SEC0194 - ISE 1.3 Posture Assessment with AnyConnect Client (Part 1)

This video looks at posture assessment on Cisco ISE 1.3. We continue from the wired EAP-TLS video and add configuration for the Cisco NAC Agent, then later replace it with the Cisco AnyConnect ISE Posture Module. Antivirus installation and signature-definition update checks using ClamWin Antivirus are performed before a domain user is allowed onto the network. Using wired Windows 7, we step through the posture assessment process, starting with the posture agent download, and along the way bring the test machine to a compliant state to gain full network access.

Part 1 of this video shows the configuration on ISE with the Cisco NAC Agent, and tests posture assessment without a posture policy.

Topic:
  • Authorization Policies
  • Posture Policies
  • Client Provisioning Policies
  • Policy Elements
    • Results (Authorization Profile, dACL, VLAN)
  • Posture Agent Profile
  • AnyConnect Agent Profile and Configuration
  • Cisco NAC Agent (Windows)
  • Cisco AnyConnect Client with ISE Posture Module (Windows)
  • Posture Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus

Note: AnyConnect ISE Posture Module requires AnyConnect APEX license in addition to ISE APEX license (even without VPN)

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

32 comments

I am stuck on this video.
I'm getting redirected to the provisioning portal, but first the switch is asking me to accept the switch certificate... am I supposed to install a cert on the switch?
I enabled ip http server and ip http secure-server on the switch.

The biggest issue: after accepting the switch cert and getting the provisioning portal, I click on Start to download the agent, but I am getting this error:
"An error occurred. Contact the help desk for assistance."
This is when I am in the unknown posture state.

Did I miss anything?

We have never seen a cert being presented by a switch before, so we are curious to see what that looks like. You should not have to install any cert on the switch. Please double check your client provisioning policy and make sure there is a matching policy for the session. Maybe try with the NAC Agent first and get that to work before switching to the AnyConnect ISE Posture Module.

The NAC Agent does not pop up automatically after the PC boots up and machine and user authentication happens.
I have to clear the auth sessions or bounce the port for the NAC Agent to pop up for remediation.
I have followed all the steps here over and over again but I can't get it right.

What state was the switchport in (as far as show auth session) after PC boot up and login? Is the PC physical or VM?

My PCs are physical machines. I am put in the unknown state. However, I realized it was a bug issue with 2960X IOS 15.0.2-EX5. I downgraded the IOS to 15.2(2)E and the agent could now pop up.

When you said downgraded, do you mean upgraded? Glad the problem is resolved for you.

I cannot find anti-virus vendors in the vendor drop-down when defining posture compound conditions.

Do you mean you cannot see ANY vendor, or a specific one that you need? Try to run the online update manually and make sure you also have it set up to update periodically.

Thanks Metha,
I was able to get the anti-virus vendors after running the online update manually and setting the updates to run periodically.

Hi Metha,

At 06:41 do you actually mean permit instead of deny on the ACL? You do actually say permit, and that would make sense as that would create a captive environment forcing access to the ISE server?

Thanks,

Jim

A redirect ACL uses Deny to allow traffic you want to pass through (e.g. DNS, ISE, remediation server) and uses Permit to match traffic that you want to have redirected to the ISE portal page.

When redirected to the client provisioning portal to download the NAC Agent, when I click the 'Start' button to start downloading the agent, I get a success page instead of the agent download.
Could this be a bug, or is there a configuration I am missing? I am running ISE 1.4.0.253.
Regards,
Justus

That is certainly strange. We are not aware of any bug with such behavior. Please make sure that you have configured the Client Provisioning policy properly and there is a rule that matches the user session. Also, you might want to restart the service/server if you have not already.

Hi Metha,

I want to start by saying I love this Site!

What do you mean by this statement? "Note: AnyConnect ISE Posture Module requires AnyConnect APEX license in addition to ISE APEX license (even without VPN)" I have the ISE APEX license, and I can get the AnyConnect APEX license, but where would I apply those licenses? Are they applied on the ISE? Thanks!

AnyConnect APEX gives you the right to use the AnyConnect client with the ISE posture module. You just need to purchase it to match your total number of users. There is no need to apply the license anywhere. If you also have an ASA and want to enable AnyConnect VPN, the PAK can be fulfilled against the ASA serial.

We are glad you like our site :-)

Hello,
My configuration for dot1x includes a GPO on Server 2008 and PEAP authentication with MSCHAPv2, with "validate certificate" unchecked.
My configuration is for unknown posture. When my PC tries to download the NAC Agent in the unknown state, it prompts to accept and install a certificate, but I do not want to install and validate
any certificate. What do I do?

The dot1x GPO config has nothing to do with the cert encountered during the NAC Agent download. That cert is from the HTTPS connection to ISE. To avoid that cert prompt, you need to have the proper cert selected for the Client Provisioning portal. The cert needs to have the ISE hostname as common name (or a wildcard) and be signed either by a trusted public CA or by an enterprise CA that the clients trust.

Hi Metha,
Great job, but why did you leave the discovery host empty?
I think we should put the PSN IP.
2- What is the difference between the two ACLs, Clam redirect and ACL-redirect?

Thanks man.

There is no particular reason. You can hardcode it if you like. Here we let the client automatically discover the PSN from the redirect URL. You can see this field is not mandatory.

The Clam redirect ACL allows the client to contact the Clam server to download the software, in this case on the internet, while the ACL-redirect catches all traffic.
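The redirect-ACL semantics described in the two answers above (deny = pass through untouched, permit = intercept and redirect, with the Clam variant additionally exempting the download host), written out as an added IOS example that is not from the video or the lab document; the ACL names and all addresses are placeholders.

```cisco
! Added example, not from the labminutes lab. Placeholder addresses:
!   10.1.1.10    = ISE PSN (portal the client is redirected to)
!   10.1.1.5     = internal DNS server
!   203.0.113.20 = ClamWin download host on the internet
!
! In a URL-redirect ACL the sense is inverted compared to a filtering ACL:
!   deny   = leave this traffic alone (it passes through normally)
!   permit = intercept this traffic and redirect it to the ISE portal
! Whether the pass-through traffic is actually allowed is decided
! separately by the dACL/VLAN in the authorization profile.
ip access-list extended ACL-REDIRECT
 remark --- pass-through: DNS, DHCP and the ISE PSN itself ---
 deny   udp any host 10.1.1.5 eq domain
 deny   udp any any eq bootps
 deny   ip  any host 10.1.1.10
 remark --- everything else is caught and redirected to ISE ---
 permit ip  any any
!
ip access-list extended ACL-CLAM-REDIRECT
 remark --- same pass-through set, plus the remediation download host ---
 deny   udp any host 10.1.1.5 eq domain
 deny   udp any any eq bootps
 deny   ip  any host 10.1.1.10
 deny   ip  any host 203.0.113.20
 remark --- everything else is still redirected ---
 permit ip  any any
!
! The switch must run its HTTP/HTTPS server for the interception to work;
! the ACL name is what the ISE authorization profile's web-redirection
! setting pushes to the switch for the session.
ip http server
ip http secure-server
```

On the switch, `show authentication sessions interface <port> details` lists the URL-redirect ACL and URL currently applied to a session, which is the quickest way to confirm the right ACL was pushed.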

Can I distribute the NAM module also using ISE along with the posture module? If so, how will I configure the client provisioning policy to distribute both the NAM module and the posture module?

Yes, you can. This is under the AnyConnect config profile. In addition to VPN and ISE posture, you can check the NAM check box and upload the corresponding .xml file you want to distribute to your users.

Guys, do you encounter this issue in ISE 1.3?

What exact issue are you encountering?

Hi labminutes,
I want to ask whether ISE can keep tracking endpoint compliance after the endpoint passes the first check. Let's say that an endpoint has installed and updated its anti-virus, so it passes the compliance policy and gets access to the network. But after that, the user turns off or uninstalls the anti-virus. Can ISE discover that and deny the endpoint access until it is compliant again?

You should be able to configure the posture agent to periodically perform reassessment while endpoints remain connected to the network, and issue a CoA should an endpoint become non-compliant. There is no way to do it in real time. Obviously, if an endpoint loses connection and reconnects, it will immediately be reassessed.

Hi Metha,

I am configuring the posture functionality for a client. I started with the simplest way, just trying to pop up the NAC Agent and be compliant.

The thing is that the NAC Agent is already installed (and running) on the PC because the users don't have admin permissions. When the redirection to the posture portal occurs, instead of recognizing the agent, a new window appears asking to repair or uninstall the agent.

As far as I checked, the NAC Agents have the same version (the one installed on the PC and the one provided by ISE), 4.9.5.10. The ISE version is 2.1 (patch 3).

Am I missing something?

Thank you!

It looks like the NAC Agent is not installed properly on the client. Our suggestion is to move to the AnyConnect ISE Posture Agent, as the NAC Agent is now considered obsolete.

Thank you! I will do that.

Finally, I established the AnyConnect ISE Posture VPN solution with no issues. I had to play with the ISEPostureCFG.xml file in order for my PC to reach the PSN (no internet access and no default-gateway reply on port 80) by using a private IP address.

I have a new question, and I hope you can help me. When the System Scan is working, an AnyConnect certificate warning (for the PSN) appears: "certificate does not match the server name!" Where does AnyConnect search for the certificate? The Personal store?

I have read that it may be a problem to have an IP defined in the SAN?

Thank you in advance.

We never ran into this cert issue. What type of cert do you have installed on ISE, and does it match the hostname in the posture redirect URL?

It is a certificate validated by the client's CA, and the CN and one attribute of the SAN have the hostname of the posture redirect URL. Also, the IP of the server is defined in the SAN.

I have read that the ASA doesn't like multi-SAN certificates very much, but I don't know if it has anything to do with this.

That is strange. This should have nothing to do with the ASA. If you never get cert warning/error for web admin portal or 802.1X, this should not be a problem.