Antoine KMEID, Cisco Employee

Table of Contents
     Introduction
     Prerequisites
          Requirements
          Components Used
          Conventions
     Understanding ISE Posture Services
          Client Provisioning
          Posture Policy
          Authorization Policy
          Understanding Posture Example Workflow
     Before you start
          Endpoint Checklist
          ISE Checklist and basic configuration for this Example
     Configurations
          ISE Configuration
               Configure and Deploy Client Provisioning Services
               Configure Authorization Policy for Client Provisioning and Posture
               Configure Posture Policy
                    Configure an AV Posture Policy
                    Configure Windows Server Update Services Remediation
          Switch Configuration
               Global Switch Configuration
               Interface Switch Configuration
          WLC Configuration
               Global Configuration
               Employee SSID Configuration
               Guest SSID Configuration
     Final Results
          Employee dot1x Posture (NAC Agent)
          Guest CWA Posture (NAC Web Agent)
     Frequently Asked Questions
          Deployment Options Other than Client Provisioning
          Discovery Host for the NAC agent
          Employees Browsers are configured with Proxy
          DACL VS Redirection ACL
          NAC Agent is not popping up
          Unable to access WSUS for Remediation
          Don't have an Internal Managed WSUS

Introduction

This document is a step-by-step configuration guide for Posture Services: Client Provisioning, Posture Policy creation, and configuration of access policies based on endpoint assessment results, for wired clients (connected to Cisco switches) as well as wireless clients (connected to Cisco Wireless LAN Controllers).

Prerequisites

Requirements

Cisco recommends knowledge on these topics:

  • Identity Services Engine (ISE)
  • Cisco IOS® Switch configuration
  • Cisco WLC Wireless Configuration

Components Used

The information in this document is based on these software and hardware versions:
  • Cisco Identity Services Engine (ISE), Release 1.1.3
  • Cisco Catalyst 3560 Series Switch version 15.0(2) SE2
  • Cisco WLC 2504 Series version 7.4.100.0

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

  -----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Understanding ISE Posture Services

Posture Services workflow is comprised of three main configuration sections:

  • Client Provisioning
  • Posture Subscription and Policy
  • Authorization Policy

Client Provisioning

In order to perform posture assessment and determine the compliance state of an endpoint, it is necessary to provision it with an agent. The ISE Agent can be persistent, whereby the agent is installed and is automatically loaded each time a user logs in. The ISE Agent can also be temporal, whereby a web-based agent is dynamically downloaded to the user upon each new session and then removed following the posture assessment process. NAC Agents are also responsible for facilitating remediation and presenting an optional Acceptable Use Policy (AUP) to the end user. Therefore, one of the first steps in the workflow is to retrieve the agent files from the Cisco website and to create policies that determine which agent and configuration files are downloaded to endpoints based on their attributes, for example user identity and client OS type.

Posture Policy

Defines the set of requirements for an endpoint to be deemed "Compliant" based on file presence, registry, process, application, Windows, and AV/AS checks and rules. Posture policy is applied to endpoints based on a defined set of conditions such as user identity and client OS type. An endpoint's compliance (posture) status can be one of the following:

  • Unknown (no data collected to determine posture state)
  • NonCompliant (posture assessment performed and one or more requirements failed)
  • Compliant (compliant with all mandatory requirements)

Posture requirements are based on a configurable set of one or more conditions. Simple Conditions include a single assessment check. Compound Conditions include a logical grouping of one or more Simple Conditions. Each requirement is associated with a remediation action that assists the endpoint to satisfy the requirement, for example an AV signature update.

Authorization Policy

Defines the levels of network access and optional services to be delivered to an endpoint based on posture status. Endpoints that are deemed "not compliant" with the Posture Policy may optionally be quarantined until the endpoint becomes compliant. During this phase, a typical Authorization Policy limits a user's network access to posture and remediation resources only. If remediation by the agent or end user is successful, the Authorization Policy can then grant privileged network access to the user. Policy is often enforced using downloadable ACLs (dACLs) or dynamic VLAN assignment. In this Configuration Example we use dACLs for endpoint access enforcement.

Understanding Posture Example Workflow

In this Configuration Example, we will download both persistent (NAC Agent) and temporal (Web Agent) agent files to ISE and define client provisioning policies that require Domain Users to download the NAC Agent and Guest users to download the Web Agent.

Before configuring posture assessment policies and requirements, we will update the Authorization Policy to apply Authorization Profiles to Domain Users and Guests that are flagged "not compliant". The new Authorization Profile that we define will limit access to posture and remediation resources. Employees and Guest users flagged "compliant" will be allowed regular network access. Once Client Provisioning services have been verified, posture requirements will be configured to check for antivirus installation, virus definition updates, and Windows Critical Updates.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Before you start

In order for posture to work properly for this example, verify the following:

Endpoint Checklist

  1. The ISE FQDN must be resolvable by the endpoint device.
  2. For Client Provisioning, depending on the browser:
     • Firefox or Chrome: the Java plugin must be enabled in the browser.
     • Internet Explorer: ActiveX must be enabled in the browser settings.
     • Internet Explorer 10: verify the following.
       - Importing self-signed certificates: if you are using self-signed certificates for ISE, you need to run Internet Explorer 10 in Administrator mode to install these certificates.
       - Compatibility mode: compatibility mode must be changed in the IE 10 settings to allow the NAC agent download. To do this, right-click at the top of the IE 10 window, choose Command bar, then Tools > Compatibility View, and add the ISE link or your site to the list.
       - Enabling ActiveX controls: Cisco ISE installs the Cisco NAC Agent and Web Agent via an ActiveX control. In Internet Explorer 10 the option to prompt for ActiveX controls is disabled by default. To enable this option in Internet Explorer 10:
           Step 1   Go to Tools > Internet Options.
           Step 2   Go to the Security tab and click Internet, then Custom Level.
           Step 3   Under the ActiveX Controls and Plugins section, enable Automatic Prompting for ActiveX controls.
  3. If you have a firewall on the endpoint or between ISE and the endpoint, the following ports must be open for ISE NAC communication:
     • udp/tcp 8905   (posture communication between the NAC agent and ISE; the "Swiss" port)
     • udp/tcp 8909   (Client Provisioning)
     • tcp 8443       (Guest portal and posture discovery)
     Note: the legacy port udp/8906 is no longer used with ISE.
  4. If you are using a proxy server on your clients, modify the proxy settings to exclude the IP address of ISE (otherwise CWA and Client Provisioning will not work).

ISE Checklist and basic configuration for this Example

     
  • ISE must be joined to your AD.
  • The Domain Users group is added under Groups within the Active Directory configuration.
  • The switch and WLC are defined as network devices on ISE.
  • ISE authentication rules are configured as below:
    1) Dot1x authentications for wired and wireless clients are sent to the AD identity store.
    2) MAB authentications for wired and wireless devices are sent to Internal Endpoints (be sure to check the option 'Continue' if user not found).

[Image: authemab1.jpg]

[Image: authdot1x.jpg]

  -----------------------------------------------------------------------------------------------------------------------------------------------------------------------


Configurations

ISE Configuration

ISE configuration is made up of these three steps:

  1. Configure and deploy Client Provisioning Services
  2. Configure Compliant and Non-Compliant Authorization Policies
  3. Configure Posture Policies

Configure and Deploy Client Provisioning Services

Step 1     Verify the ISE proxy configuration, if any.
  • Navigate to Administration > System > Settings, select Proxy from the left-hand pane and fill in your proxy configuration.

Step 2     Download pre-built posture checks for AV/AS and Microsoft Windows.
  • Click the icon to the left of Posture in the left-hand pane to expand the contents of the Posture settings, and then click Updates. The Update Information in the bottom right-hand pane should be empty since no updates have been downloaded yet.
  • Configure the following values:

    Attribute | Value
    Web | ( o )
    Update Feed URL | https://www.cisco.com/web/secure/pmbu/posture-update.xml
    Proxy Address | -
    Proxy Port | -
    Automatically check for updates starting from initial delay | [ ✓ ] every 2 hours

  • Click Update Now and acknowledge the warning that the updates may take some time to complete.
Note: If ISE does not have internet access you can do Posture Updates offline by downloading the required file from the Cisco site.

Step 3 (Optional)     Configure general settings for agent behavior.
  • Select General Settings from the left-hand pane under the Posture settings.
  • Review the default values for Remediation Timer, Network Transition Delay, and Default Posture Status, and set the Remediation Timer to 8 minutes.
  • Check (enable) the checkbox "Automatically Close Login Success Screen After" and set the time to 5 seconds, per the following:

    Attribute | Value
    Remediation Timer | 8 (Minutes)
    Network Transition Delay | (Seconds)
    Default Posture Status | Compliant
    Automatically Close Login Success Screen After | [ ✓ ] 5 (Seconds)

  • Click Save.
Note: Values assigned through the agent profile will override these global settings.
Note: Default Posture Status defines the status you want for clients with no NAC Agent. If you are not using Client Provisioning, set this value to Non Compliant.

Step 4     Set the location and policy for downloading Client Provisioning updates.
  • Click Client Provisioning from the left-hand pane and verify the following default values are set:

    Attribute | Value
    Enable Provisioning | Enable
    Enable Automatic Download | Disable
    Update Feed URL | http://www.cisco.com/web/secure/pmbu/provisioning
    Native Supplicant Provisioning Policy Unavailable | Allow Network Access
Step 5     Download agent files.
  • Go to Policy > Policy Elements > Results and click the arrow icon to the left of Client Provisioning to expand its contents.
  • Select Resources in the left-hand pane. From the right-hand pane, click Add, then click Agent Resources from Cisco site in the drop-down list. A popup window similar to the following should display.

[Image: Capture19.jpg]

  • At a minimum, select the current NAC Agent, Web Agent and Compliance Module (AV/AS support module) from the list and click Save.
  • Wait until the files are downloaded to the ISE appliance.

CLIENT PROVISIONING FILE REFERENCE:
  • NAC Agent: persistent posture agent for Windows client PCs.
  • Mac OS X Agent: persistent posture agent for Mac OS X client PCs.
  • Web Agent: temporal posture agent for Windows-only PCs.
  • Compliance Module: OPSWAT module that provides updates to current AV/AS vendor support for both the NAC Agent and Mac OS X Agent. Not applicable to the Web Agent.
  • Profiles: agent configuration files for the NAC Agent and Mac OS X Agent. Updates locally installed XML files on client PCs. Not applicable to the Web Agent.

Step 6 (Optional)     Create a NAC Agent configuration profile for your clients.
  • From the right-hand pane, click Add, then select ISE Posture Agent Profile from the drop-down list, and choose the values that meet your needs.
    Refer to the ISE User Guide for a detailed description of all the values.

Note: The "merge" option updates a current agent profile parameter only if the value is not already defined; this option will not update parameters with an existing value. The "overwrite" option will update a parameter whether explicitly defined or not.

Step 7     Define the Client Provisioning Policy for Domain Users and Guest users.
  • Go to Policy > Client Provisioning. Add two new Client Provisioning rules per the following table values, and then click Save:
Note: Click the ACTIONS button to the right of any rule entry to insert or duplicate entries.
Note: If multiple versions of the same file type (NAC Agent / Web Agent / Compliance module) were downloaded to the Client Provisioning repository, select the most current version available.

    Rule Name | Identity Groups | Operating Systems | Conditions | Results | Is Upgrade Mandatory?
    Employee_Windows | Any | Windows All | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users | NAC Agent 4.9.0.51 + Profile (optional) + Compliance 3.5.5767.2 | [ ✓ ]
    Guest_Windows | Guest | Windows All | - | WebAgent 4.9.0.28 | [ ✓ ]
Step 8     Configure the web authentication portal to download the posture agent per the Client Provisioning Policy.
  • Navigate to Administration > Web Portal Management > Settings and click the icon to the left of Guest (or double-click Guest) to expand its contents.
  • Select Multi-Portal Configurations from the left-hand pane and then select DefaultGuestPortal.
  • Under the Operation tab, enable the option to allow guest users to download agents and to self register:

    Attribute | Value
    Guest users should download the posture client | [ ✓ ]
    Guest users should be allowed to do self service | [ ✓ ]

  • Make sure that the guest role as well as the time profile are assigned for self-registration guest roles.

[Image: Capture3.jpg]
[Image: Capture2.jpg]

Note: Guest self service is optional, but in our example we are using it for fast guest authentication without sponsor intervention.

  • Optionally set the Acceptable Use Policy for guest users as shown below:

    Attribute | Value
    Guest users should agree to an acceptable use policy | (  ) Not Used   ( o ) First Login   (  ) Every Login

  • Click Save when finished.

Configure Authorization Policy for Client Provisioning and Posture

The Authorization Policy sets the types of access and services to be granted to endpoints based on their attributes such as identity, access method, and compliance with posture policies. This example adds Authorization Policies to ensure that endpoints that are not posture compliant are quarantined (granted limited access, sufficient to provision agent software and to remediate failed requirements), and that only posture compliant endpoints are granted privileged network access.

Step 1 (Optional)     Define a dACL that restricts network access for endpoints that are not posture compliant.
  • Go to Policy > Policy Elements > Results and click the arrow icon to the left of Authorization (or double-click Authorization) to expand its contents.
  • Select Downloadable ACLs from the left-hand pane.
  • Click Add from the right-hand pane under DACL Management and enter the following values for the new dACL:

    Attribute | Value
    Name | POSTURE_REMEDIATION
    Description | Permit access to posture and remediation services and deny all other access. Permit general http and https for redirection only.
    DACL Content | (the entries below)

  • Fill in the DACL entries in the DACL Content field:

    Downloadable ACL Entry | Description
    permit udp any any eq domain | Allow DNS for name resolution
    permit udp any eq bootpc any eq bootps | Allow DHCP
    permit tcp any host <ISE IP address> eq 8443 | Allow CWA/CPP to the ISE Policy Service node
    permit tcp any host <ISE IP address> eq 8905 | Allow agent discovery direct to the Policy Service node
    permit udp any host <ISE IP address> eq 8905 | Allow agent discovery and keep-alives
    permit tcp any host <ISE IP address> eq 8909 | Allow Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation
    permit udp any host <ISE IP address> eq 8909 |
    permit ip any host <REM Server IP address> | Explicit allow to the remediation server (WSUS, antivirus server, ...)
    permit ip any host 192.230.240.8 | Allow traffic to the ClamWin definition database server (this entry is specific to our example)
    deny ip any any | Deny all other traffic

Note: There is currently NO ACL syntax checking for dACL contents, so it is imperative that entries be carefully reviewed for errors prior to submitting.
  • Click Submit when completed.
Step 2     Define a new Authorization Profile for 802.1X-authenticated / NAC Agent users named Posture_Remediation that leverages both the new dACL for port access control and the URL Redirect ACL for traffic redirection.
  • Click Authorization Profiles from the left-hand pane under Policy > Policy Elements > Results > Authorization.
  • Click Add from the right-hand pane and enter the values for the Authorization Profile as shown below:

    Attribute | Value
    Name | Posture_Remediation
    Description | Permit access to posture and remediation services; redirect traffic to client provisioning and posture services.
    Access Type | ACCESS_ACCEPT
    DACL Name | [ ✓ ] POSTURE_REMEDIATION
    Web Authentication - Posture Discovery | [ ✓ ] ACL-POSTURE-REDIRECT

  • The resultant Attribute Details should appear at the bottom of the page as follows:
        Access Type = ACCESS_ACCEPT
        DACL = POSTURE_REMEDIATION
        cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT
        cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue@action=cpp
  • Click Submit to apply your changes.
Note: ACL-POSTURE-REDIRECT has to be created on the switch as well as on the WLC (refer to Switch and WLC Configuration).

Step 3     Define a new Authorization Profile for web-authenticated / Web Agent users named CWA_Posture_Remediation that leverages both the new dACL for port access control and the URL Redirect ACL for traffic redirection.
  • Click Authorization Profiles from the left-hand pane under Policy > Policy Elements > Results > Authorization.
  • Click Add from the right-hand pane and enter the values for the Authorization Profile as shown below:

    Attribute | Value
    Name | CWA_Posture_Remediation
    Description | Permit access to posture and remediation services; redirect traffic to central web auth services.
    Access Type | ACCESS_ACCEPT
    DACL Name | [ ✓ ] POSTURE_REMEDIATION
    Web Authentication - Centralized Web Authentication | [ ✓ ] ACL-POSTURE-REDIRECT

  • The resultant Attribute Details should appear at the bottom of the page as follows:
        Access Type = ACCESS_ACCEPT
        DACL = POSTURE_REMEDIATION
        cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT
        cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue@action=cwa
  • Click Submit to apply your changes.
Note: The difference between the two profiles is the URL Redirect cisco-av-pair attribute. Users that need to be authenticated using CWA are initially redirected to the guest portal for web authentication (cwa) and then automatically redirected to the Client Provisioning Portal (cpp) as needed. Users authenticated through 802.1X are redirected directly to the Client Provisioning Portal.

Step 4     Update the Authorization Policy to support posture compliance.
  • Go to Policy > Authorization.
  • Update the existing Authorization Policy with the following values, using the selector at the end of a rule entry to insert or duplicate rules:

    Rule Name | Identity Groups | Other Conditions | Permissions
    Employee | Any | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users AND Session:PostureStatus EQUALS Compliant | PermitAccess (or the Employee Authorization Profile if you already have one defined)
    Employee_PreCompliant | Any | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users AND Session:PostureStatus NOT EQUALS Compliant | Posture_Remediation
    Guest | Guest | Session:PostureStatus EQUALS Compliant | PermitAccess (or the Guest Authorization Profile if you already have one defined)
    Default | Any | - | CWA_Posture_Remediation

  • Click Save to apply your changes.
Note: In the above we are using the same Authorization Profile (Permissions) for wired and wireless access. Be aware that the WLC will not take the dACL into consideration; thus the redirection ACL configured above is enough to deny all traffic except for the remediation server and ISE posture services.
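As an added illustration (not part of the original document), the following Python evaluates the four rules of the Authorization Policy table above in ISE's first-match order for a few constructed sessions, showing why an employee with no posture result lands on Posture_Remediation while an unauthenticated MAB session or a non-compliant guest falls through to the Default rule. The Session fields are simplified stand-ins for the ISE dictionary attributes (AD1:ExternalGroups, Session:PostureStatus) and the identity group values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

DOMAIN_USERS = "<AD Domain Name>/Users/Domain Users"   # placeholder, as in the tables above


@dataclass
class Session:
    """Simplified view of what ISE knows about a session at authorization time."""
    identity_group: str                      # "Guest" for CWA guests; anything else otherwise (assumed)
    external_groups: List[str] = field(default_factory=list)   # stands in for AD1:ExternalGroups
    posture_status: str = "Unknown"          # Session:PostureStatus: Compliant / NonCompliant / Unknown


@dataclass
class Rule:
    name: str
    identity_group: Optional[str]            # None stands for "Any"
    condition: Callable[[Session], bool]     # the "Other Conditions" column
    permission: str                          # the "Permissions" column (authorization profile)


def is_domain_user(s: Session) -> bool:
    return DOMAIN_USERS in s.external_groups


def is_compliant(s: Session) -> bool:
    return s.posture_status == "Compliant"


# The four rules from the table, in the order ISE evaluates them (top to bottom, first match wins).
AUTHZ_POLICY: List[Rule] = [
    Rule("Employee", None, lambda s: is_domain_user(s) and is_compliant(s), "PermitAccess"),
    Rule("Employee_PreCompliant", None, lambda s: is_domain_user(s) and not is_compliant(s), "Posture_Remediation"),
    Rule("Guest", "Guest", is_compliant, "PermitAccess"),
    Rule("Default", None, lambda s: True, "CWA_Posture_Remediation"),
]


def authorize(session: Session, policy: List[Rule] = AUTHZ_POLICY) -> Tuple[str, str]:
    """Return (rule name, permission) of the first rule whose identity group and conditions match."""
    for rule in policy:
        if rule.identity_group is not None and rule.identity_group != session.identity_group:
            continue
        if rule.condition(session):
            return rule.name, rule.permission
    raise RuntimeError("no rule matched: the policy must end with a catch-all Default rule")


def walk_through() -> List[Tuple[str, str, str]]:
    """Constructed sessions showing how a client moves through the policy as its posture changes."""
    cases = [
        ("employee, NAC Agent not yet run", Session("Any", [DOMAIN_USERS], "Unknown")),
        ("employee, requirements met", Session("Any", [DOMAIN_USERS], "Compliant")),
        ("MAB device before web login", Session("Unknown", [], "Unknown")),
        ("guest after CWA, Web Agent failed", Session("Guest", [], "NonCompliant")),
        ("guest after CWA, Web Agent passed", Session("Guest", [], "Compliant")),
    ]
    return [(label, *authorize(s)) for label, s in cases]
```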
  

Configure Posture Policy

Configure an AV Posture Policy

In this example we will configure the following:
  • Posture Policy for Domain Users to have ClamWin AV installed and current
  • Posture Policy for Guest users to install ClamWin AV if no antivirus is installed

Note: clamwin-0..97.7-setup.exe was uploaded on the default site of the remediation server. For the definition file update remediation to work, one of the IPs of the ClamWin update server must be added to the dACL as well as the redirection ACL, as we did in the previous section.

Step 1     Define an AV posture condition that validates the installation of ClamWin AV on an endpoint. This check will be used in posture requirements applied to Employees.
  • Go to Policy > Policy Elements > Conditions and click the arrow icon to the right of Posture. Select AV Compound Condition from the left-hand pane and then click Add from the right-hand pane menu. Enter the following values and then click Submit at the bottom of the page:

    Attribute | Value
    Name | ClamWin_AV_Installed
    Description | Check ClamWin AV is installed
    Operating System | Windows 7 (All)
    Vendor | ClamWin
    Check Type | ( o ) Installation   (  ) Definition
    Products for Selected Vendor | [ ✓ ] ClamWin Antivirus   [ ✓ ] ClamWin FREE Antivirus

Note: If no AV products appear under the Vendor field, then posture updates have not yet been downloaded or the download has not yet completed.

Step 2     Define an AV posture condition that validates the signature version of ClamWin AV on an endpoint. This check will be used in posture requirements applied to Employees.
  • Select AV Compound Condition from the left-hand pane and then click Add from the right-hand pane menu. Enter the following values and then click Submit at the bottom of the page:

    Attribute | Value
    Name | ClamWin_AV_Current
    Description | Check ClamWin AV is current
    Operating System | Windows 7 (All)
    Vendor | ClamWin
    Check Type | (  ) Installation   ( o ) Definition
    Allow virus definition files to be | [ ✓ ] 0 days older than   ( o ) latest file date   (  ) current system date
    Products for Selected Vendor | [ ✓ ] ClamWin Antivirus   [ ✓ ] ClamWin FREE Antivirus

Step 3     Define an AV posture condition that validates the installation of any supported AV on an endpoint. This check will be used for posture requirements applied to Guest users.
  • Select AV Compound Condition from the left-hand pane and then click Add from the right-hand pane menu. Enter the following values and then click Submit:

    Attribute | Value
    Name | Any_AV_Installed
    Description | Check any AV is installed
    Operating System | Windows All
    Vendor | ANY
    Check Type | ( o ) Installation
    Products for Selected Vendor | [ ✓ ] ANY

Step 4     Define a Posture Remediation Action that installs ClamWin AV on an endpoint.
  • Go to Policy > Policy Elements > Results and click the icon to the left of Posture (or double-click Posture) in the left-hand pane to expand its contents. Next, expand the contents of Remediation Actions.
  • Select Link Remediation and then click Add from the right-hand pane menu. Enter the following values and then click Submit:

    Attribute | Value
    Name | Install_ClamWin_AV
    Description | Link distribution to ClamWin AV install package
    Remediation Type | Manual
    Retry Count | 0
    Interval | 0
    URL | http://<REM SERVER IP>/clamwin-0..97.7-setup.exe

Note: <REM SERVER IP> represents the IP address of your remediation server where the ClamWin installer is hosted; in our scenario 192.168.1.100 is configured as the HTTP remediation server.

Step 5     Define a Posture Remediation Action that updates ClamWin AV on an endpoint.
  • Select AV/AS Remediation from the left-hand pane and then click Add from the right-hand pane menu. Enter the following values and then click Submit:

    Attribute | Value
    Name | Update_ClamWin_AV_Definitions
    Description | Trigger signature updates for ClamWin AV
    AV/AS Remediation Type | AV Definition Update
    Remediation Type | Manual
    Interval | 0
    Retry Count | 0
    Operating System | ( o ) Windows   (  ) Mac
    AV Vendor Name | ClamWin

Step 6     Define Posture Requirements that will be applied to Employees and Guest users.
  • Select Requirements from the left-hand pane (under Policy > Policy Elements > Results > Posture).
  • Enter the following entries into the table using the selector at the end of a rule entry to insert or duplicate rules. Click Save when finished:

    Name | Operating System | Condition | Action | Message shown to Agent User
    Emp_AV_Installed | Windows 7 (All) | ClamWin_AV_Installed | Install_ClamWin_AV | (optional)
    Emp_AV_Current | Windows 7 (All) | ClamWin_AV_Current | Update_ClamWin_AV_Definitions | (optional)
    Guest_AV_Installed | Windows All | Any_AV_Installed | Install_ClamWin_AV | An approved Antivirus program was NOT detected on your PC. All guest users must have a current AV program installed before access is granted to the network. If you would like to install a free version of ClamAV, please click on the link below.

Note: If a preconfigured condition does not display under the list of Conditions, be sure you have selected the appropriate Operating System setting for both the condition and the requirement rule. Only conditions that are the same as, or a subset of, the OS selected for the rule will display in the Conditions selection list.

Step 7     Configure the Posture Policy to ensure ClamWin AV is installed and current on Employee computers running Windows 7, and that any supported AV is installed and current on Guest user computers.
  • Go to Policy > Posture and create new policy rules using the values provided in the table, and then click Save to apply your changes:

    Rule Name | Identity Groups | Operating Systems | Other Conditions | Requirements
    Employee_Windows_AV_Installed_and_Current | Any | Windows 7 (All) | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users | AV_Installed (Mandatory), AV_Current (Mandatory)
    Guest_Windows_AV_Installed_and_Current | Guest | Windows All | - | Guest_AV_Installed (Mandatory)

Note: To specify a Posture Requirement as Mandatory, Optional, or Audit, click the icon to the right of the requirement name and select an option from the drop-down menu.

Configure Windows Server Update Services Remediation

In this example we will configure the following:
  • All Employees running Windows 7 must have the latest Windows Critical patches installed
  • We are using an internal managed WSUS with the same IP address as the antivirus installation remediation server

Step 1     Define a Posture Remediation Action that checks for and installs the latest Windows 7 patches.
  • Go to Policy > Policy Elements > Results and click the icon to the left of Posture (or double-click Posture) in the left-hand pane to expand its contents. Next, expand the contents of Remediation Actions.
  • Select Windows Server Update Remediation and then click Add from the right-hand pane menu. Enter the following values and then click Submit:

    Attribute | Value
    Name | Install_Win_Critical_Updates
    Description | Check and install missing Critical Windows Updates
    Remediation Type | Manual
    Validate Windows Updates using | Severity Level
    Windows Updates Severity Level | Critical
    Windows Updates Installation Source | Managed Server
    Installation Wizard Interface Setting | Show UI

Note: If you want to validate Windows Updates using Cisco Rules, you must create your own posture conditions and reference them in the requirement in Step 2 below.

Step 2     Define Posture Requirements that will be applied to Employees.
  • Select Requirements from the left-hand pane (under Policy > Policy Elements > Results > Posture).
  • Enter the following entries into the table using the selector at the end of a rule entry to insert or duplicate rules. Click Save when finished:

    Name | Operating System | Condition | Action | Message shown to Agent User
    Win_Critical_Update | Windows 7 (All) | pr_WSUSRule | Install_Win_Critical_Updates | (optional)

Note: The condition pr_WSUSRule can be found under Cisco Defined Conditions > Regular Compound Condition. It is a placeholder rule we chose because Windows Updates are being validated using Severity Level rather than the condition itself.

Step 3     Configure the Posture Policy to ensure that Employee computers running Windows 7 have the latest Critical Windows 7 patches.
  • Go to Policy > Posture and create new policy rules using the values provided in the table, and then click Save to apply your changes:

    Rule Name | Identity Groups | Operating Systems | Other Conditions | Requirements
    Employee_Windows_latest_Critical_Patches_Installed | Any | Windows 7 (All) | AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users | Win_Critical_Update

    -----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Switch Configuration

 


Global Switch Configuration

This section provides an excerpt of the switch configuration.

and  should be used for reference and not to be copied

Global Radius and Dot1x Configuration

aaa authentication dot1x default group radius            aaa authorization network default group radius         aaa accounting dot1x default start-stop group radiusdot1x system-auth-control

ip radius source-interface Vlan (x)radius-server attribute 6 on-for-login-authradius-server attribute 8 include-in-access-reqradius-server attribute 25 access-request includeradius-server host <ISE IP> key <pre shared key>radius-server vsa send accountingradius-server vsa send authentication Default ACL to be applied on the port
ip access-list extended permitany
permit ip any any

Enabling Radius Change of Authorisation

aaa server radius dynamic-author
 client <ISE IP> server-key <pre shared key>

Enable URL Redirection and logging

ip device tracking
epm logging
ip http server
ip http secure-server

Redirection ACL

ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   udp any host <ISE IP> eq 8905
 deny   tcp any host <ISE IP> eq 8905
 deny   tcp any host <ISE IP> eq 8909
 deny   udp any host <ISE IP> eq 8909
 deny   tcp any host <ISE IP> eq 8443
 deny   ip any host <REM SERVER IP>
 deny   ip any host 192.230.240.8          (one of the IP addresses of the ClamWin virus definition database)
 permit ip any any

Note: The IP address of the endpoint must be reachable from the switch SVI in order for redirection to work.

Interface Switch Configuration

switchport access vlan xx
switchport voice vlan yy
switchport mode access
dot1x pae authenticator
authentication port-control auto
authentication host-mode multi-domain
authentication violation restrict
ip access-group permitany in          (mandatory for DACL before Cisco IOS Release 12.2(55)SE)
dot1x timeout tx-period 7
authentication order dot1x mab
authentication priority dot1x mab
mab
-------------------------------------------------------------------------------------------------------------------------------------------------------------

WLC Configuration

Global Configuration

  • Ensure that the RADIUS server entry on the WLC has Support for RFC 3576 (CoA) enabled, which is the default.
  • Create an access list on the WLC under Security > Access Control Lists with the following entries:

Name : ACL-POSTURE-REDIRECT

Seq | Action | Source IP/Mask  | Destination IP/Mask | Protocol | Source Port | Dest Port | Direction
1   | permit | Any             | Any                 | UDP      | DNS         | Any       | Any
2   | permit | Any             | Any                 | UDP      | Any         | DNS       | Any
3   | permit | Any             | <ISE IP>            | UDP      | Any         | 8905      | Any
4   | permit | <ISE IP>        | Any                 | UDP      | 8905        | Any       | Any
5   | permit | Any             | <ISE IP>            | TCP      | Any         | 8905      | Any
6   | permit | <ISE IP>        | Any                 | TCP      | 8905        | Any       | Any
7   | permit | Any             | <ISE IP>            | UDP      | Any         | 8909      | Any
8   | permit | <ISE IP>        | Any                 | UDP      | 8909        | Any       | Any
9   | permit | Any             | <ISE IP>            | TCP      | Any         | 8909      | Any
10  | permit | <ISE IP>        | Any                 | TCP      | 8909        | Any       | Any
11  | permit | Any             | <ISE IP>            | TCP      | Any         | 8443      | Any
12  | permit | <ISE IP>        | Any                 | TCP      | 8443        | Any       | Any
13  | permit | Any             | <REM SERVER IP>     | Any      | Any         | Any       | Any
14  | permit | <REM SERVER IP> | Any                 | Any      | Any         | Any       | Any
15  | permit | 192.230.240.8   | Any                 | Any      | Any         | Any       | Any
16  | permit | Any             | 192.230.240.8       | Any      | Any         | Any       | Any

Note: Entries 15 and 16 are used in our example for the ClamWin antivirus update, where 192.230.240.8 hosts the virus definition database file.
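The switch redirection ACL in the previous section and the WLC ACL in this table encode the same exemptions but with opposite semantics: on the IOS switch a permit entry selects the traffic that is redirected and a deny entry exempts it, whereas on the WLC a permit entry lets traffic through without redirection and anything not permitted hits the implicit deny and is redirected. The WLC ACL is also stateless, which is why every entry there has a return-direction twin. The following Python model is an added example written for this page, not code from the original document or from Cisco; it transcribes both ACLs with <ISE IP> and <REM SERVER IP> replaced by constructed RFC 5737 addresses, and lets you check what happens to a given flow on each platform.

```python
"""Added example (not part of the original document): a small model of how the
posture redirect ACL is interpreted on a Cisco IOS switch versus on a WLC.

  * Switch (ACL-POSTURE-REDIRECT on IOS): a 'permit' entry selects traffic that
    IS redirected to the ISE portal, a 'deny' entry exempts it from redirection.
  * WLC (pre-authentication / web policy ACL): a 'permit' entry lets traffic
    through WITHOUT redirection; traffic matching no entry hits the implicit
    deny and is redirected.

<ISE IP> and <REM SERVER IP> are replaced with constructed RFC 5737 addresses.
"""
from dataclasses import dataclass
from typing import List, Optional

ISE_IP = "192.0.2.10"            # constructed stand-in for <ISE IP>
REM_SERVER_IP = "192.0.2.20"     # constructed stand-in for <REM SERVER IP>
AV_UPDATE_IP = "192.230.240.8"   # ClamWin definition host named in the document
CLIENT = "198.51.100.7"          # constructed endpoint address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: str                     # "any" or a host address
    dst: str
    proto: str                   # "tcp", "udp" or "ip" (ip matches both)
    sport: Optional[int] = None  # None means "any port"
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        return (self.src in ("any", f.src) and self.dst in ("any", f.dst)
                and self.sport in (None, f.sport) and self.dport in (None, f.dport))


# Switch redirect ACL, transcribed from the IOS excerpt in this document.
SWITCH_REDIRECT_ACL: List[Ace] = [
    Ace("deny", "any", "any", "udp", sport=68, dport=67),   # bootpc -> bootps (DHCP)
    Ace("deny", "any", "any", "udp", dport=53),             # DNS
    Ace("deny", "any", ISE_IP, "udp", dport=8905),
    Ace("deny", "any", ISE_IP, "tcp", dport=8905),
    Ace("deny", "any", ISE_IP, "tcp", dport=8909),
    Ace("deny", "any", ISE_IP, "udp", dport=8909),
    Ace("deny", "any", ISE_IP, "tcp", dport=8443),          # ISE portals
    Ace("deny", "any", REM_SERVER_IP, "ip"),                # remediation server
    Ace("deny", "any", AV_UPDATE_IP, "ip"),                 # AV definition host
    Ace("permit", "any", "any", "ip"),                      # everything else: redirect
]

# WLC ACL-POSTURE-REDIRECT, transcribed from the table in this document.
WLC_PREAUTH_ACL: List[Ace] = [
    Ace("permit", "any", "any", "udp", sport=53),
    Ace("permit", "any", "any", "udp", dport=53),
    Ace("permit", "any", ISE_IP, "udp", dport=8905),
    Ace("permit", ISE_IP, "any", "udp", sport=8905),
    Ace("permit", "any", ISE_IP, "tcp", dport=8905),
    Ace("permit", ISE_IP, "any", "tcp", sport=8905),
    Ace("permit", "any", ISE_IP, "udp", dport=8909),
    Ace("permit", ISE_IP, "any", "udp", sport=8909),
    Ace("permit", "any", ISE_IP, "tcp", dport=8909),
    Ace("permit", ISE_IP, "any", "tcp", sport=8909),
    Ace("permit", "any", ISE_IP, "tcp", dport=8443),
    Ace("permit", ISE_IP, "any", "tcp", sport=8443),
    Ace("permit", "any", REM_SERVER_IP, "ip"),
    Ace("permit", REM_SERVER_IP, "any", "ip"),
    Ace("permit", AV_UPDATE_IP, "any", "ip"),
    Ace("permit", "any", AV_UPDATE_IP, "ip"),
]


def first_match(acl: List[Ace], flow: Flow) -> Optional[Ace]:
    """ACLs are evaluated top-down; the first matching entry decides."""
    for ace in acl:
        if ace.matches(flow):
            return ace
    return None


def switch_redirects(flow: Flow) -> bool:
    """IOS: the flow is redirected only when the first matching entry is a
    permit. No match (implicit deny) means the flow is left alone."""
    ace = first_match(SWITCH_REDIRECT_ACL, flow)
    return ace is not None and ace.action == "permit"


def wlc_redirects(flow: Flow) -> bool:
    """WLC: a permit entry bypasses redirection; anything else is redirected."""
    ace = first_match(WLC_PREAUTH_ACL, flow)
    return ace is None or ace.action == "deny"


def check_consistency(flows: List[Flow]) -> List[Flow]:
    """Return client-originated flows on which the two platforms disagree,
    a quick way to spot an exemption that was added on one device only."""
    return [f for f in flows if switch_redirects(f) != wlc_redirects(f)]


if __name__ == "__main__":
    samples = [
        Flow(CLIENT, "203.0.113.5", "tcp", 51000, 80),   # ordinary web browsing
        Flow(CLIENT, "203.0.113.53", "udp", 51001, 53),  # DNS lookup
        Flow(CLIENT, ISE_IP, "tcp", 51002, 8443),        # ISE portal
        Flow(CLIENT, REM_SERVER_IP, "tcp", 51003, 80),   # remediation download
    ]
    for f in samples:
        print(f"{f.dst}:{f.dport} switch={switch_redirects(f)} wlc={wlc_redirects(f)}")
    print("disagreements:", check_consistency(samples))
```

Feed check_consistency the client-originated flows your remediation actually needs (portal, remediation server, definition updates, DNS) before deploying a change to either ACL; a non-empty result means one platform will redirect traffic the other lets through, which shows up in practice as an agent that remediates fine on wired and hangs on wireless or vice versa. The switch ACL is only applied to client-originated ingress traffic, so the return-direction entries are evaluated for the WLC only.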

Note: For FlexConnect with local switching, you have to create a FlexConnect ACL and apply it as the WebPolicy ACL, as below:

      1)  Create the FlexConnect ACL with the same name and the same entries as the ACL above.

      2)  Click on External WebAuthentication ACLs.

      3)  Add the Web Policy ACL and click Apply.

Employee SSID Configuration

Create a new Employee SSID, or modify the existing one if it is already defined.

Guest SSID Configuration

Create a new WLAN with the Guest SSID, or modify the existing one if it is already defined.

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Final Results

Employee dot1x Posture (NAC Agent)

  • Configure your wireless SSID (Employee) or wired network for PEAP-MSCHAPv2 and connect with an AD user that is a member of the Domain Users group.
  • Open a browser and try to navigate to a site.
  • You will be redirected to the following page:

Click Install Agent and then Next.

Click Next.

Accept the End User License Agreement.

Choose Complete.

Click Install.

Select Finish.

The NAC Agent pops up after installation. Select Show details: we can see that ClamWin is not installed and is not updated, and we can also notice that some Windows Critical Updates are not installed.

Click Go To Link to install the antivirus.

Click Run and install the ClamWin antivirus.

After installing the antivirus, the NAC Agent prompts for an update. Click Update to get the latest virus definition file. After that you get the same screen to update Windows; click Update another time.

The NAC Agent contacts your WSUS server to check for and install the latest Critical Updates.

When the installation is complete you are prompted to restart your computer.

After the restart you have full network access, since your system is now compliant.

Guest CWA Posture (NAC Web Agent)

  • Connect to your Guest SSID, or to your wired network without dot1x configured.
  • Open a browser and try to navigate to a site.
  • You will be redirected to the following page:

Click on Self Registration and proceed with authentication.

Accept the use policy.

Click on Install Agent.

Click on "click here to remediate".

Click on Run and proceed with the antivirus installation.

Now you have full network access.

Check the ISE authentication logs to verify that the dynamic authorization (CoA) succeeded and that you are matching the authorization profile related to the Compliant status.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Frequently Asked Questions

Deployment Options Other than Client Provisioning

Refer to the ISE User Guide under the topic "Provisioning Client Machines with the Cisco NAC Agent MSI Installer".

Discovery Host for the NAC agent

In order for the NAC Agent to reach the right ISE PDP (Policy Service Node):

1) If no discovery host is defined, the NAC Agent sends an HTTP request on port 80 to the default gateway. This traffic must be redirected to the posture discovery link (cpp) in order for discovery to work properly.

2) If a discovery host is defined, the NAC Agent sends an HTTP request on port 80 to that host. This traffic must also be redirected to the posture discovery link (cpp) in order for discovery to work properly. If there is a problem with redirection, the NAC Agent tries to contact the defined discovery host directly on port 8905, which does not guarantee posture validation because the session information may not be available on that PDP unless node groups are defined and the PDPs are within the same group.

Employees Browsers are configured with Proxy

1) If you are not using Client Provisioning and the employee PCs are configured with a proxy, there is no need to change anything, since the posture discovery packets are sent on port 80 and bypass the proxy settings.

2) If you are using the Client Provisioning service, you need to change the switch and WLC configuration as below in order to intercept HTTP traffic on the proxy's defined port.

  • Proxy configuration on port 8080 on the switch:

ip http port 8080
ip port-map http port 8080

  • Proxy configuration on the WLC:

       By default the WLC intercepts HTTP requests with destination TCP port 80 only. The following command must be configured through the CLI if you also want to intercept HTTP traffic on another port, for example 8080:

config network web-auth-port 8080

Note: Switches allow redirection on only one port. Therefore, if you specify another port for switch redirection, posture discovery will fail and posture traffic will be sent to the discovery host defined in NACAgentCFG.xml (NAC Agent profile).

DACL VS Redirection ACL

1)  A Redirection ACL is mandatory for Client Provisioning, Central Web Authentication and Posture Discovery.
2)  A DACL is used to limit network access and is applied only to non-redirected traffic.

You have multiple options:

1)  Define only a Redirection ACL and redirect all the traffic that you want to be dropped (as we did in our example).
2)  Define a less restrictive Redirection ACL and apply a DACL which filters the traffic that is not redirected.
3)  Define a Redirection ACL and apply a VLAN which restricts network access (best approach, since VLAN traffic can be filtered by an application-aware firewall).

Nac Agent is not popping up

1)  Check ISE Live Authentications and verify that the authentication is matching your posture authorization profile.
2)  From the client PC, open cmd, type nslookup and verify that you can resolve the ISE PDP hostname.
3)  From your client browser, go to https://<ise-hostname>:8905/auth/discovery and make sure you receive the ISE FQDN as the response.

If all the steps are working and your switch or WLC configuration is in compliance with this document:

  • Start a capture on the PC using Wireshark
  • Restart the NAC Agent service
  • Collect the Cisco Log Packager output
  • Locate NACAgentCFG.xml in the NAC Agent directory

Contact Cisco TAC providing the packet capture, the NAC Agent logs, the NACAgentCFG.xml configuration file and the Windows Event Viewer logs.

Unable to access  WSUS for Remediation

If you are using WSUS 3.0 SP2 and the NAC Agent is unable to access Windows updates from WSUS:

Verify that you have the latest WSUS patch installed (this patch is mandatory for Windows clients to retrieve updates from WSUS):

http://support.microsoft.com/kb/2720211

Verify that you are able to access the following file:

http://<ip wsus>/selfupdate/iuident.cab

Refer to the link below for further WSUS troubleshooting:

http://technet.microsoft.com/en-us/library/dd939822%28v=ws.10%29.aspx

Don't have an Internal Managed WSUS

You can still use the public Windows Update servers when configuring your posture remediation rule.

Clients must be allowed to reach these sites, and the following URLs should not be redirected:

http://windowsupdate.microsoft.com

http://*.windowsupdate.microsoft.com

https://*.windowsupdate.microsoft.com

http://*.update.microsoft.com

https://*.update.microsoft.com

http://*.windowsupdate.com

http://download.windowsupdate.com

http://download.microsoft.com

http://*.download.windowsupdate.com

http://wustat.windows.com

http://ntservicepack.microsoft.com

http://stats.microsoft.com

https://stats.microsoft.com
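The list above is written as URL patterns with a scheme and a wildcard host, and a few of the hosts are exempted over http only, so a check against it has to look at both the scheme and the whole host name rather than doing a substring match. The following Python checker is an added example written for this page, not code from the original document or from Cisco: it classifies a URL against the list exactly as given, and scans a constructed, invented-format log of redirect decisions to flag Windows Update traffic that was redirected anyway, which is the symptom you would see when the redirect ACL lacks the exemptions.

```python
"""Added example (not part of the original document): a checker for the
Windows Update bypass list above.  Given a URL seen in a proxy or redirect log,
it tells whether that URL is on the list (so it must not be redirected), and it
scans a constructed log to flag update traffic that was redirected anyway.
The log format is invented for this example."""
from fnmatch import fnmatchcase
from typing import List, Tuple
from urllib.parse import urlsplit

# The URL patterns exactly as listed in this document.
WINDOWS_UPDATE_BYPASS = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://wustat.windows.com",
    "http://ntservicepack.microsoft.com",
    "http://stats.microsoft.com",
    "https://stats.microsoft.com",
]


def _split_pattern(pattern: str) -> Tuple[str, str]:
    """'https://*.update.microsoft.com' -> ('https', '*.update.microsoft.com')."""
    scheme, host = pattern.split("://", 1)
    return scheme.lower(), host.lower()


def url_is_exempt(url: str) -> bool:
    """True when the URL's scheme and host match one of the bypass patterns.
    The wildcard is matched against the whole host name, so a look-alike such
    as windowsupdate.microsoft.com.example.net never matches; the scheme must
    match too, since the list exempts several hosts over http only."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return False
    for pattern in WINDOWS_UPDATE_BYPASS:
        p_scheme, p_host = _split_pattern(pattern)
        if parts.scheme.lower() == p_scheme and fnmatchcase(host, p_host):
            return True
    return False


def find_wrongly_redirected(log_lines: List[str]) -> List[str]:
    """Each line: '<timestamp> <client ip> <url> <redirected|allowed>'.
    Returns the URLs of update traffic that was redirected, which is what
    breaks remediation when no internal WSUS is available."""
    bad = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue                      # skip malformed lines
        _, _, url, outcome = fields
        if outcome == "redirected" and url_is_exempt(url):
            bad.append(url)
    return bad


# Constructed sample log for the demonstration (format invented here).
SAMPLE_LOG = [
    "2013-05-02T10:00:01 198.51.100.7 http://download.windowsupdate.com/msdownload/update/a.cab redirected",
    "2013-05-02T10:00:02 198.51.100.7 http://www.example.com/ redirected",
    "2013-05-02T10:00:03 198.51.100.7 https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx allowed",
    "2013-05-02T10:00:04 198.51.100.7 https://download.windowsupdate.com/x.cab redirected",
]

if __name__ == "__main__":
    print(find_wrongly_redirected(SAMPLE_LOG))
```

The checker follows the list literally: the fourth sample line, an https download from download.windowsupdate.com, is not flagged because that host is only listed over http, so if your clients fetch updates over https you need to add that pattern to both the list and the redirect ACL exemptions.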

When failing the posture check on the NAC agent, no failed authentication is seen in ISE live logs

You might be tempted to create an authorization policy rule that triggers on the condition of a non-compliant client in order to restrict its access. However, no authentication attempt will be seen failing until the remediation timer expires, most particularly when using the web agent. In fact, the agent notices it is not meeting the requirements and starts the remediation timer.

Only at the end of it, or if the user clicks Cancel, will ISE be notified that the posture was a failure. Therefore it is good practice to give all clients a default access that allows remediation but blocks any other form of access.
