ISE 2.4 Remediation

latenaite2011 · ‎05-24-2018

Does anyone know a good doc or video on ISE 2.4 Remediation for Windows Update and McAfee? Customer has SCCM running with Anyconnect and that checks for compliance. Customer wants to use ISE to remediate the SCCM/Anyconnect's noncompliance machines.

I am new to posturing and remeidation on ISE and SCCM/Anyconnect. So basically the compliance checks is done already and ISE is a new implementation and want to use it for remediation only of Windows Update and Antivirus.

Thank you!

RichardAtkin · ‎05-25-2018

Posture in 2.4 isn't significantly different from 2.2 or 2.3 so there's plenty for you to be reading...

Try these for a starter;

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

https://communities.cisco.com/docs/DOC-69831

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html

latenaite2011 · ‎05-25-2018

Thank you RichardAtkin for your response.

We don't have access to to the Corp ASA and not allowed to configure
anything there.

Is there anyway to just configure ISE's posture check (Anyconnect has
already been installed via SCCM we assume by the time they connect and
don't need to check for this). Is there a way to still configure ISE to
posture the state of client's antivrus and windows update without
configuring anything and all posture related config only on the ISE server?

Thank you!

latenaite2011 · ‎05-25-2018

So in otherwise, can we start with the client provisioning compliance
module portion (and all related steps for this) and use ISE to configure
and push the Anyconnect configuration to the client with the setting?

That way, we will not have to configure anything on the ASA.

RichardAtkin · ‎05-25-2018

Yep :) You do not need an ASA. ISE can push the Posture Module and the necessary config files all on its own. You can also push out AnyConnect & the Posture Module using SCCM if you're a Corporate environment... just remember to install the "CoreVPN" msi before the "iseposture" msi.

latenaite2011 · ‎05-25-2018

Awesome, thank you so much for the quick response.

Will try this today.

RichardAtkin · ‎05-25-2018

Check this out - mostly shows you everything you'll need to do to get the basics up and running - https://youtu.be/fJTho1FvtPM

latenaite2011 · ‎05-25-2018

Thank you RichardAtkin.

I saw that video but we're moving away from NAC agent because is end of
Life and will just be using Anyconnect Compliance module and Anyconnect.

I tested this today and didn't see much happening, but we're waiting to
confirm if the ISE ports are open (port 8905, 8905, 8443) to see if that
might be blocking the browser from popping-up.

I am just curious how the ISE configuration would integrate the the
Anyconnect configuration that they have setup with the Corporate ASA.

thank you!

RichardAtkin · ‎05-25-2018

The ports you need are 8905, 8909 and whatever the CPP portal port is... usually 8443 or 8445 but you can set whatever you want in the CPP page.

Stick with the video and I think it will show you the anyconnect way too. It’s pretty easy, just make sure you get your ACLs the right way around...

Named ACL on the switch = permit TCP any any eq 80/443

Downloadable ACL in ISE = Permit ISE ports, posture remediation stuff, etc.

latenaite2011 · ‎06-01-2018

Hi RichardAtikin,

thank you for this. Just saw your last response.

I was trying to replicate this and when I scanned my ISE server using Zenmap, I don't see ports 8905, 89095, 8443, or 8445 listen. I just see port 80, 427, 443, 8000 ( see attached)

I have enabled posturing under the admin settings. Are these ports supposed to be listening? How to enable them?

thank you!

latenaite2011 · ‎06-01-2018

Hi RichardAtkin,

Also, I was wondering if there is a way to test this (at least the wired part) without having a WLC? I am trying to see if I can get a vWLC set up but need to get the image first. I already have a switch and an ISE server.

thank you,

LN

hslai · ‎06-02-2018

Sure, WLC not required. ISE posture works for wired, wireless, and VPN connections.

latenaite2011 · ‎06-03-2018

Hi Hslai,

Thank you for this.

Is there a good example for posturing using the Anyconnect without the WLC
for wired and wireless?

Thank you!

hslai · ‎06-03-2018

ISE posture policy does not depend on the connection types unless we specify conditions based based on how the endpoints connect.

Please see Posture & Compliance for a collection of ISE design guides on that area.

latenaite2011 · ‎06-04-2018

Hi Hslai,

Ok, how can test a Wireless Posture without a WLC?

thank you!