Table of Contents

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Understanding ISE Posture Services
  Client Provisioning
  Posture Policy
  Authorization Policy
Understanding Posture Example Workflow
Before You Start
  Endpoint Checklist
  ISE Checklist and Basic Configuration for This Example
Configurations
  ISE Configuration
    Configure and Deploy Client Provisioning Services
    Configure Authorization Policy for Client Provisioning and Posture
    Configure Posture Policy
      Configure an AV Posture Policy
      Configure Windows Server Update Services Remediation
  Switch Configuration
    Global Switch Configuration
    Interface Switch Configuration
  WLC Configuration
    Global Configuration
    Employee SSID Configuration
    Guest SSID Configuration
Final Results
  Employee dot1x Posture (NAC Agent)
  Guest CWA Posture (NAC Web Agent)
Frequently Asked Questions
  Deployment Options Other than Client Provisioning
  Discovery Host for the NAC Agent
  Employee Browsers Are Configured with a Proxy
  DACL vs. Redirection ACL
  NAC Agent Does Not Pop Up
  Unable to Access WSUS for Remediation
  Don't Have an Internal Managed WSUS

Introduction

This document is a step-by-step configuration guide for ISE Posture Services: Client Provisioning, Posture Policy creation, and access policies based on endpoint assessment results, for wired clients (connected to Cisco switches) as well as wireless clients (connected to Cisco Wireless LAN Controllers).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:
• Identity Services Engine (ISE)
• Cisco IOS® switch configuration
• Cisco WLC wireless configuration

Components Used

The information in this document is based on these software and hardware versions:
• Cisco Identity Services Engine (ISE), Release 1.1.3
• Cisco Catalyst 3560 Series Switch, Cisco IOS Release 15.0(2)SE2
• Cisco WLC 2504 Series, version 220.127.116.11

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.
------------------------------------------------------------------------

Understanding ISE Posture Services

The Posture Services workflow is made up of three main configuration sections:
• Client Provisioning
• Posture Subscription and Policy
• Authorization Policy

Client Provisioning

In order to perform a posture assessment and determine the compliance state of an endpoint, the endpoint must be provisioned with an agent. The ISE agent can be persistent, in which case it is installed once and loaded automatically each time a user logs in, or temporal, in which case a web-based agent is downloaded to the user for each new session and removed after the posture assessment completes. NAC Agents are also responsible for facilitating remediation and for presenting an optional Acceptable Use Policy (AUP) to the end user. One of the first steps in the workflow is therefore to retrieve the agent files from the Cisco website and to create policies that determine which agent and configuration files are downloaded to an endpoint based on its attributes, for example user identity and client OS type.

Posture Policy

A posture policy defines the set of requirements an endpoint must meet to be deemed Compliant, based on file presence, registry, process, application, Windows and AV/AS checks and rules. A posture policy is applied to endpoints based on a defined set of conditions such as user identity and client OS type.

An endpoint's compliance (posture) status is one of the following:
• Unknown: no data has been collected to determine the posture state
• NonCompliant: a posture assessment was performed and one or more mandatory requirements failed
• Compliant: the endpoint meets all mandatory requirements

Posture requirements are built from a configurable set of one or more conditions. A Simple Condition is a single assessment check; a Compound Condition is a logical grouping of one or more Simple Conditions.
Each requirement is associated with a remediation action that helps the endpoint satisfy the requirement, for example an AV signature update.

Authorization Policy

The authorization policy defines the level of network access and the optional services delivered to an endpoint based on its posture status. Endpoints deemed not compliant with the posture policy can be quarantined until they become compliant; during this phase a typical authorization policy limits the user's network access to posture and remediation resources only. If remediation by the agent or the end user succeeds, the authorization policy can then grant the user full network access. Policy is usually enforced with downloadable ACLs (dACLs) or dynamic VLAN assignment. This configuration example uses dACLs for endpoint access enforcement.

Understanding Posture Example Workflow

In this configuration example we download both the persistent (NAC Agent) and the temporal (Web Agent) agent files to ISE and define client provisioning policies that require Domain Users to download the NAC Agent and Guest users to download the Web Agent. Before configuring posture assessment policies and requirements, we update the authorization policy so that Domain Users and Guests flagged not compliant receive a new authorization profile that limits access to posture and remediation resources. Employees and Guest users flagged Compliant are allowed regular network access. Once Client Provisioning services have been verified, posture requirements are configured to check for antivirus installation and virus definition updates, as well as Windows critical updates.
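The decision flow described above, modelled as an added example (this is not ISE code and is not part of the original page): agent requirement results are reduced to a posture status the way ISE does it, an AV definition-date check stands in for a Simple Condition, and a first-match authorization rule table, using the rule and profile names this guide configures later (Employee, Employee_PreCompliant, Guest, Default), selects the profile. The AD group path, the sample agent reports and the dates are constructed placeholders.

```python
# Added example (not Cisco/ISE code): a model of the posture -> authorization
# decision flow this guide builds.  The AD group path, the agent reports and
# the definition dates are constructed sample data; rule and profile names
# are the ones configured later in this document.
from datetime import date

DOMAIN_USERS = "example.com/Users/Domain Users"   # assumed AD group path


def av_definitions_current(client_def_date, reference_date, max_days_old=0):
    """Model of the AV 'Definition' check: the client's definition file (ISO
    date string) may be at most max_days_old days older than the reference
    date, which ISE takes either from the vendor's latest published file or
    from the client's own clock."""
    client = date.fromisoformat(client_def_date)
    reference = date.fromisoformat(reference_date)
    return (reference - client).days <= max_days_old


def posture_status(results):
    """results: list of (requirement, enforcement, passed) reported by the agent,
    or None when no agent has reported yet.  Any failed Mandatory requirement
    makes the endpoint NonCompliant; failed Optional or Audit requirements do
    not change the status.  (The global 'Default Posture Status', which ISE
    applies to endpoints that are never assessed, is not modelled here.)"""
    if results is None:
        return "Unknown"
    if any(enf == "Mandatory" and not ok for _, enf, ok in results):
        return "NonCompliant"
    return "Compliant"


# First-match rule table: (name, identity group or None for Any, conditions, profile).
# Employee_PreCompliant uses NOT_EQUALS Compliant rather than EQUALS NonCompliant
# so that it also catches Unknown, i.e. an employee whose agent has not reported.
AUTHZ_RULES = [
    ("Employee", None,
     [("ad_groups", "CONTAINS", DOMAIN_USERS), ("posture", "EQUALS", "Compliant")],
     "PermitAccess"),
    ("Employee_PreCompliant", None,
     [("ad_groups", "CONTAINS", DOMAIN_USERS), ("posture", "NOT_EQUALS", "Compliant")],
     "Posture_Remediation"),
    ("Guest", "Guest", [("posture", "EQUALS", "Compliant")], "PermitAccess"),
    ("Default", None, [], "CWA_Posture_Remediation"),
]


def _holds(session, attr, op, value):
    actual = session.get(attr)
    if op == "EQUALS":
        return actual == value
    if op == "NOT_EQUALS":
        return actual != value
    if op == "CONTAINS":            # AD ExternalGroups: the user is a member of the group
        return value in (actual or [])
    raise ValueError(f"unsupported operator {op}")


def authorize(session, rules=AUTHZ_RULES):
    """Return the authorization profile for a session dict with the keys
    identity_group, ad_groups (list of AD group paths) and posture."""
    for _name, group, conditions, profile in rules:
        if group is not None and session.get("identity_group") != group:
            continue
        if all(_holds(session, *cond) for cond in conditions):
            return profile
    raise LookupError("no rule matched; ISE would reject the session")


def decide(session, results):
    """Full flow for one session: posture status first, then authorization."""
    status = posture_status(results)
    return status, authorize({**session, "posture": status})


if __name__ == "__main__":
    employee = {"identity_group": None, "ad_groups": [DOMAIN_USERS]}
    guest = {"identity_group": "Guest", "ad_groups": []}
    # Constructed report: client definitions from 2013-05-01, newest file 2013-05-02,
    # 0 days of slack allowed (as in this guide) -> the definition check fails.
    current = av_definitions_current("2013-05-01", "2013-05-02")
    cases = [
        ("employee, agent not yet run", employee, None),
        ("employee, AV definitions stale", employee,
         [("Emp_AV_Installed", "Mandatory", True), ("Emp_AV_Current", "Mandatory", current)]),
        ("employee, all requirements met", employee,
         [("Emp_AV_Installed", "Mandatory", True), ("Emp_AV_Current", "Mandatory", True)]),
        ("guest, AV missing", guest, [("Guest_AV_Installed", "Mandatory", False)]),
        ("guest, AV missing but Optional", guest, [("Guest_AV_Installed", "Optional", False)]),
    ]
    for label, sess, report in cases:
        print(f"{label:34s} -> {decide(sess, report)}")
```

Run it directly to print one line per constructed session. The case worth noticing is the first one: an employee whose agent has not yet reported has status Unknown and still lands in Posture_Remediation, which is why the pre-compliant rule is written with NOT EQUALS Compliant rather than EQUALS NonCompliant. A guest in the same situation does not match the Guest rule and falls through to the Default rule, i.e. the CWA profile.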
------------------------------------------------------------------------

Before You Start

In order for posture to work properly in this example, verify the following.

Endpoint Checklist

1. The ISE FQDN must be resolvable by the endpoint device.

2. Browser requirements for Client Provisioning:
   • Firefox or Chrome: the Java plugin must be enabled.
   • Internet Explorer: ActiveX must be enabled in the browser settings.
   • Internet Explorer 10: verify the items below.

   Importing a self-signed certificate
   If you use self-signed certificates on ISE, run Internet Explorer 10 as Administrator to install them.

   Compatibility mode
   Compatibility mode must be changed in the IE 10 settings to allow the NAC Agent download. Right-click the top of the IE 10 window, choose Command bar, then Tools > Compatibility View, and add the ISE link (or your site) to the list.

   Enabling the ActiveX control
   Cisco ISE installs the Cisco NAC Agent and the Web Agent through an ActiveX control. In Internet Explorer 10 the option to prompt for ActiveX controls is disabled by default. To enable it:
   Step 1 Go to Tools > Internet Options.
   Step 2 Go to the Security tab, click Internet, then click Custom Level.
   Step 3 Under ActiveX Controls and Plugins, enable Automatic Prompting for ActiveX Controls.

3. If there is a firewall on the endpoint or between ISE and the endpoint, these ports must be open for ISE NAC communication:
   • UDP/TCP 8905: posture communication between the NAC Agent and ISE (the "Swiss" port)
   • UDP/TCP 8909: Client Provisioning (agent download)
   • TCP 8443: guest portal and posture discovery
   Note: The legacy port UDP 8906 is no longer used with ISE.

4. If your clients use a proxy server, modify the proxy settings to exclude the IP address of ISE; otherwise CWA and Client Provisioning will not work.

ISE Checklist and Basic Configuration for This Example

• ISE is joined to your Active Directory domain.
• The Domain Users group is added under Groups in the Active Directory configuration.
• The switch and the WLC are defined as network devices on ISE.
• ISE authentication rules are configured as follows:
  1) 802.1X authentications for wired and wireless clients are sent to the AD identity store.
  2) MAB authentications for wired and wireless devices are sent to Internal Endpoints. Be sure to select the "Continue" option for "If user not found", so that an unknown MAC address still reaches the authorization policy and can be redirected to CWA instead of being rejected.

------------------------------------------------------------------------

Configurations

ISE Configuration

The ISE configuration is made up of three parts:
1. Configure and deploy Client Provisioning Services
2. Configure compliant and non-compliant authorization policies
3. Configure posture policies

Configure and Deploy Client Provisioning Services

Step 1 Verify the ISE proxy configuration, if any.
Navigate to Administration > System > Settings, select Proxy in the left-hand pane and fill in your proxy configuration.

Step 2 Download the pre-built posture checks for AV/AS and Microsoft Windows.
Click the icon to the left of Posture in the left-hand pane to expand the Posture settings, then click Updates. The Update Information in the bottom right-hand pane should be empty, because no updates have been downloaded yet. Configure the following values:

Attribute                                                   Value
Web                                                         (o)
Update Feed URL                                             https://www.cisco.com/web/secure/pmbu/posture-update.xml
Proxy Address                                               -
Proxy Port                                                  -
Automatically check for updates starting from initial delay [✓] every 2 hours

Click Update Now and acknowledge the warning that the updates may take some time to complete.
Note: If ISE does not have internet access, you can perform the posture updates offline by downloading the required file from the Cisco site and uploading it to ISE.

Step 3 (Optional) Configure general settings for agent behavior.
Select General Settings in the left-hand pane under the Posture settings. Review the default values for Remediation Timer, Network Transition Delay and Default Posture Status, set the Remediation Timer to 8 minutes, and enable "Automatically Close Login Success Screen After" with a value of 5 seconds:

Attribute                                        Value
Remediation Timer                                8 (minutes)
Network Transition Delay                         3 (seconds)
Default Posture Status                           Compliant
Automatically Close Login Success Screen After   [✓] 5 (seconds)

Click Save.

Note: Values assigned through the agent profile override these global settings.

Note: Default Posture Status defines the status assigned to clients that are never posture-assessed (no NAC Agent). If you do not use Client Provisioning, set this value to NonCompliant; otherwise an endpoint without an agent is treated as Compliant and receives full network access.

Step 4 Set the location and policy for downloading Client Provisioning updates.
Click Client Provisioning in the left-hand pane and verify that the following default values are set:

Attribute                                          Value
Enable Provisioning                                Enable
Enable Automatic Download                          Disable
Update Feed URL                                    http://www.cisco.com/web/secure/pmbu/provisioning
Native Supplicant Provisioning Policy Unavailable  Allow Network Access

Step 5 Download the agent files.
Go to Policy > Policy Elements > Results and click the icon to the left of Client Provisioning to expand its contents. Select Resources in the left-hand pane. In the right-hand pane, click Add and then choose Agent Resources from Cisco site from the drop-down list. A popup window listing the available files is displayed. At a minimum, select the current NAC Agent, Web Agent and Compliance Module (AV/AS support module) from the list and click Save. Wait until the files are downloaded to the ISE appliance.
CLIENT PROVISIONING FILE REFERENCE

NAC Agent: persistent posture agent for Windows client PCs.
Mac OS X Agent: persistent posture agent for Mac OS X client PCs.
Web Agent: temporal posture agent for Windows PCs only.
Compliance Module: OPSWAT module that provides updates to the current AV/AS vendor support for both the NAC Agent and the Mac OS X Agent. Not applicable to the Web Agent.
Profiles: agent configuration files for the NAC Agent and the Mac OS X Agent; they update the locally installed XML files on client PCs. Not applicable to the Web Agent.

Step 6 (Optional) Create a NAC Agent configuration profile for your clients.
In the right-hand pane, click Add and select ISE Posture Agent Profile from the drop-down list, then choose the values that fit your needs. Refer to the ISE User Guide for a detailed description of all the values.

Note: The "merge" option updates an agent profile parameter only if no value is already defined for it; it does not overwrite parameters that already have a value. The "overwrite" option updates a parameter whether it is explicitly defined or not.

Step 7 Define the Client Provisioning policy for Domain Users and Guest users.
Go to Policy > Client Provisioning. Add two new Client Provisioning rules with the values in the following table, then click Save.

Note: Click the Actions button to the right of any rule entry to insert or duplicate entries.

Note: If multiple versions of the same file type (NAC Agent, Web Agent, Compliance Module) were downloaded to the Client Provisioning repository, select the most current version available.

Rule Name         Identity Groups  Operating Systems  Conditions                                                      Results                                                                Is Upgrade Mandatory?
Employee_Windows  Any              Windows All        AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users   NAC Agent 18.104.22.168 + Profile (optional) + Compliance 3.5.5767.2  [✓]
Guest_Windows     Guest            Windows All        -                                                               WebAgent 22.214.171.124                                                [✓]

Step 8 Configure the web authentication portal to download the posture agent according to the Client Provisioning policy.
Navigate to Administration > Web Portal Management > Settings and click the icon to the left of Guest (or double-click Guest) to expand its contents. Select Multi-Portal Configurations in the left-hand pane and then select DefaultGuestPortal. Under the Operations tab, enable the options that allow guest users to download agents and to self-register:

Attribute                                          Value
Guest users should download the posture client     [✓]
Guest users should be allowed to do self service   [✓]

Make sure that a guest role and a time profile are assigned for self-registration in the guest role settings.

Note: Guest self-service is optional; this example uses it so that guests can authenticate quickly without sponsor intervention.

Optionally set the Acceptable Use Policy for guest users:

Attribute                                              Value
Guest users should agree to an acceptable use policy   ( ) Not Used  (o) First Login  ( ) Every Login

Click Save when finished.

Configure Authorization Policy for Client Provisioning and Posture

The authorization policy sets the type of access and the services granted to endpoints based on attributes such as identity, access method and compliance with the posture policy. This example adds authorization policies that quarantine endpoints that are not posture compliant (granting only the limited access needed to provision the agent software and to remediate failed requirements) and grant full network access only to posture compliant endpoints.

Step 1 (Optional) Define a dACL that restricts network access for endpoints that are not posture compliant. On the switch, the dACL is what restricts non-web traffic from a quarantined endpoint; the redirect ACL only selects which traffic is intercepted and sent to ISE.
Go to Policy > Policy Elements > Results and click the icon to the left of Authorization (or double-click Authorization) to expand its contents. Select Downloadable ACLs in the left-hand pane. Click Add in the right-hand pane under DACL Management and enter the following values for the new dACL.
Attribute      Value
Name           POSTURE_REMEDIATION
Description    Permit access to posture and remediation services and deny all other access. Permit general HTTP and HTTPS for redirection only.
DACL Content   Enter the entries below in the DACL Content field.

Downloadable ACL entry                              Description
permit udp any any eq domain                        Allow DNS for name resolution
permit udp any eq bootpc any eq bootps              Allow DHCP
permit tcp any host <ISE IP address> eq 8443        Allow CWA/CPP to the ISE Policy Service node
permit tcp any host <ISE IP address> eq 8905        Allow agent discovery directly to the Policy Service node
permit udp any host <ISE IP address> eq 8905        Allow agent discovery and keepalives
permit tcp any host <ISE IP address> eq 8909        Allow Cisco NAC Agent, Cisco NAC Web Agent and supplicant provisioning wizard installation
permit udp any host <ISE IP address> eq 8909        (same as above, UDP)
permit ip any host <REM Server IP address>          Explicit allow to the remediation server (WSUS, antivirus server, ...)
permit ip any host 126.96.36.199                    Allow traffic to the ClamWin definition database server (this entry is specific to our example)
deny ip any any                                     Deny all other traffic

Note: There is currently no ACL syntax checking for dACL contents, so review the entries carefully for errors before submitting; the switch rejects a dACL it cannot parse, and the session authorization then fails. Also note that the two "permit ip" entries give quarantined endpoints unrestricted IP access to the remediation and definition servers; narrow them to the ports actually needed if those hosts run other services.

Click Submit when completed.

Step 2 Define a new authorization profile for 802.1X-authenticated (NAC Agent) users, named Posture_Remediation, that uses both the new dACL for port access control and the URL redirect ACL for traffic redirection.
Click Authorization Profiles in the left-hand pane under Policy > Policy Elements > Results > Authorization. Click Add in the right-hand pane and enter the following values:

Attribute                               Value
Name                                    Posture_Remediation
Description                             Permit access to posture and remediation services; redirect traffic to client provisioning and posture services.
Access Type                             ACCESS_ACCEPT
DACL Name                               [✓] POSTURE_REMEDIATION
Web Authentication - Posture Discovery  [✓] ACL-POSTURE-REDIRECT

The resulting Attribute Details at the bottom of the page should read:

Access Type = ACCESS_ACCEPT
DACL = POSTURE_REMEDIATION
cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT
cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

Click Submit to apply your changes.

Note: ACL-POSTURE-REDIRECT must be created on the switch as well as on the WLC (refer to the Switch Configuration and WLC Configuration sections).

Step 3 Define a new authorization profile for web-authenticated (Web Agent) users, named CWA_Posture_Remediation, that uses both the new dACL for port access control and the URL redirect ACL for traffic redirection.
Click Authorization Profiles in the left-hand pane under Policy > Policy Elements > Results > Authorization. Click Add in the right-hand pane and enter the following values:

Attribute                                        Value
Name                                             CWA_Posture_Remediation
Description                                      Permit access to posture and remediation services; redirect traffic to central web auth services.
Access Type                                      ACCESS_ACCEPT
DACL Name                                        [✓] POSTURE_REMEDIATION
Web Authentication - Centralized Web Authentication  [✓] ACL-POSTURE-REDIRECT

The resulting Attribute Details at the bottom of the page should read:

Access Type = ACCESS_ACCEPT
DACL = POSTURE_REMEDIATION
cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT
cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

Click Submit to apply your changes.

Note: The only difference between the two profiles is the url-redirect cisco-av-pair attribute. Users who must be authenticated with CWA are first redirected to the guest portal for web authentication (action=cwa) and are then automatically redirected to the Client Provisioning Portal (action=cpp) as needed. Users authenticated through 802.1X are redirected directly to the Client Provisioning Portal.

Step 4 Update the authorization policy to support posture compliance.
Go to Policy > Authorization. Update the existing authorization policy with the following values, using the selector at the end of a rule entry to insert or duplicate rules:

Rule Name              Identity Groups  Other Conditions                                                                                               Permissions
Employee               Any              AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users AND Session:PostureStatus EQUALS Compliant       PermitAccess (or your Employee authorization profile, if you already have one defined)
Employee_PreCompliant  Any              AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users AND Session:PostureStatus NOT EQUALS Compliant   Posture_Remediation
Guest                  Guest            Session:PostureStatus EQUALS Compliant                                                                         PermitAccess (or your Guest authorization profile, if you already have one defined)
Default                Any              -                                                                                                              CWA_Posture_Remediation

Click Save to apply your changes.

Note: Employee_PreCompliant matches on PostureStatus NOT EQUALS Compliant rather than EQUALS NonCompliant so that it also covers the Unknown status, i.e. an employee whose agent has not yet reported. The rules are evaluated top down and the first match wins, so a Guest that is not yet compliant falls through to the Default rule.

Note: The same authorization profiles (Permissions) are used here for wired and wireless access. Be aware that the WLC ignores the dACL; on wireless, the ACL-POSTURE-REDIRECT configured on the WLC is what denies all traffic except to the remediation server and the ISE posture ports.

Configure Posture Policy

Configure an AV Posture Policy

In this example we configure the following:
• a posture policy for Domain Users that requires ClamWin AV to be installed and current;
• a posture policy for Guest users that installs ClamWin AV if no antivirus is installed.

Note: clamwin-0.97.7-setup.exe was uploaded to the default site of the remediation server. For the definition file update remediation to work, one of the IP addresses of the ClamWin update server must be added to the dACL as well as to the redirection ACL, as done in the previous section.

Step 1 Define an AV posture condition that validates the installation of ClamWin AV on an endpoint. This check is used in the posture requirements applied to Employees.
Go to Policy > Policy Elements > Conditions and click the icon to the right of Posture. Select AV Compound Condition in the left-hand pane and then click Add in the right-hand pane. Enter the following values and click Submit at the bottom of the page:

Attribute                      Value
Name                           ClamWin_AV_Installed
Description                    Check that ClamWin AV is installed
Operating System               Windows 7 (All)
Vendor                         ClamWin
Check Type                     (o) Installation  ( ) Definition
Products for Selected Vendor   [✓] ClamWin Antivirus  [✓] ClamWin FREE Antivirus

Note: If no AV products appear in the Vendor field, the posture updates have not yet been downloaded or the download has not yet completed.

Step 2 Define an AV posture condition that validates the signature version of ClamWin AV on an endpoint. This check is used in the posture requirements applied to Employees.
Select AV Compound Condition in the left-hand pane and then click Add in the right-hand pane. Enter the following values and click Submit at the bottom of the page:

Attribute                      Value
Name                           ClamWin_AV_Current
Description                    Check that the ClamWin AV definitions are current
Operating System               Windows 7 (All)
Vendor                         ClamWin
Check Type                     ( ) Installation  (o) Definition
                               [✓] Allow virus definition files to be 0 days older than (o) latest file date  ( ) current system date
Products for Selected Vendor   [✓] ClamWin Antivirus  [✓] ClamWin FREE Antivirus

Note: "latest file date" compares the client's definition date with the date of the newest definition file known to ISE from the posture update feed; "current system date" compares it with the endpoint's own clock, which the user controls. With 0 days allowed and "latest file date", the endpoint must have the newest published definitions to pass.

Step 3 Define an AV posture condition that validates the installation of any supported AV on an endpoint. This check is used in the posture requirements applied to Guest users.
Select AV Compound Condition in the left-hand pane and then click Add in the right-hand pane. Enter the following values and click Submit:

Attribute                      Value
Name                           Any_AV_Installed
Description                    Check that any AV is installed
Operating System               Windows All
Vendor                         ANY
Check Type                     (o) Installation
Products for Selected Vendor   [✓] ANY

Step 4 Define a posture remediation action that installs ClamWin AV on an endpoint.
Go to Policy > Policy Elements > Results and click the icon to the left of Posture (or double-click Posture) in the left-hand pane to expand its contents, then expand Remediation Actions. Select Link Remediation and click Add in the right-hand pane. Enter the following values and click Submit:

Attribute         Value
Name              Install_ClamWin_AV
Description       Link to the ClamWin AV install package
Remediation Type  Manual
Retry Count       0
Interval          0
URL               http://<REM SERVER IP>/clamwin-0.97.7-setup.exe

Note: <REM SERVER IP> is the IP address of your remediation server, where the ClamWin installer is hosted; in this scenario 192.168.1.100 is configured as the HTTP remediation server.

Step 5 Define a posture remediation action that updates the ClamWin AV definitions on an endpoint.
Select AV/AS Remediation in the left-hand pane and click Add in the right-hand pane. Enter the following values and click Submit:

Attribute               Value
Name                    Update_ClamWin_AV_Definitions
Description             Trigger signature updates for ClamWin AV
AV/AS Remediation Type  AV Definition Update
Remediation Type        Manual
Interval                0
Retry Count             0
Operating System        (o) Windows  ( ) Mac
AV Vendor Name          ClamWin

Step 6 Define the posture requirements that are applied to Employees and Guest users.
Select Requirements in the left-hand pane (under Policy > Policy Elements > Results > Posture). Enter the following entries in the table, using the selector at the end of a rule entry to insert or duplicate rules, and click Save when finished:

Name                Operating System  Condition             Action                         Message Shown to Agent User
Emp_AV_Installed    Windows 7 (All)   ClamWin_AV_Installed  Install_ClamWin_AV             (optional)
Emp_AV_Current      Windows 7 (All)   ClamWin_AV_Current    Update_ClamWin_AV_Definitions  (optional)
Guest_AV_Installed  Windows All       Any_AV_Installed      Install_ClamWin_AV             An approved antivirus program was NOT detected on your PC. All guest users must have a current AV program installed before access is granted to the network. If you would like to install a free version of ClamAV, please click on the link below.

Note: If a preconfigured condition is not listed under Conditions, check that you selected the appropriate Operating System for both the condition and the requirement rule. Only conditions whose OS is the same as, or a subset of, the OS selected for the rule are listed.

Step 7 Configure the posture policy so that ClamWin AV is installed and current on Employee computers running Windows 7, and that any supported AV is installed on Guest user computers.
Go to Policy > Posture, create new policy rules with the values in the following table, and click Save to apply your changes:

Rule Name                                   Identity Groups  Operating Systems  Other Conditions                                                 Requirements
Employee_Windows_AV_Installed_and_Current   Any              Windows 7 (All)    AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users    Emp_AV_Installed (Mandatory), Emp_AV_Current (Mandatory)
Guest_Windows_AV_Installed_and_Current      Guest            Windows All        -                                                                Guest_AV_Installed (Mandatory)

Note: To mark a posture requirement as Mandatory, Optional or Audit, click the icon to the right of the requirement name and choose an option from the drop-down menu. Only Mandatory requirements affect the compliance status: a failed Optional requirement still leaves the endpoint Compliant, and Audit requirements are evaluated for reporting only.

Configure Windows Server Update Services Remediation

In this example, all Employees running Windows 7 must have the latest Windows critical patches installed. We use an internal managed WSUS with the same IP address as the antivirus installation remediation server.

Step 1 Define a posture remediation action that checks for and installs the latest Windows 7 patches.
Go to Policy > Policy Elements > Results and click the icon to the left of Posture (or double-click Posture) in the left-hand pane to expand its contents, then expand Remediation Actions.
Select Windows Server Update Remediation and click Add in the right-hand pane. Enter the following values and click Submit:

Attribute                               Value
Name                                    Install_Win_Critical_Updates
Description                             Check and install missing critical Windows updates
Remediation Type                        Manual
Validate Windows Updates using          Severity Level
Windows Updates Severity Level          Critical
Windows Updates Installation Source     Managed Server
Installation Wizard Interface Setting   Show UI

Note: If you want to validate Windows updates using Cisco rules instead of a severity level, you must create your own posture conditions and reference them in the requirement defined in Step 2 below.

Step 2 Define the posture requirement that is applied to Employees.
Select Requirements in the left-hand pane (under Policy > Policy Elements > Results > Posture). Enter the following entry in the table, using the selector at the end of a rule entry to insert or duplicate rules, and click Save when finished:

Name                 Operating System  Condition    Action                        Message Shown to Agent User
Win_Critical_Update  Windows 7 (All)   pr_WSUSRule  Install_Win_Critical_Updates  (optional)

Note: The pr_WSUSRule condition is found under Cisco Defined Conditions > Regular Compound Conditions. It is a placeholder: because the remediation action validates Windows Update by severity level, the actual check is performed by the WSUS remediation itself, but ISE still requires a condition to be selected for the requirement.
Step 3 Configure the posture policy so that Employee computers running Windows 7 have the latest Windows 7 critical patches installed.
Go to Policy > Posture, create a new policy rule with the values in the following table, and click Save to apply your changes:

Rule Name                                           Identity Groups  Operating Systems  Other Conditions                                                Requirements
Employee_Windows_latest_Critical_Patches_Installed  Any              Windows 7 (All)    AD1:ExternalGroups EQUALS <AD Domain Name>/Users/Domain Users   Win_Critical_Update (Mandatory)

------------------------------------------------------------------------

Switch Configuration

Global Switch Configuration

This section is an excerpt of the switch configuration; use it as a reference rather than copying it verbatim. AAA must already be enabled with aaa new-model.

Global RADIUS and 802.1X configuration:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
ip radius source-interface Vlan<x>
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host <ISE IP> key <pre-shared key>
radius-server vsa send accounting
radius-server vsa send authentication

Default ACL applied to the port:

ip access-list extended permitany
 permit ip any any

Enabling RADIUS Change of Authorization (CoA):

aaa server radius dynamic-author
 client <ISE IP> server-key <pre-shared key>

Enabling URL redirection and logging:

ip device tracking
epm logging
ip http server
ip http secure-server

Redirection ACL:

ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny udp any host <ISE IP> eq 8905
 deny tcp any host <ISE IP> eq 8905
 deny tcp any host <ISE IP> eq 8909
 deny udp any host <ISE IP> eq 8909
 deny tcp any host <ISE IP> eq 8443
 deny ip any host <REM SERVER IP>
 deny ip any host 188.8.131.52
 permit ip any any

The last deny entry is one of the IP addresses of the ClamWin virus definition database (specific to this example). In a redirect ACL, deny means "do not redirect" and permit means "redirect to ISE"; the ACL does not block anything by itself. Traffic that is not redirected is still subject to the POSTURE_REMEDIATION dACL, which is what actually restricts the quarantined endpoint.

Note: The IP address of the endpoint must be reachable from the switch SVI in order for redirection to work.

Interface Switch Configuration

switchport access vlan <xx>
switchport voice vlan <yy>
switchport mode access
ip access-group permitany in
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7

Note: ip access-group permitany in is mandatory for dACLs before Cisco IOS Release 12.2(55)SE.

------------------------------------------------------------------------

WLC Configuration

Global Configuration

Ensure that the RADIUS server entry has RFC 3576 (CoA) support enabled; this is the default.

Create an access list on the WLC under Security > Access Control Lists:

Name: ACL-POSTURE-REDIRECT

Seq  Action  Source IP/Mask   Destination IP/Mask  Protocol  Source Port  Dest Port  Direction
1    permit  Any              Any                  UDP       DNS          Any        Any
2    permit  Any              Any                  UDP       Any          DNS        Any
3    permit  Any              <ISE IP>             UDP       Any          8905       Any
4    permit  <ISE IP>         Any                  UDP       8905         Any        Any
5    permit  Any              <ISE IP>             TCP       Any          8905       Any
6    permit  <ISE IP>         Any                  TCP       8905         Any        Any
7    permit  Any              <ISE IP>             UDP       Any          8909       Any
8    permit  <ISE IP>         Any                  UDP       8909         Any        Any
9    permit  Any              <ISE IP>             TCP       Any          8909       Any
10   permit  <ISE IP>         Any                  TCP       8909         Any        Any
11   permit  Any              <ISE IP>             TCP       Any          8443       Any
12   permit  <ISE IP>         Any                  TCP       8443         Any        Any
13   permit  Any              <REM SERVER IP>      Any       Any          Any        Any
14   permit  <REM SERVER IP>  Any                  Any       Any          Any        Any
15   permit  184.108.40.206   Any                  Any       Any          Any        Any
16   permit  Any              220.127.116.11       Any       Any          Any        Any

Note: Entries 15 and 16 are used in our example for the ClamWin antivirus update, where 18.104.22.168 contains the definition database file. On the WLC this pre-authentication ACL is the only access restriction for the session, since the WLC ignores the dACL: permitted traffic bypasses redirection and reaches its destination, and all other traffic is redirected (HTTP) or dropped.
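The three ACLs above describe one set of flows three times with different keywords: the dACL permits them, the IOS redirect ACL exempts them from redirection with deny, and the WLC ACL permits them in both directions. The following script is an added example, not Cisco or ISE code: it generates all three from one list of addresses and checks that the dACL and the redirect ACL still agree, since ISE does not syntax-check dACL contents and a mismatch is easy to introduce when one list is edited without the other. The ISE, remediation server and ClamWin addresses in it are placeholders, not the ones used in this guide.

```python
"""Added example (not Cisco/ISE code): generate the POSTURE_REMEDIATION dACL, the
IOS ACL-POSTURE-REDIRECT and the WLC pre-authentication ACL from one list of
addresses, and check that the dACL and the redirect ACL agree.  The addresses
used below are placeholders, not the ones in this guide."""
import re

# ISE ports the quarantined endpoint must reach (see the Endpoint Checklist):
# 8443 guest/CPP portal, 8905 agent discovery and keepalives, 8909 agent download.
ISE_PORTS = (("tcp", 8443), ("tcp", 8905), ("udp", 8905), ("tcp", 8909), ("udp", 8909))

# The subset of IOS extended-ACE syntax used by these ACLs.  ISE does not
# syntax-check dACL contents, and a dACL the switch cannot parse fails the
# authorization, so the entries are validated here before they are submitted.
_HOST = r"(?:any|host \d{1,3}(?:\.\d{1,3}){3})"
ACE_RE = re.compile(rf"^(permit|deny) (ip|tcp|udp) {_HOST}(?: eq \S+)? {_HOST}(?: eq \S+)?$")


def bypass_flows(ise_ip, bypass_hosts):
    """Flows a quarantined endpoint needs, as ACE bodies without the action keyword."""
    flows = ["udp any any eq domain",                 # DNS
             "udp any eq bootpc any eq bootps"]       # DHCP
    flows += [f"{proto} any host {ise_ip} eq {port}" for proto, port in ISE_PORTS]
    flows += [f"ip any host {h}" for h in bypass_hosts]   # remediation server, AV update source
    return flows


def build_dacl(ise_ip, bypass_hosts):
    """POSTURE_REMEDIATION: permit only the bypass flows and deny everything else."""
    return [f"permit {f}" for f in bypass_flows(ise_ip, bypass_hosts)] + ["deny ip any any"]


def build_redirect_acl(ise_ip, bypass_hosts):
    """ACL-POSTURE-REDIRECT: in a redirect ACL 'deny' means 'do not redirect', so
    the same flows appear here as denies and everything else is redirected."""
    return [f"deny {f}" for f in bypass_flows(ise_ip, bypass_hosts)] + ["permit ip any any"]


def build_wlc_acl(ise_ip, bypass_hosts):
    """WLC pre-auth ACL rows (seq, action, src, dst, proto, sport, dport).  The WLC
    ignores the dACL and needs both directions, so this ACL alone limits access;
    DHCP is handled by the WLC itself and is not listed (as in this guide)."""
    rows = [("permit", "any", "any", "udp", "dns", "any"),
            ("permit", "any", "any", "udp", "any", "dns")]
    for proto, port in ISE_PORTS:
        rows.append(("permit", "any", ise_ip, proto, "any", str(port)))
        rows.append(("permit", ise_ip, "any", proto, str(port), "any"))
    for h in bypass_hosts:
        rows.append(("permit", "any", h, "any", "any", "any"))
        rows.append(("permit", h, "any", "any", "any", "any"))
    return [(seq,) + row for seq, row in enumerate(rows, start=1)]


def invalid_aces(acl):
    """Entries that do not match the supported ACE syntax."""
    return [ace for ace in acl if not ACE_RE.match(ace)]


def check_consistency(dacl, redirect_acl):
    """Return a list of problems; empty when the two switch ACLs agree.  The two
    lists must name the same flows: a flow exempt from redirection but denied by
    the dACL is silently dropped, and a flow permitted by the dACL but missing
    from the redirect ACL means one list was edited without the other."""
    problems = [f"bad syntax: {a}" for a in invalid_aces(dacl) + invalid_aces(redirect_acl)]
    permitted = {a[len("permit "):] for a in dacl if a.startswith("permit ")}
    exempt = {a[len("deny "):] for a in redirect_acl if a.startswith("deny ")}
    problems += [f"permitted by dACL but redirected: {f}" for f in sorted(permitted - exempt)]
    problems += [f"exempt from redirect but denied by dACL: {f}" for f in sorted(exempt - permitted)]
    if dacl[-1] != "deny ip any any":
        problems.append("dACL must end with 'deny ip any any'")
    if redirect_acl[-1] != "permit ip any any":
        problems.append("redirect ACL must end with 'permit ip any any'")
    return problems


if __name__ == "__main__":
    ise, rem, clam = "10.1.1.10", "192.168.1.100", "203.0.113.5"   # placeholders
    dacl = build_dacl(ise, [rem, clam])
    redirect = build_redirect_acl(ise, [rem, clam])
    print("\n".join(dacl), "\n")
    print("ip access-list extended ACL-POSTURE-REDIRECT\n " + "\n ".join(redirect), "\n")
    for row in build_wlc_acl(ise, [rem, clam]):
        print(*row)
    print("problems:", check_consistency(dacl, redirect) or "none")
```

The dACL output can be pasted into the DACL Content field as is, and the redirect ACL into the switch configuration. The generator uses a single host list for all three ACLs; if, as in this guide, different ClamWin addresses are needed on the switch and on the WLC, pass the appropriate list to each builder.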
Note : For FlexConnect with local switching, you have to create a FlexConnect ACL and apply it as the WebPolicy ACL as follows:
1) The ACL will have the same name and the same entries as the ACL above.
2) Click on External WebAuthentication ACLs.
3) Add the Web Policy ACL and click Apply.

Employee SSID Configuration

Create a new Employee SSID or modify the existing one if already defined.

Guest SSID Configuration

Create a new WLAN with the Guest SSID or modify the existing one if already defined.

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Final Results

Employee dot1x Posture (NAC Agent)

Configure your wireless SSID (Employee) or wired network for PEAP-MSCHAPv2 and connect with an AD user in the Domain Users group. Open a browser and try to navigate to a site; you will be prompted with the following:
1) Click Install Agent and then Next.
2) Click Next.
3) Accept the End User License Agreement.
4) Choose Complete.
5) Click Install.
6) Select Finish.
The NAC Agent will pop up after installation. Select Show details. We can see that ClamWin is not installed and not updated; we can also notice that some Windows Critical Updates are not installed.
7) Click the Go To Link to install the antivirus.
8) Click Run and install ClamWin Antivirus.
After installing the antivirus, the NAC Agent will prompt for an update. Click Update to get the latest virus definition file. Afterwards you will get the same screen to update your Windows; click Update another time and your NAC Agent will contact your WSUS to check for and install the latest Critical Updates.
When the installation is complete you will be prompted to restart your computer. After the restart you will have full network access, since your system will be compliant.

Guest CWA Posture (NAC Web Agent)

Connect to your Guest SSID, or do not configure dot1x on your wired network. Open a browser and try to navigate to a site; you will be prompted with the following:
1) Click on Self registration and proceed with authentication.
2) Accept the use policy.
3) Click on Install Agent.
4) Click on "click here to remediate".
5) Click on Run and proceed with the antivirus installation.
Now you have full network access. Check the ISE authentication logs to verify that dynamic authorisation succeeded and that you are matching the authorisation profile related to the Compliant status.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Frequently Asked Questions

Deployment Options Other than Client Provisioning

You can refer to the ISE User Guide under the topic "Provisioning Client Machines with the Cisco NAC Agent MSI Installer".

Discovery Host for the NAC Agent

In order for the NAC Agent to reach the right ISE PDP:
1) If no Discovery Host is defined, the NAC Agent will send an HTTP request on port 80 to the gateway; this traffic must be redirected to the posture discovery link (cpp) in order for discovery to work properly.
2) If a Discovery Host is defined, the NAC Agent will send an HTTP request on port 80 to that host; this traffic must be redirected to the posture discovery link (cpp) in order for discovery to work properly. If there is a problem with redirection, the NAC Agent will try to contact the defined Discovery Host directly on port 8905 (which does not guarantee the posture validation, because the session information may not be available on that PDP unless node groups are defined and the PDPs are within the same group).

Employees' Browsers are Configured with a Proxy

1) If you are not using Client Provisioning and the employee PCs are configured with a proxy, there is no need to make any changes, since the posture discovery packets are sent on port 80 and bypass the proxy settings.
2) If you are using the Client Provisioning service, you need to change the switch and WLC configuration as below in order to intercept HTTP traffic on the proxy's defined port.
Proxy configuration on port 8080 on the switch:

    ip http port 8080
    ip port-map http port 8080

Proxy configuration on the WLC:

By default the WLC intercepts HTTP requests with destination TCP port 80 only. The following command must be configured through the CLI if you want to intercept HTTP traffic on another port, for example 8080:

    config network web-auth-port 8080

Note : Switches allow redirection on one port only. Therefore, if you specify another port for switch redirection, posture discovery will fail and posture traffic will be sent to the Discovery Host defined in NACAgentCFG.xml (the NAC Agent profile).

DACL vs Redirection ACL

1) The Redirection ACL is mandatory for Client Provisioning, Central Web Authentication and posture discovery.
2) A DACL is used to limit network access and is applied only to non-redirected traffic.
You have multiple options:
1) Define only a Redirection ACL and redirect all the traffic that you want to be dropped (as we did in our example).
2) Define a less restrictive Redirection ACL and apply a DACL which filters the traffic that is not redirected.
3) Define a Redirection ACL and apply a VLAN which restricts network access (best approach, since VLAN traffic can be filtered by an application-aware firewall).

NAC Agent is Not Popping Up

1) Check ISE Live Authentications and verify that the authentication is matching your posture authorization profile.
2) From the client PC, open cmd, type nslookup and verify that you can resolve the ISE PDP hostname.
3) From your client browser, type https://<ise-hostname>:8905/auth/discovery and make sure you receive the ISE FQDN as the response.
If all the steps are working and your switch or WLC configuration complies with this document:
1) Start a capture on the PC using Wireshark.
2) Restart the NAC Agent service.
3) Collect the Cisco Log Packager output.
4) Locate NACAgentCFG.xml in the NAC Agent directory.
5) Contact Cisco TAC, providing the packet capture, NAC Agent logs, NACAgentCFG configuration file and Windows Event Viewer logs.
Unable to Access WSUS for Remediation

If you are using WSUS 3.0 SP2 and the NAC Agent is unable to access WSUS Windows Updates, verify that you have the latest patch of WSUS installed (this patch is mandatory for Windows clients to browse updates from WSUS): http://support.microsoft.com/kb/2720211

Verify that you are able to access the following file: http://<ip wsus>/selfupdate/iuident.cab

Refer to the link below for better debugging of the WSUS installation: http://technet.microsoft.com/en-us/library/dd939822%28v=ws.10%29.aspx

Don't Have an Internal Managed WSUS

You can still use the Windows Update servers while configuring your posture remediation rule. Clients must be allowed to reach these sites, and the following URLs should not be redirected:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://stats.microsoft.com
https://stats.microsoft.com

When Failing the Posture Check on the NAC Agent, No Failed Authentication is Seen in ISE Live Logs

You might be tempted to create an authorization policy rule that triggers on the condition of a NonCompliant client in order to restrict its access. However, no authentication attempt will be seen failing until the remediation timer expires, particularly when using the Web Agent. In fact, the agent notices it is not meeting the requirements and starts the remediation timer. Only at the end of it, or if the user clicks Cancel, will ISE be notified that the posture was a failure. Therefore it is good practice to give all clients a default access that allows for remediation but blocks any other form of access.
Hello Michel,
You cannot for the moment. Management is restricted to Gig0.
You can refer to this document for better understanding: http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
Tony