In this guide with step-by-step configuration, we are trying to demonstrate Cisco ISE configuration for Client Provisioning, without Posture validation. For this scenario, we are using a Cisco WLC controller already integrated with FMC.

Cisco Identity Services Engine (ISE) looks at various elements when classifying the type of login session through which users access the internal network, including:
- Client machine operating system and version
- Client machine browser type and version
- Group to which the user belongs
- Condition evaluation results (based on applied dictionary attributes)

After Cisco ISE classifies a client machine, it uses client provisioning resource policies to ensure that the client machine is set up with an appropriate agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles, if necessary.
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_client_prov.html

For the most part, ISE requires the AnyConnect client for posture assessment.

1 Topology
We will use the topology below in the lab.

1.1 Setup Client Provisioning Policy
Initially we need to ensure we enable Client Provisioning using the option shown below.

2. Pre-requisite
Below are the resources available by default on the ISE. We need to add a few resources into the ISE, either directly from Cisco's website or from a local drive, as shown below.
Ensure you have uploaded "AnyConnect compliance module windows" into the client provisioning resources. Download it from Cisco's website manually:
https://software.cisco.com/download/home/286281283/type/282364313/release/ISEComplianceModule

Create Native Supplicant Profile

AnyConnect Posture Profile
This configuration file dictates the compliance settings to be used when the compliance module is started on the end user's machine. This dictates configurations such as the length of time the user has to remediate a non-compliant machine, enables additional debug logs for compliance, and specifies the PSN to which the compliance module should reach out. The "server name rules" field can be used to specify the domain on which the compliance server should exist, if the end machine will be connecting to multiple domains with overlapping IP addresses.

Conditions and their descriptions:
- Native Supplicant Profile: This instructs the built-in supplicant (Windows/MacBook) what to do.
- NAM Profile: This instructs the AnyConnect client which network the client is allowed to join, and the associated settings (security, etc.).
- AnyConnect Configuration: Tells AnyConnect which modules and profiles it should use, as well as whether it should update itself.

Default Posture Status:
- Compliant: All compliant users will be allowed to access the network.
- Non-Compliant: Non-compliant users will never touch your network.

Timers:
- Remediation Timer: If a user's PC has to do something to become compliant, the device is given X minutes to complete the update before the checks are run again.
- Network Transition Delay: How long to wait in between the states.
- Continuous Monitoring Interval: How often AnyConnect should send updates to the ISE.
- Cache Last Known Posture Compliant Status: Grace period between when a device is compliant and then becomes non-compliant, before the posture policy is enforced.
- Posture Lease: How often to run a posture check.

Note: Select Server name rules as *, unless you want users to connect to a specific PSN unit.

AnyConnect configuration
Select the AnyConnect client we plan to push to the users and configure the settings.

3 Steps to configure Client provisioning

3.1 Step 1: Create Redirect ACL on WLC for AP
We need to create a redirect ACL (REDIRECT-ACL) on the network device to redirect traffic to the client provisioning portal. Keep in mind that the redirect ACL (in this example it's called REDIRECT-ACL) should be created on the NAD (Network Access Device) to have proper redirection. A basic redirect ACL should not intercept traffic to and from ISE PSN nodes, DNS and DHCP, and should redirect HTTP and HTTPS traffic. Below is the sample ACL used for CWA redirection on the switch, where we deny the traffic which should not be redirected. But on the WLC, we permit all traffic which should be forwarded without redirection. Refer to the screenshot below, where we created the access control list on a switch. But in our case, we are using a WLC, thus we need to create the ACL below.

3.2 Step 2: Configure the Client provisioning conditions

3.1.1 Create Client Provisioning Portal
Once the user connects to the portal, they will be directed to the client provisioning policy we created in the previous section.

4.1 Step 3: Access Policy

4.1.1 Authorization Profiles
Create access policy based on the three possible states of posture compliance:
- Not Compliant: the device failed the compliance check.
- Compliant: the device passed the compliance check.
- Unknown: the device did not run the compliance check yet; this is the rule that will point to the client provisioning portal.

User_Unknown
We will map the access list we created in step 1.

4.1.2 Authorization Rules
Do not modify the existing Access Policy, but we will modify the authorization policies User Unknown, Employee_Non Compliant & Employee_Compliant. Thus, we created the authorization policies shown below. The first time an employee comes in, he will hit the policy User Unknown, as ISE doesn't know his posture validation, and thus he will be forwarded to the portal.

5 User Testing

6 Logs
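The guide's point about the redirect ACL (deny the exceptions on a switch, permit the exceptions on a WLC) is easy to get backwards, so here is an added example that is not part of the original post: a small first-match ACL evaluator that runs constructed sample flows (DHCP, DNS, traffic to the PSN, Internet HTTP/HTTPS, and an unrelated SSH flow) through a switch-style and a WLC-style REDIRECT-ACL and reports which flows each platform would send to the portal. Both ACLs are constructed for this example and written in IOS-style notation for readability (the WLC's own ACL form differs); 10.10.10.10 is a placeholder for the ISE PSN address, and the client and web-server addresses are made up.

```python
"""Evaluate a client-provisioning redirect ACL with switch and WLC semantics.

Added example, not code from the original post. Switch (IOS) semantics: a
flow whose first match is 'permit' is redirected to the portal. WLC
semantics are inverted: 'permit' means forward without redirection and
'deny' means redirect. 10.10.10.10 is a placeholder ISE PSN address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed switch ACL: deny what must not be intercepted, permit web traffic.
SWITCH_REDIRECT_ACL = """
ip access-list extended REDIRECT-ACL
 remark switch: deny = forward normally, permit = redirect to portal
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip any host 10.10.10.10
 permit tcp any any eq www
 permit tcp any any eq 443
"""

# Constructed WLC ACL (IOS-style notation): permit what must bypass redirection.
WLC_REDIRECT_ACL = """
remark wlc: permit = forward without redirection, deny = redirect to portal
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 10.10.10.10
permit ip host 10.10.10.10 any
deny   tcp any any eq www
deny   tcp any any eq 443
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Optional[str]    # None means 'any'
    sport: Optional[int]  # None means any port
    dst: Optional[str]
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int):
    """Accept 'any' or 'host A.B.C.D'; return (address or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def _parse_port(tokens: List[str], i: int):
    """Accept an optional 'eq <name|number>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse permit/deny lines in order; the header and remarks are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport))
    return aces


def _matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    return all(want is None or want == have for want, have in (
        (ace.src, flow.src), (ace.sport, flow.sport),
        (ace.dst, flow.dst), (ace.dport, flow.dport)))


def first_match(aces: List[Ace], flow: Flow) -> str:
    for ace in aces:
        if _matches(ace, flow):
            return ace.action
    return "deny"  # every Cisco ACL ends with an implicit deny


def is_redirected(aces: List[Ace], flow: Flow, platform: str) -> bool:
    action = first_match(aces, flow)
    if platform == "switch":
        return action == "permit"
    if platform == "wlc":
        return action == "deny"
    raise ValueError(f"unknown platform: {platform}")


# Constructed sample flows from a client at 10.20.0.5; 203.0.113.7 stands in
# for an Internet web server (documentation address range).
SAMPLE_FLOWS: Dict[str, Flow] = {
    "dhcp": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns": Flow("udp", "10.20.0.5", 50000, "10.20.0.1", 53),
    "psn": Flow("tcp", "10.20.0.5", 50001, "10.10.10.10", 8443),
    "http": Flow("tcp", "10.20.0.5", 50002, "203.0.113.7", 80),
    "https": Flow("tcp", "10.20.0.5", 50003, "203.0.113.7", 443),
    "ssh": Flow("tcp", "10.20.0.5", 50004, "203.0.113.7", 22),
}


def classify(acl_text: str, platform: str,
             flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, bool]:
    """Map each flow name to True if the ACL redirects it on that platform."""
    aces = parse_acl(acl_text)
    return {name: is_redirected(aces, flow, platform) for name, flow in flows.items()}


if __name__ == "__main__":
    for platform, acl in (("switch", SWITCH_REDIRECT_ACL), ("wlc", WLC_REDIRECT_ACL)):
        print(platform, classify(acl, platform))
```

Both ACLs leave DHCP, DNS and the PSN alone and redirect HTTP/HTTPS, but the implicit deny at the end behaves differently: on the switch an unmatched flow (the SSH sample) is simply forwarded, while on the WLC it is redirected. That is why the WLC list has to permit every exception explicitly; any flow you forget ends up at the portal.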
I went through the link below, which describes how we can create sub-interfaces and how we could use them when configuring our IPS in routed mode and transparent mode interfaces. But I want to configure them in Inline mode. Please help.
Configure VLAN Subinterfaces and 802.1Q Trunking
Firepower Threat Defense
Access: Admin, Administrator, Network Admin
VLAN subinterfaces let you divide a physical, redundant, or EtherChannel interface into multiple logical interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or devices.
Before You Begin
Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. This property is also true for the active physical interface in a redundant interface pair and for EtherChannel links. Because the physical, redundant, or EtherChannel interface must be enabled for the subinterface to pass traffic, ensure that the physical, redundant, or EtherChannel interface does not pass traffic by not naming the interface. If you want to let the physical, redundant, or EtherChannel interface pass untagged packets, you can name the interface as usual.
Select Devices > Device Management and click the edit icon for your Firepower Threat Defense device. The Interfaces tab is selected by default.
Click Add Interfaces > Sub Interface.
On the General tab, set the following parameters:
Interface —Choose the physical, redundant, or port-channel interface to which you want to add the subinterface.
Sub-Interface ID —Enter the subinterface ID as an integer between 1 and 4294967295. The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.
VLAN ID —Enter the VLAN ID between 1 and 4094 that will be used to tag the packets on this subinterface.
Click OK.
Click Save.
You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.
Configure the routed or transparent mode interface parameters. See Configure Routed Mode Interfaces or Configure Transparent Mode Interfaces.
I just need to confirm whether Cisco Firepower interfaces configured in an inline group can be configured and paired as sub-interfaces and then mapped to the zones, or whether I need to map physical interfaces only for inline interfaces.
Current: S1, S2 -> Inline Pair
Required: S1.1, S2.1 (VLAN 100) -> Inline Pair
Required: S1.2, S2.2 (VLAN 200) -> Inline Pair
My main objective is to create access policies based on the specific VLAN rather than the complete physical interfaces.
Thank you in advance.