Cisco ISE posture assesment and client provisioning

Similar Messages

• ISE 1.0 Posture and Client provisioning

  I've configured 802.1x with dynamic VLAN for users and MAB for phones - it works fine. Now I wanna to implement client provisioning and posture validation for users. After reading ISE user guide there are still several big questions:
  1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
  2. How can I bind existing 802.1x authorization profile and posture policy?
  3. What is a switch configuration for client provisioning to work(redirect, quarantine zone, download NAC agent)?
  4. Do ISE posture and client provisioning have L2 virtual gateway, trusted and untrusted ports, as in NAC?

  With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with Radius, that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
  Still, with ISE you have another option of "inline Posture", in which there's trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
  On the other hand, so called "out-of-band" NAC was really always an inline solution, only after the user has authenticated and security policies have been verified then the user goes "out-of-band".

• Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

  We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
  They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
  From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
  Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
  One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
  I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
  Any thoughts? Thanks in advance.

  Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
  Thank you for rating helpful posts!

• I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

  I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
  SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor 

  I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
  Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
  Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
  I hope this helps.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Cisco ISE: Dot1x failing and MAB succeeded (Intermittent) /or Posture Delay

  Hi,
  We are running the cisco ise 1.1.3 and configured for the Dot1x and MAB authentications. PC's are getting access through MAB while Dot1x failing again and again. But, sometime, same PC is getting authenticating  via Dot1x. Connectivity is intermittent. Also, sometimes, stucks longer in Posture
  We have three different switches at the moment with the latest IOS version.
  1) WS-C4507R-E    =  15.1(2)SG,
  2) WS-C3560-48PS = 12.2(55)SE7
  3) WS-C3750X-24P = 15.0(2)SE1
  Could you anyone pitch the idea? or advise about the latest IOS for the switches.
  Let me know, if you need more information.
  Thanks,
  Regards,
  Mubahser

  It seems your PCs are failing dot1x and also failing MAB authentication, the switch by default will start the process again and will again fail dot1x and MAB authentication, and so on.
  It will be helpful to see the logs from both the switch and the radius servers (i take it is ACS or ISE). Also the configuration of the radius server.

• Cisco ISE posture check for VPN

  Hello community,
  first of all thank you for taking time reading my post. I have a deployment in which requires the feature posture checks on VPN machines from Cisco ISE. I know logically once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the Anyconnect agent but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this? 
  Thank you!

  The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
  The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
  http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

• ISE Posture to guest clients

  Hi Guys,
  i'd like to know if is it possible to make a posture to Guest Clients using the Web Agent  after they had been login into the portal.
  thanks

  Of Course it is possible. For detailed information please review the following guide
  Configuring Client Posture Policies
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html
  You can also create posture-specific authorization policies for all wired, wireless, and guest deployments by
  specifying the Session:PostureStatus attribute in the authorization policies. This attribute has three
  values, unknown, compliant, and noncompliant, which you can use n the authorization policies
  Regards,
  Ashok

• Cisco ISE NAC agent and Microsoft roaming profiles

  Hi there,
  I have installed Identity services engine version 1.1.3 in didstributed mode. The NAC agent is installed on the end user PC joined to the domain. when a user with a roaming profile logs into the PC, the NAC agent fails to run posture assesment, but if a user with non-roaming profile logs in, the NAC agent does posture and full network access is granted.
  Is there something i need to do to enable the NAC agent to perform posture for users with a roaming profile.
  Regards,
  Henry

  Hello,
  I found the following from the cicso doc. Hope it helps!
  The following failure  scenarios might cause the Cisco NAC Agent to appear following successful  user authentication when the client machine roams between CASs in Layer  3 (both In-Band and Out-of-Band) and Layer 2 /Layer 3 Out-of-Band  environments. Erroneous Agent login dialogs could also appear if users  roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC  network:
  –ARP poisoning
  –Temporary loss of network connection between the client machine and the CAS
  –Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
  Cisco offers the following recommendations to prevent this situation:
  –Ensure  all trusted networks (post-authentication) can reach the CAS untrusted  interface IP address through the CAS trusted interface only
  –Block  discovery packets from all non-NAC networks to the CAS untrusted  interface IP address (discovery packets that arrive on the trusted  interface of the CAS are blocked by default)
  For more information please refer to the following link:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html

• Cisco ISE 1.2 and AD Group

  Hello,
  I have Cisco ISE installed on my EXSi server for my test pilot. I have added several AD groups to ISE as well.
  I have created an Authorization policy condition, which is WIRELESS_DOT1X_USERS (see screenshot)
  Basically, I just duplicated the default Wireless_802.1X and added Network Access:EapAuthentication, Equals, EAP-TLS.
  My problem is, I was unable to join the wireless network if I added my AD group to the Authorization policy (see screenshot). The user that I have is a member of WLAN-USERS. If I removed the AD group from the Authorization policy, the use is able to join the wireless network.
  I attached the ISE logs screenshot as well. I checked the ISE, AD/NPS, WLC, laptop time and date, and they are all in synched.
  I also have the WLC added as NPS client on my network.
  I checked the AD log and what I found was the WLCs local management user trying to authenticate. It is supposed to be my wireless user credential not the WLC.
  This is the log that I got from the AD/NPS
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:                              NULL SID
  Account Name:                              admin
  Account Domain:                              AAENG
  Fully Qualified Account Name:          AAENG\admin
  Client Machine:
  Security ID:                              NULL SID
  Account Name:                              -
  Fully Qualified Account Name:          -
  OS-Version:                              -
  Called Station Identifier:                    -
  Calling Station Identifier:                    -
  NAS:
  NAS IPv4 Address:                    172.28.255.42
  NAS IPv6 Address:                    -
  NAS Identifier:                              RK3W5508-01
  NAS Port-Type:                              -
  NAS Port:                              -
  RADIUS Client:
  Client Friendly Name:                    RK3W5508-01
  Client IP Address:                              172.28.255.42
  Authentication Details:
  Connection Request Policy Name:          Use Windows authentication for all users
  Network Policy Name:                    -
  Authentication Provider:                    Windows
  Authentication Server:                    WIN-RSTMIMB7F45.aaeng.local
  Authentication Type:                    PAP
  EAP Type:                              -
  Account Session Identifier:                    -
  Logging Results:                              Accounting information was written to the local log file.
  Reason Code:                              16
  Reason:                                        Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

  Thank you Tarik,
  I got my AD group working. What I did, I checked the user's certificate that is installed on the laptop then modified the ISE certificate authentication profile to "Subject Alternative Name". I had the ISE set to common name when I was having an issue.
  I forgot to mentioned that I have to servers in my ISE test pilot. I have AD with NPS, and CA. These servers are Windows 2008 R2.
  I am a little confuse about the attribute in certificate template you have mentioned. Is that located at Certificate Authority/server-name/Certificate Templates/Users? I am not sure where to look for that attribute on the CA server.

• Cisco ISE authentication failed because client reject certificate

  Hi Experts,
  I am a newbie in ISE and having problem in my first step in authentication. Please help.
  I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
  Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
  Regards,
  Ratna

  Certificate-Based User Authentication via Supplicant Failing
  Symptoms or
  Issue
  User authentication is failing on the client machine, and the user is receiving a
  “RADIUS Access-Reject” form of message.
  Conditions (This issue occurs with authentication protocols that require certificate validation.)
  Possible Authentications report failure reasons:
  • “Authentication failed: 11514 Unexpectedly received empty TLS message;
  treating as a rejection by the client”
  • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
  the client rejected the Cisco ISE local-certificate”
  Click the magnifying glass icon from Authentications to display the following output
  in the Authentication Report:
  • 12305 Prepared EAP-Request with another PEAP challenge
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is reusing an existing session
  • 12304 Extracted EAP-Response containing PEAP challenge-response
  • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
  client
  • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
  client
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is re-using an existing session
  • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
  • 12815 Extracted TLS Alert message
  • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
  Cisco ISE local-certificate
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  Note This is an indication that the client does not have or does not trust the Cisco
  ISE certificates.
  Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
  The client machine is configured to validate the server certificate, but is not
  configured to trust the Cisco ISE certificate.
  Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

• Cisco ISE with TACACS+ and RADIUS both?

  Hello,
  I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
  Bob

  Hello Robert,
  I believe NO, they both won't work together as both TACACS and Radius are different technologies.
  It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
  For your reference, I am sharing the link for the difference between TACACS and Radius.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
  Moreover, Please review the information as well.
  Compare TACACS+ and RADIUS
  These sections compare several features of TACACS+ and RADIUS.
  UDP and TCP
  RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
  TCP transport offers:
  TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
  TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
  Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
  TCP is more scalable and adapts to growing, as well as congested, networks.
  Packet Encryption
  RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
  TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
  Authentication and Authorization
  RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
  TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
  During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
  Multiprotocol Support
  RADIUS does not support these protocols:
  AppleTalk Remote Access (ARA) protocol
  NetBIOS Frame Protocol Control protocol
  Novell Asynchronous Services Interface (NASI)
  X.25 PAD connection
  TACACS+ offers multiprotocol support.
  Router Management
  RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
  TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
  Interoperability
  Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
  Traffic
  Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

• Cisco ISE Posture support Symantec or Mcafee AV in one condition

                     Hi Team,
                      Any one help me regarding the configuration of the Cisco ISE. We want to configure one compound condition
                      for mcafee or symantec av server. Can I configure in a such manner that the client pc can have either macfee
                      or symantec server then posture will be compliant.
                      Abhishek Agrawal

  Abhishek,
  This is possible, please use this link for reference:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
  Your AV vendor will have to be supported based on the release notes:
  http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• Cisco ISE 1.2 and Symantec Endpoint Protection

  Hi Experts,
  Good Day!
  I'm just wondering if ISE 1.2 is able to detect an application/software in a laptop like the Symantec Endpoint Protection before giving the user an access to the network? Is it possible?
  I tried to searched over the internet however, I can't find any documentation about it.
  Thank you for your support.
  Cheers,
  Niks

  hello ,have you checked posturing service of ISE , with ISE posture service enabled you can check Antivirus Installation , Antivirus Version/ Antivirus Definition Date etc . Check the following link for different Posture Assessment Options  available
  http://www.cisco.com/en/US/partner/docs/security/ise/1.2/user_guide/ise_pos_pol.html#wp2276381

• Cisco ISE 1.1 and IE9

  Is anyone else having problems with ISE admin/monitoring pages not working properly under IE9?  I just completed an upgrade to ISE 1.1, and it seems more and more, when I try to manage the system with IE9, I will get the following error (host name changed to protect the inocent). I dont know if this is truly an IE9 issue, or the chrome plug-in we are forced to use.  Works perfect under Firefox 11.0.
  This webpage is not available
  The webpage at https://iseserver.domain.com/mnt/pages/dashboard/dashboard.jsp?mnt_config_write=true&token=BEGIN_TOKENXspmm4x5AwFsV6NExIBAVA==END_TOKEN might be temporarily down or it may have moved permanently to a new web address.
  Error 103 (net::ERR_CONNECTION_ABORTED): Unknown error.

  Supported Administrative User Interface Browsers
  You can access the Cisco ISE administrative  user interface using the following browsers:
  •Mozilla Firefox 3.6 (applicable for  Windows, Mac OS X, and Linux-based operating systems)
  •Mozilla FireFox 9 (applicable for Windows,  Mac OS X, and Linux-based operating systems)
  •Windows Internet Explorer 8
  •Windows Internet Explorer 9 (in Internet  Explorer 8 compatibility mode)
  Cisco ISE GUI is not supported on  Internet Explorer version 8 running in Internet Explorer 7 compatibility mode.  For a collection of known issues regarding Windows Internet Explorer 8, see the  "Known Issues" section of the Release Notes for the Cisco Identity Services  Engine, Release 1.1.