NEEDED: ISE 1.1.3 Posture configuration and Switch Config (ACL, dACL)

vrz rrr
Level 1

hello,

could anyone please post a screen capture of the ISE posture configuration (and remediation)?

I urgently need a dACL and a redirection ACL that work at least in a mockup lab.

Authentication and authorization policies are not needed.

Posture and remediation policies are not needed.

The issue is about the ACLs (I guess).

Also needed is a valid switch config file, with an ACL (if necessary) at the DOT1x Ethernet port.

My IOS is 12.2(55)SE or 12.2(52)SE.

Thank you in advance.

Best regards.

V.

Accepted Solution

Venkatesh Attuluri
Cisco Employee

URL Redirect ACL on the access switch:

access# conf t
access(config)# ip access-list extended ACL-POSTURE-REDIRECT
access(config-ext-nacl)# deny udp any any eq domain
access(config-ext-nacl)# deny udp any host <> eq 8905
access(config-ext-nacl)# deny udp any host <> eq 8906
access(config-ext-nacl)# deny tcp any host <> eq 8443
access(config-ext-nacl)# deny tcp any host <> eq 8905
access(config-ext-nacl)# deny tcp any host <> eq www
access(config-ext-nacl)# permit ip any any

A dACL that restricts network access for endpoints that are not posture compliant:

Name: POSTURE_REMEDIATION

Description: Permit access to posture and remediation services and deny all other access. Permit general http and https for redirection only.

DACL Content:

permit udp any any eq domain
permit icmp any any
permit tcp any host <> eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host <> eq 8905
permit udp any host <> eq 8905
permit udp any host <> eq 8906
permit tcp any host <> eq 80

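The redirect ACL and the dACL above only work as a pair, and the word "deny" means something different in each: in the redirect ACL it means "do not redirect this flow" (the ISE posture ports and DNS), while in the dACL it is a real drop with an implicit deny at the end. The check below, an added example that is not part of the accepted solution, parses both ACLs and verifies that every flow exempted from redirection is permitted by the dACL, that plain HTTP is both permitted and redirected, and that unrelated ports stay closed for a non-compliant endpoint. It substitutes the PSN address 192.168.6.10 from the switch config posted later in the thread for the empty <> placeholder; 203.0.113.10 is a constructed address standing in for any web server the client opens.

```python
"""Cross-check a Cisco IOS URL-redirect ACL against the posture dACL.

Added example, not code from the original thread. In the redirect ACL, deny
means "do NOT redirect" and permit means "redirect"; nothing is dropped. The
dACL is an ordinary filter with an implicit deny at the end. Every flow the
redirect ACL exempts (the ISE posture ports) must be permitted by the dACL,
and the HTTP flow to be intercepted must be permitted too, or the client
never reaches the redirect.
"""
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80}  # IOS port keywords used in the thread's ACLs
Ace = Tuple[str, str, Optional[str], Optional[int]]  # action, proto, dst host, dst port
Flow = Tuple[str, str, int]                          # proto, dst IP, dst port


def parse_acl(text: str) -> List[Ace]:
    """Parse extended ACEs, one per line with prompts removed.
    Supports 'any' / 'host X'; None stands for any. A source-port 'eq' is skipped."""
    aces = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {raw!r}")
        i, hosts, port = 2, [], None
        while i < len(tok):
            if tok[i] in ("any", "host"):
                hosts.append(None if tok[i] == "any" else tok[i + 1])
                i += 1 if tok[i] == "any" else 2
            elif tok[i] == "eq":
                p = tok[i + 1]
                if len(hosts) == 2:  # only the destination port matters here
                    port = int(p) if p.isdigit() else PORT_NAMES[p]
                i += 2
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in {raw!r}")
        if len(hosts) != 2:
            raise ValueError(f"need a source and a destination in {raw!r}")
        aces.append((tok[0], tok[1], hosts[1], port))
    return aces


def lookup(aces: List[Ace], flow: Flow) -> str:
    """First-match evaluation, ending in the implicit deny of every IOS ACL."""
    proto, ip, port = flow
    for action, aproto, ahost, aport in aces:
        if aproto in ("ip", proto) and ahost in (None, ip) and aport in (None, port):
            return action
    return "deny"


def check_posture_acls(redirect_acl: str, dacl: str, psn_ip: str,
                       other_host: str = "203.0.113.10") -> List[str]:
    """Return findings; [] means the pair is consistent. other_host is constructed."""
    rd, da = parse_acl(redirect_acl), parse_acl(dacl)
    findings = []
    exempt = [("udp", other_host, 53), ("tcp", psn_ip, 8443), ("tcp", psn_ip, 8905),
              ("udp", psn_ip, 8905), ("udp", psn_ip, 8906), ("tcp", psn_ip, 80)]
    for flow in exempt:  # agent-to-ISE flows (and DNS) bypass the redirect, pass the dACL
        if lookup(rd, flow) == "permit":
            findings.append(f"redirect ACL would redirect ISE traffic {flow}")
        if lookup(da, flow) != "permit":
            findings.append(f"dACL blocks ISE traffic {flow}")
    web = ("tcp", other_host, 80)  # the flow that must be intercepted
    if lookup(rd, web) != "permit":
        findings.append(f"redirect ACL does not redirect {web}")
    if lookup(da, web) != "permit":
        findings.append(f"dACL drops {web} before the switch can redirect it")
    for flow in [("tcp", other_host, 445), ("tcp", other_host, 22)]:  # must stay closed
        if lookup(da, flow) == "permit":
            findings.append(f"dACL leaks {flow} to a non-compliant endpoint")
    return findings


# The thread's two ACLs with the empty <> placeholder filled with the PSN address
# from the posted switch config and the "ermit" typo fixed.
PSN = "192.168.6.10"
REDIRECT_ACL = f"""
deny   udp any any eq domain
deny   udp any host {PSN} eq 8905
deny   udp any host {PSN} eq 8906
deny   tcp any host {PSN} eq 8443
deny   tcp any host {PSN} eq 8905
deny   tcp any host {PSN} eq www
permit ip any any
"""
POSTURE_REMEDIATION_DACL = f"""
permit udp any any eq domain
permit icmp any any
permit tcp any host {PSN} eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host {PSN} eq 8905
permit udp any host {PSN} eq 8905
permit udp any host {PSN} eq 8906
permit tcp any host {PSN} eq 80
"""
```

Run `check_posture_acls(REDIRECT_ACL, POSTURE_REMEDIATION_DACL, PSN)` against the pair above and it returns no findings; drop the udp/8906 permit from the dACL and it reports that the posture agent can no longer reach ISE, and a redirect ACL written with the filter-ACL mindset (permit the ISE ports, deny everything else) is flagged for redirecting ISE traffic while never redirecting the client's HTTP.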

4 Replies

vrz rrr
Level 1

up up!

:-)

V.


Hi Venkatesh,

You're the ultimate ISE Guru!!

You're right

Thanks a lot.

See screen captures and switch config below.

-----------------------------------------------------------------------

aaa new-model
!
! RADIUS server group pointing at the ISE PSN. ISE listens on both the
! 1812/1813 and the legacy 1645/1646 port pairs, so one entry is enough.
aaa group server radius ISE
 server 192.168.6.10 auth-port 1812 acct-port 1813
 server 192.168.6.10 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication dot1x default group ISE
! network authorization is what lets ISE push the dACL and url-redirect AV-pairs
aaa authorization network default group ISE
aaa authorization network auth-list group ISE
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group ISE
!
! RADIUS Change of Authorization listener: ISE sends a CoA once posture
! completes so the port is re-authorized without the redirect.
! The shared key is a lab value only.
aaa server radius dynamic-author
 client 192.168.6.10 server-key 123456789
!
ip dhcp snooping
! device tracking is required: the switch must learn the client IP to redirect it
ip device tracking
!
dot1x system-auth-control
dot1x critical eapol
!
interface FastEthernet1/0/1
 switchport mode access
 ! static pre-auth port ACL; the dACL returned by ISE is applied on top of it
 ip access-group ACL-ALLOW in
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! the HTTP(S) servers are what intercept client web traffic for the redirect
ip http server
ip http secure-server
!
ip access-list extended ACL-ALLOW
 permit ip any any
! redirect ACL: deny = do not redirect (DNS and the ISE ports), permit = redirect
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq domain
 deny   udp any host 192.168.6.10 eq 8905
 deny   udp any host 192.168.6.10 eq 8906
 deny   tcp any host 192.168.6.10 eq 8443
 deny   tcp any host 192.168.6.10 eq 8905
 deny   tcp any host 192.168.6.10 eq www
 permit ip any any
!
! SNMP: trivially guessable read-only communities, and the trap host uses a
! "public" community that is not defined above; acceptable in a mockup lab only
snmp-server community snmp RO
snmp-server community RO RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.6.10 public
snmp-server host 192.168.6.10 version 2c snmp mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
! Cisco VSAs must be sent in authentication for the dACL and url-redirect to be honored
radius-server vsa send accounting
radius-server vsa send authentication
!

V.
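When posture redirection fails, the switch side is as likely to be at fault as the ACLs: if device tracking, the HTTP server, the CoA client, VSA support or the static port ACL is missing, the switch silently ignores the url-redirect and dACL attributes ISE returns. The lint below is an added example, not code from the thread; it embeds an excerpt of the config posted above with the sub-mode indentation restored, and treats the requirement for a static inbound port ACL as a platform assumption for Catalyst 3750/3560 on 12.2(5x)SE. The redirect ACL name and PSN address are passed in because ISE only sends the ACL's name and the switch has to hold a matching definition.

```python
"""Lint a Catalyst IOS config for the knobs ISE posture redirection depends on.

Added example, not from the thread. It checks the switch side only: when one of
these prerequisites is missing the switch quietly ignores the url-redirect or
dACL that ISE returns, and that failure looks exactly like "the ACLs are wrong".
The port-ACL requirement is a platform assumption noted below.
"""
import re
from typing import Dict, List

REQUIRED_GLOBAL = [  # (regex over a top-level line, what it provides)
    (r"^aaa new-model$", "aaa new-model"),
    (r"^aaa authentication dot1x default group \S+", "802.1X authentication against a RADIUS group"),
    (r"^aaa authorization network default group \S+", "network authorization (carries the dACL and url-redirect AV-pairs)"),
    (r"^radius-server vsa send authentication$", "Cisco VSAs in Access-Accept (url-redirect, url-redirect-acl, dACL)"),
    (r"^aaa server radius dynamic-author$", "CoA listener (ISE re-authorizes the port after posture)"),
    (r"^ip device tracking$", "ip device tracking (the redirect needs the client IP)"),
    (r"^ip http server$", "ip http server (HTTP interception)"),
    (r"^dot1x system-auth-control$", "dot1x system-auth-control"),
]
REQUIRED_PORT = [
    (r"^authentication port-control auto$", "authentication port-control auto"),
    (r"^dot1x pae authenticator$", "dot1x pae authenticator"),
    # assumption: Catalyst 3750/3560 on 12.2(5x)SE applies a dACL only on top of a static port ACL
    (r"^ip access-group \S+ in$", "a static inbound port ACL for the dACL to be applied onto"),
]


def parse_ios(text: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented sub-commands ('!' lines skipped)."""
    blocks, parent = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks


def lint(config: str, redirect_acl: str, psn_ip: str) -> List[str]:
    """Return findings; [] means every prerequisite for redirect + dACL is present."""
    blocks = parse_ios(config)
    tops = list(blocks)
    findings = [f"missing: {what}" for pat, what in REQUIRED_GLOBAL
                if not any(re.match(pat, t) for t in tops)]
    # ISE only sends the redirect ACL's *name*; the ACL itself must live on the switch
    if f"ip access-list extended {redirect_acl}" not in blocks:
        findings.append(f"missing: redirect ACL {redirect_acl} is not defined on the switch")
    # the PSN must be both the RADIUS server and an authorized CoA client
    if not any(t.startswith(f"radius-server host {psn_ip} ") for t in tops):
        findings.append(f"missing: radius-server host {psn_ip}")
    coa = blocks.get("aaa server radius dynamic-author", [])
    if not any(c.startswith(f"client {psn_ip} ") for c in coa):
        findings.append(f"dynamic-author has no client {psn_ip}: CoA from ISE is rejected")
    # every port that runs 802.1X needs the per-interface knobs
    ports = {n: s for n, s in blocks.items() if n.startswith("interface ")
             and any(x.startswith(("authentication ", "dot1x ")) for x in s)}
    if not ports:
        findings.append("no interface has 802.1X enabled")
    for name, subs in ports.items():
        findings += [f"{name}: missing {what}" for pat, what in REQUIRED_PORT
                     if not any(re.match(pat, x) for x in subs)]
    return findings


# Excerpt of the config posted in the thread (PSN 192.168.6.10), sub-mode indentation restored.
SWITCH_CONFIG = """
aaa new-model
aaa group server radius ISE
 server 192.168.6.10 auth-port 1812 acct-port 1813
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa server radius dynamic-author
 client 192.168.6.10 server-key 123456789
ip device tracking
dot1x system-auth-control
!
interface FastEthernet1/0/1
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication port-control auto
 dot1x pae authenticator
!
ip http server
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq domain
 deny   tcp any host 192.168.6.10 eq 8443
 permit ip any any
radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
radius-server vsa send authentication
"""
```

`lint(SWITCH_CONFIG, "ACL-POSTURE-REDIRECT", "192.168.6.10")` returns no findings for the posted config. Remove `ip device tracking` and the port's `ip access-group` and it names both; pass the name of a redirect ACL the switch does not hold, or a PSN address that is not the configured RADIUS host and CoA client, and it reports those mismatches instead.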