View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0194 - ISE 1.3 Posture Assessment with AnyConnect Client (Part 1)

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
The video looks at posture assessment on Cisco ISE 1.3. We will continue from the wired EAP-TLS video and add configuration for Cisco NAC agent, and then later replace it with Cisco AnyConnect ISE posture module. Antivirus installation, and signature definition update checks using ClamWin Antivirus will be performed before allowing a domain user onto the network. Using wired Windows 7, we will step through the posture assessment process, starting with Posture Agent download, and, along the way, try to bring our test machine to a compliant state to gain full network access. 
 
Part 1 of this video shows configuration on ISE with Cisco NAC Agent, and tests posture assessment without posture policy
 
Topic:
  • Authorization Policies
  • Posture Policies
  • Client Provisioning Policies
  • Policy Elements
    • Results (Authorization Profile, dACL, VLAN)
  • Posture Agent Profile
  • AnyConnect Agent Profile and Configuration
  • Cisco NAC Agent (Windows)
  • Cisco AnyConnect Client with ISE Posture Module (Windows)
  • Posture Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus

Note: AnyConnect ISE Posture Module requires AnyConnect APEX license in addition to ISE APEX license (even without VPN)

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

32 comments

I am stuck on this video.
I'm getting redirected to the provisioning portal, but first the switch is asking me to accept the Switch-certificate..... am I suppose to install cert on the switch ?
I enabled ip http server and ip http secure-server on the switch.

the biggest issue, after accepting the switch-cert and after getting the provisioning portal. I click on start to download the agent. but I am getting this error:
"An error occurred. Contact the help desk for assistance. "
this is when I am in unknown posture state.

did I miss anything ?

We have never seen a cert being presented by a switch before so curious to see what that looks like. You should not have to install any cert on the switch. Please double check your client provisioning policy and make sure there is a matching policy for the session. May be try with NAC agent first and get that to work before switching to AnyConnect ISE Posture Module

the NAC AGENT does not pop up automatically after the PC boots up and machine and user authentication happens.
i have to clear the auth sessions or bounce the port for the NAC AGENT to pop up for remediation.
i have followed all the steps here over and over again but i cant get it right

What state was the switchport in (as far as show auth session) after PC boot up and login? Is the PC physical or VM?

my PCs are physical machine. i am put on the unknown state. however, i realized it was a bug issue with 2960X IOS 15.0.2-EX5. i downgraded the ios to IOS 15.2(2)E and the agent could now pop-up

When you said downgraded, do you mean upgraded? Glad the problem is resolved for you.

i can not find anti-virus vendors on the vendor drop-down when defining posture compound conditions ..

Do you mean you cannot see ANY vendor, or a specific one that you need? Try to run the online update manually and make sure you also have it setup to periodically update.

Thanks Metha,
i was able to get the anti-virus after running the online update manually and setting the updates periodically

Hi Metha,

At 06.41 do you actually mean permit instead of deny on the ACL? You do actually say permit and that would make sense as that would create a captive environment forcing access to the ISE server?

Thanks,

Jim

Redirect ACL uses Deny to allow traffic you want to pass through (eg. DNS, ISE, remediation server) and uses Permit to match traffic that you want to have redirected to ISE portal page.

when redirected to the client provisioning portal to download the NAC Agent, when i click the 'start' button to start downloading the agent, i get a success page instead of the agent download.
Could this be a bug or there is a configuration i am missing ? i am running ise 1.4.0.253
Regards,
Justus

That is certainly strange. We are not aware of any bug with such behavior. Please make sure that you have configured Client Provisioning policy properly and there is rule that matches the user session. Also you might want to restart service/server is not already.

Hi Metha,

I want to start by saying I love this Site!

What do you mean by this statement? "Note: AnyConnect ISE Posture Module requires AnyConnect APEX license in addition to ISE APEX license (even without VPN)" I have the ISE APEX license, I can get the Anyconnect APEX license but where would I apply those licenses? Are they applied on the ISE? Thanks!

AnyConnect APEX gives you a right to use AnyConnect client with ISE posture module. You just need to purchase it to match your total number of users. There is no need to apply license anywhere. If you also have an ASA and want to enable AnyConnect VPN, the PAK can be fufilled agasint the ASA serial.

We are glad you like our site :-)

hello
My configuration for dot1x include GPO on server 2008 and PEAP authentication with MSCHAPv2 and uncheck validate certificate .
My configuration for unknown posture . when my PC try to download NAC Agent in unknown state its prompt to accept and install certificate . but i no want to install and validate
any certificate. what do i do ?

dot1x GPO config has nothing to do with the cert encountered during NAC agent download. That cert is from the https connection to ISE. To avoid that cert, you need to have proper cert selected for Client Provisioning portal. The cert need to have ISE hostname as common name (or wildcard) and either be signed by a trusted public CA, or enterprise CA that the clients trust.

Hi metha,
Great Job, but why did you leave the discovery host empty?
i think we should put the PSN IP.
2- what is difference betw the 2 ACL calm redirect and ACL-redirect ?

Thanks man,.

There is no particular reason. You can hardcode it is your like. Here we let the client automatically discover the PSN from the redirect URL. You can see this field is not mandatory.

The Clam redirect ACL allow client contacting Clam server to download the software, in this case, on the internet, while the ACL-redirect catches all traffic

can i distribute the NAM module also using ise along with the posture ?, if so, how i will confure client provisionning policy to distribute both of NAM Module and Posture module ?

Yes you can. This is under the AnyConnect config profile. In addition to VPN and ISE posture, you can check the NAM check box and upload the corresponding .xml file you want to distribute to your users.

Guys, do you encounter this issue in ISE 1.3?

What exact issue are you encountering?

Hi labminutes,
I want to ask can ISE keep tracking endpoint compliance after endpoint pass the first check. Let say that Endpoint has install and update anti-virus, so it pass the compliance policy and get access to network. But after that, User turn off or uninstall Anti-virus. Can ISE discover that and deny Endpoint to access untill it compliance again ?

You should be able to configure posture agent to periodically perform reassessment while endpoints remains connected to the network and issue CoA should endpoint becomes non-compliant. There is no way to do it real-time. Obviously if endpoint lose connection and reconnect, it will immediately be reassessed. 

Hi Metha,

I am configuring in a client the posture functionality. I started with the simplest way, just trying to pop up the NAC Agent and be compliant.

The thing is that, the NAC Agent is already installed (and executed) in the PC because the users don't have admin permissions. When the redirection occurs to the posture portal, instead of recognizing the agent, a new window appears asking for repair or uninstall the agent.

As far as I checked, NAC Agents have the same versions (the one installed in the PC and the one provided by ISE), 4.9.5.10. ISE version is 2.1 (patch 3).

Am I missing something?

Thank you!

It looks like the NAC Agent is not installed properly on the client. Our suggestion is to move to AnyConnect ISE Posture Agent as NAC Agent is now considered obsolete. 

Thank you! I will do that.

Finally, I established the Anyconnect ISE Posture VPN solution with no issues. I had to play with the ISEPostureCFG.xml file in order to my PC reaching the PSN (no internet access and no default-gateway replay in port 80) by using IP private address.

I have a new question, I hope you can help me. When the System Scan is working an Anyconnect certificate warning (of the PSN) appears: "certificate not match the server name!. Where does Anyconnect search for the Certificate? Personal Store name?

I have read that may be is a problem to have defined an IP in the SAN?

Thank you in advance.

We never ran into this cert issue. What type of cert do you have installed on ISE and does it match hostname in the the posture redirect URL?

It is a certificate validated by the CA of the client and the CN and one attribute of the SAN has the hostname of the posture redirect URL. Also in the SAN is defined the IP of the server.

I have read that the ASA doesn't like very much the multi-SAN but I don't know if it has anything to do with this.

That is strange. This should have nothing to do with the ASA. If you never get cert warning/error for web admin portal or 802.1X, this should not be a problem.

Poll

Vote for the Next Video Series