10-15-2020 05:08 AM - edited 10-15-2020 10:02 AM
Cisco Identity Services Engine (ISE) gives you intelligent, integrated protection through an intent-based policy and compliance solution. Until now, Cisco ISE has supported posture assessment of endpoints through the different AnyConnect deployment methods. With growing market demand for agentless posture, Cisco ISE 3.0 onwards supports Agentless posture functionality: no user intervention is required to download and install the AnyConnect agent on the system. While agent-based and Agentless posture offer different flexibility and control, this document describes the configuration required for Agentless posture from scratch, the configuration required on Windows 10 endpoints, and a round trip that validates the Agentless posture functionality.
Cisco Identity Services Engine 3.0
Windows 10 Client
Access Switch
Wireless Lan Controller
Cisco Identity Services Engine Release 3.0 supports Windows 10 and macOS endpoints.
Cisco Identity Services Engine assesses posture agentlessly by connecting to the connected endpoints. Below are the requirements for successful Agentless posture on Windows and macOS endpoints.
As per the criteria above, PowerShell Remoting has to be enabled, and we have to ensure that the local firewall allows incoming connections to the PowerShell Remoting port over TCP. We will see how to achieve this.
Enabling PowerShell Remoting Locally on endpoint:
NOTE: By default, 5985 is the TCP port Microsoft uses for PowerShell Remoting. You can change it to a new port on both Cisco ISE and the Windows endpoints. Refer to the Microsoft documentation on configuring a different port for PowerShell Remoting. In Cisco ISE, you can modify the default port number from the Administration > System > Settings > Endpoint Scripts > Settings menu.
NOTE: You can also achieve this from a GPO. Refer to the Microsoft documentation on allowing PowerShell Remoting and setting the firewall to allow incoming connections from a GPO.
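The local configuration described above, as an added example that is not from the original article: it enables PowerShell Remoting on a Windows 10 endpoint, opens the remoting port in the local firewall only for the ISE PSN, and verifies the result. It assumes the default port 5985 and a placeholder PSN address of 192.168.100.10; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article). Assumptions: default WinRM
# HTTP port 5985 and a placeholder ISE PSN address; replace $IsePsn with the
# IP or subnet of your PSN(s). Run from an elevated PowerShell session.
$WinRmPort = 5985
$IsePsn    = '192.168.100.10'   # placeholder, not a value from the article

# 1. Start the WinRM service, create the HTTP listener and the built-in
#    "Windows Remote Management (HTTP-In)" firewall rules.
#    -SkipNetworkProfileCheck lets this succeed when the active profile is Public.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 2. The built-in rule on the Public profile is limited to the local subnet,
#    and on other profiles accepts any source. Add a dedicated inbound rule that
#    admits only the ISE PSN on the remoting port, which is all posture needs.
$RuleName = 'Cisco ISE Agentless Posture (WinRM-In)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $WinRmPort -RemoteAddress $IsePsn -Action Allow -Profile Any
}

# 3. Verify: a listener exists on the expected transport/port, the service is
#    running, and the endpoint answers a WS-Man identify request locally.
Get-ChildItem WSMan:\localhost\Listener | Get-ChildItem |
    Where-Object { $_.Name -in 'Transport', 'Port' }
Get-Service WinRM | Select-Object Status, StartType
Test-WSMan -ComputerName localhost -ErrorAction Stop
```

The account configured in ISE for Agentless posture must also be a local administrator on the endpoint; this script only takes care of the transport and firewall side.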
The GPO configuration below allows you to configure PowerShell Remoting and the firewall exceptions on managed Windows endpoints. GPO is a powerful tool for managing the Windows endpoints in an organization. Organizational Units (OUs) give you the flexibility to limit the scope of GPO policies rather than applying them to the entire organization.
The GPO configuration above enables PowerShell Remoting on your managed Windows endpoints and allows incoming PowerShell Remoting connections from ISE.
Note: You can also set up 802.1X and wired/wireless network profiles on your managed Windows endpoints from a GPO. Refer to the Microsoft documentation.
For demo purposes, a standalone Cisco ISE with the default configuration is used here. To achieve Agentless posture without installing an agent on the endpoint, Cisco ISE needs to communicate with the endpoints as described in the Prerequisites section above.
NOTE: In the snapshot above, the restricted-access authorization profile is applied, so endpoints have restricted privileges.
NOTE: The endpoint gets compliant access because no posture policies are configured in the demonstration above. You can configure posture policies as per your organizational needs.
For a successful Agentless posture flow, the prerequisites mentioned above should be met. The Agentless posture flow might fail for reasons such as wrong endpoint login credentials or insufficient privileges configured on Cisco ISE, the PowerShell Remoting port not being reachable, or the client IP not being reachable. So that the endpoint does not remain stuck in the Agentless posture initial state when that happens, Cisco ISE gives you the flexibility to configure different policies for a broken Agentless posture flow using the condition Session:AgentlessFlowStatus. The section below describes moving the endpoint to a different flow, such as redirecting it to the client provisioning page, where the client can download the temporal agent for posture assessment instead of remaining stuck in the Agentless posture flow.
Below are the ways that are available for you to troubleshoot Agentless posture failures in your deployment.
Agentless Posture Troubleshooting Tool:
If a connected endpoint fails the Agentless posture flow, Cisco Identity Services Engine provides an in-house tool for troubleshooting. There are two ways to reach it.
Method 1: From Live Logs, find the live log entry of the endpoint for which Agentless posture is failing (filter on the MAC address, user ID or other fields). In the Posture Status column of that entry, clicking the icon adjacent to the Posture Status value takes you directly to Operations > Troubleshoot > Diagnostic Tools > Agentless Posture Troubleshooting, populated with the endpoint MAC address.
Method 2: Manually navigate to Operations > Troubleshoot > Diagnostic Tools > Agentless Posture Troubleshooting and provide the MAC address of the endpoint for which the Agentless posture flow is failing.
NOTE: The MAC address provided here must belong to an endpoint that is currently connected in order to troubleshoot the Agentless posture failure.
With either method above, you have two options to gather Agentless posture logs from the system.
Run Agentless Posture Flow – With this option and the MAC address of the failing endpoint, Cisco Identity Services Engine re-runs the Agentless posture flow against the endpoint and lets you download all interaction between Cisco Identity Services Engine and the client as a zip file.
Only Download Client Logs – With this option and the MAC address of the failing endpoint, Cisco Identity Services Engine lets you download all previous interactions between Cisco Identity Services Engine and the client as a zip file.
Click Export to download the logs as a zip file to your local computer for troubleshooting.
Troubleshooting from downloaded logs or debugging logs from CLI
Case 1: The endpoint's firewall isn't allowing incoming connections to the PowerShell Remoting port, or the port isn't allowed in the ACLs/DACLs
When Cisco ISE cannot connect to the endpoint's PowerShell Remoting port, the log snippets below show why it is failing. You can rectify this by allowing the PowerShell Remoting port so that Agentless posture succeeds.
Look at the logs (ise-psc.log) downloaded from the Agentless Posture Troubleshooting page, or, to debug the issue in a live environment, run the command show logging application ise-psc.log from the Cisco ISE PSN CLI to identify the root cause.
---------------------------
2020-08-22 21:30:38,071 INFO [pool-235-thread-96][] cpm.es.service.posture.ESGenericConsumer -::::- Received endpont: 192.168.105.100 from queue: POSTURE-INPUT
----------------------------------------------
2020-08-22 21:33:40,242 INFO [pool-235-thread-97][] cisco.cpm.posture.runtime.AgentlessPostureErrorHandler -::::- Handle error for sessionId=0A7E6B64000015D43F03632E, AgentlessFlowStatus=Failure
----------------------------------------------
2020-08-22 21:33:40,242 INFO [pool-235-thread-97][] cisco.cpm.posture.runtime.AgentlessPostureErrorHandler -::::- Calling triggerPostureCoA for sessionId=0A7E6B64000015D43F03632E
----------------------------------------------
2020-08-22 21:33:40,249 DEBUG [pool-235-thread-97][] cisco.cpm.posture.events.PostureMessagesConsumer -::::- Sending auditLog for sessionId=0A7E6B64000015D43F03632E with attributes: [Posture.MacAddress, 00-50-56-01-02-03, Posture.IpAddress, 192.168.105.100, Posture.OperatingSystem, null, Posture.FailureReason, Endpoint not reachable, Posture.SessionId, 0A7E6B64000015D43F03632E]
2020-08-22 21:33:42,247 DEBUG [Posture-CoA][] cisco.cpm.posture.runtime.PostureCoA -::::- Posture CoA is triggered for endpoint [00-50-56-01-02-03] with session [0A7E6B64000015D43F03632E]
Case 2: The credentials are wrong, or the credentials provided don't have administrative privileges on the endpoint.
When Cisco ISE cannot run the Agentless posture flow because the account lacks administrative privileges on the endpoint, the log snippets below show why it is failing. You can rectify this by providing proper login credentials so that Agentless posture succeeds.
Look at the logs (ise-psc.log) downloaded from the Agentless Posture Troubleshooting page, or, to debug the issue in a live environment, run the command show logging application ise-psc.log from the Cisco ISE PSN CLI to identify the root cause.
----------------------------------------------
2020-08-22 21:44:18,033 DEBUG [PrRTEvents-Executor-2][] cisco.cpm.posture.events.NetAccessEventHandler -::::- Published message to POSTURE-INPUT for Agentless session 0A7E6B64000015D83F0FEA54
----------------------------------------------
2020-08-22 21:47:20,163 INFO [pool-3627-thread-5][] cpm.es.service.posture.ESDiscoveryTask -::::- Publishing result for: 192.168.105.100. Task Status: false
----------------------------------------------
2020-08-22 21:47:21,167 INFO [pool-235-thread-99][] cisco.cpm.posture.runtime.AgentlessPostureErrorHandler -::::- Handle error for sessionId=0A7E6B64000015D83F0FEA54, AgentlessFlowStatus=Failure
----------------------------------------------
2020-08-22 21:47:21,167 INFO [pool-235-thread-99][] cisco.cpm.posture.runtime.AgentlessPostureErrorHandler -::::- Calling triggerPostureCoA for sessionId=0A7E6B64000015D83F0FEA54
----------------------------------------------
2020-08-22 21:47:23,170 DEBUG [Posture-CoA][] cisco.cpm.posture.runtime.PostureCoA -:DOMINION\addot1xposture:::- Posture CoA is triggered for endpoint [00-50-56-01-02-03] with session [0A7E6B64000015D83F0FEA54]
Case 3: The endpoint IP isn't reachable
When Cisco ISE cannot connect to the endpoint at the IP address learned from RADIUS accounting, the log snippets below show why it is failing. You can rectify this by modifying your network so that Cisco ISE can reach the endpoint IP address learned from RADIUS accounting.
Look at the logs (ise-psc.log) downloaded from the Agentless Posture Troubleshooting page, or, to debug the issue in a live environment, run the command show logging application ise-psc.log from the Cisco ISE PSN CLI to identify the root cause.
----------------------------------------------
2020-08-22 22:46:49,057 DEBUG [PrRTEvents-Executor-2][] cisco.cpm.posture.events.NetAccessEventHandler -::::- Published message to POSTURE-INPUT for Agentless session 0A7E6B64000015F83F49274C
----------------------------------------------
2020-08-22 22:49:00,348 INFO [pool-235-thread-107][] cisco.cpm.posture.runtime.AgentlessPostureErrorHandler -::::- Handle error for sessionId=0A7E6B64000015F83F49274C, AgentlessFlowStatus=Failure
----------------------------------------------
2020-08-22 22:49:00,354 DEBUG [pool-235-thread-107][] cisco.cpm.posture.runtime.AgentlessTroubleshootingManager -::::- Started the Collect log process for MacAddress - 00:50:56:01:02:03
----------------------------------------------
2020-08-22 22:49:02,351 DEBUG [Posture-CoA][] cisco.cpm.posture.runtime.PostureCoA -:DOMINION\addot1xposture:::- Posture CoA is triggered for endpoint [00-50-56-01-02-03] with session [0A7E6B64000015F83F49274C]
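Across the three cases above, the same two log lines carry the verdict: the AgentlessPostureErrorHandler line with AgentlessFlowStatus=Failure, and (when present) the audit log line carrying Posture.FailureReason. The following added triage script is not from the original article; it summarises a downloaded ise-psc.log per session so that failures and their recorded reasons can be read off at a glance. The sample lines are constructed after the snippets shown above.

```powershell
# Added example (not from the original article): per-session triage of
# ise-psc.log for Agentless posture failures. Sample lines are constructed
# after the article's snippets; replace them with Get-Content .\ise-psc.log.
$SampleLog = @'
2020-08-22 21:30:38,071 INFO [pool-235-thread-96][] cpm.es.service.posture.ESGenericConsumer -::::- Received endpont: 192.168.105.100 from queue: POSTURE-INPUT
2020-08-22 21:33:40,242 INFO [pool-235-thread-97][] cisco.cpm.posture.runtime.AgentlessPostureErrorHandler -::::- Handle error for sessionId=0A7E6B64000015D43F03632E, AgentlessFlowStatus=Failure
2020-08-22 21:33:40,249 DEBUG [pool-235-thread-97][] cisco.cpm.posture.events.PostureMessagesConsumer -::::- Sending auditLog for sessionId=0A7E6B64000015D43F03632E with attributes: [Posture.MacAddress, 00-50-56-01-02-03, Posture.IpAddress, 192.168.105.100, Posture.OperatingSystem, null, Posture.FailureReason, Endpoint not reachable, Posture.SessionId, 0A7E6B64000015D43F03632E]
2020-08-22 21:47:21,167 INFO [pool-235-thread-99][] cisco.cpm.posture.runtime.AgentlessPostureErrorHandler -::::- Handle error for sessionId=0A7E6B64000015D83F0FEA54, AgentlessFlowStatus=Failure
'@

function Get-AgentlessPostureFailure {
    param([string[]]$Lines)
    $sessions = @{}   # sessionId -> ordered property bag
    foreach ($line in $Lines) {
        if ($line -match 'Handle error for sessionId=(?<sid>[0-9A-F]+), AgentlessFlowStatus=(?<st>\w+)') {
            $sid = $Matches.sid
            if (-not $sessions.ContainsKey($sid)) { $sessions[$sid] = [ordered]@{ SessionId = $sid } }
            $sessions[$sid].FlowStatus = $Matches.st
            $sessions[$sid].Time = $line.Substring(0, 23)   # "yyyy-MM-dd HH:mm:ss,fff"
        }
        elseif ($line -match 'Sending auditLog for sessionId=(?<sid>[0-9A-F]+) with attributes: \[(?<attrs>.*)\]') {
            $sid = $Matches.sid
            # The attribute list is flat "key, value, key, value"; pair it up.
            $parts = $Matches.attrs -split ',\s*'
            $attrs = @{}
            for ($i = 0; $i + 1 -lt $parts.Count; $i += 2) { $attrs[$parts[$i]] = $parts[$i + 1] }
            if (-not $sessions.ContainsKey($sid)) { $sessions[$sid] = [ordered]@{ SessionId = $sid } }
            $sessions[$sid].Mac    = $attrs['Posture.MacAddress']
            $sessions[$sid].Ip     = $attrs['Posture.IpAddress']
            $sessions[$sid].Reason = $attrs['Posture.FailureReason']
        }
    }
    foreach ($s in $sessions.Values) { [pscustomobject]$s }
}

# A session that shows Failure with an empty Reason (like the second one here)
# had no audit line in the excerpt: look at the ESDiscoveryTask "Task Status"
# line for its IP, as in Case 2 above.
Get-AgentlessPostureFailure -Lines ($SampleLog -split "`r?`n") |
    Where-Object FlowStatus -eq 'Failure' |
    Format-Table SessionId, Time, Mac, Ip, Reason -AutoSize
```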
Running scripts from the "Run Endpoint Scripts" feature to find the root cause
Cisco Identity Services Engine 3.0 onwards supports the Run Endpoint Scripts feature, through which an administrator can run scripts against connected endpoints. When Agentless posture is failing for a connected endpoint, you can use Run Endpoint Scripts to troubleshoot the issue.