cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6851
Views
17
Helpful
9
Replies

ISE and WLC for posture remediation

Nicholas Poole
Level 1
Level 1

Please can anybody clarify a few things in relation to ISE and wireless posture.

1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?

2) Can/Should a dACL/wACL be specified as a remediation ACL?

3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?)

4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?

5) Any other advice or pointers would be helpful too as no docs i have found so far, be it TrustSec2, CiscoLive or anything else, dont seem to help me understand WLC posture and remediation

thanks

Nick

1 Accepted Solution

Accepted Solutions

Yes,

This means that your client provision policy doesnt have a rule that will match a contractor that joins the network. Can you post a screenshot of the client provisioning policies?

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

9 Replies 9

Tarik Admani
VIP Alumni
VIP Alumni

Nick,

Answers are inline:

1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an  ACL to redirect only some traffic to kickoff posture checking? This is for both (if ports 8905..are included) then this is for initial redirection, and remediation

2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support DACL, you will have to reference another ACL in the the authorization policy, the new versions have the Airespace ACL field, where you will have the ACL defined locally on the wlc.

3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?) Yes you have to add two entries, for example for all traffic redirection to ise...source = any, destination=iseipadd, source port=any, destination port=any direction=any action=permit

source=iseipaddr, destination ip = any, source port=any, destination port=any, direction=any action permit. Its not the easiest but I will attach a screenshot that will show you my example.

4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesnt support DACLs so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery) after that the ACL field will come up, there you will "call" the posture ACL which is defined on your controller.

5)  Any other advice or pointers would be helpful too as no docs i have  found so far, be it TrustSec2, CiscoLive or anything else, dont seem to  help me understand WLC posture and remediation Keep in mind that you have to have radius NAC and AAA override enabled under the advanced settings for COA to work.

  1. You have to turn on COA under the global settings in ISE (Administration > Profiling > Coa Type > Reauth)
  2. Then you have to build your policies so that when a user connects to the network they are redirected to the download the nac agent (this is where the Posture Discovery and redirect ACL work in tandem).
  3. Once the client download the nac agent and is compliant the report is forwarded to ISE where a COA event is triggered.
  4. Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant, you can set the ACLs for restricted access, use dynamic vlan assignment, or just send the access-accept.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the quick response.

Remediation.  I would consider this to be fixing the problem, e.g downloading an update.  But I dont believe ISE does any proxy of any kind for AV or patch updates?  So why would remediation be done over the SWISS port?

I knew that the WLC didnt support dACL as such, and it had to be named ACLs, but i had thought if the dACL had the same name as the preconfigured wACL it would work.  OK I will look to test the Airepsace ACL tomorrow, thanks.  So should this ACL be allowing anything, if all remediation is covered in the redirect ACL?

So your screenshot is for your ACL-POSTURE-REDIRECT then?  What is the 74.x.x.x address at the bottom?  Do you need that as a deny if it has an implicit deny at the end anyway?

All other bits already done, thanks again.

Nick,

Remediation is a term used for when a client isnt compliant basically its uncertainty of the device's state, its the process that starts off before the client is "quarantined" or marked "compliant".

In your "remediation ACL" you will have to exclude redirection for remediation traffic. ISE is able to execute the services for remediation (i.e. start the service that allows av definition update to mcafee) however the "update" traffic isnt proxied through the swiss traffic.

The ACL you pointed out for the google play store for android clients, so that when they get redirected to the ISE portal, ISE can then redirect the client to the google play store to download the Cisco network setup assistant.

Thanks,

Tarik Admani
*Please rate helpful posts*

So do I need an Airepace ACL to be downloaded during posture or not?  I have set the profile to send an AirACL and I can see the client association with it as an IPv4 ACL on the WLC, while the NAC agent does its posture check.  But, I never see any hits on this ACL and no matter what I put in it doesnt seem to affect traffic or not.

So the underlying question is in what ACL do I create a permit statement for to allow a laptop to access the windows update server or AV server so it can be 'remediated' by the 'ISE remediation' service?

thanks again

Yes you need the airespace acl to be referenced (meaning the same ACL exists on the controller itself). During the posture (agent download...client provisioning...etc) that is when the service for definition checks takes place. So you in this Airespace ACL you will have to allow the client access to remediation serivices...a/v servers, wsus, whatever you can think of that you are requiring for clients. That is what this acl needs to permit so they can be repaired before gaining full network connectivity once they meet all requirements.

Thanks,

Tarik Admani
*Please rate helpful posts*

Is the screenshot you provided is the ACL for redirection or remediation?  (the image was cropped not to show the ACL name)  I see you have hits on this ACL.

I am still testing the Airespace ACL and I am not getting any hits on this 'remediation' acl even though I get hits on the redirect acl.  Should I be getting hits?

Can you provide screen shots of both the rediect and remediation acl for comparson?

I want to be able to restrict what temporary access the user gets whilst they are 'remediating' but without logs i cant work out if an ACL is working or not.

So how should the logic to this work?

My REDIRECT-ACL has permit anything to and from ISE and permit anything to and from DNS.  So everything else should be redirected, correct?

So My REMEDIATE-ACL should have what in it?  Should it still be permitting ISE or is that unnecessary as the REDIRECT-ACL already allows this?  Should I then be permitting access to my update server?  or does that fact that my REDIRECT-ACL redirects everything but ISE nothing will ever get to match the remediate?

thanks again

thanks

OK So it seems the redirect ACL on a WLC is the actual ACL that you use to allow traffic for 'remediation' such as AV and AS update servers (other than the ISE)

Which seems quite different to the wired switch method where there is a seperate ACL for remediation in addition to redirection.

n.lavender
Level 1
Level 1

We're currently attemtping to test contractor posture access and are experiencing the below response. However, full access is still granted without the NAC agent being ran.The authentication log on the ISE shows the device as posture compliant.

This happens both when a new contractor laptop is connected whereby they should be redirected to download the nac client and/or web client. If a contractor has the nac client manually installed then NAC posture is processed as expected.

Has anyone experienced this before??

Yes,

This means that your client provision policy doesnt have a rule that will match a contractor that joins the network. Can you post a screenshot of the client provisioning policies?

Thanks,

Tarik Admani
*Please rate helpful posts*