Solved: Windows virtual machine is Posture COMPLIANT without checking

Lubo1 · ‎07-10-2024

Hi, we are testing wired 802.1X with ISE Posture. The goal is to limit access to enterprise network only for computers with AV/EDR installed. Setup works fine on regular PCs (Windows) and MACs (OS).

For computers with VMware workstation installed, 802.1X works as well for Windows 10 guest virtual machines (network adapter in bridged mode, multi-auth on switchport), but Posture check on guest ends up in COMPLIANT state even without Cisco AnyConnect client installed, what is an outcome of "Posture General Settings > Default Posture Status" set to "Compliant" on ISE. Of course, when virtual machine first connects, the browser is redirected to ISE Client provisioning portal (POSTURE UNKNOWN). After pressing START button, the Success message "You now have Internet access through this network" appears, guest goes to COMPLIANT state and full connectivity is allowed. This happens regardless of the Host Posture state - can be COMPLIANT or NON-COMPLIANT: guest is always COMPLIANT.

(When I set Default Posture Status" to "NonCompliant", VM goes to non compliant state, despite of misleading "You now have Internet access through this network" message in browser. But this is not a good solution in general, because a) we have some Linux machines, which need to be Allowed/Compliant without posture check. b) we want Windows VMs to be allowed, but they must comply with company policy.)

Why does not ISE recognise regular Windows operating system on virtual machine, for which it has Posture Policy configured? Why does not Posture check start at all and "Default Posture Status" is applied immediately? Has anyone encountered this? How to solve it? It is a serious security hole to have uncontrolled VMs in the network. Prohibit their usage is not possible - we have programmers and developers, who need them for their work. Thank you.

ISE ver. 3.0.0 (I did not find any related bugs)

Host OS: Windows 11 Ent

VMware Workstation 17 Pro

Guest OS: Windows 10 Pro

Lubo1 · ‎08-06-2024

Hi everyone, the problem is solved, it was my mistake in ISE configuration. I had a specific machine certificate subject condition in Client Provisioning Policy as a remnant of the previous configuration, when I used 802.1X with machine authentication, which is still used on Host computer, but on virtual machine guest, I am using PEAP with user authentication. That was the reason why Client Provisioning Policy was not activated for guest. Sorry about that and thank you all for help!

View solution in original post

Arne Bier · ‎07-23-2024

If I understand what you are saying, you expect ISE to understand the Host->GuestVM relationship, so that ISE mandates that the Host MUST be compliant, prior to the Guest VM being considered at all? But each operating system is seen by ISE as just an operating system and it has no knowledge of the fact that the VM is a guest on the host. Perhaps you should rather NAT the VM through the host and concentrate on the securing the host. Why are you doing 802.1X and Posture on VMs?

Lubo1 · ‎07-23-2024

If I use NAT mode, 802.1X does not nedd to be configured on guest and network access is allowed using authenticated host. That's why bridge mode is necessary. If anyone can instal malitious software on guest (even on authenticated), without Posture enforcement the network is weak. As you write, I need ISE to check host and guests independently. But ISE does not run Posture check on guest at all. I need to know, if this is 'normal', or a bug, or if I have incomplete configuration. Thank you.

Arne Bier · ‎07-23-2024

Not sure why Posture on VM hosts has this behaviour. I have never tested it myself and unlikely to do so. If you get no joy on this Community forum then reach out to Cisco via TAC case or try the Webex ISE Bar.

To join that chat, put this in your browser: https://eurl.io/#ryJFrhiBW

Lubo1 · ‎08-06-2024

Hi everyone, the problem is solved, it was my mistake in ISE configuration. I had a specific machine certificate subject condition in Client Provisioning Policy as a remnant of the previous configuration, when I used 802.1X with machine authentication, which is still used on Host computer, but on virtual machine guest, I am using PEAP with user authentication. That was the reason why Client Provisioning Policy was not activated for guest. Sorry about that and thank you all for help!