06-25-2013 05:55 AM - edited 02-21-2020 10:00 PM
Table of Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Understanding ISE Posture Services
Client Provisioning
Posture Policy
Authorization Policy
Understanding Posture Example Workflow
Before you start
Endpoint Checklist
ISE Checklist and basic configuration for this Example
Configurations
ISE Configuration
Configure and Deploy Client Provisioning Services
Configure Authorization Policy for Client Provisioning and Posture
Configure Posture Policy
Configure an AV Posture Policy
Configure Windows Server Update Services Remediation
Switch Configuration
Global Switch Configuration
Interface Switch Configuration
WLC Configuration
Global Configuration
Employee SSID Configuration
Guest SSID Configuration
Final Results
Employee dot1x Posture (NAC Agent)
Guest CWA Posture (NAC Web Agent)
Frequently Asked Questions
Deployment Options Other than Client Provisioning
Discovery Host for the NAC agent
Employee Browsers are Configured with a Proxy
DACL VS Redirection ACL
NAC Agent is not Popping Up
Unable to access WSUS for Remediation
Don't have an Internal Managed WSUS
This document covers a step-by-step configuration guide for Posture Services, Client Provisioning, Posture Policy creation, and configuration of access policies based on endpoint assessment results for wired clients (connected to Cisco switches) as well as wireless clients (connected to Cisco Wireless Controllers).
Cisco recommends knowledge of these topics:
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Posture Services workflow is comprised of three main configuration sections:
• Client Provisioning
• Posture Subscription and Policy
• Authorization Policy
In order to perform posture assessment and determine the compliance state of an endpoint, it is necessary to provision it with an agent. ISE Agent can be persistent whereby the agent is installed and is automatically loaded each time a user logs in. ISE Agent can also be temporal whereby a Web-based agent is dynamically downloaded to the user upon each new session and then removed following the posture assessment process. NAC Agents are also responsible for facilitating remediation and providing an optional Acceptable Use Policy (AUP) to the end user. Therefore, one of the first steps in the workflow is to retrieve the agent files from the Cisco website and to create policies that determine agent and configuration files downloaded to endpoints based on their attributes, for example, user identity and client OS type.
Defines the set of requirements for an endpoint to be deemed “Compliant” based on file presence, registry, process, application, Windows, and AV/AS checks and rules. Posture policy is applied to endpoints based on defined set of conditions such as user identity and client OS type. An endpoint’s compliance (posture) status can be one of the following:
• Unknown (no data collected to determine posture state)
• NonCompliant (posture assessment performed and one or more requirements failed)
• Compliant (compliant with all mandatory requirements)
Posture requirements are based on a configurable set of one or more conditions. Simple Conditions include a single assessment check. Compound Conditions include a logical grouping of one or more Simple Conditions. Each requirement is associated with a remediation action that assists endpoint to satisfy the requirement, for example, an AV signature update.
Defines the levels of network access and optional services to be delivered to an endpoint based on posture status. Endpoints that are deemed "not compliant" with the Posture Policy may optionally be quarantined until the endpoint becomes compliant. During this phase, a typical Authorization Policy limits a user's network access to posture and remediation resources only. If remediation by the agent or end user is successful, the Authorization Policy can then grant privileged network access to the user. Policy is often enforced using downloadable ACLs (dACLs) or dynamic VLAN assignment. In this configuration example we will use dACLs for endpoint access enforcement.
In this configuration example, we will download both persistent (NAC Agent) and temporal (Web Agent) agent files to ISE and define client provisioning policies that require Domain Users to download the NAC Agent and Guest users to download the Web Agent.
Before configuring posture assessment policies and requirements, we will update the Authorization Policy to apply Authorization Profiles to Domain Users and Guests that are flagged "not compliant". The new Authorization Profile that we'll define will limit access to posture and remediation resources. Employees and Guest users flagged "compliant" will be allowed regular network access. Once Client Provisioning services have been verified, posture requirements will be configured to check for antivirus installation, virus definition updates, as well as Windows Critical Updates.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
In order for posture to work properly for this example you should verify the following:
If you are using self-signed certificates for ISE, then you need to run Internet Explorer 10 in Administrator mode to install these certificates.
Cisco ISE installs the Cisco NAC Agent and Web Agent via an ActiveX control. In Internet Explorer 10, the option to prompt for ActiveX controls is disabled by default. To enable this option in Internet Explorer 10, perform the following:
Step 1 Go to Tools > Internet Options
Step 2 Go to the Security tab and click Internet and Custom Level.
Step 3 Under the ActiveX Controls and Plugins section, enable Automatic Prompting for ActiveX controls.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
ISE configuration is made up of these three steps:
Attribute | Value |
Web | ( o ) |
Update Feed URL: | https://www.cisco.com/web/secure/pmbu/posture-update.xml |
Proxy Address: | - |
Proxy Port: | - |
Automatically check for updates starting from initial delay, every 2 hours | [ ✓ ] |
Attribute | Value |
Remediation Timer | 8 (Minutes) |
Network Transition Delay | 3 (Seconds) |
Default Posture Status | Compliant |
Automatically Close Login Success Screen After | [✓] 5 (Seconds) |
Attribute | Value |
Enable Provisioning | Enable |
Enable Automatic Download | Disable |
Update Feed URL | http://www.cisco.com/web/secure/pmbu/provisioning |
Native Supplicant Provisioning Policy Unavailable: | Allow Network Access |
Step 6 (Optional) Create a NAC Agent configuration profile for your clients.
Refer to the ISE User Guide for a detailed description of all the values.
Note: The "merge" option updates a parameter in the current agent profile only if the value is not already defined; this option will not update parameters with an existing value. The "overwrite" option will update a parameter whether it is explicitly defined or not.
Step 7 Define Client Provisioning Policy for Domain Users and Guest users.
Rule Name | Identity Groups | Operating Systems | Conditions | Results | Is Upgrade Mandatory? |
Employee_Windows | Any | Windows All | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users | NAC Agent 4.9.0.51 + Profile (optional) + Compliance 3.5.5767.2 | [✓] |
Guest_Windows | Guest | Windows All | - | WebAgent 4.9.0.28 | [✓] |
Attribute | Value |
Guest users should download the posture client | [✓] |
Guest users should be allowed to do self service | [✓] |
Attribute | Value |
Guest users should agree to an acceptable use policy | ( ) Not Used ( o ) First Login ( ) Every Login |
The Authorization Policy sets the types of access and services to be granted to endpoints based on their attributes such as identity, access method, and compliance with posture policies. This example includes adding Authorization Policies to ensure that endpoints that are not posture compliant are quarantined (granted limited access sufficient to provision agent software and to remediate failed requirements), and that only posture compliant endpoints are granted privileged network access.
Step 1 (Optional). Define a dACL that restricts network access for endpoints that are not posture compliant.
Attribute | Value |
Name | POSTURE_REMEDIATION |
Description | Permit access to posture and remediation services and deny all other access. Permit general http and https for redirection only. |
DACL Content |
Downloadable ACL Entry | Description |
permit udp any any eq domain | Allow DNS for name resolution |
permit udp any eq bootpc any eq bootps | Allow DHCP |
permit tcp any host <ISE IP address> eq 8443 | Allow CWA/CPP to ISE Policy Service node |
permit tcp any host <ISE IP address> eq 8905 | Allow Agent discovery direct to Policy Service node |
permit udp any host <ISE IP address> eq 8905 | Allow Agent discovery and keep-alives |
permit tcp any host <ISE IP address> eq 8909 | Allow Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation |
permit udp any host <ISE IP address> eq 8909 | |
permit ip any host <REM Server IP address> | Explicit allow to remediation server (WSUS, antivirus server, ...) |
permit ip any host 192.230.240.8 | Allow traffic to the ClamWin definition database server (this entry is specific to our example) |
deny ip any any | Deny all other traffic |
Attribute | Value |
Name | Posture_Remediation |
Description | Permit access to posture and remediation services; redirect traffic to client provisioning and posture services. |
Access Type | ACCESS_ACCEPT |
DACL Name | [ ✓ ] POSTURE_REMEDIATION |
Web Authentication- Posture Discovery | [ ✓ ] ACL-POSTURE-REDIRECT |
Attribute | Value |
Name | CWA_Posture_Remediation |
Description | Permit access to posture and remediation services; redirect traffic to central web auth services. |
Access Type | ACCESS_ACCEPT |
DACL Name | [ ✓ ] POSTURE_REMEDIATION |
Web Authentication -Centralized Web Authentication | [ ✓ ] ACL-POSTURE-REDIRECT |
Update the existing Authorization Policy with the following values using the selector at the end of a rule entry to insert or duplicate rules:
Rule Name | Identity Groups | Other Conditions | Permissions |
Employee | Any | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users AND Session:PostureStatus EQUALS Compliant | PermitAccess (or Employee Authorization Profile if you already have one defined) |
Employee_PreCompliant | Any | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users AND Session:PostureStatus NOT EQUALS Compliant | Posture_Remediation |
Guest | Guest | Session:PostureStatus EQUALS Compliant | PermitAccess (or Guest Authorization Profile if you already have one defined) |
Default | Any | - | CWA_Posture_Remediation |
Note: clamwin-0..97.7-setup.exe was uploaded on the default site of the Remediation Server.
For the definition file update remediation to work, one of the IP addresses of the ClamWin update server must be added to the dACL as well as the redirection ACL, as we did in the previous section.
Step 1 Define an AV posture condition that validates the installation of ClamWin AV on an endpoint. This check will be used in posture requirements applied to Employees.
Attribute | Value |
Name | ClamWin_AV_Installed |
Description | Check ClamWin AV is installed |
Operating System | Windows 7 (All) |
Vendor | ClamWin |
Check Type | ( o ) Installation ( ) Definition |
Products for Selected Vendor | [ ✓ ] ClamWin Antivirus [ ✓ ] ClamWin FREE Antivirus |
Attribute | Value |
Name | ClamWin_AV_Current |
Description | Check ClamWin AV is current |
Operating System | Windows 7 (All) |
Vendor | ClamWin |
Check Type | ( ) Installation ( o ) Definition |
Allow virus definition files to be | [✓] 0 days older than ( o ) latest file date ( ) current system date |
Products for Selected Vendor | [ ✓ ] ClamWin Antivirus [ ✓ ] ClamWin FREE Antivirus |
Attribute | Value |
Name | Any_AV_Installed |
Description | Check Any AV is installed |
Operating System | Windows All |
Vendor | ANY |
Check Type | ( o ) Installation |
Products for Selected Vendor | [ ✓ ] ANY |
Attribute | Value |
Name | Install_ClamWin_AV |
Description | Link distribution to ClamWin AV install package |
Remediation Type | Manual |
Retry Count | 0 |
Interval | 0 |
URL | http://<REM SERVER IP>/clamwin-0..97.7-setup.exe |
Attribute | Value |
Name | Update_ClamWin_AV_Definitions |
Description | Trigger signature updates for ClamWin AV |
AV/AS Remediation Type | AV Definition Update |
Remediation Type | Manual |
Interval | 0 |
Retry Count | 0 |
Operating System | ( o ) Windows( ) Mac |
AV Vendor Name | ClamWin |
Enter the following entries into the table using the selector at the end of a rule entry to insert or duplicate rules. Click Save when finished:
Name | Operating System | Condition | Action | Message shown to Agent User |
Emp_AV_Installed | Windows 7 (All) | ClamWin_AV_Installed | Install_ClamWin_AV | (optional) |
Emp_AV_Current | Windows 7 (All) | ClamWin_AV_Current | Update_ClamWin_AV_Definitions | (optional) |
Guest_AV_Installed | Windows All | Any_AV_Installed | Install_ClamWin_AV | An approved Antivirus program was NOT detected on your PC. All guest users must have a current AV program installed before access is granted to the network. If you would like to install a free version of ClamAV, please click on the link below |
Note: If a preconfigured condition does not display under the list of Conditions, be sure you have selected the appropriate Operating System setting for both the condition and the requirement rule. Only conditions whose OS is the same as, or a subset of, the OS selected for the rule will display in the Conditions selection list.
Step 7 Configure the Posture Policy to ensure ClamWin AV is installed and current on Employee computers running Windows 7 and that any supported AV is installed and current on Guest user computers.
Rule Name | Identity Groups | Operating Systems | Other Conditions | Requirements |
Employee_Windows_AV_Installed_and_Current | Any | Windows 7 (All) | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users | AV_Installed (Mandatory) AV_Current (Mandatory) |
Guest_Windows_AV_Installed_and_Current | Guest | Windows All | - | Guest_AV_Installed (Mandatory) |
Attribute | Value |
Name | Install_Win_Critical_Updates |
Description | Check and Install missing Critical Windows Updates |
Remediation Type | Manual |
Validate Windows Updates using | Severity Level |
Windows Updates Severity Level | Critical |
Windows Updates Installation Source | Managed Server |
Installation Wizard Interface Setting | Show UI |
Name | Operating System | Condition | Action | Message shown to Agent User |
Win_Critical_Update | Windows 7 (All) | pr_WSUSRule | Install_Win_Critical_Updates | (optional) |
Rule Name | IdentityGroups | OperatingSystems | Other Conditions | Requirements |
Employee_Windows_latest_Critical_Patches_Installed | Any | Windows 7 (All) | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users | Win_Critical_Update |
and should be used for reference and not to be copied
Global RADIUS and dot1x Configuration
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
ip radius source-interface Vlan<x>
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host <ISE IP> key <pre shared key>
radius-server vsa send accounting
radius-server vsa send authentication
Default ACL to be applied on the port
ip access-list extended permitany
 permit ip any any
Enabling RADIUS Change of Authorization
aaa server radius dynamic-author
 client <ISE IP> server-key <pre shared key>
Enable URL Redirection and logging
ip device tracking
epm logging
ip http server
ip http secure-server
Redirection ACL
ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny udp any host <ISE IP> eq 8905
 deny tcp any host <ISE IP> eq 8905
 deny tcp any host <ISE IP> eq 8909
 deny udp any host <ISE IP> eq 8909
 deny tcp any host <ISE IP> eq 8443
 deny ip any host <REM SERVER IP>
 deny ip any host 192.230.240.8
 permit ip any any
(192.230.240.8 is one of the IP addresses of the ClamWin virus definition database)
Note: The IP address of the endpoint device must be reachable from the switch SVI in order for redirection to work.
Name : ACL-POSTURE-REDIRECT
Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | Direction |
1 | permit | Any | Any | UDP | DNS | Any | Any |
2 | permit | Any | Any | UDP | Any | DNS | Any |
3 | permit | Any | <ISE IP> | UDP | Any | 8905 | Any |
4 | permit | <ISE IP> | Any | UDP | 8905 | Any | Any |
5 | permit | Any | <ISE IP> | TCP | Any | 8905 | Any |
6 | permit | <ISE IP> | Any | TCP | 8905 | Any | Any |
7 | permit | Any | <ISE IP> | UDP | Any | 8909 | Any |
8 | permit | <ISE IP> | Any | UDP | 8909 | Any | Any |
9 | permit | Any | <ISE IP> | TCP | Any | 8909 | Any |
10 | permit | <ISE IP> | Any | TCP | 8909 | Any | Any |
11 | permit | Any | <ISE IP> | TCP | Any | 8443 | Any |
12 | permit | <ISE IP> | Any | TCP | 8443 | Any | Any |
13 | permit | Any | <REM SERVER IP> | Any | Any | Any | Any |
14 | permit | <REM SERVER IP> | Any | Any | Any | Any | Any |
15 | permit | 192.230.240.8 | Any | Any | Any | Any | Any |
16 | permit | Any | 192.230.240.8 | Any | Any | Any | Any |
Note: Rules 15 and 16 are used in our example for the ClamWin antivirus update, where 192.230.240.8 hosts the definition database file.
Note: For FlexConnect with local switching, you have to create a FlexConnect ACL and apply it as the WebPolicy ACL as below:
1) The ACL will be named as the ACL above and will have the same attributes
2) Click on External WebAuthentication ACLs
3) Add the Web Policy ACL and Apply
Create New Employee SSID or Modify the Existing one if already defined
Create New WLAN with Guest SSID or Modify the existing one if already defined
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Click to Install Agent and then Next
Click On Next
Accept End User License Agreement
Choose Complete
Click on Install
Select Finish
The NAC Agent will pop up after installation. Select Show details. We can see that ClamWin is not installed and is not updated; we can also notice that some Windows Critical Updates are not installed.
Click Go To Link to install the antivirus
Click on Run and install ClamWin Antivirus
After installing the antivirus, the NAC Agent will prompt for Update. Click on Update to get the latest virus definition file. After that, you will get the same screen to update your Windows. Click on Update another time.
Your NAC Agent will contact your WSUS to check and install the latest Critical Updates
When installation is complete you will be prompted to restart your computer
After restart you will have full network access since your system will be compliant
Click on Self registration and proceed with authentication
Accept the use policy
Click on Install Agent
Click on click here to remediate
Click on run and proceed with antivirus installation
Now You have full Network Access
Check the ISE authentication logs to verify that dynamic authorization succeeded and that you are matching the authorization profile related to the Compliant status
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
You can refer to ISE User Guide under this Topic
Provisioning Client Machines with the Cisco NAC Agent MSI Installer
In order for the NAC Agent to reach the right ISE PDP:
1) If no Discovery Host is defined: the NAC Agent will send an HTTP request on port 80 to the gateway; this traffic must be redirected to the posture discovery link (CPP) in order for discovery to work properly.
2) If a Discovery Host is defined: the NAC Agent will send an HTTP request on port 80 to that host; this traffic must be redirected to the posture discovery link (CPP) in order for discovery to work properly. If there is a problem with redirection, the NAC Agent will try to contact the defined Discovery Host directly on port 8905 (which does not guarantee the posture validation, because the session information may not be available on that PDP unless node groups are defined and the PDPs are within the same group).
1) If you are not using Client Provisioning and the employee PCs are configured with a proxy, there is no need to make any changes, since the posture discovery packets are sent on port 80 and bypass the proxy settings.
2) If you are using the Client Provisioning service, you need to change the switch and WLC configuration as below in order to intercept HTTP traffic on the proxy's defined port.
ip http port 8080
ip port-map http port 8080
By default the WLC intercepts HTTP requests with destination TCP port 80 only. The following command must be configured through the CLI if you want to intercept HTTP traffic on another port, for example 8080:
config network web-auth-port 8080
Note: Switches allow redirection on one port only. Therefore, if you specify another port for switch redirection, posture discovery will fail and posture traffic will be sent to the discovery host defined in NACAgentCFG.xml (NAC Agent Profile).
1) The Redirection ACL is mandatory for Client Provisioning, Central Web Authentication, and Posture Discovery.
2) The dACL is used to limit network access and is applied only to non-redirected traffic. You have multiple options:
1) Define only a Redirection ACL and redirect all the traffic that you want to be dropped (as we did in our example)
2) Define a less restrictive Redirection ACL and apply a dACL which filters the traffic that is not redirected
3) Define a Redirection ACL and apply a VLAN which will restrict network access (best approach, since VLAN traffic can be filtered by an application-aware firewall)
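The redirect ACL and the dACL have opposite senses on the switch: a `deny` in ACL-POSTURE-REDIRECT exempts a flow from redirection, while the dACL decides what is forwarded at all, so the two lists must name the same ISE and remediation flows (the note in the AV section about adding the ClamWin update server to both is one instance of this). The following Python script is an added example, not part of the Cisco document: it parses the two ACLs from this guide with constructed addresses in place of `<ISE IP>` and `<REM SERVER IP>`, reports any flow present in one list but not the other, and derives the bidirectional WLC pre-auth ACL rows from the switch redirect ACL (WLC ACLs are stateless, which is why the WLC table above carries a return rule for every exemption). The parser handles only the IOS subset used here (`any`, `host X`, optional `eq port`).

```python
"""Added example, not from the Cisco document: check that the posture dACL and
the switch redirect ACL agree, and derive the WLC pre-auth ACL rows from the
redirect ACL. The parser covers only the IOS subset used in the guide."""
from dataclasses import dataclass

# Constructed addresses standing in for the <ISE IP> / <REM SERVER IP>
# placeholders used in the document.
ISE_IP = "10.1.1.10"
REM_IP = "10.1.1.20"

# dACL POSTURE_REMEDIATION, as listed in the Authorization Policy section
DACL = f"""
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
permit tcp any host {ISE_IP} eq 8443
permit tcp any host {ISE_IP} eq 8905
permit udp any host {ISE_IP} eq 8905
permit tcp any host {ISE_IP} eq 8909
permit udp any host {ISE_IP} eq 8909
permit ip any host {REM_IP}
permit ip any host 192.230.240.8
deny ip any any
"""

# ACL-POSTURE-REDIRECT, as listed in the Switch Configuration section
REDIRECT_ACL = f"""
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host {ISE_IP} eq 8905
deny tcp any host {ISE_IP} eq 8905
deny tcp any host {ISE_IP} eq 8909
deny udp any host {ISE_IP} eq 8909
deny tcp any host {ISE_IP} eq 8443
deny ip any host {REM_IP}
deny ip any host 192.230.240.8
permit ip any any
"""

CATCH_ALL = ("ip", "any", "any", "any", "any")


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str

    def flow(self):
        """5-tuple key used to compare entries across the two ACLs."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def _endpoint(tokens):
    """Consume 'any' or 'host <ip>' plus an optional 'eq <port>'."""
    if tokens[0] == "host":
        addr, rest = tokens[1], tokens[2:]
    else:
        addr, rest = tokens[0], tokens[1:]
    port = "any"
    if rest and rest[0] == "eq":
        port, rest = rest[1], rest[2:]
    return addr, port, rest


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # blank line or remark
        src, sport, rest = _endpoint(tok[2:])
        dst, dport, rest = _endpoint(rest)
        aces.append(Ace(tok[0], tok[1].lower(), src, sport, dst, dport))
    return aces


def check_acl_pair(dacl_text, redirect_text):
    """Return a list of findings; an empty list means the ACLs agree."""
    dacl, redirect = parse_acl(dacl_text), parse_acl(redirect_text)
    findings = []
    if not dacl or (dacl[-1].action, dacl[-1].flow()) != ("deny", CATCH_ALL):
        findings.append("dACL must end with 'deny ip any any' to enforce quarantine")
    if not redirect or (redirect[-1].action, redirect[-1].flow()) != ("permit", CATCH_ALL):
        findings.append("redirect ACL must end with 'permit ip any any' so HTTP is redirected")
    allowed = {a.flow() for a in dacl if a.action == "permit"}   # forwarded by dACL
    exempt = {a.flow() for a in redirect if a.action == "deny"}  # not redirected
    for f in sorted(exempt - allowed):   # agent/remediation flow silently dropped
        findings.append(f"exempt from redirect but dropped by dACL: {' '.join(f)}")
    for f in sorted(allowed - exempt):   # HTTP(S) to this host would still be redirected
        findings.append(f"permitted by dACL but still redirected: {' '.join(f)}")
    return findings


def to_wlc_rules(redirect_text):
    """Each switch 'deny' (exempt) becomes a WLC 'permit', plus a return-direction
    row, because WLC ACLs are stateless. Rows: action, src, dst, proto, sport, dport."""
    rows = []
    for ace in parse_acl(redirect_text):
        if ace.action != "deny":
            continue
        proto = "Any" if ace.proto == "ip" else ace.proto.upper()
        rows.append(("permit", ace.src, ace.dst, proto, ace.sport, ace.dport))
        rows.append(("permit", ace.dst, ace.src, proto, ace.dport, ace.sport))
    return rows


if __name__ == "__main__":
    print(check_acl_pair(DACL, REDIRECT_ACL) or "dACL and redirect ACL agree")
    for n, row in enumerate(to_wlc_rules(REDIRECT_ACL), 1):
        print(n, *row)
```

Run as written it reports that the two lists agree and prints 18 WLC rows (the document's 16-row table omits the DHCP pair); delete the 192.230.240.8 entry from one list and the script names the mismatch, which is exactly the failure the AV remediation note warns about.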
1) Check ISE Live Authentications and verify that the authentication is matching your posture authorization profile.
2) From the client PC, open cmd, type nslookup and verify you can resolve the ISE PDP hostname.
3) From your client browser, type https://<ise-hostname>:8905/auth/discovery and make sure you are receiving the ISE FQDN as the response.
If all the steps are working and your switch or WLC configuration is in compliance with this document, contact Cisco TAC providing: the packet capture, NAC Agent logs, the NACAgentCFG configuration file and Windows Event Viewer logs.
If you are using WSUS 3.0 SP2 and the NAC Agent is unable to access WSUS Windows Updates, verify that you have the latest patch of WSUS installed (this patch is mandatory for Windows clients to browse updates from WSUS):
http://support.microsoft.com/kb/2720211
Verify that you are able to access the following file:
http://<ip wsus>/selfupdate/iuident.cab
Refer to the link below for better debugging of the WSUS installation:
http://technet.microsoft.com/en-us/library/dd939822%28v=ws.10%29.aspx
You can still use the Windows Update servers when configuring your posture remediation rule.
The client must be allowed to reach these sites, and the following URLs should not be redirected:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
http://download.windowsupdate.com
http://*.download.windowsupdate.com
http://ntservicepack.microsoft.com
You might be tempted to create an authorization policy rule that triggers on the condition of a NonCompliant client in order to restrict its access. However, no authentication attempt will be seen failing until the remediation timer expires, most particularly when using the Web Agent. In fact, the agent notices it is not meeting the requirements and starts the remediation timer.
Only at the end of it, or if the user clicks Cancel, will ISE be notified that the posture was a failure. Therefore it is good practice to give a default access to all clients that allows for remediation but blocks any other form of access.
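The point above, and the rule table in the Authorization Policy section, can be checked by walking a session through the three posture states ISE can report. The Python below is an added example, not from the Cisco document: the rule names, profile names and conditions are the document's four rules in table order, evaluated first-match as ISE does; the `Session` class, the evaluator and the AD group string (standing in for `<AD Domain Name>/Users/Domain Users`) are constructed for illustration. It shows that Unknown and NonCompliant both land on the remediation profile without any rule that names NonCompliant, and that a guest whose posture is still Unknown falls through to the Default rule, which is why Default must grant remediation access rather than deny.

```python
"""Added example, not from the Cisco document: first-match evaluation of the
four authorization rules in this guide for every posture state a session can
carry. Session, evaluator and the AD group string are constructed."""
from dataclasses import dataclass

# Constructed stand-in for <AD Domain Name>/Users/Domain Users
DOMAIN_USERS = "example.local/Users/Domain Users"
POSTURE_STATES = ("Unknown", "NonCompliant", "Compliant")


@dataclass
class Session:
    identity_group: str      # ISE identity group, e.g. "Guest"
    external_groups: tuple   # AD1:ExternalGroups
    posture_status: str      # Session:PostureStatus


def _employee(s):
    return DOMAIN_USERS in s.external_groups


# (rule name, identity group, other conditions, permission), in table order
RULES = (
    ("Employee", "Any",
     lambda s: _employee(s) and s.posture_status == "Compliant", "PermitAccess"),
    ("Employee_PreCompliant", "Any",
     lambda s: _employee(s) and s.posture_status != "Compliant", "Posture_Remediation"),
    ("Guest", "Guest",
     lambda s: s.posture_status == "Compliant", "PermitAccess"),
    ("Default", "Any", lambda s: True, "CWA_Posture_Remediation"),
)


def authorize(session):
    """First matching rule wins, as in the ISE authorization table."""
    for name, group, cond, permission in RULES:
        if group != "Any" and group != session.identity_group:
            continue
        if cond(session):
            return name, permission
    raise RuntimeError("no rule matched; ISE would deny access")


def posture_walk(session):
    """Outcome for each posture state the same session may pass through."""
    return {
        state: authorize(Session(session.identity_group, session.external_groups, state))
        for state in POSTURE_STATES
    }


# Constructed sessions: an AD domain user and a self-registered guest
EMPLOYEE = Session("Other", (DOMAIN_USERS,), "Unknown")
GUEST = Session("Guest", (), "Unknown")

if __name__ == "__main__":
    for label, sess in (("employee", EMPLOYEE), ("guest", GUEST)):
        for state, (rule, profile) in posture_walk(sess).items():
            print(f"{label:8s} {state:13s} -> {rule} / {profile}")
```

Adding a rule keyed on `PostureStatus EQUALS NonCompliant` would change nothing in this walk: the session is already on the remediation profile from the moment it is Unknown, and, as the answer above explains, ISE does not learn of the failure until the remediation timer expires or the user cancels.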