Re: Posture Redirect ACL and DACL

ryanbess · ‎06-11-2024

Hi all,

My org is starting to move from ForeScout to Cisco ISE for Wired NAC. As we start this journey we're having some internal discussions around what things should be included in the various ACL's that Posture Requires. The Cisco staff we're talking to says we should only include something like the below in the redirect ACL and not even include a DACL. All mentioned IP's in the below are a PSN.

Extended IP access list ACL-AGENT-REDIRECT
10 deny udp any any eq domain bootps
20 deny tcp any host 172.16.255.102
30 deny tcp any host 172.16.255.104
40 deny tcp any host 172.16.255.110
50 deny udp any host 172.16.255.102
60 deny udp any host 172.16.255.104
70 deny udp any host 172.16.255.110
80 permit ip any any (1392810 matches)

While I can understand not wanting to allow an unpostured endpoint to connect to anything other than ISE, in practice I'm not sure how this works. As an example, how would a user log into a workstation if there's no Domain Controller in the list?

This shows the use of an redirect ACL and a DACL https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

What are others doing?

MHM Cisco World · ‎06-11-2024

Protocols you need to allow in Redirect ACL

1- DNS

2- DHCP

3- https/http to ise IP

Other need to deny

Redirect ACL is add temporary and then remove when ISE send CoA

After CoA the SW will use dACL

Here you can filter access of host to which prefix

MHM

Rob Ingram · ‎06-11-2024

@ryanbess You would authorise a Domain Computer without running a posture assessment at this point. Posture assessment is run when the user logins in and is authenticated/authorised by ISE. During authorisation ISE returns the posture URL, the redirect ACL and optionally a restrictive DACL (which permits limited access, enough to determine the posture of the device during this initial assessment posture phase). The redirect ACL is statically configured on the switches allows DHCP/DNS and HTTP to redirect traffic to ISE, it's typically not a good idea to redirect on HTTPS as this would return a certificate error.

Once the posture assessment is complete, ISE will know if the device is compliant or non-compliant, at which point a CoA is automatically sent and the device is re-authorised. You will have different ISE policies depending on whether the device is compliant or non-compliant. If the device is compliant you may wish to assign a DACL to allow full access to your internal resources such as AD etc. If the device is non-Compliant you may not wish to allow access to critical resources and apply a more restrictive DACL.

ryanbess · ‎06-11-2024

@Rob Ingram, To get past the posture redirect state, the user needs to log in. If the user puts in their username and password on the computer, but the Redirect ACL doesn't permit the ability for access to Domain Controllers, how would that person be able to log in (lets put cached credentials to the side for now).

Rob Ingram · ‎06-11-2024

@ryanbess No, you don't run posture assessment at computer authentication (pre user login), the computer has network access in order to authenticate the user. You can apply a different DACL to limit what the computer can communicate with, such as AD, DNS, ISE etc.

Posture assessment is run when the user logs into the computer, the users are authenticated and authorised. During this first authorisation you return the redirect url, redirect ACL and optionally DACL which restricts the access during this initial phase. Once posture assessment is complete, they are re-authorised and get the appropriate level of access depending on your rules.

ryanbess · ‎06-11-2024

@Rob Ingram so you are agreeing that the computer needs line of site to AD services as as part of the ACL redirect and DACL. Without this line of site a user may not be able to login and thus never become postured. Do i understand what you are saying correctly? If you could, could you please provide a sample of what your Redirect ACL config looks like and what your DACL looks like.

Rob Ingram · ‎06-11-2024

@ryanbess Yes the computer needs access to the network, but no you don't apply the redirect url/acl when the computer authenticates/authorises. Apply a DACL to the computer permitting enough communication to authenticate to the domain, AD/DNS/DHCP etc.

You only apply the redirect url/acl/dacl etc via authorisation when the user logs in.

You need separate authorisation policies, one for computer authorisation and 3 for user compliance states - unknown, noncompliant and compliant. The redirect url/acl is returned in the user unknown state - with a DACL permitting whatever traffic you want the user in the unknown state to access. Separate DACLs can be returned in the noncompliant or compliant state, whatever your policies dicate.

MHM Cisco World · ‎06-11-2024

Friend no need to allow AD in redirect ACL

The user send it password to ISE and ISE forward it to AD

There is no direct connect between AD and endpoint (except case of some DUO).

So no need to allow AD only http direct to ISE and DNS/DHCP

MHM

ryanbess · ‎06-11-2024

@MHM Cisco World How would ise provide a TGT back to the workstation? How would ISE provide group policy configs / login configs without having direct access to AD?

ryanbess · ‎06-11-2024

Another thing is in our environment we're only looking to authenticate the computer (for a number of reasons...mainly because not all accounts have PIV cards so we have to support username/password and PIV auth on the same workstation).

Rob Ingram · ‎06-11-2024

@ryanbess that won't work as expected if using traditional posture assessment with redirect, as posture assessment is designed to run when the user authenticates to ISE (if user authentication is configured) and not if only the computer is authenticated to ISE.

You may be able to use agentless posture for just computer authentication, I've not tried it tbh. https://www.youtube.com/watch?v=mjaJxP0E_NM

ryanbess · ‎06-11-2024

No it works. Plug computer in > Computer presents it's Cert > gets authenticated. User logs in with username/password OR with PIV. THe 802.1x windows supplicant is only configured to do Cert for computer, posture still happens.

Rob Ingram · ‎06-11-2024

@ryanbess if the computer is authorised before the user logs in and fails compliance checks, reauthorised, a DACL is applied to restrict access and then a user that has not logged in before, they would be unable to login (depending on what the DACL permits). So you could find yourself blocking the users from logging in to windows and not allowing them to remediate, which is one reason you wouldn't do posture for computer authentication. Also the design guides do not perform posture checks for computers, only for users.

MHM Cisco World · ‎06-11-2024

Friend redirect ACL and dACL config in ISE but it use by NAD (SW or WLC or FW)

So redirect ACL allow workstation to get IP and try use DNS and allow connect to http/https of ISE

The ISE itself dont effect by this ACL it must direct connect to AD.

MHM

MHM Cisco World · ‎06-11-2024

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Check this for mor3 info

MHM