04-03-2013 06:59 AM - edited 03-10-2019 08:16 PM
hello,
could anyone please post a screen capture of the ISE posture configuration (and remediation)?
I urgently need a dACL and a redirection ACL that work at least in a mock-up lab.
Authentication and authorization policies are not needed.
Posture and remediation policies are not needed.
The issue is about ACLs (I guess).
Also needed is a valid switch config file, with the ACL (if necessary) at the dot1x Ethernet port.
My IOS is 12.2(55)SE or 12.2(52)SE.
Thank you in advance.
Best regards.
V.
04-04-2013 06:06 PM
URL Redirect ACL on the access switch:
access# conf t
access(config)# ip access-list extended ACL-POSTURE-REDIRECT
access(config-ext-nacl)# ! <> = IP of the ISE node; "deny" exempts traffic from the redirect, "permit" redirects it
access(config-ext-nacl)# deny udp any any eq domain
access(config-ext-nacl)# deny udp any host <> eq 8905
access(config-ext-nacl)# deny udp any host <> eq 8906
access(config-ext-nacl)# deny tcp any host <> eq 8443
access(config-ext-nacl)# deny tcp any host <> eq 8905
access(config-ext-nacl)# deny tcp any host <> eq www
access(config-ext-nacl)# permit ip any any
access(config-ext-nacl)#
A dACL that restricts network access for endpoints that are not posture compliant:
Name
POSTURE_REMEDIATION
Description
Permit access to posture and remediation services and deny all other access. Permit general http and https for redirection only.
DACL Content
permit udp any any eq domain
permit icmp any any
permit tcp any host <> eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host <> eq 8905
permit udp any host <> eq 8905
permit udp any host <> eq 8906
permit tcp any host <> eq 80
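As an added worked example (editor's code, not part of the thread and not Cisco's), here is a small Python evaluator that applies the two ACLs from the answer above in the order the switch does: the dACL filters the session first, then the redirect ACL decides which of the surviving HTTP/HTTPS flows get intercepted and sent to the ISE portal. Assumptions: the "<>" placeholders are the ISE node, taken as 192.168.6.10 from the switch config posted later in the thread; the endpoint address 192.168.6.50 and the sample flows are constructed; and in a Cisco URL-redirect ACL a matching permit line selects traffic for redirection while a matching deny line exempts it, with only TCP 80/443 actually intercepted by the switch HTTP server.

```python
"""Added example, not from the original thread: evaluate the redirect ACL and
the dACL from the accepted answer against sample flows of a posture-pending
endpoint.  The dACL is an ordinary IOS ACL (first match wins, implicit deny);
the URL-redirect ACL is a selector: matching "permit" = redirect, matching
"deny" = exempt, and only HTTP/HTTPS (TCP 80/443) is actually intercepted."""
from dataclasses import dataclass
from typing import Optional

ISE_PSN = "192.168.6.10"        # assumed: the "<>" in the answer, IP from the switch config
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}
REDIRECTABLE_PORTS = {80, 443}  # the switch HTTP server only intercepts these

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: Optional[str]    # None means "any"; same for dst
    dst: Optional[str]
    dport: Optional[int]  # None means any destination port

@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    dport: int = 0               # 0 for ICMP
    src: str = "192.168.6.50"    # constructed endpoint address

def _addr(toks, i):
    # only the forms used in the thread: 'any' (wildcard) or 'host A.B.C.D'
    return (None, i + 1) if toks[i] == "any" else (toks[i + 1], i + 2)

def parse_ace(line):
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, i = _addr(toks, 2)
    dst, i = _addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    return Ace(action, proto, src, dst, dport)

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def matches(ace, flow):
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and (ace.src is None or ace.src == flow.src)
            and (ace.dst is None or ace.dst == flow.dst)
            and (ace.dport is None or ace.dport == flow.dport))

def first_match(acl, flow):
    return next((ace for ace in acl if matches(ace, flow)), None)

def classify(flow, dacl, redirect_acl):
    """What the access switch does with one packet of the session."""
    hit = first_match(dacl, flow)
    if hit is None or hit.action == "deny":
        return "DROP"           # the dACL filters first
    r = first_match(redirect_acl, flow)
    if (r is not None and r.action == "permit"
            and flow.proto == "tcp" and flow.dport in REDIRECTABLE_PORTS):
        return "REDIRECT"       # punted to the switch HTTP server, sent to the ISE portal
    return "FORWARD"

# The two ACLs from the answer, with <> filled in as the ISE node.
ACL_POSTURE_REDIRECT = parse_acl(f"""
deny udp any any eq domain
deny udp any host {ISE_PSN} eq 8905
deny udp any host {ISE_PSN} eq 8906
deny tcp any host {ISE_PSN} eq 8443
deny tcp any host {ISE_PSN} eq 8905
deny tcp any host {ISE_PSN} eq www
permit ip any any
""")

POSTURE_REMEDIATION = parse_acl(f"""
permit udp any any eq domain
permit icmp any any
permit tcp any host {ISE_PSN} eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host {ISE_PSN} eq 8905
permit udp any host {ISE_PSN} eq 8905
permit udp any host {ISE_PSN} eq 8906
permit tcp any host {ISE_PSN} eq 80
""")

SAMPLE_FLOWS = {                 # constructed, not captured traffic
    "DNS lookup":      Flow("udp", "192.168.6.1", 53),
    "browser HTTP":    Flow("tcp", "10.10.10.80", 80),
    "browser HTTPS":   Flow("tcp", "10.10.10.80", 443),
    "ISE portal 8443": Flow("tcp", ISE_PSN, 8443),
    "ping gateway":    Flow("icmp", "192.168.6.1"),
    "SMB file server": Flow("tcp", "10.10.10.20", 445),
}

def evaluate_all():
    return {name: classify(f, POSTURE_REMEDIATION, ACL_POSTURE_REDIRECT)
            for name, f in SAMPLE_FLOWS.items()}

for _name, _verdict in evaluate_all().items():
    print(f"{_name:16s} -> {_verdict}")
```

Two things the output makes visible: the deny lines for 8443/8905/8906 are what keep the portal and agent traffic out of the redirect (without them the portal itself would be redirected in a loop), and HTTPS to arbitrary hosts is redirected too, which the switch can only do by answering the TLS handshake with its own certificate, so the user sees a certificate warning before reaching the portal. The dACL's source "any" is rewritten to the endpoint's learned address by the switch, which is why the switch config later in the thread needs ip device tracking.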
04-04-2013 11:15 AM
up up !
:-)
V.
04-04-2013 11:16 PM
...
04-05-2013 12:46 AM
Hi Venkatesh,
You're the ultimate ISE guru!!
You're right.
Thanks a lot.
See screen captures and switch config below.
-----------------------------------------------------------------------
aaa new-model
!
! RADIUS server group for the ISE node; the second server line (legacy ports
! 1645/1646) is the same node again and is redundant
aaa group server radius ISE
 server 192.168.6.10 auth-port 1812 acct-port 1813
 server 192.168.6.10 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication dot1x default group ISE
! network authorization is what lets ISE push the dACL and the url-redirect attributes
aaa authorization network default group ISE
aaa authorization network auth-list group ISE
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group ISE
!
! accept CoA from ISE so the session can be re-authorized once posture is compliant
aaa server radius dynamic-author
 client 192.168.6.10 server-key 123456789
!
ip dhcp snooping
! device tracking learns the endpoint IP; the switch needs it to rewrite "any"
! in the dACL source and to apply the URL redirect
ip device tracking
!
dot1x system-auth-control
dot1x critical eapol
!
interface FastEthernet1/0/1
 switchport mode access
 ! pre-authentication port ACL; the dACL pushed by ISE replaces it per session
 ip access-group ACL-ALLOW in
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! the switch HTTP/HTTPS server must be enabled for URL redirection to work
ip http server
ip http secure-server
!
ip access-list extended ACL-ALLOW
 permit ip any any
! redirect ACL referenced by ISE in the url-redirect-acl attribute:
! "deny" = exempt from redirect (DNS, ISE portal and agent ports), "permit" = redirect
ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any any eq domain
 deny udp any host 192.168.6.10 eq 8905
 deny udp any host 192.168.6.10 eq 8906
 deny tcp any host 192.168.6.10 eq 8443
 deny tcp any host 192.168.6.10 eq 8905
 deny tcp any host 192.168.6.10 eq www
 permit ip any any
!
! lab-only SNMP community strings and traps used by ISE profiling
snmp-server community snmp RO
snmp-server community RO RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.6.10 public
snmp-server host 192.168.6.10 version 2c snmp mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
! VSAs carry the cisco-av-pair attributes (dACL name, url-redirect, url-redirect-acl)
radius-server vsa send accounting
radius-server vsa send authentication
!
V.