View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0056 - ISE 1.1 Posture Assessment with NAC Agent (Part 2)

Rating: 
4.666665
Average: 4.7 (3 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>

The video looks at posture assessment configuration on Cisco ISE. We will be performing Antivirus installation, and signature definition update checks before allowing a domain user onto the network.  Using wired Windows 7 and ClamWin Antivirus as an example, we will step through the posture assessment process, starting from NAC Agent download, and, along the way, try to bring our test machine to a compliant state to gain full network access. 

In part 2, we will be configuring posture policies to perform Antivirus checks, and test our configuration performed in part 1. 
Topic:
  • Authorization Policies
  • Posture Policies
  • Client Provisioning Policies
  • Policy Elements
    • Conditions (Authorization)
    • Results (Authorization Profile, dACL, VLAN)
  • Posture Agent Profile
  • Cisco NAC Agent (Windows)
  • NAC Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus
Note:
  • NAC Agent uses SWISS protocol (UDP/8905) to communicate with ISE

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

28 comments

For the purposes of the lab, I configured a Squid proxy server on one of my Linux servers. Then in the ClamWin interface, specify the proxy server. The DACL-ISE-CLAM can include the proxy server, and the proxy server itself could be configured to only service AV update requests, based on fqdn or file type.

Once this is configured, the Repair / Update button from Cisco NAC Agent, works fine, and ClamWin is updated automatically.

Generally, companies will have commercial AV products with local management consoles, but this proxy method is good enough for a lab environment.

That is a great way to test remediation functionality. Thanks for sharing Chris.

Are these standard policies from the install or did you create these? My screen has nothing when I bring up the page on my machine.

BTW: These ISE videos are AWESOME - Thanks for making them available

The posture policies were create in the Part 1 of the video. Here is the link
SEC0055 - ISE 1.1 Posture Assessment with NAC Agent (Part 1)

Hello,
Really glad to find your blog it's been a great life save in my ongoing POC.
Just need to clear out some doubt. I discover that you did not include machine authc in your config and looking at Cisco Doc on posture it only create rule for non-complaint and complaint employee.

Why is machine authc left out. I thought it will be good if machine first authenticate before proceeding to users authc/authz on which posture will be based since your posture is users based and not machine base.

Thanks,

Thank you for your comment. While we cannot cover all possible deployment scenarios, you can certainly combine what we have gone through on each video, in your case machine auth and posture, and produce a desired solution. 
We are glad you find our video helpful so please feel free to share to your friends and colleagues.

Hi
I have ISE and NAC agent 4.9.0.42 installed on all PC
But I observed that
- on some computer NAC agent popup with timer (59s) , then timer decrement from 59 to 0s, NAC agen check the pc during this time, then if pc is compliant he get access
- and on other computer without timer, the NAC agent popup; then NAC agent check the pc during few second, then if pc is compliant he get access

I would like to know what is the difference between the 2 NAC agent
For the NAC agent with timer, Is it possible to modify the timer (for exemple from 59 second to 15 second)

Thanks in advance

Hmm. Don't recall ever seeing those countdown timers when NAC agent assessing the computer. You don't really have control on how long it will take the NAC Agent to run. The only two places I can think of that allow you to adjust any parameters are the posture global settings and NAc profile setting. The only time I recall seeing countdown timer is when NAC agent ran successfully and waiting to close the result windows.

Hi,
I have followed this video , all was fine till I was testing the client Provisioning , once the user log in ,I can see the correct authorization profile on ISE log (LM-WIRED-UNKNOWN) , but the machine loses it is IP and off course there will be no redirection ...on the switch I have already the redirection ACL , and I can see it is downloaded correctly ...any clue where I should strat troubleshooting ? the DACL used in the authorization profile allow DHCP/DNS & traffic to ISE , while redirection ACL is the opposite of that .

thank you for your help

So the machine losst IP after user successfully logged into Windows? That's sounds kinda strange. Do you do any VLAN switching? That's that only thing I can think of that might cause the machine to lose IP. If you remove the posture check completely and just do 802.1X authen, does machine still lose IP?

Hi,
Thanks for your reply , Actually I found a problem with my DHCP server , that's why the machine was losing its IP address. Now every thing looks fine , after the user log in , the switch received the DACL and the redirection URL from the ISE , this is shown in "show auth sess int" and in epm logging. The problem is that once the client open the browser , the direction is not happening .. I used the command debug epm redirect , and did few tests and shows , it seems that there is no hit on www port in the Redirect ACL .. In the Redirect ACL , we permit tcp any any eq www & 443 only , do I need to permit 8433 also ? in your scenario you did not ...
how can i change the redirection URL to be http not https ?

thanks

The permit on the redirect ACL refers to traffic that need to be redirected which is usually on TCP/80,443. You would not want to redirect traffic to ISE portal on TCP/8443 and that's why it is not included in the ACL. Please make sure that the client machine can resolve the ISE server name in the redirect URL and ISE IP is permitted in the DACL. You should also see hits on the redirect ACL when you try to get to the internet. You can't change the redirect URL nor that you need to.

Hi ,

I got it to work , I use this Redirection ACL :
deny ip any host ise-ip
deny ip any host remediation-server-ip
permit ip any any.

also I changed the NAC agent version , I use the latest and it works fine , except that the user login time become very long , is there any thing we can do about it?

thanks a lot for your help

Long user login time usually means the machine cannot communicte with domain controllers or some other services. Try to ptermit all after successful machine auth and if login becomes faster, then you know something is being blocked and you might need to sniff it out to find out.

hi , you were right , long time user login was related to the communication with AD , I allowed the full access to the AD and login becomes normal.. thanks alot.

my last question, if you do not mind , while I'm testing the part where you configured an optional AV DEF check , I notice that when the posture complete and only the optional AV DEF requirement is not met if I click continue , it takes very long time before I got the complaint Access , it takes about 2 minutes , after that it works fine .
my question , when posture assessment completed with all mandatory requirements met , and only optional requirements are not met , then we chose to continue ,whats really happening between the NAC agent and ISE at this stage ? why It takes all this time before the posture process complete .

appreciate you help

thanks

Good question. Wouldn't think it would take that long after clicking continue. If you remove the optional requirement, do you immediately get full network access?

hi
I removed the optional requirement , and I installed Clamwin AV , it takes around 1 minute for NAC agent to discover that AV is installed and I'm getting full network access after that.

before I install the clanwin AV , the NAC agent immediately discovered the there is no clamwin AV and that there is an optional requirement , but after installing the AV , NAC agent takes longer time to figure out that AV is installed , and give the full access .

it could be related to NAC agent version 4.9.5.4 ...maybe

We tested the optional AV definition check in our lab and it took about a minute after user click to continue. Normally, if there are more checks to perform, it will take the agent longer. With 1 or 2 checks, taking around 30sec - 1 min is normal. Definitely try different version of agent to test but it is unlikely that it will make much difference.

I am trying to use Eap-Chaining combined with Posture, in my posture I want to make sure the AV is installed, but for some reason that I don't know, my machine is always in the UNKNOWN posture state. Even that I have the NAC agent installed.
So: I have the same rule created for eap-chaining, to which I added the condition to posture, but even that I have the NAC installed on the machine , ISE is still saying machine posture state unknown.
Any idea on what could be the issue. As of why ISE is not detecting my NAC agent.

So how far along in the posture assessment process were you? It sounds like you were able to get URL redirected to download NAC agent and install it properly. Did you get the NAC agent window popup to assess your machine? You might want to remove all the posture policy at first and make sure NAC agent can run to completion and become compliant before enforing any posture checks,

my URL is not working and wasn't working, I manually installed the NAC agent on the laptop to see the difference, and still no go.

when I connect the lap top into the port this is what I get downloaded.
Interface: GigabitEthernet1/0/5
MAC Address: d4be.d975.314e
IP Address: Unknown
User-Name: dtavares
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-Allow_ISE_AVInstall-54f7588e
URL Redirect ACL: ALC_Redirect_AV
URL Redirect: https://server.domain.com:8443/portal/gateway?sessionId=0A640267000000CE...
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A640267000000CE1EAA170A
Acct Session ID: 0x000000FA
Handle: 0xB40000CF

Runnable methods list:
Method State

dot1x Authc Success

Extended IP access list xACSACLx-IP-Allow_ISE_AVInstall-54f7588e (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.100.1.40 ---> this is my primary ISE
40 permit ip any host 10.100.130.40 ---> this is my seconday ISE
50 permit ip any host 10.100.1.249 ----> this is my domain controller and DNS Server
60 deny ip any any log

Extended IP access list ALC_Redirect_AV
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.100.1.40
40 deny ip any host 10.100.130.40
50 permit tcp any any eq www
60 permit tcp any any eq 443
70 deny ip any any

ISE seems to have pused down correct profile to the port. You might want to first try copy/paste the redirect URL from the show command above to the client browser and see if you can get to ISE portal. If you can, that means the switch fails to redirect the traffic so make sure http server is enabled on the switch WITHOUT any access-class ACL. If you cannot, there might be something wrong with either your ACLs or routing from client machine to ISE, possibly check potential FW in between. Please note that URL redirection needs to work for NAC agent to do its things even when you install the agent manually.

I am getting the same issue where the NAC agent is not being pushed to the PC. Any other thoughts? I verify that the client can ping the gateway, but not 8.8.8.8. If I copy and paste the URL in the browser, I get the prompt to download the agent.

SW#show authentication sessions interface g1/0/44
Interface: GigabitEthernet1/0/44
MAC Address: 00b5.6d00.6fc3
IP Address: 10.128.32.58
User-Name: username
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc
URL Redirect ACL: TAC-Redirect
URL Redirect: https://10.128.1.20:8443/portal/gateway?sessionId=0A80041C00000A053AFFCB...
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A80041C00000A053AFFCBAC
Acct Session ID: 0x00000AF8
Handle: 0x9F000A06

Runnable methods list:
Method State
dot1x Authc Success
mab Not run

Extended IP access list TAC-Redirect
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.128.1.20
40 deny ip any host 10.129.1.20
50 permit tcp any any eq www
60 permit tcp any any eq 443
70 permit tcp any any eq 8443

The dynamic ACL xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc is a permit ip any any

It is strange that you have the IP in the redirect URL instead of node FQDN. Are you using Gi0 on ISE server or other interfaces. Do you have http enabled on the switch?

I am using G0 on the ISE server. Should I be using the FQDN? ip http server and secure server are enabled on the switch. I get no pop up whatsoever. When I open the browser it just spins and does nothing. The only thing I can think of is in the Client Provisioning policy I don't have the Compliance module enabled in the results table but only the NAC agent and Profile

Yes try FQDN since FQDN should be the default URL. Not sure how it became an IP. When the browser was spinning, did you see the redirect URL on the URL bar or you don't even see that. You will definitely need to have Compliance module configured along with the Agent packages.

The FQDN did not solve it. It somehow seemed to be a routing issue. The setup is like this - access switch---->core switch. The default gw of the access switch is the core switch. The core switch has SVIs for all of the other VLANs but not the one we were testing with. Routing for that VLAN is done on the firewall. So I moved the user to another VLAN on the access switch and got the redirection page :) Thanks for your assistance.

Strange since it worked if you copy/paste the redirect URL. Either way, glad it worked out for you :)

Poll

Vote for the Next Video Series