Cisco ISE posture check for VPN

Similar Messages

• Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

  We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
  They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
  From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
  Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
  One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
  I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
  Any thoughts? Thanks in advance.

  Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
  Thank you for rating helpful posts!

• Cisco ISE posture requirements whats the ordering of requirements?

  Hi Everyone,
  I am in the middle of deploying the anyconnect posture module (ac 4.0), with ISE 1.3. I have a problem, with the order of which the posture requirements get checked, it does not seem to order the requirements alphabetically, and can't figure out how to make it check for certain things, before other things. An example :
  I have Symantec SEP 12.1 AV in this environment, and i have the following checks :
  - AV_installed : is the av agent installed ?, if not start installation from a network share
  - AV_started : is the av agent started ?, if not try to start the service
  - AV_uptodate : is the av definitions up to date?, if not start the update function in the av client
  Now this is the order it needs to be checked in, as it would fail if i tried to check if the AV is running, before i check if it's actually installd,  but i can't get posture to do that, going on the names of the rules, these should alphabetically be run in the order i have, but they are not.
  Any ideas?, the documentation for posture is lacking to be polite, i have not been able to find anything describing this process.

  Abhishek,
  This is possible, please use this link for reference:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
  Your AV vendor will have to be supported based on the release notes:
  http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE Profiling options for VPN clients

  I'm trying to mull over what profiling options are available for VPN users.  I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access.  The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements.  I don't see an easy way to distinguish these device types that cannot use the NAC agent from the O/Ses that can.  Since the mac address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria.  So the net effect is these devices are stuck in the "unknown" posture state and have very limited access.  Any way around this catch-22?  Incidentally DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their mac address.

  Chris I ran into the same issue. Netflow doesn't work and use packet captures to see if anything was worth while. The only option I see is filing a enhancement request to see if the asa can send the device platform over ot ise via radius (much like the device sensor feature on ios).
  I also tried to use a span session and the catch with is that the asa doesn't assign the calling station id attribute to the tunnel ip, but the public ip the user is connecting from. So ise doesn't apply the user agent attributes to the current session.
  I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the cpp portal as a mobile device.
  Sent from Cisco Technical Support Android App

• Did Cisco ISE have limitation for policy setting?

  Deat All,
  Did anyone know about Cisco ISE limitation about policy setting?
  Right now my setting for windows posture policy around 200 windows patch checking, did ISE have limitation such as maximum windows patching policy line?
  Thanks you
  Best Regards

  Here is the nswer for your first question.
  Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. It causes Java Virtual Machine (JVM) memory utilization to go up due to accumulated backlog when some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
  To ensure that the profiler does not increase the JVM memory utilization and prevent JVM to go out of memory and restart, limits are applied to the following internal components of the profiler:
  Endpoint Cache—Internal cache is limited in size that has to be purged periodically (based on least recently used strategy) when the size exceeds the limit.
  Forwarder—The main ingress queue of endpoint information collected by the profiler.
  Event Handler—An internal queue that disconnects a fast component, which feeds data to a slower processing component (typically related to a database query).
  For more information go through :
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#12624

• Posture Check for Domain Machine

  Hi,
  i am setting up an ISE for dot1x and posture checking, I am unable to find a way to check for a policy whereby the laptop/workstation is a domain machine. So far, the rules and config guides are looking at ExternalGroups member of, but these are the log in credentials of the user and they can still pass the rule eventhough the machine is not a domain machine.
  There is a registry key for domain machine, but this check is too easy to spoof. Is there any more effcient and "better" way to check for domain machine for posture check?
  Thanks and regards,
  WK Peck

  Hello Aditya,
  Configure WSUS Remediation
  This example shows how to ensure that all employee computers with Windows 7 have the latest critical patches installed. Windows Server Update Services (WSUS) are internally managed.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc17

• Cisco ISE posture assesment and client provisioning

  Hello,
  I have Cisco ISE and Cisco IOS device. I have configured RADIUS in between these device.
  Also I have configured RADIUSbetween Cisco ISE and Cisco ASA. Now I want to know that how to do posture assesment for these devices(Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me whole steps to do posture assesment for cisco ios device in Cisco ise.
  Also, please provide me logs related to posture assesment and client provisioning.
  Thanks in advance.

  You may go through the below listed link to download a PDF link
  Posture assessment with ISE.
  http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Posture check for Windows Update

  Hi All,
  I am constructing Posture conditions in ISE, which check  Windows Update are not more than 7 days old.
  Can you guys help me in formulating this condition.
  Thanking in advance,
  Thank You,
  Aditya

  Hello Aditya,
  Configure WSUS Remediation
  This example shows how to ensure that all employee computers with Windows 7 have the latest critical patches installed. Windows Server Update Services (WSUS) are internally managed.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc17

• Cisco ISE Posture support Symantec or Mcafee AV in one condition

                     Hi Team,
                      Any one help me regarding the configuration of the Cisco ISE. We want to configure one compound condition
                      for mcafee or symantec av server. Can I configure in a such manner that the client pc can have either macfee
                      or symantec server then posture will be compliant.
                      Abhishek Agrawal

  Abhishek,
  This is possible, please use this link for reference:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
  Your AV vendor will have to be supported based on the release notes:
  http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE and authentication for 802.1x printer

  Hello
  What is the best practice to authenticate a 802.1x printer in Cisco ISE?
  The printer can store a certificate for authentication and support EAP-TLS.
  Thanks for answer.
  Marco

  EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports. 
  I hope this puts you in the right direction!
  Thank you for rating helpful posts!

• Check for VPN Connection Exists

  Hello
  I am working on a windows store app for Enterprise. This app will require internet and VPN connection to get data. I have found a way to check for internet access. However, I am not sure how to check if there is a VPN tunnel available. If VPN is available
  then I can make a call to a WebService and get data. If there is no VPN then the WebService call will fail [after about 10-15 seconds]. I can assume that if the WebService calls fails that means there is no VPN but there must be another way to find this out
  before even calling a Service.
  Please help.
  Thanks
  Bevan

  We're using Microsoft Direct Access rather than a VPN but I think this is worth sharing anyway.
  Rather than calling a web service I'm just using the HttpClient's GetAsync() method to call a small file hosted on an internally hosted web server. This minimises the payload as much as possible which may be important if your users are connected using devices
  with 3G/4G with data limit.
  I'm wrapping the call in a Stopwatch to get a rough idea of the round robin request/response and visualising that for the users so they know how good their connection to the corporate network is. This info is far more useful than the WiFi/Mobile signal bars.
  Stopwatch stopWatch = new Stopwatch();
  stopWatch.Start();
  HttpClient httpClient = new HttpClient();
  HttpResponseMessage response = await httpClient.GetAsync(nslUri);
  response.EnsureSuccessStatusCode(); // -- throw exception if not a success code
  stopWatch.Stop();
  TimeSpan ts = stopWatch.Elapsed;
  This might also be of interest...
  https://msdn.microsoft.com/en-us/library/windows/apps/xaml/windows.networking.vpn.aspx

• Cisco ISE authentication failed for Win XP SP3

  Hello,
  I have some trouble this Win XP wired Client authentication. With Win7 everything works well.
  ISE 1.2 (patch 4)
  Switch: 2960 / 2960S (15.0.(2)SE2)
  Authentication details:
  Event:
  5400 Authentication failed:
  Failure Reason
  11514 Unexpectedly received empty TLS message; treating as a rejection by the client
  Resolution
  Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
  Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
  I try to disable validate server certificates on Win XP Clients, but it won´t work for me.
  Add ISE self-sign certificate to clients trusted root certification authorities and enable validate server certificates also won´t work.
  Any idea?
  thanks

  The ISE use a self-signed certificate. I add this self-signed certificate to the clients "trusted root certification authorities", enable validate server certificates at the eap properties and select the added certificate from the trust list. But if I uncheck validate server certificates, I see the same error message as well.
  Are there any differences between xp client config and win7 client config?
  thanks,

• Cisco ISE to check Windows Firewall is enabled or not in Posture Requirement.

  I have already a running setup for wireless employees. Everything is working fine. Wireless Employees authenticate by AD through ISE. URL redirection is working fine. Posture requirements to check Hotfixs & AV installation & definition is working fine. Now I have new requirement to check whether Window firewall is enabled or not, if not then put the users in temporary access & do the remediation, if failed then put the user in noncompliant.
  I want to know under which option i can create Window Firewall requirement.
  Thanks

  Windows Firewall in Windows XP creates  a registry key
  Registry Key:
  HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Registry Value:
  EnableFirewall
  If the XP Firewall is on the Value will be = to “1”
  The following link shows how to tell if firewalls of different brands are running
  http://cisconac.blogspot.com/2007/05/custom-checks-personal-firewall.html
  So, the ISE config will be something like the following picture. Please rate if it helps

• ISE Posture Condition for Windows Service Pack and Remediation

  Hi,
  We having ISE ver 1.1.1 and currently on PoC. I have the following points to be clarified for Posture and Remediation.
  1) How to configure a condition to check Windows Service pack (may be more than 1 Windows favor such as XP, Win 7 and Win 8) and how to remediate in case client is not complying with Windows requirement.
  2) I configure AV condition and looks its working fine, however I still couldnt find the place to how to remediate in case client is not having proper verion and AV definition on his PC.
  3) We have a Authorization profile configured with dACL"Posture Remediation" where we allowing AV server update url and also matching ACL configured on switch "Posture Redirect", wants to know the exact purpose on these two ACLs.
  4) where can we see the logs of none-complaints logs and find out the reason for non-complaints
  appreciate if someone can please give us a proper document to achive the above task or send me any working senario configuration steps.
  thanks in advance.

  1. Windows Server Update Services (WSUS)  remediation remediates Windows clients from a locally managed WSUS server, or  Microsoft-managed WSUS server with the latest Windows service packs, hotfixes,  and patches (WSUS updates) for compliance. You can create a WSUS remediation  where a NAC Agent integrates with the local WSUS Agent to check whether the  endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete  WSUS remediations from the remediations list.
  You can configure Windows clients to  receive the latest WSUS updates from a Microsoft-managed WSUS server, or locally  administered WSUS server for compliance.
  The Windows server update services (WSUS)  remediations list page displays all the WSUS remediations along with their  names, description, and as well as their modes of  remediation
  check the following link for  configuration
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
  2.for AV/AS Remidiaton  configuration check  this link http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420

• Cisco ISE posture problem

  Hi all,
  I've been playing around with ISE demo and I am very impressed!!!
  After trying different scenarios with my co-workers I came to a point where we find it kind of buggy.
  I have rules to redirect unknown users to pasturing through web where they download NAC CLIENT and everything works fine.
  Here's the catch:
  On a windows 7 machine (connecting wirelessly with built in wireless client) they are stuck on posture pending if they do the following:
  They connect - open up web browser - ise redirects them to download the client they hit install and the warning about installing the client pops up - that moment the user decides to close the browser (it's most likely to happen when you have 5000+ users)  - dissconnects from network and tries to re-connect again. NOW - when they open up the web browser ISE says unable to allow access to network and all that error.
  So it's not letting them download the nac agent any more.. no matter what they do connect - reconnect wait 2-3 minutes nothing, only after a period of time they are able to get the NAC client installation page.
  NOTE: this works totally fine on a windows xp machine with the INTEL PRO SET wireless utility.
  It's not a big thing but when you have 5000+ clients and you want to introduce them to something new it will cause alot of helpdesk calls and all that you know how it goes.
  Thanks in advance.
  P.s I can create a short video of the whole process.

  Very interesting thread. Can you tell me – how can ISE differentiate between a new/unknown computer owned by an employee and/or the organization, which you WANT to load the NAC client on, and a guest that you might want to give Internet access to but you don’t want to load a NAC client on?