You are here
SEC0055 - ISE 1.1 Posture Assessment with NAC Agent (Part 1)
Difficulty Level:
Lab Document:
<Please login to see the content>
Category:
Security
The video looks at posture assessment configuration on Cisco ISE. We will be performing Antivirus installation, and signature definition update checks before allowing a domain user onto the network. Using wired Windows 7 and ClamWin Antivirus as an example, we will step through the posture assessment process, starting from NAC Agent download, and, along the way, try to bring our test machine to a compliant state to gain full network access.
In part 1, we will be configuring authentication, authorization, and client provisioning policies to allow client to download a NAC Agent.
Topic:
- Authorization Policies
- Posture Policies
- Client Provisioning Policies
-
Policy Elements
- Conditions (Authorization)
- Results (Authorization Profile, dACL, VLAN)
- Posture Agent Profile
- Cisco NAC Agent (Windows)
- NAC Compliant/Non-Compliant/Unknown States
- ClamWin Antivirus
Note:
- NAC Agent uses SWISS protocol (UDP/8905) to communicate with ISE
8 comments
Multiple discovery hosts
Hello, if there are multiple PSNs, how do you add them without manually changing the NAC agent profile to point to a particular PSN. In other words, how can I make the NAC agent to point to whichever PSN responds first.
Multiple discovery hosts
My understanding is there is nothing you really need to do on the NAC agent side. The PSN server should be automatically selected based on the RADIUS server config on the switch/WLC. Are you experiencing something different?
Limit user access ISE web portal
Default everyone (any IP address) with right username and pasword can access ISE web portal. I want to limit that only specific IP can access ISE web portal. Please show me how to do that !
Limit user access ISE web portal
Are you talking about the web GUI admin? If so, there should be a section under Administration > Admin that allow you restrict IP that can access the GUI.
Authorization Profiles
About VLAN check box in Authorization Profiles, Tag ID : 1, Edit Tag ID/Name : 63 mean if match the rule have this Authorization Profiles, then vlan ID of port change from 1 to 63 right ? But if in the interface connect to Endpoint if i execute command : "switchport access vlan 1". Is Dynamic vlan still effect or not ?
And about DACL, it only requied the switch support DACL or we need to do something else on switch for DACL take effect
Authorization Profiles
VLAN you configure in Auth Profile on ISE will override whatever VLAN you set on the switchport as long as that VLAN is created in the VLAN database. dACL from ISE will only be accepted by the switch if the switch support dACL and has aaa network autorization enabled.
Reauthentication
When user login success, after some time the login pop-up appear in Clent pc and ask user re-type there username or password. Where i can disable reauthentication ?? On switch, on ISE or both ??
Reauthentication
If it is a domain computer, user should never be prompted if you have .1x profile configured to use windows credential. Reauth can be disabled on switchport.