Cisco ISE 2.4 and NAC Agent

startx001
Level 1

Hi, 

I need help configuring ISE 2.4 so that posture works without an ACL redirect.

In all the examples there is an ACL that is used to redirect the browser to ISE, where the NAC agent is downloaded and posture is performed.

 

What if I don't want to do a redirect? I installed NAC Agent v4.9.5.10 on my test PC and need to make posture work, but it does not work.

Is there any guide for installing the NAC agent without redirection, and how do I need to configure it then?

I'm using 802.1X on my Wi-Fi. Authentication with my PKI is working, but I want to use posture without redirection and to change the VLAN for the endpoint.

If the endpoint is Non-Compliant, one VLAN; if Compliant, change the VLAN (I have already done this in the authorization policy), but posture doesn't work.

Do I first need to grant access to the network with one rule, and then do the compliance check with a second rule?

 

KR
VZ

 

 

Accepted Solution

I figured that was the reason you didn't want to do the redirect.  One of the biggest misunderstandings I see with posturing is what the purpose of the redirect is.  If you aren't using the client provisioning portal to install the posture module (you almost never should), then your redirect should only be redirecting the posture discovery traffic.

 

The posture module makes two main web calls when doing posture discovery: port 80 to the client's default gateway and port 80 to enroll.cisco.com.  So on your wired switches you use this as your posture discovery ACL:

 

ip access-list extended POSTURE-DISCOVERY
 remark permit = redirected to ISE; only the discovery probes, never normal browsing
 remark any 10.x.x.1 default gateway on port 80 (non-contiguous wildcard mask)
 permit tcp any 10.0.0.1 0.255.255.0 eq 80
 remark enroll.cisco.com discovery host on port 80
 permit tcp any host 72.163.1.80 eq 80
 deny ip any any

 

This only redirects the discovery traffic and won't touch real client web traffic.  This assumes your network is a 10.x.x.x network with gateways ending in .1.  Wireless doesn't support non-standard masks so you would have to specify the default gateway in the ACL or just use the enroll.cisco.com IP.

 

The unknown state is the default state a user is in when posture hasn't been received.

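The ACL above does its work through the IOS wildcard mask: in `10.0.0.1 0.255.255.0` the set bits are "don't care", so the entry matches any 10.x.y.1 gateway, and `permit` in a redirect ACL means "intercept and send to the PSN" rather than "allow". The following Python model is an added example, not code from the thread or from Cisco; it parses the posted ACL, evaluates it with first-match semantics against a few constructed flows (the 10.20.30.x gateway and client addresses and the 198.51.100.10 web server are assumptions; 72.163.1.80 is the enroll.cisco.com address as posted), and emits the host-per-gateway form you would need where a non-contiguous mask is not accepted, as on the WLC.

```python
# Added example, not from the original thread: offline evaluation of the
# POSTURE-DISCOVERY redirect ACL from the accepted answer.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" = redirected to ISE, "deny" = left alone
    proto: str               # "tcp", "udp" or "ip"
    dst_base: int            # destination address (0 for "any")
    dst_wildcard: int        # IOS wildcard: 1 bits are "don't care"
    dst_port: Optional[int]  # None when the ACE has no "eq <port>"


def parse_ace(line: str) -> Ace:
    """Parse one IOS extended ACE of the shape used in the thread:
    <permit|deny> <proto> any <any | host A | A WILDCARD> [eq PORT]."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if tok[2] != "any":
        raise ValueError("this example only handles an 'any' source")
    i = 3
    if tok[i] == "any":
        base, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tok[i] == "host":
        base, wild, i = _ip(tok[i + 1]), 0, i + 2
    else:
        base, wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
    port = None
    if i < len(tok):
        if tok[i] != "eq":
            raise ValueError(f"unsupported operator {tok[i]!r}")
        port = int(tok[i + 1])
    return Ace(action, proto, base, wild, port)


def parse_acl(text: str) -> List[Ace]:
    """Skip the 'ip access-list' header and remark lines, parse the rest."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark")):
            continue
        aces.append(parse_ace(line))
    return aces


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """IOS semantics: bits set in the wildcard are ignored, so 0.255.255.0
    on 10.0.0.1 matches every 10.x.y.1 (non-contiguous masks are legal)."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr ^ base) & care == 0


def is_redirected(acl: List[Ace], proto: str, dst: str, port: int) -> bool:
    """First matching ACE wins. A 'permit' hit means the flow is intercepted
    and sent to the ISE PSN; a 'deny' hit or no hit means it flows normally."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(_ip(dst), ace.dst_base, ace.dst_wildcard):
            continue
        if ace.dst_port is not None and ace.dst_port != port:
            continue
        return ace.action == "permit"
    return False  # implicit deny: not redirected


def host_form_acl(gateways: List[str], enroll_ip: str) -> str:
    """Same policy without the non-contiguous wildcard: one host entry per
    default gateway. Written in IOS syntax for readability; on a WLC the
    rules are entered through its own ACL editor (assumption: same logic)."""
    lines = [f"permit tcp any host {gw} eq 80" for gw in gateways]
    lines.append(f"permit tcp any host {enroll_ip} eq 80")
    lines.append("deny ip any any")
    return "\n".join(lines)


# The ACL exactly as posted in the accepted answer.
POSTURE_DISCOVERY = """
ip access-list extended POSTURE-DISCOVERY
 permit tcp any 10.0.0.1 0.255.255.0 eq 80
 permit tcp any host 72.163.1.80 eq 80
 deny ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(POSTURE_DISCOVERY)
    # Constructed sample flows: the two discovery probes, then ordinary
    # traffic that must pass untouched (assumed addresses).
    samples = [("tcp", "10.20.30.1", 80), ("tcp", "72.163.1.80", 80),
               ("tcp", "10.20.30.50", 80), ("tcp", "72.163.1.80", 443),
               ("tcp", "198.51.100.10", 80), ("udp", "10.20.30.1", 53)]
    for proto, dst, port in samples:
        verdict = "REDIRECT" if is_redirected(acl, proto, dst, port) else "pass"
        print(f"{proto} -> {dst}:{port}: {verdict}")
    print(host_form_acl(["10.20.30.1", "10.20.40.1"], "72.163.1.80"))
```

Running it shows only the two probes (gateway :80 and 72.163.1.80:80) being redirected; a client's web server on 10.20.30.50, HTTPS to the same Cisco host, and DNS to the gateway all fall through to `deny ip any any` and are left alone, which is the property the answer relies on to keep users from ever seeing the portal.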

5 Replies

paul
Level 10

Check this link out:

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

 

You would need to install the Posture Module with an XML configuration file that has a Call Home list containing the PSN FQDNs.

 

You need to allow the device onto the network in the posture Unknown state.

Also are you not doing redirects because the network devices are non-Cisco?

Hi ,

 

Thanks for this, it helps me a lot, but where do I allow the device onto the network in the posture Unknown state?

 

KR
VZ

 
 

Hi, 

No, all network devices are Cisco; wireless is WLC 5520, switches are 2960X. But the reason I don't want to redirect is that users would complain about what to do when they open the browser and see new steps, so I want to avoid that.

How do I install / configure that XML file?
