In this step-by-step guide we demonstrate the Cisco ISE configuration for Client Provisioning, without Posture validation. For this scenario we use a Cisco WLC controller that is already integrated with FMC.
Cisco Identity Services Engine (ISE) looks at various elements when classifying the type of login session through which users access the internal network, including:
- Client machine operating system and version
- Client machine browser type and version
- Group to which the user belongs
- Condition evaluation results (based on applied dictionary attributes)
After Cisco ISE classifies a client machine, it uses client provisioning resource policies to ensure that the client machine is set up with an appropriate agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles, if necessary.
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_client_prov.html
For the most part, ISE requires the AnyConnect client for posture assessment.
1 Topology
We will use the topology below in the lab.
1.1 Setup Client Provisioning Policy
First, make sure Client Provisioning is enabled, using the option shown below.
2 Prerequisites
Below are the resources available by default on ISE. We need to add a few resources to ISE, either directly from Cisco's website or from a local drive, as shown below.
- Ensure you have uploaded the "AnyConnect compliance module for Windows" into the client provisioning resources. It can be downloaded manually from Cisco's website:
https://software.cisco.com/download/home/286281283/type/282364313/release/ISEComplianceModule
- Create a Native Supplicant Profile
- Create an AnyConnect Posture Profile
This configuration file dictates the compliance settings used when the compliance module starts on the end user's machine: how long the user has to remediate a non-compliant machine, whether additional compliance debug logs are enabled, and which PSN the compliance module should contact. The "Server name rules" field can be used to specify the domain on which the compliance server should exist, if the end machine will be connecting to multiple domains with overlapping IP addresses.
Conditions | Description
--- | ---
Native Supplicant Profile | Instructs the built-in supplicant (Windows/macOS) what to do.
NAM Profile | Instructs the AnyConnect client which networks the client is allowed on, and the associated settings (security, etc.).
AnyConnect Configuration | Tells AnyConnect which modules and profiles it should use, and whether it should update itself.
Default Posture Status | Compliant: all compliant users are allowed to access the network. Non-Compliant: non-compliant users never touch your network.
Timers |
Remediation Timer | If a user's PC has to do something to become compliant, the device is given X minutes to complete the update before the checks run again.
Network Transition Delay | How long to wait between states.
Continuous Monitoring Interval | How often AnyConnect should send updates to ISE.
Cache Last Known Posture Compliant Status | Grace period between a device being compliant and becoming non-compliant, before the posture policy is enforced.
Posture Lease | How often to run a posture check.
Note: Set Server name rules to *, unless you want users to connect to a specific PSN.
Select the AnyConnect client we plan to push to the users and configure its settings.
3 Steps to configure Client provisioning
3.1 Step 1: Create Redirect ACL on WLC for AP
We need to create a redirect ACL (in this example called REDIRECT-ACL) on the network device to redirect traffic to the client provisioning portal. Keep in mind that the redirect ACL must be created on the NAD (Network Access Device) for redirection to work. A basic redirect ACL should not intercept traffic to and from the ISE PSN nodes, DNS and DHCP, and should redirect HTTP and HTTPS traffic.
- Below is the sample ACL used for CWA redirection on a switch, where we deny the traffic which should not be redirected.
- On a WLC, however, we permit all traffic which should be forwarded without redirection.
Refer to the screenshot below, where we created the access control list on a switch:
But in our case we are using a WLC, so we need to create the ACL below:
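The inverted meaning of permit and deny between the switch and the WLC is easy to get wrong, so here is an added example (not from the original guide) that models both ACL styles and checks that DNS, DHCP, PSN and web traffic get the same treatment on each. The PSN address and the entry list are constructed placeholders; only HTTP/HTTPS outcomes are meaningful, since non-permitted non-web traffic is simply not forwarded by the WLC.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any protocol, otherwise "tcp"/"udp"
    dst: str         # destination network in CIDR form, or "any"
    dport: int = 0   # 0 = any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dport: int

PSN = "10.0.0.10/32"  # placeholder ISE PSN address (constructed, not from the guide)

# Switch (IOS) style: "deny" exempts traffic from redirection, "permit" redirects it.
SWITCH_ACL = [
    Entry("deny", "udp", "any", 53),     # DNS
    Entry("deny", "udp", "any", 67),     # DHCP
    Entry("deny", "udp", "any", 68),
    Entry("deny", "ip", PSN),            # ISE PSN
    Entry("permit", "tcp", "any", 80),   # HTTP  -> redirect to portal
    Entry("permit", "tcp", "any", 443),  # HTTPS -> redirect to portal
]

# WLC (AireOS) style: "permit" forwards traffic untouched; web traffic not
# permitted here is redirected to the portal.
WLC_ACL = [
    Entry("permit", "udp", "any", 53),
    Entry("permit", "udp", "any", 67),
    Entry("permit", "udp", "any", 68),
    Entry("permit", "ip", PSN),
]

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dst != "any" and ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(e.dst):
        return False
    return e.dport in (0, p.dport)

def first_match(acl, p: Packet):
    """Action of the first matching entry, or None for the implicit deny at the end."""
    return next((e.action for e in acl if matches(e, p)), None)

def redirected_on_switch(p: Packet) -> bool:
    return first_match(SWITCH_ACL, p) == "permit"

def redirected_on_wlc(p: Packet) -> bool:
    return first_match(WLC_ACL, p) != "permit"

def same_outcome(p: Packet) -> bool:
    """Sanity check: both ACL styles must treat the packet identically."""
    return redirected_on_switch(p) == redirected_on_wlc(p)
```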
3.2 Step 2: Configure the Client provisioning conditions
3.2.1 Create Client Provisioning Portal
Once the user connects to the portal, they will be directed to the client provisioning policy we created in the previous section.
4.1 Step 3: Access Policy
4.1.1 Authorization Profiles
Create access policies based on the three possible states of posture compliance:
- Non-Compliant: the device failed the compliance check.
- Compliant: the device passed the compliance check.
- Unknown: the device has not run the compliance check yet; this is the rule that will point to the client provisioning portal.
We will map the access list we created in Step 1.
4.1.2 Authorization Rules
Do not modify the existing access policy; instead we will modify the authorization policy, adding the following rules:
- User Unknown, Employee_Non Compliant and Employee_Compliant
Thus we created the authorization policies shown below. The first time an employee comes in, he will hit the "User Unknown" policy, as ISE does not yet know his posture status, and he will be forwarded to the portal.
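To make the first-match behaviour of these three rules concrete, here is an added example (not ISE code and not from the original guide) that walks an employee from the "User Unknown" rule to the compliant or non-compliant rule once the agent has reported. The authorization profile names, the identity group "Employees" and the CoA-driven reauthorization after posture are assumptions; the `shadowed_rules` check flags the misordering where a rule without a posture condition sits above the posture rules and silently bypasses them.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Session:
    user: str
    groups: set
    posture: str = "Unknown"  # ISE posture status: Unknown, Compliant or NonCompliant

@dataclass(frozen=True)
class Rule:
    name: str
    group: str              # identity group the session must belong to
    posture: Optional[str]  # required posture status; None = no posture condition
    profile: str            # authorization profile applied on match (names assumed)

# Order matters: ISE evaluates the authorization policy top-down, first match wins.
RULES = [
    Rule("Employee_Compliant", "Employees", "Compliant", "PermitAccess"),
    Rule("Employee_Non Compliant", "Employees", "NonCompliant", "Quarantine"),
    # Unknown = posture not yet run: limited access with REDIRECT-ACL and CP portal
    Rule("User Unknown", "Employees", "Unknown", "CP_Portal_Redirect"),
]

def authorize(s: Session, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (rule name, authorization profile) of the first matching rule."""
    for r in rules:
        if r.group in s.groups and (r.posture is None or r.posture == s.posture):
            return r.name, r.profile
    return "Default", "DenyAccess"

def posture_flow(s: Session, agent_result: str) -> List[str]:
    """Rules hit by one employee: first login (posture Unknown), then again after
    the AnyConnect agent reports and ISE reauthorizes the session (assumed CoA)."""
    hits = [authorize(s)[0]]
    s.posture = agent_result
    hits.append(authorize(s)[0])
    return hits

def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Posture-specific rules that can never match because an earlier rule for
    the same group has no posture condition (a common misordering)."""
    catch_all_groups = set()
    shadowed = []
    for r in rules:
        if r.posture is None:
            catch_all_groups.add(r.group)
        elif r.group in catch_all_groups:
            shadowed.append(r.name)
    return shadowed
```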
5 User Testing
6 Logs