Cisco ISE 1.1.1 with Windows Posturing

Pranav Gade

Hi,

We have tried to configure Windows posturing. Here is the scenario:

We have five ISE 3315 boxes running version 1.1.1; of them, 2 are Admin, 2 are PSNs and 1 is MnT.

We also have a local Symantec server as well as a WSUS server.

We need to do posturing for Windows, and I have some queries:

1) Is there any integration of a local WSUS server with Cisco ISE, where Cisco ISE can automatically take all required updates from WSUS according to the criticality set on the WSUS server?

2) What is the best practice for configuring a Windows posture policy in Cisco ISE? If we manually configure the Windows posture policy using particular KBs, and a new update becomes available from Microsoft, will we be able to configure the policy for the new update?

3) We have configured dot1x authentication in Cisco ISE as well as on the switch port. Once a user connects to the dot1x port of the switch, it prompts for a dot1x username and password and, according to the authorization policy, assigns a suitable dynamic VLAN.

But how can we restrict machines that are not company assets, even if the user knows an employee username and password? In short, how can we restrict a user who brings a machine that is not a company asset?

4) Can we configure the posture policy for antivirus in normal mode and simultaneously put Windows posturing in monitoring mode, which only monitors the posture policy and reflects it in the monitoring log without restricting the network for Windows posturing?

It would be great if anyone could help me resolve the above issues.

Thanks

Pranav



dirkmelvin

I can't believe you haven't had an answer to this query.

I too am trying to get the ISE deployment to posture, but I am doing it for only VPN users at this time.

We have the VM ISE for the management, but we have to have the physical ISE for Inline-Posture from the ASA for our VPN users.

So far we are doing great with it detecting whether there is an approved AV installed, up to date and running (not sure about the forced remediation if it isn't already up to date), but we are trying to get the WSUS posturing going. At this time we have tested with a specific Critical update: ISE detects that it isn't installed, but doesn't allow the auto remediation to take effect. It automatically pulls up a web page (supposed to be the URL for the internal WSUS server), but the web page is the redirect to install the NAC agent.

Would like to get ISE to somehow talk to our WSUS server to discover only the APPROVED updates and to posture based on that, without having to specify a specific random update every month manually within the ISE policies.

I have a TAC case opened, but haven't had response yet. It has been almost 24 hours.

Thanks,

Dirk

Hi Dirk,

Any luck with your TAC case? I'm stuck in the same scenario.

Regards

Ali Imran

No real progress.

TAC has been referred to BU for the 2nd or 3rd time now.

This is what I am seeing at the moment.

On the WSUS_Remediation setup if I have:

Validate Windows updates using

Set to SEVERITY level, when the VPN connects, NAC agent gives a WSUS SEARCH failed error and we never get compliant.

If I have it set to CISCO RULES but have the POSTURE POLICY pointed to the pr_WSUSRule; NAC agent gives the all green COMPLIANT even though I have missing WSUS updates and it doesn't kick off the WindowsClientUpdate process on the VPN connected device.

If I have it set to CISCO RULES but leave the POSTURE POLICY pointed to pr_Win7_64_Hotfixes;

NAC agent gives the all green COMPLIANT even though I have missing WSUS updates and it doesn't kick off the WindowsClientUpdate process on the VPN connected device.

The good news is that after speaking with MS support we did find a way to get the updates to INSTALL immediately and automatically.

Quote from email:

"One of the developers on the WSUS role has mentioned that if we have the Allow Automatic Updates immediate installation (this is the group policy that specifies installing if it does not interrupt Windows services or reboot the machine) in place, we can set a deadline way back in the past and this will force the updates to install and then reboot if it is an update that requires rebooting.

In essence, it will override the GPO. On average it tries to reboot the machine around 2 minutes or so after the update has been installed."

So I have a feeling once we get the "WSUS Search failed" error figured out/fixed the updates will download as needed from our internal WSUS server, and the WSUS settings will force any of our approved updates to install on the VPN connected device, and prompt for reboot as required.

Still working on the TAC case about this, and will try to keep this post updated.

Thanks,

Dirk

I think I may have just made a HUGE breakthrough. It appears as though the original DACL had incorrectly blocked all port 80 traffic at the very beginning of the list, and this is what was blocking access to WSUS.

Once I moved that entry to the bottom of the list it all started talking.

Am testing scenarios now.
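An illustration of the ordering problem described above, added here as an example and not taken from the original post. ISE dACLs are evaluated top-down, first match wins, so a broad deny placed before the specific permits silently shadows them. The WSUS and ISE PSN addresses and the port numbers (80 for a WSUS instance on the default IIS site; newer WSUS installs default to 8530/8531) are assumptions for the sake of the example:

```text
! Pre-posture dACL as originally ordered (hypothetical reconstruction):
deny   tcp any any eq 80                 ! matched first: WSUS on port 80 never reaches the permit below
permit udp any any eq 53                 ! DNS
permit tcp any host 10.0.0.10 eq 8443    ! ISE PSN: NAC agent discovery / posture (assumed address)
permit tcp any host 10.0.0.20 eq 80      ! WSUS server (assumed address) - dead entry, shadowed by line 1
deny   ip  any any

! Corrected ordering: specific permits first, the catch-all deny last
permit udp any any eq 53
permit tcp any host 10.0.0.10 eq 8443
permit tcp any host 10.0.0.20 eq 80
permit tcp any host 10.0.0.20 eq 8530    ! only needed if WSUS listens on its non-default 8530 port
deny   tcp any any eq 80                 ! still blocks general web browsing until the endpoint is compliant
deny   ip  any any
```

A quick check after changing a dACL: re-authenticate the session and confirm the new ACL name and contents in the live session view on ISE (or on the IPN/ASA for VPN users), then watch WindowsUpdate.log on the endpoint for a successful connection to the WSUS URL rather than a WARNING about the search failing.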

Ok, so we definitely have the WSUS updates working through the VPN connection with AnyConnect and NAC/ISE.

Once the VPN is connected the NAC agent pops up and says "Your Windows patches are not up to date."

And proceeds to kick off the WUAUCLT /DETECTNOW operation.

Since we have the SHOW GUI option set, we see the window pop up showing the download operation of the different required Windows updates. Now, in line with what our MS support person detailed above, it only installs the specific updates that we have given a deadline in the past. However, I also have the "Windows Update Setting" in our "Windows Update Remediation" "Remediation Action" set to "Automatically download and install", but I don't have the checkbox for "Override User's Windows Update setting with administrator's" enabled.

Ok, so regarding the automated updates in a Remote Access VPN everything works fine, but only because the VPN user is administrator on the PC it uses.

What about a corporate user from an Active Directory deployment? He's only a restricted user, that has no rights to modify the OS. Will automatic updates work?

Has anybody managed to create a list of automatic remediation actions that can be applied to a corporate network, meaning restricted users?

For Windows Updates(Win7+), there is an option (checkbox) that says ALLOW ANY USER TO INSTALL UPDATES. I would make sure that is correct for your installs.

Ok, did that for Windows7.

I uninstalled a lot of windows updates, configured a posture requirement for Cisco predefined rules of Win7 hotfixes, configured an automatic remediation action of using WSUS (managed server checkbox) and guess what?

Every PC is windows update compliant.

The conclusion I came to (according to the local Windows Update logs) is that WSUS is telling the client that it has no updates to offer, as if the client already has all the updates needed, so this is an up-to-date OS.

Any thoughts? Are there any special settings that need to be made on WSUS so that clients receive a list with updates needed to be downloaded?

I noticed that if I use the online/official WindowsUpdate service, the client will get the full list of missing updates.

Furthermore, I haven't found an explanation of what the pr_WSUS rule does, given the fact that I'm not able to find it in the posture conditions.

You are looking at two different settings.

There is the CISCO PREDEFINED rule which requires the pr_WSUS....but this is ONLY updates that CISCO defines as required. This makes no reference to your or to MS update servers. In the ISE documentation where it discusses Windows Updates there is a specific note that discusses REQUIRING pr_WSUS for the Cisco Defined updates.

But if you use SEVERITY LEVEL this polls your server or the MS server (depending on your client registry settings) and then depending on "Windows Updates Severity Level" that you select (Critical, Express, Medium, All) will determine which updates are deemed required.


So based on this, it isn't really the WSUS server saying there are no updates, but it might just be that the required updates defined in the CISCO RULES are all installed.
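The two questions in play above (is the client actually pointed at the internal WSUS server, and is WSUS offering fewer updates than Microsoft online would) can be answered directly on the endpoint. The following PowerShell diagnostic is an added example, not part of the original thread and not Cisco or Microsoft tooling; it reads the same Windows Update Agent policy keys and COM API the NAC agent's WSUS remediation relies on, and lists missing updates with the MSRC severity that the ISE severity-level check keys on. The mapping of ISE "Express" to Critical plus Important follows the accepted answer in this thread.

```powershell
# Added diagnostic (example, not from the thread). Run in an elevated PowerShell
# on the endpoint. Shows which update server the client uses and what each source
# reports as missing, so "WSUS has nothing approved" can be told apart from
# "the machine really is fully patched".

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
$useWsus  = (Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue).UseWUServer
Write-Host "WUServer    : $wuServer"
Write-Host "UseWUServer : $useWsus   (1 = client queries the WSUS server above, not Microsoft)"

function Get-MissingUpdates {
    param(
        # IUpdateSearcher.ServerSelection: 1 = ssManagedServer (configured WSUS),
        #                                  2 = ssWindowsUpdate  (Microsoft online catalog)
        [ValidateSet(1, 2)] [int] $ServerSelection
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = $ServerSelection
    # Same criteria the agent uses for "software updates not yet installed"
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            # MsrcSeverity is Critical / Important / Moderate / Low, or empty for
            # non-security updates. ISE "Express" = Critical + Important (per the thread).
            Severity = $(if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '(none)' })
            Title    = $u.Title
        }
    }
}

$fromWsus   = @(Get-MissingUpdates -ServerSelection 1)
$fromOnline = @(Get-MissingUpdates -ServerSelection 2)   # needs Internet access

"`n== Missing according to WSUS ({0}) ==" -f $fromWsus.Count
$fromWsus | Sort-Object Severity | Format-Table KB, Severity, Title -AutoSize

"`n== Missing according to Microsoft online ({0}) ==" -f $fromOnline.Count
$fromOnline | Sort-Object Severity | Format-Table KB, Severity, Title -AutoSize

# Updates Microsoft offers but WSUS does not: not approved (or not synced) for this
# client's WSUS target group. These are the ones the NAC agent will never see, which
# is why the endpoint can be reported COMPLIANT while still missing patches.
$wsusKbs    = @($fromWsus | ForEach-Object { $_.KB })
$onlyOnline = @($fromOnline | Where-Object { $wsusKbs -notcontains $_.KB })
"`n== Offered online but not by WSUS ({0}) ==" -f $onlyOnline.Count
$onlyOnline | Format-Table KB, Severity, Title -AutoSize
```

If the last table is populated with Critical or Important entries while the first is empty, the gap is on the WSUS approval side, not in ISE: the severity-level check can only require what the configured update server is willing to offer the client's target group.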


There is the CISCO PREDEFINED rule which requires the pr_WSUS....but this is ONLY updates that CISCO defines as required.

You got it wrong. In the documentation it is stated that if you need to validate Windows updates using severity level (and not Cisco pr conditions), you need the pr_WSUS condition. You don't need the pr_WSUS condition for validating updates against Cisco predefined conditions. This was my misunderstanding.

I didn't understand why I'm able to configure a Windows update remediation using severity level for a condition that is using Cisco predefined rules. And here comes the user guide:

Furthermore regarding the use cases of cisco rules vs severity level as remediation:

In a nutshell, the posture rules for windows updates would be:

1. condition - Cisco predefined rules (Win OS hotfixes) / remediation - WSUS remediation with the Cisco rules checkbox, using either Microsoft Update or a local WSUS.

2. condition - pr_WSUS / remediation - WSUS remediation with the severity level checkbox, using either Microsoft Update or a local WSUS.

Still I haven't figured out how to force local WSUS to send me updates when I don't have them. Can you please explain the WSUS settings that were done regarding that time limit/install time set on updates?

The following is located under POLICY -> POLICY ELEMENTS -> POSTURE -> REQUIREMENTS

The following is located under POLICY -> POLICY ELEMENTS -> POSTURE -> REMEDIATION ACTIONS -> WINDOWS SERVER UPDATE SERVICES REMEDIATION

The following is under POLICY -> POSTURE

These settings work ALMOST flawlessly for me in forcing any updates that we have approved on our WSUS server to our workstations group (which all of our laptops are members of) that meet the EXPRESS severity level criteria (Critical and Important). Now, what I have discovered in the last few days is that MS seems somewhat random in their identification of what severity level they assign to their updates. For example, I would think that an OS service pack would be considered IMPORTANT if not CRITICAL; however, look at this from the WSUS server's identification of the Windows 7 Service Pack 1:

So, for those updates that you removed, I would go through your WSUS server and identify how they are classified by severity, and then, depending on your needs, adjust the ISE settings accordingly to make sure you are getting the updates that you are expecting.

Hope this helps everyone out there that has similar issues.

Thanks,

Dirk

Precisely! This was my problem: the difference between those two conditions and remediation actions.

Regarding the functionality of the WSUS server and the tests that I did, I've recently discovered that my customer hasn't approved any Windows updates for a very long time, given the business requirement not to interrupt (restart) any employee PC...

Anyway, if I remember well, I read in some Cisco docs that the Win OS (it didn't specify Win7, WinXP, etc.) can install the updates if the 'show GUI' option is not checked, so that it won't require user intervention...

I'll test it out and return with feedback regarding a restricted WinXP user.
