01-07-2016 08:58 PM
Hello,
What URL does the NAC agent try to connect to before it gets redirected?
Thanks, Dan
01-29-2016 05:39 PM
The dACL is not ignored; it is processed after the Redirect takes place. You need to be sure to allow access to the ISE nodes that are used for posture as well as any remediation servers that will be needed when posture is failed.
When building the policy I have found it best to use two rules around posturing.
One that is basically a remediation rule the client is put in while the posture status is NOT EQUAL TO compliant, this rule pushes down the dACL that permits access to ISE and any remediation.
Then a second rule that is used when the client is EQUAL TO compliant, this rule will push down a permit ip any any or whatever access policy is set for the user.
The reason for the not equal to rule is that while a client is running the posture client they are usually in an "unknown" status and this catches anything but a compliant PC.
The ACLs hslai posted are almost identical to my base ACLs I use when starting a new ISE build.
01-29-2016 05:57 PM
Are you sure that the dACL has no implicit deny?!?!
I just tested it, without posture, and dACL has implicit deny. In the dACL I allowed access to only one host and any other host was denied.
So back to my original question: Assuming your dACL and redirect ACL are in place and assuming there is an explicit deny, what would a fresh install of the NAC agent send over the wire?
01-31-2016 04:49 PM
The overall ACL applied to a Cisco IOS interface has an implicit deny. That is likely what you are seeing.
In "Re: Where does the NAC Agent tries to connect to", /auth/discovery was mentioned. Essentially, each potential target is tested with that.
If you are still using NAC agent with ISE, please consider migrating to AnyConnect ISE posture. See End-of-Sale and End-of-Life Announcement for the Cisco NAC Agent Software - Cisco
01-31-2016 09:15 PM
Thank you all for your answers.
At the end, it looks like the only way for a fresh install of AnyConnect (where ISE addresses are not known yet) to be redirected with the above dACL is to try and access enroll.cisco.com. Otherwise, the above dACL will block any other access.
I wonder what HTTP GET to default-gateway:80 is there for? Who would allow this on their dACL?
01-31-2016 11:08 PM
HTTP (80/TCP) GET to the default gateway is permitted in the redirect ACL so it triggers a redirect to the ISE client provisioning portal, and the agent extracts the host info and deduces the policy service node. Thus, it does not need to be allowed in the DACL.
If you meant downloading the AnyConnect binary from Cisco and directly installing it to a client OS, by a fresh install, then we may pre-create a profile for AnyConnect ISE posture module to include DiscoveryHost.
See Locations to Pre-Deploy the AnyConnect Profiles http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect42/b_AnyConnect_Administrator_Guide_4-2/deploy-anyconnect.html#ID-1425-0000015f
and ISE Posture Profile Editor http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect42/b_AnyConnect_Administrator_Guide_4-2/configure-posture.html#reference_288A1C28DF1549DB9CB171E085944379
01-31-2016 11:24 PM
I am confused.
Are you suggesting that if traffic is hitting "permit" in the redirection ACL, then the dACL is ignored?
01-31-2016 11:41 PM
If you have used ACLs for policy-based routing before, this is similar. And it is the reverse of a regular ACL.
When a packet matches a permit entry in the redirect ACL, the network device will reply with the redirect URL. When a packet matches a deny entry in the redirect ACL, the packet will not be redirected so the per-session DACL, if any, or the interface ACL will apply.
02-01-2016 03:49 PM
Is that behaviour documented anywhere?
I have labbed it up, where I denied TCP traffic on the dACL and allowed UDP, and redirection stopped working.
02-02-2016 07:29 AM
hslai, correct me if I am wrong, but you still need to allow the redirected traffic on the dACL, so if your redirect is to the ISE PSN (10.20.30.40) you need to permit traffic to 10.20.30.40 on whichever ports you need, 8905 and 8906 for posture and 8443 (default) for portals.
02-02-2016 11:39 AM
Cory Peterson is correct. That is, the redirected-to URL and other communication with the authenticating ISE policy service node need not only to bypass the URL redirect but also to be permitted by the DACL or the combined interface ACL as a whole.
The redirected-to URL is usually of this pattern:
https://{IsePSN-FQDN}:{IsePSNguestPortalport}/portal/gateway?sessionId={SessionIdValue}&portal={portIdValue}&action=cpp
And 8905/TCP, 8905/UDP, and 8443/TCP are used together to deliver the ISE posture agent packages and updates, the agent profile, and for sending the posture reports, etc.
8906 UDP/TCP has not been used in recent ISE releases, but might still be applicable in a Cisco NAC deployment (CAS and CAM).
The redirect ACL example from our training lab has no explicit ACE for "deny ip any any", but it's implicitly done. That is why the communication with ISE is not explicitly specified there. For example, for the client to go to ISE on 8905/TCP, it's allowed through in the redirect ACL via the implicit deny all and then permitted by the DACL.
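The redirect-ACL-then-dACL evaluation order described in the two posts above, as an added Python model that is not from the thread or from Cisco: a permit in the redirect ACL intercepts the packet, a deny (explicit or the implicit one at the end) falls through to the per-session dACL, which itself ends in an implicit deny. The ACEs, the PSN address 10.20.30.40 and the web host 203.0.113.10 are assumed sample values.

```python
"""Model of how a switch applies an ISE redirect ACL before a dACL.
Constructed example: the ACEs and the PSN address 10.20.30.40 are assumed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    proto: str     # "ip", "tcp" or "udp"
    dst: str       # destination IPv4 address or "any"
    port: int = 0  # destination port, 0 = any

def first_match(acl, proto, dst, port):
    """Action of the first matching ACE; every IOS ACL ends in an implicit deny."""
    for a in acl:
        if a.proto in ("ip", proto) and a.dst in ("any", dst) and a.port in (0, port):
            return a.action
    return "deny"

def forward(redirect_acl, dacl, proto, dst, port):
    """Redirect ACL is evaluated first and reversed: permit = intercept and send
    the redirect URL, deny = no redirect, so the per-session dACL decides."""
    if first_match(redirect_acl, proto, dst, port) == "permit":
        return "REDIRECT"
    return "PERMIT" if first_match(dacl, proto, dst, port) == "permit" else "DROP"

PSN = "10.20.30.40"  # assumed ISE policy service node, as in the thread

# Redirect ACL: exempt the PSN and DNS, intercept all other web traffic.
REDIRECT_ACL = [Ace("deny", "ip", PSN), Ace("deny", "udp", "any", 53),
                Ace("permit", "tcp", "any", 80), Ace("permit", "tcp", "any", 443)]
# Remediation dACL: DNS plus the ISE portal (8443) and posture (8905) ports only.
DACL = [Ace("permit", "udp", "any", 53), Ace("permit", "tcp", PSN, 8443),
        Ace("permit", "tcp", PSN, 8905), Ace("permit", "udp", PSN, 8905)]
# The lab variant from the thread: dACL denies all TCP and allows only UDP.
UDP_ONLY_DACL = [Ace("deny", "tcp", "any"), Ace("permit", "udp", "any")]

def posture_flow(dacl=DACL):
    """Agent discovery GET to an arbitrary web host, then the client follows
    the redirect to the PSN portal and talks posture. Decision per step."""
    discovery = forward(REDIRECT_ACL, dacl, "tcp", "203.0.113.10", 80)
    portal = forward(REDIRECT_ACL, dacl, "tcp", PSN, 8443)
    posture = forward(REDIRECT_ACL, dacl, "tcp", PSN, 8905)
    return discovery, portal, posture

if __name__ == "__main__":
    print(posture_flow())               # ('REDIRECT', 'PERMIT', 'PERMIT')
    print(posture_flow(UDP_ONLY_DACL))  # ('REDIRECT', 'DROP', 'DROP')
```

With the UDP-only dACL the first GET is still intercepted, but the client's follow-up connection to the PSN is dropped, which is why the lab looked like "redirection stopped working".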
08-09-2016 05:04 AM
Hi
In case the client browser is configured with a proxy and a different port, how can we force AnyConnect or the NAC agent to use those ports?