![Meddane_0-1693816640743.png Meddane_0-1693816640743.png](https://community.cisco.com/t5/image/serverpage/image-id/196030iB042D36CEA4CE65F/image-size/large?v=v2&px=999)
Step 1: Configure posture conditions
Windows assets are marked as 'Compliant' when:
- Windows update agent is running
- Any Firewall product is running
- Any Anti-Malware software is installed
Create a condition for Anti-Malware, navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Conditions → (5)Anti-Malware and press Add.
Click Submit to save the new condition.
![Meddane_1-1693816640815.png Meddane_1-1693816640815.png](https://community.cisco.com/t5/image/serverpage/image-id/196031iE87B61C392FBC1C5/image-size/large?v=v2&px=999)
Create a condition for Firewall check, navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Conditions → (5)Firewall Condition and press Add.
Click Submit to save the new condition.
![Meddane_2-1693816640871.png Meddane_2-1693816640871.png](https://community.cisco.com/t5/image/serverpage/image-id/196032i727C7304DEB3ED3D/image-size/large?v=v2&px=999)
Create a condition for Windows update check, navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Conditions → (5)Patch Management and press Add.
Click Submit to save the new condition.
![Meddane_3-1693816640982.png Meddane_3-1693816640982.png](https://community.cisco.com/t5/image/serverpage/image-id/196033i4E6D3166A73826F0/image-size/large?v=v2&px=999)
Step 2: Configure posture requirements
A posture requirement is a configuration item on ISE which links posture conditions with posture remediation actions. In other words, we define what the agent needs to check (the requirement) and what the agent needs to do if the specified posture conditions are not met (the remediation), such as a 'Message Text Only' remediation, which can be defined directly in the posture requirement.
To create Posture Requirements, navigate to (1)Work Centers → (2)Posture → (3) Policy Elements → (4)Requirements.
- Define a requirement name – TEST-AM
- As OS select – Windows All
- For compliance module select – 4.x or later
- Select as agent – AnyConnect
- Define a posture condition - Select the previously created TEST-AM condition from the list
- Define a remediation action - In the remediation list, select ‘Message Text Only’ and add a message text
The final configuration of the Anti-Malware requirement should look like the below example.
- Define a requirement name – TEST-FW
- As OS select – Windows All
- For compliance module select – 4.x or later
- Select as agent – AnyConnect
- Define a posture condition - Select the previously created TEST-FW condition from the list
- Define a remediation action - In the remediation list, select ‘Message Text Only’ and add a message text
The final configuration of the Firewall requirement should look like the below example.
![Meddane_5-1693816641510.png Meddane_5-1693816641510.png](https://community.cisco.com/t5/image/serverpage/image-id/196034i3F3DB2D86D1ACF29/image-size/large?v=v2&px=999)
- Define a requirement name – TEST-PATCH
- As OS select – Windows All
- For compliance module select – 4.x or later
- Select as agent – AnyConnect
- Define a posture condition - Select the previously created TEST-PATCH condition from the list
- Define a remediation action - In the remediation list, select ‘Message Text Only’ and add a message text
The final configuration of the Windows Update requirement should look like the below example.
![Meddane_6-1693816641806.png Meddane_6-1693816641806.png](https://community.cisco.com/t5/image/serverpage/image-id/196037iEA376F5ABEFBE4ED/image-size/large?v=v2&px=999)
![Meddane_7-1693816642140.png Meddane_7-1693816642140.png](https://community.cisco.com/t5/image/serverpage/image-id/196038i97A7A78A265B563C/image-size/large?v=v2&px=999)
Step 3: Configure a posture policy
We need to define a posture policy which will be used for both redirect and non-redirect flows.
To create a new posture policy, navigate to (1)Work Centers → (2)Posture → (3) Posture Policy.
- Policy name – TEST-Win-Posture
- Operating Systems – Windows All
- Compliance Module – 4.x or later
- Posture Type – AnyConnect
- Requirements – Select all three requirements created in Step 2 (TEST-AM, TEST-FW and TEST-PATCH)
Final configuration of the posture policy should look like the below example.
![Meddane_8-1693816642182.png Meddane_8-1693816642182.png](https://community.cisco.com/t5/image/serverpage/image-id/196036i03A427619424FF8B/image-size/large?v=v2&px=999)
![Meddane_9-1693816642213.png Meddane_9-1693816642213.png](https://community.cisco.com/t5/image/serverpage/image-id/196039iBE0C6FD67ECE473C/image-size/large?v=v2&px=999)
Step 4: Configure AnyConnect ISE posture profile
The ISE posture profile is an essential part of the client provisioning configuration on ISE. Basically, we only need to define a profile name and specify the server name rules.
Navigate to (1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Resources.
Click Add and select “NAC Agent or AnyConnect Posture Profile”.
- Choose agent type – AnyConnect
- Define a profile name – POSTURE-REDIRECT
- Specify Server name rules – put ‘*’ here. Server name rules tell the AnyConnect ISE posture module which PSNs it is allowed to connect to; the wildcard accepts any PSN name. Validation is based on the PSN name that ISE provides to the agent during the posture process.
![Meddane_10-1693816642316.png Meddane_10-1693816642316.png](https://community.cisco.com/t5/image/serverpage/image-id/196041i6EF82ECEB4FEA2A5/image-size/large?v=v2&px=999)
![Meddane_11-1693816642472.png Meddane_11-1693816642472.png](https://community.cisco.com/t5/image/serverpage/image-id/196040iA71EC710829F297F/image-size/large?v=v2&px=999)
Step 5: Create AnyConnect configuration
We need to create an AnyConnect configuration which combines the AnyConnect package version, the compliance module version and the posture profile. This is where an administrator defines which AnyConnect modules should be provisioned and with which profiles.
On the same page, click Add and select AnyConnect Configuration, as shown below.
![Meddane_12-1693816642598.png Meddane_12-1693816642598.png](https://community.cisco.com/t5/image/serverpage/image-id/196042i05167ECEA28BFCB6/image-size/large?v=v2&px=999)
Step 6: Create Client Provisioning Policy
The Client Provisioning policy in ISE specifies which Resources (BYOD/Posture) should be provisioned to the end-user.
Navigate to (1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Client Provisioning Policy.
The scenario has the following requirements for provisioning the AnyConnect configuration you have just created for the redirect-based flow:
- The user should belong to the Internal Identity Group Employee (you can use an AD group if you have Active Directory integrated)
- VPN authentication should be performed over MS-CHAPv2
![Meddane_13-1693816642730.png Meddane_13-1693816642730.png](https://community.cisco.com/t5/image/serverpage/image-id/196043iCAFF1D7DB30B298E/image-size/large?v=v2&px=999)
![Meddane_14-1693816642805.png Meddane_14-1693816642805.png](https://community.cisco.com/t5/image/serverpage/image-id/196044i52A1BF17D5ABFAC4/image-size/large?v=v2&px=999)
![Meddane_15-1693816642897.png Meddane_15-1693816642897.png](https://community.cisco.com/t5/image/serverpage/image-id/196046i773D773F071ED420/image-size/large?v=v2&px=999)
Step 7: Create Authorization Profiles
The first Authorization Profile is applied to the VPN user during posture assessment; its goal is to provide limited access to internal resources and to redirect the user to the Client Provisioning Portal.
Navigate to (1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Client Provisioning Portal. Create a Client Provisioning Portal named CP_PORTAL_REDIRECT.
![Meddane_16-1693816643099.png Meddane_16-1693816643099.png](https://community.cisco.com/t5/image/serverpage/image-id/196047i42811BAF3F226AE4/image-size/large?v=v2&px=999)
Navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Downloadable ACLs to create a Downloadable ACL with some restrictions (for example, allow DNS, DHCP and the SWISS protocol UDP and TCP ports).
![Meddane_17-1693816643205.png Meddane_17-1693816643205.png](https://community.cisco.com/t5/image/serverpage/image-id/196045i9870A551CAFE4079/image-size/large?v=v2&px=999)
Navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Authorization Profiles to create an Authorization Profile that must be applied during posture assessment. Associate the previous dACL.
![Meddane_18-1693816643244.png Meddane_18-1693816643244.png](https://community.cisco.com/t5/image/serverpage/image-id/196050i5F985A964086ED4C/image-size/large?v=v2&px=999)
In Common Tasks, select Client Provisioning (Posture) for Web Redirection, then set the Redirection ACL (the name must match the ACL name configured on the ASA), and finally select the Client Provisioning Portal created previously, CP_PORTAL_REDIRECT.
![Meddane_19-1693816643272.png Meddane_19-1693816643272.png](https://community.cisco.com/t5/image/serverpage/image-id/196048i057A5FD94AEADA90/image-size/large?v=v2&px=999)
Once the end user's PC is compliant, we need to change the authorization to provide full access to internal resources. This is the second Authorization Profile.
Navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Downloadable ACLs to create a Downloadable ACL with permit ip any any.
![Meddane_20-1693816643306.png Meddane_20-1693816643306.png](https://community.cisco.com/t5/image/serverpage/image-id/196049i6A210FE735B7D77B/image-size/large?v=v2&px=999)
Navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Authorization Profiles to create an Authorization Profile that must be applied after posture assessment. Associate the previous dACL.
![Meddane_21-1693816643395.png Meddane_21-1693816643395.png](https://community.cisco.com/t5/image/serverpage/image-id/196052i376E073D249AF614/image-size/large?v=v2&px=999)
Finally, we have two Authorization Profiles:
The Authorization Profile POSTURE_CPP_REDIRECT for pre-assessment.
The Authorization Profile VPN-COMPLIANTE-ACCESS for post-assessment.
Step 8: Create two Authorization Policies
In this step, we associate the Authorization Profiles created in Step 7 with two Authorization Policies.
Navigate to (1)Work Centers → (2)Posture → (3)Policy Sets. Edit the Policy Set for VPN access.
Under this Policy Set, create two Authorization Policies.
Authorization Policy for compliant PCs.
- Name: POSTURE_COMPLIANT
- Conditions: InternalUser:IdentityGroup EQUALS User Identity Groups:Employee AND Session:PostureStatus EQUALS Compliant
- Profiles: VPN_COMPLIANT_ACCESS
Authorization Policy for redirection.
- Name: CPP_REDIRECT
- Conditions: InternalUser:IdentityGroup EQUALS User Identity Groups:Employee AND Session:PostureStatus NOT_EQUALS Compliant
- Profiles: POSTURE_CPP_REDIRECT
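The chain built in Steps 1 to 3 and Step 8 (conditions, requirements, posture policy, authorization rules) can be modelled in a few lines to see how the three posture states drive the two authorization profiles. The Python below is an added illustration, not ISE code: the condition, requirement and profile names come from the steps above, while the remediation message strings, the endpoint facts, the `enable_firewall` helper and the assumption that a non-matching session falls to a default deny are constructed for the example. It also shows what the write-up implies but does not spell out: a session whose posture status is still Unknown (no agent report yet) and one that is NonCompliant both land on CPP_REDIRECT, and the compliant profile is only applied after ISE re-authorizes the session.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    """Facts the AnyConnect posture module collects on a Windows PC (constructed)."""
    anti_malware_installed: bool
    firewall_running: bool
    windows_update_agent_running: bool


# Step 1 - posture conditions, keyed by the names used above.
CONDITIONS: Dict[str, Callable[[Endpoint], bool]] = {
    "TEST-AM": lambda ep: ep.anti_malware_installed,
    "TEST-FW": lambda ep: ep.firewall_running,
    "TEST-PATCH": lambda ep: ep.windows_update_agent_running,
}

# Step 2 - requirements: (requirement, condition it checks, Message Text Only text).
# The message strings are constructed; the steps above only say to add a text.
REQUIREMENTS: List[Tuple[str, str, str]] = [
    ("TEST-AM", "TEST-AM", "Install an anti-malware product before connecting."),
    ("TEST-FW", "TEST-FW", "Enable the Windows Firewall and rescan."),
    ("TEST-PATCH", "TEST-PATCH", "Start the Windows Update agent service."),
]


def assess_posture(ep: Endpoint) -> Tuple[str, List[str]]:
    """Step 3 - posture policy TEST-Win-Posture: every requirement must pass.
    Returns the Session:PostureStatus value ISE records plus the remediation
    text the agent shows for each failed requirement."""
    failed = [msg for _, cond, msg in REQUIREMENTS if not CONDITIONS[cond](ep)]
    return ("Compliant" if not failed else "NonCompliant"), failed


# Step 8 - authorization rules in evaluation order; the first match wins.
AUTHZ_RULES = [
    ("POSTURE_COMPLIANT",
     lambda grp, st: grp == "Employee" and st == "Compliant",
     "VPN_COMPLIANT_ACCESS"),
    ("CPP_REDIRECT",
     lambda grp, st: grp == "Employee" and st != "Compliant",
     "POSTURE_CPP_REDIRECT"),
]


def authorize(identity_group: str, posture_status: str) -> Optional[str]:
    """Return the authorization profile, or None for the policy set's default
    rule (assumed to be a deny in this model)."""
    for _, matches, profile in AUTHZ_RULES:
        if matches(identity_group, posture_status):
            return profile
    return None


def enable_firewall(ep: Endpoint) -> Endpoint:
    """Constructed remediation: the user turns on the Windows Firewall."""
    return replace(ep, firewall_running=True)


def vpn_session(ep: Endpoint, identity_group: str,
                remediate: Callable[[Endpoint], Endpoint]) -> List[Tuple[str, str, Optional[str]]]:
    """Walk one VPN login through the redirect flow and return
    (phase, posture status, authorization profile) per authorization decision."""
    trail = []
    # Initial authorization: no agent report yet, so PostureStatus is Unknown.
    status = "Unknown"
    trail.append(("initial", status, authorize(identity_group, status)))
    # Agent provisioned through the CPP; first scan result reported to ISE.
    status, _ = assess_posture(ep)
    trail.append(("first scan", status, authorize(identity_group, status)))
    if status != "Compliant":
        # User acts on the Message Text Only remediation and the agent rescans;
        # ISE then sends a CoA so the ASA re-authorizes with the new status.
        status, _ = assess_posture(remediate(ep))
        trail.append(("after remediation (CoA)", status, authorize(identity_group, status)))
    return trail


if __name__ == "__main__":
    pc = Endpoint(anti_malware_installed=True, firewall_running=False,
                  windows_update_agent_running=True)
    print(assess_posture(pc))
    for phase, status, profile in vpn_session(pc, "Employee", enable_firewall):
        print(f"{phase:24} PostureStatus={status:13} profile={profile}")
```

Running the block reproduces the test in Step 9: the first two decisions select POSTURE_CPP_REDIRECT (limited dACL plus portal redirect) and only the re-authorization after the firewall is enabled selects VPN_COMPLIANT_ACCESS. Swapping the rule order in `AUTHZ_RULES` does not change the outcome here because the two conditions are mutually exclusive, which is the property to preserve when more rules are added to the policy set.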
![Meddane_22-1693816643628.png Meddane_22-1693816643628.png](https://community.cisco.com/t5/image/serverpage/image-id/196053iA26E5CEAE35B6130/image-size/large?v=v2&px=999)
Step 9: Test Posture
Let’s test from the remote Employee user's PC.
Connect to the VPN with AnyConnect.
![Meddane_23-1693816643671.png Meddane_23-1693816643671.png](https://community.cisco.com/t5/image/serverpage/image-id/196051iED85D6286452CE28/image-size/large?v=v2&px=999)
Open a web browser and type any URL.
ISE redirects the HTTP request to the Client Provisioning Portal. Click the Start button.
![Meddane_24-1693816643679.png Meddane_24-1693816643679.png](https://community.cisco.com/t5/image/serverpage/image-id/196054i2BA0814B549C236C/image-size/large?v=v2&px=999)
Click the "This is my first time here" button.
![Meddane_25-1693816643747.png Meddane_25-1693816643747.png](https://community.cisco.com/t5/image/serverpage/image-id/196055i53C5E1447152B8EB/image-size/large?v=v2&px=999)
The posture module is not provisioned yet on the remote PC. The purpose of the Client Provisioning Portal is to let end users download the AnyConnect posture module. Click the "Click here to download and install AnyConnect" button.
![Meddane_26-1693816643842.png Meddane_26-1693816643842.png](https://community.cisco.com/t5/image/serverpage/image-id/196056i784FB41E0FC6F2F8/image-size/large?v=v2&px=999)
The Network Setup Assistant is launched to download the posture module.
![Meddane_27-1693816643895.png Meddane_27-1693816643895.png](https://community.cisco.com/t5/image/serverpage/image-id/196057i27DC3D0C73062BE8/image-size/large?v=v2&px=999)
The AnyConnect posture module and compliance module are downloaded and installed, and the scan starts as shown below.
A warning indicates that the firewall on the PC is not enabled.
![Meddane_28-1693816644030.png Meddane_28-1693816644030.png](https://community.cisco.com/t5/image/serverpage/image-id/196059i0D1849A0D161BF59/image-size/large?v=v2&px=999)
![Meddane_29-1693816644085.png Meddane_29-1693816644085.png](https://community.cisco.com/t5/image/serverpage/image-id/196058iA3E4562543A884F1/image-size/large?v=v2&px=999)
On the PC, enable the Windows Firewall.
The user then gains access to the network with a Compliant status.
![Meddane_30-1693816644150.png Meddane_30-1693816644150.png](https://community.cisco.com/t5/image/serverpage/image-id/196060i82382A880F198FFE/image-size/large?v=v2&px=999)