Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2072
Views
0
Helpful
4
Replies

ISE 2.7 AnyConnect Posture Exception for Linux

Go to solution
Bernd Nies
Level 1
Level 1

‎10-27-2021 05:59 AM

Hello,

 

We're running ISE 2.7 and want to implement posture compliance checking. Most of our users are running Windows and MacOS which is supported for posture. However, some have to use Linux for development reasons and I am trying to make an exception for Linux so that access is granted, although posture can't run. I wonder how this works. Could not find any example. I tried so far the following conditions in the local exceptions:

 

EndPoints·OperatingSystem Matches [Ll]inux

Session·Device-OS Equals Other

Session·Device-OS Equals Unknown

Cisco·cisco-av-pair Matches device-platform *= *linux

Cisco·cisco-av-pair Matches profile-name *= *Linux-Workstation

 

But with no luck. The Linux notebook ends up in unknown state. On the ISE the endpoints profile is Linux-Workstation and it detects the following attributes:

 

ac-user-agentAnyConnect Linux_64 4.10.03104
device-platformlinux-64
device-platform-versionRed Hat Enterprise Linux 8.4 (Ootpa)

 

The ASA gets the following information from the client:

 

Client OS : Linux_64
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Linux 4.10.03104

So how can one match on that in the authorization policy on ISE?

 

Thanks in advance,

Bernd

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Bernd Nies

‎10-27-2021 11:02 PM

Ah.. apologies, I didn't quite understand what you were trying to do.

If the Endpoint Profile is being detected as 'Linux-Workstation' you should be able to create a Logical Profile that uses that Endpoint Profiling Policy and use that as a matching condition in an AuthZ Policy above the ones with your Posture states.

Example:

Screen Shot 2021-10-28 at 5.02.08 pm.png

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎10-27-2021 02:41 PM

Posture support for Linux has only recently been added in ISE version 3.1. This feature is not available in prior ISE versions.

See the Release Notes for versions of Linux and Posture features supported.

0 Helpful

Go to solution
Bernd Nies
Level 1
Level 1
In response to Greg Gibbs

‎10-27-2021 08:09 PM - edited ‎10-27-2021 08:12 PM

I know. Thats why I want to make an authorization exception to bypass posture. Authentication works and ISE 2.7 also detects that endpoint is Linux. 

Don‘t want to update to ISE 3.1 yet. There is no patch out yet and the new UI is buggy and the web designer probably had a super large screen. 

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Bernd Nies

‎10-27-2021 11:02 PM

Ah.. apologies, I didn't quite understand what you were trying to do.

If the Endpoint Profile is being detected as 'Linux-Workstation' you should be able to create a Logical Profile that uses that Endpoint Profiling Policy and use that as a matching condition in an AuthZ Policy above the ones with your Posture states.

Example:

Screen Shot 2021-10-28 at 5.02.08 pm.png

0 Helpful

Go to solution
Bernd Nies
Level 1
Level 1
In response to Greg Gibbs

‎10-28-2021 01:33 AM

Thanks. That worked.

 

Under Work Centers -> Profiler -> Policy Elements -> Logical Profiles I created a new logical profile containing all the various Linux flavours. Then under Policy -> Policy sets in the authorization policy I created

 

Session·PostureStatus EQUALS Compliant

OR

EndPoints·LogicalProfile EQUALS Linux Workstation

 

Best regards,

Bernd

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents