Cisco ISE (1.3) Posture without Client Provisioning

Similar Messages

• ISE 1.0 Posture and Client provisioning

  I've configured 802.1x with dynamic VLAN for users and MAB for phones - it works fine. Now I wanna to implement client provisioning and posture validation for users. After reading ISE user guide there are still several big questions:
  1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
  2. How can I bind existing 802.1x authorization profile and posture policy?
  3. What is a switch configuration for client provisioning to work(redirect, quarantine zone, download NAC agent)?
  4. Do ISE posture and client provisioning have L2 virtual gateway, trusted and untrusted ports, as in NAC?

  With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with Radius, that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
  Still, with ISE you have another option of "inline Posture", in which there's trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
  On the other hand, so called "out-of-band" NAC was really always an inline solution, only after the user has authenticated and security policies have been verified then the user goes "out-of-band".

• Cisco ISE (1.3) Posture and re-authentication

  Hello,
  With posture and re-authentication, during the re-authentication the posture status swithes to pending. This results in a redirect to client provisioning and a temperorly but unwanted state with no access to network resources.
  Is there a way to work around this?
  Regards,
  Dennis

   24423  ISE has not been able to confirm previous successful machine authentication  
  Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
  first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
  log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

• Cisco ISE with EAP-FAST and PAC provisioning

  Hi,
  I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
  Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
  If you have any documents, it would be appreciated for me.
  Thanks,
  Pongsatorn

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• Cisco ISE trying to posture a device that should not be able to be postured

  Overview:
  Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
  Mobile device authorisation policy configured:
  Problem:
  A few days later, mobile devices doesn't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies  mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.
  Troubleshooting:
  I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".
  I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.
  Have any of you guys experienced this before?

  Hi,
  I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.
  I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.
  Tarik Admani
  *Please rate helpful posts*

• Remote Access VPN posturing with Cisco ISE 1.1.1

  Hi all,
  we would like to start using our ISE for Remote VPN access.
  We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
  That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
  I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
  We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
  I know ISR's are support NADs but what about ASRs? There is no mention.
  Any advise will be appreciated!
  Mario

  OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
  thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
  essentially my requirements are
  2-factor authentication VPN using a Certificate & RSA Token
  Posturing of the VPN endpoint.
  Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
  Can anyone help?
  Mario

• ISE 1.2 device registration with MAB only, no client provisioning

  Hello,
  Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
  I do not want to push certificates or native supplicant profiles to client devices.
  I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
  Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
  Right now, i am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
  Am i really obliged to use native supplicant provisioning to register my device ?
  GN

  Hi
  Device Registration web auth is a process where you can configure user without client provisioning.
  In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
  1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with a AUP acceptance page when the guest user attempts to go to any URL.
  2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
  3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
  4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
  5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
  6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.

• Cisco ISE authentication failed because client reject certificate

  Hi Experts,
  I am a newbie in ISE and having problem in my first step in authentication. Please help.
  I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
  Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
  Regards,
  Ratna

  Certificate-Based User Authentication via Supplicant Failing
  Symptoms or
  Issue
  User authentication is failing on the client machine, and the user is receiving a
  “RADIUS Access-Reject” form of message.
  Conditions (This issue occurs with authentication protocols that require certificate validation.)
  Possible Authentications report failure reasons:
  • “Authentication failed: 11514 Unexpectedly received empty TLS message;
  treating as a rejection by the client”
  • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
  the client rejected the Cisco ISE local-certificate”
  Click the magnifying glass icon from Authentications to display the following output
  in the Authentication Report:
  • 12305 Prepared EAP-Request with another PEAP challenge
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is reusing an existing session
  • 12304 Extracted EAP-Response containing PEAP challenge-response
  • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
  client
  • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
  client
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is re-using an existing session
  • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
  • 12815 Extracted TLS Alert message
  • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
  Cisco ISE local-certificate
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  Note This is an indication that the client does not have or does not trust the Cisco
  ISE certificates.
  Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
  The client machine is configured to validate the server certificate, but is not
  configured to trust the Cisco ISE certificate.
  Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

• Cisco ISE multiple EAP authentication methods question

  With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
  My current efforts seem to fail as if a device gets a request from the ISE for an EAP method it doesnt understand it just times out.
  Thanks in advance.

  Multiple EAP Methods work fine. If your Clients are being crap you could try forcing then to use a specific set of Allowed Authentication Method by creating more specific Authentication rules.
  Sent from Cisco Technical Support iPad App

• Cisco ISE some Radius issues

  Dear guys,
       I deployed Cisco ISE for Network Access Control. My topology as described as attached image. I configured Cisco ISE as Radius Server for Client Access Control. But, I got some problems such as:
  No Accounting Start. (I have configured accouting on Switch 2960).
  Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
  I would greatly appreciate any help you can give me in working this problem.
  Have a nice day,
  Thanks and Regrads,

  Sorry for late reply.
  Here is my switch config.
  Current configuration : 8630 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Switch
  boot-start-marker
  boot-end-marker
  no logging console
  enable password ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting delay-start all
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa server radius dynamic-author
   client A.B.C.D server-key keystrings
  aaa session-id common
  system mtu routing 1500
  vtp mode transparent
  ip dhcp snooping
  ip device tracking
  crypto pki trustpoint TP-self-signed-447922560
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-447922560
   revocation-check none
   rsakeypair TP-self-signed-447922560
  crypto pki certificate chain TP-self-signed-447922560
   certificate self-signed 01
    xxxxx
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  vlan 139,153,401-402,999,1501-1502
  interface FastEthernet0/11
   switchport access vlan 139
   switchport mode access
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   authentication periodic
   authentication timer inactivity 180
   authentication violation restrict
   mab
  interface FastEthernet0/12
   switchport access vlan 139
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize vlan 139
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication timer inactivity 180
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
  interface GigabitEthernet0/1
   switchport mode trunk
  interface GigabitEthernet0/2
  interface Vlan1
   no ip address
  interface Vlan139
   ip address E.F.G.H 255.255.255.0
  ip default-gateway I.J.K.L
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   permit ip any any
  ip access-list extended ACL-DEFAULT
   remark Allow DHCP
   permit udp any eq bootpc any eq bootps
   remark Allow DNS
   permit udp any any eq domain
   permit icmp any any
   permit tcp any host A.B.C.D eq 8443
   permit tcp any host A.B.C.D eq 443
   permit tcp any host A.B.C.D eq www
   permit tcp any host A.B.C.D eq 8905
   permit tcp any host A.B.C.D eq 8909
   permit udp any host A.B.C.D eq 8905
   permit udp any host A.B.C.D eq 8909
   deny   ip any any
  ip access-list extended ACL-WEBAUTH-REDIRECT
   permit tcp any any eq www
   permit tcp any any eq 443
   deny   ip any any
  ip radius source-interface Vlan139
  snmp-server community keystrings RW
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host A.B.C.D version 2c keystrings  mac-notification
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  line vty 5 15
  end
  My switch version is
  WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
  I would greatly appreciate any help you can give me in working this problem.

• Cisco ISE posture assesment and client provisioning

  Hello,
  I have Cisco ISE and Cisco IOS device. I have configured RADIUS in between these device.
  Also I have configured RADIUSbetween Cisco ISE and Cisco ASA. Now I want to know that how to do posture assesment for these devices(Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me whole steps to do posture assesment for cisco ios device in Cisco ise.
  Also, please provide me logs related to posture assesment and client provisioning.
  Thanks in advance.

  You may go through the below listed link to download a PDF link
  Posture assessment with ISE.
  http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE 802.1X Client Provisioning

  Hi,
  I have a requirement for ISE client provisioning for both Windows and mac. I have the following setup:
  1. 2 SSIDs, Guest and Employee
  2. Guest is open access
  3. Employee is 802.1x eap-peap (username/password)
  I was wondering if client local administrator privillege is required for 802.1x provisioning for windows client? I believe it is required for MAC OS however not too sure if it may be required for Windows?
  Example Employee A connect to Guest SSID and is redirect to the guest web portal. Upon login, they will be presented with the device registration portal. Upon being presented by the ISE on the supplication wizard, will they be requested for local administrator/domain admin privillege to install the supplicant wizard package/provisioning agent successfully?
  Any suggestion is appreciated.
  Thanks.

  Hi,
  Appreciate for the feedback.
  Thanks

• Posture setup in Cisco ISE

  Dears
  I am trying to configure the posture for the ISE but the result is always " Posture status : pending " and the agent can access all network resources without any problem .
  please help

  Please review the below steps:
  Step 1 Choose Administration > System > Deployment >  Deployment.
  The Deployment navigation menu appears. Use the  Table view or the List view button to display the
  nodes in your deployment.
  Step 2 Click the Table view.
  Step 3 Click the quick picker (right arrow)  icon to view the nodes that are registered in your deployment.
  The Table view displays all the nodes that are  registered in a row format in the Deployment Nodes page.
  The Deployment Nodes page displays the Cisco ISE  nodes that you have registered along with their
  names, personas, roles, and the replication status  for the secondary nodes in your deployment.
  Step 4 Choose a Cisco ISE node from the  Deployment Nodes page.
  Note If you have more than one node that is  registered in a distributed deployment, all the nodes that
  you have registered appear in the Deployment Nodes  page, apart from the primary node. You
  have the option to configure each node as a Cisco  Cisco ISE node (Administration, Policy
  Service, and Monitoring personas) or an Inline  Posture node.
  Step 5 Click Edit.
  The Edit Node page appears. This page contains the  General settings tab that is used to configure the
  Cisco ISE deployment. This page also features the  Profiling Configuration tab, which is used to
  configure the probes on each node.
  Note If you have the Policy Service persona  disabled, or if enabled but the Enable Profiler services
  option is not selected, then the Cisco ISE  administrator user interface does not display the
  Profiling Configuration tab. If you have the Policy  Service persona disabled on any Cisco ISE
  node, Cisco ISE displays only the General settings  tab. It does not display the Profiling
  Configuration tab that prevents you from  configuring the probes on the node.
  Step 6 On the General settings tab, check  the Policy Service check box, if it is already active.
  If the Policy Service check box is unchecked, both  the session services and the Profiler service check
  boxes are disabled.
  Step 7 For the Policy Service persona to run  the Network Access, Posture, Guest, and Client Provisioning
  session services, check the Enable Session Services  check box, if it is not already active. To stop the
  session services, uncheck the Enable Session  Services check box.
  The posture service only runs on Cisco Cisco ISE  nodes that assume the Policy Service persona
  and does not run on Cisco Cisco ISE nodes that  assume the administration and monitoring
  personas in a distributed deployment.
  Step 8 Click Save to save the node  configuration.

• Cisco ISE posture check for VPN

  Hello community,
  first of all thank you for taking time reading my post. I have a deployment in which requires the feature posture checks on VPN machines from Cisco ISE. I know logically once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the Anyconnect agent but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this? 
  Thank you!

  The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
  The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
  http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

• ISE 1.2 Posture Assessment with AnyConnect Client

  Hi Experts,
  I need clarity for posture assessment with AnyConnect client. I understood that we had traditional NAC agent with ISE 1.1.
  Since new Anyconnect version 4 has come which is used for ISE 1.3 posture assessment however I am not sure if I can use Anyconnect 4 with ISE 1.2 ?  Can you please put light on this ?
  if not , do I need to upgrade to ISE 1.3 ? what is the process to upgrade to ISE 1.3 ?
  Thanks in advance

  ISE can provision clients with agent and configure agent profiles.You have Client-provisioning policies that enable users to download and install resources on client devices.(Windows and Mac OS X NAC Agents, Cisco NAC Web Agent.