy

24209 Looking up Endpoint in Internal Endpoints IDStore - xxxxx

24211 Found Endpoint in Internal Endpoints IDStore

15048 Queried PIP - Session.PostureStatus

15016 Selected Authorization Profile ASA-Posture

22081 Max sessions policy passed

22080 New accounting session created in Session cache

11002 Returned RADIUS Access-Accept

Authorization Policy Posture_Policy >> Posture_Unknown

Authorization Result ASA-redirect

ASA_redirect should direct user to ise but compliance is failing. Even posture unknow status shall get access rejected (Access Type = ACCESS_REJECT) but user can successfully connect to vpn.

What could be wrong. Followed the cisco config document as it is.

Re: Need help on NAC for VPN

Marcelo Morais — Fri, 09 Apr 2021 19:49:11 GMT

Hi @User_80617

at Policy > Policy Elements > Results > Authorization > Authorization Profiles > select the Authorization Profile that you use in your "Unknown Policy Set" and at Common Task, double check your Web Redirection configuration.

Double check if the name of the ACL (located on the Web Redirection configuration) must exist on your ASA.

Hope this helps !!!

Re: Need help on NAC for VPN

User_80617 — Fri, 30 Apr 2021 09:24:08 GMT

Hi,

The posturing now works ok. but i have 2 queries.

1. It works only when the ise -posture/compliance module is installed on the system. In case when connected from a system having only anyconnect client, vpn gets connected.

2. What should be settings on cisco ise, if i want to apply the posturing, client provisioning only for a certain vpn profile on a perticular asa (there might be many other profiles coming to ise for authentication)

Need some help on this.

Re: Need help on NAC for VPN

Marcelo Morais — Fri, 30 Apr 2021 18:59:22 GMT

Hi @User_80617 ,

you are able to use the Conditions:

Cisco-VPN3000-CVPN3000/ASA/PIX7x-Tunnel-Group-Name equals <Tunnel Group>

or/and

DEVICE.Location equals All Locations#<Location>

Note: remember to add your ASA to the <Location> at Administration > Network Resources > Network Devices.

Hope this helps !!!