dhr.tech1

This step-by-step guide demonstrates Cisco ISE configuration for Client Provisioning, without Posture validation. For this scenario, we are using a Cisco WLC controller already integrated with FMC.

 

Cisco Identity Services Engine (ISE) looks at various elements when classifying the type of login session through which users access the internal network, including:

  • Client machine operating system and version
  • Client machine browser type and version
  • Group to which the user belongs
  • Condition evaluation results (based on applied dictionary attributes)

After Cisco ISE classifies a client machine, it uses client provisioning resource policies to ensure that the client machine is set up with an appropriate agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles, if necessary.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_client_prov.html

For the most part, ISE requires the AnyConnect client for posture assessment.

1 Topology

 

We will use the topology below in the lab.

 

1.jpg

1.1 Setup Client Provisioning Policy

 

First, we need to ensure that Client Provisioning is enabled, using the option shown below.

 

 2.JPG

2 Pre-requisite

The resources available by default on ISE are shown below. We need to add a few resources to ISE, either directly from Cisco’s website or from a local drive.

 

 3.JPG

 

  • Ensure you have uploaded “Anyconnect compliance module windows” into the client provisioning resources.

Download it manually from Cisco’s website:

https://software.cisco.com/download/home/286281283/type/282364313/release/ISEComplianceModule

 

4.JPG

 

  • Create Native Supplicant Profile

5.JPG

6.JPG

 

  • Anyconnect Posture Profile

This configuration file dictates the compliance settings used when the compliance module starts on the end user’s machine. It sets the length of time the user has to remediate a non-compliant machine, enables additional debug logs for compliance, and specifies the PSN that the compliance module should reach out to. The “server name rules” field can be used to specify the domain on which the compliance server should exist, if the end machine will be connecting to multiple domains with overlapping IP addresses.

 

| Conditions | Description |
|---|---|
| Native Supplicant Profile | Instructs the built-in supplicant (Windows/MacBook) what to do. |
| NAM Profile | Instructs the AnyConnect client which network the client is allowed to connect to, and the associated settings (security, etc.). |
| AnyConnect Configuration | Tells AnyConnect which modules and profiles it should use, as well as that it should update itself. |
| Default Posture Status | Compliant: All compliant users will be allowed to access the network. Non-Compliant: Non-compliant users will never touch your network. |
| Timers | |
| Remediation Timer | If a user’s PC has to do something to become compliant, the device is given X minutes to complete the update before the checks are run again. |
| Network Transition Delay | How long to wait in between the states. |
| Continuous Monitoring Interval | How often AnyConnect should send updates to the ISE. |
| Cache Last known posture compliant status | Grace period between when a device is compliant and then becomes non-compliant, before the posture policy is enforced. |
| Posture Lease | How often to run a posture check. |

 

 7.JPG

Note: Set Server name rules to *, unless you want users to connect to a specific PSN unit.

 8.JPG

 

 

  • Anyconnect configuration

 

Select the AnyConnect client we plan to push to the users and configure the settings.

 

 9.JPG

 

 

3 Steps to configure Client provisioning

3.1 Step 1: Create Redirect ACL on WLC for AP

 

We need to create a redirect ACL (called REDIRECT-ACL in this example) on the network device to redirect traffic to the client provisioning portal. Keep in mind that the redirect ACL must be created on the NAD (Network Access Device) for redirection to work properly. A basic redirect ACL should not intercept traffic to and from the ISE PSN nodes, DNS and DHCP, and should redirect HTTP and HTTPS traffic.

  • Below is the sample ACL used for CWA redirection on a switch, where we deny the traffic that should not be redirected.
  • On the WLC, however, we permit all traffic that should be forwarded without redirection.

Refer to the screenshot below, where we created the access control list on a switch:

10.JPG

But in our case we are using a WLC, so we need to create the ACL below.

 

11.JPG
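The switch-side rule from Step 1 (deny what must not be redirected, permit HTTP/HTTPS) can be checked mechanically. The following is an added example, not the ACL from the article's screenshots or Cisco's own tooling: it evaluates a constructed IOS-style ACL with first-match semantics and reports which of the requirements above it violates. The addresses, the sample ACLs, the function names and the reduced ACL grammar (source `any`, numeric ports) are assumptions; the WLC's inverted permit sense is not modelled.

```python
# Added example. In a switch redirect ACL: deny = do not redirect, permit = redirect.
PSN_IP = "192.0.2.10"     # constructed placeholder for the ISE PSN address
WEB_IP = "198.51.100.20"  # constructed placeholder for an arbitrary web server
# Constructed sample ACL (not the ACL from the article's screenshot).
GOOD_ACL = f"""ip access-list extended REDIRECT-ACL
 deny udp any any eq 53
 deny udp any any eq 67
 deny ip any host {PSN_IP}
 permit tcp any any eq 80
 permit tcp any any eq 443"""

# Same entries with the PSN exclusion moved below the permits: it never matches.
_l = GOOD_ACL.splitlines()
BAD_ACL = "\n".join(_l[:3] + _l[4:] + [_l[3]])

def parse_acl(text):
    """Parse 'action proto any (any | host IP) [eq PORT]' entries."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # header or blank line
        if tok[2] != "any":
            raise ValueError(f"unsupported source in: {line.strip()}")
        dst, rest = (tok[4], tok[5:]) if tok[3] == "host" else ("any", tok[4:])
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((tok[0], tok[1], dst, port))
    return rules

def is_redirected(rules, proto, dst_ip, dst_port):
    """First matching entry wins; the implicit deny means 'not redirected'."""
    for action, r_proto, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and r_dst in ("any", dst_ip)
                and r_port in (None, dst_port)):
            return action == "permit"
    return False

def lint_redirect_acl(text, psn_ip=PSN_IP):
    """Return the requirements from the article that the ACL violates."""
    rules = parse_acl(text)
    probes = [  # (requirement, proto, destination, port, should be redirected)
        ("DNS bypasses redirect", "udp", WEB_IP, 53, False),
        ("DHCP bypasses redirect", "udp", "255.255.255.255", 67, False),
        ("PSN bypasses redirect", "tcp", psn_ip, 443, False),
        ("HTTP is redirected", "tcp", WEB_IP, 80, True),
        ("HTTPS is redirected", "tcp", WEB_IP, 443, True),
    ]
    return [name for name, proto, ip, port, want in probes
            if is_redirected(rules, proto, ip, port) != want]
```

`lint_redirect_acl(BAD_ACL)` flags the PSN requirement because the `permit tcp any any eq 443` entry matches before the PSN exclusion is reached, which would redirect the client's own connection to the portal.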

 

3.2 Step 2: Configure the Client provisioning conditions

 12.JPG

 

3.1.1 Create Client Provisioning Portal

 

Once the user connects to the portal, they will be directed to the client provisioning policy we created in the previous section.

 13.JPG

4.1 Step 3: Access Policy

 

4.1.1 Authorization Profiles

 

Create access policy based on the three possible states of posture compliance:

  • Not Compliant: The device failed the compliance check.
  • Compliant: The device passed the compliance check.
  • Unknown: The device did not run the compliance check yet; this is the rule that will point to the client provisioning portal.

 

  • User_Unknown

We will map the access list we created in step 1.

 14.JPG

 15.JPG

 

4.1.2 Authorization Rules

 

Do not modify the existing Access Policy; we will modify the authorization policy instead.

  • User Unknown, Employee_Non Compliant & Employee_Compliant

 16.JPG

 

 

 

We therefore created the authorization policies shown below. The first time an employee comes in, he will hit the User Unknown policy, as ISE doesn’t know his posture validation status, and thus he will be forwarded to the portal.

 17.JPG

 

 

5 User Testing

 18.JPG

 

19.JPG

 

 20.JPG

 

 21.JPG

 

 

 22.JPG

 

 

6 Logs

 23.JPG
