Delaying ISE Posture / Remediation

Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
Is this possible?
What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a networking issue during remediation. This is because we have a proxy server and you must have elevated privileges to download certain file types from the internet, such as executables.
To get around the limitation of the NAC agent not being able to be configured to use its own web proxy settings with a user account with more privileges, we use different locations in our AV product so that once the AV product realises that the laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
Hope that makes sense.
Mario

Hello Mario,
You can customize the remediation timeout settings for your requirement. Please review the following:
Remediation Timeout Customization
Parameter                 Default Value   Valid Range   Description or Behavior
Remediation timer         4               1-300         Specifies the number of minutes the user has to remediate any failed posture assessment checks on the client machine before having to go through the entire login process over again.
Network Transition Delay  3               2-30          Specifies the number of seconds the agent should wait for network transition (IP address change) before beginning the remediation timer countdown.
Note: When you use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends the "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of the "Network transition delay" setting used for Windows agent profiles. If you do not use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends the "Network transition delay" timer setting to client machines, but Cisco ISE will not send both.
For a more detailed understanding of this, please visit the section Configure Client Provisioning Policies > Remediation Timeout Customization at the following location in the ISE user guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
You may also want to review more options that you can customize in Configure Client Provisioning Policies section.
Regards,
Ashok

Similar Messages

  • ISE Posture Remediation issue with AV client installation

    Problem: If a user starts the AV client installation on the PC via AV link remediation, after some time (while the AV client installation is not yet complete) the Trend Micro Update window pops up but does not start automatic AV or AS definition remediation, and the Cisco NAC agent shows the message "AV definition is not up to date".
    Also, sometimes the NAC agent gives the message "automatic remediation failed" or requires user intervention to press OK so NAC can complete the remediation process.
    I am facing these issues when users don't have an antivirus client on the PC and are performing the client installation.
    We have the following posture policies:
    1. AV installation check: if AV is not installed on the PC then perform link remediation and let the user download the antivirus client from the provided link.
    2. AV definition & AS definition version check (I put both remediation requirements in one policy): if the AV or AS definition version is found to be old then perform automatic remediation.
    3. WSUS check
    4. SP check
    Actually I want the user to first install the AV client via link remediation, and once installation is complete then move to AV & AS def remediation if required (because on first-time AV client installation it automatically downloads all updates from the AV server); otherwise the def remediation policy should wait for the AV client installation to complete.
    Can anybody please let me know how remediation works internally? E.g. if "AV inst" remediation starts, does the NAC agent wait for its completion and not start other remediation processes, e.g. AS & AV def?
    Second question: what is the remediation process sequence?
    Third question: is there any way we can configure timers in the remediation process, e.g. 5 min for AV inst, then 3 min for AV & AS def remediation, and then go to other posture remediations?

    Please check the below guide for Posture Configuration:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080c15540.shtml

  • ISE Posture Condition for Windows Service Pack and Remediation

    Hi,
    We are running ISE ver 1.1.1 and are currently in a PoC. I have the following points to be clarified for posture and remediation.
    1) How to configure a condition to check the Windows service pack (maybe more than one Windows flavor, such as XP, Win 7 and Win 8) and how to remediate in case the client is not complying with the Windows requirement.
    2) I configured an AV condition and it looks like it's working fine; however, I still couldn't find where to configure how to remediate in case the client does not have the proper version and AV definition on his PC.
    3) We have an authorization profile configured with dACL "Posture Remediation" where we allow the AV server update URL, and also a matching ACL configured on the switch, "Posture Redirect"; I want to know the exact purpose of these two ACLs.
    4) Where can we see the logs of non-compliant endpoints and find out the reason for non-compliance?
    I would appreciate it if someone could please give us a proper document to achieve the above tasks or send me working scenario configuration steps.
    thanks in advance.

    1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or a Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where the NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up to date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
    You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or a locally administered WSUS server, for compliance.
    The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names, descriptions, and modes of remediation.
    Check the following links for configuration:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
    2. For AV/AS remediation configuration check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420

  • Drive mapping during posture remediation

    I am doing an ISE (1.1.1) deployment for a client. The customer is using an AD logon script to do drive mapping to a NAS server. My posture remediation ACL is blocking drive mapping unless I use 'permit ip any any', which is a security hole. My ACL should be modified to allow the drive mapping during the unknown/posture-remediation interval. Could anyone suggest something if you have faced a similar issue?

    You need to permit access to your domain controllers during posture remediation and add a delay to your logon script -
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a70c18.shtml

  • ISE posture redirect not working

    ISE v1.1.0.665, 3395 h/w.
    Single Admin/Monitor/Policy node.
    WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M
    For Client Provisioning I created an authorisation policy as follows:
    download acl "ACL-POSTURE-REMEDIATION"
    apply url redirect "ACL-POSTURE-REDIRECT".
    "Debug radius" shows all this is downloaded to the switch but:
    - Redirect does not work.
    - dACL is not applied if the URL redirect is also configured.
    Wireshark on the client shows no redirect.
    Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
    I've also attached screen shots of these policies and wireshark.

    Grant,
    It looks like you are changing the VLAN after your client gets an IP address; it seems like the client gets an IP address of
    192.168.16.164 and you are changing the VLAN over to 516. I wanted to check that there isn't an IP-to-VLAN mismatch before you move forward. If 516 is the quarantine VLAN you may want to start all clients on that VLAN and use dynamic VLAN assignment through change of authorization once a client becomes compliant. The reason is that you can use the web portal, or the NAC agent, to change the IP address once the VLAN is changed.
    Thanks,
    Tarik Admani

  • ISE posture requirement to check if endpoint's USB port is disabled

    Hi,
    I wonder if it is possible to set a disabled USB port on the endpoints as a requirement in ISE Posture?
    Appreciate your input.
    Mike

    If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.
    Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
    You would have to create a New Posture Condition and Remediations.
    The condition that I will use in this example is a Registry Key.
    If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.  A value of 4 is disabled.
    So set a Posture Condition:
    Click Policy > Policy Elements > Conditions
    Choose Posture from the left menu:
    Then choose Registry Condition from the left menu.
    Click +Add to add a new Posture Condition:
    Then you have to create Remediation Actions.  Click the Results button at the top of the left Menu:
    Choose Remediation Actions and choose the Remediation you want to use.  I chose Link Remediation.
    +Add to add a new Link Remediation:
    Then choose Requirements from the left menu and create a new Remediation Result:
    Of course, you can choose different remediations as necessary for your environment.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    What I knew prior to researching this request was that the NAC agent is only compatible with endpoints running Windows or Mac OS X.
    Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • ISE Posture Assessment

    Hi,
    While reading about ISE posture, I got to know that ISE searches the "User-Agent" attribute for the string "NAC Agent" to confirm that the NAC agent is present on a particular machine. This information is passed to ISE when the user opens a web browser, i.e. the user gets redirected.
    If the NAC agent is not present on the machine then the NAC agent gets downloaded and then posture assessment starts.
    While testing this on ISE, I noticed that
    if the NAC agent is already present on the machine then posture assessment starts directly, even without opening a web browser.
    Now my question is, how does ISE come to know that the NAC agent is already present on the machine without opening a web browser?
    Regards,
    Aditya

    I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
    Default Posture Status
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
    Jatin Katyal
    - Do rate helpful posts -

  • ISE and WLC for posture remediation

    Please can anybody clarify a few things in relation to ISE and wireless posture.
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kick off posture checking?
    2) Can/Should a dACL/wACL be specified as a remediation ACL?
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports; doesn't direction "any" work?)
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation.
    thanks
    Nick

    Nick,
    Answers are inline:
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kick off posture checking?
    This is for both: if ports 8905 etc. are included, then it serves the initial redirection and remediation.
    2) Can/Should a dACL/wACL be specified as a remediation ACL?
    Wireless does not support dACLs; you will have to reference another ACL in the authorization policy. The newer versions have the Airespace ACL field, where you reference an ACL defined locally on the WLC.
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports; doesn't direction "any" work?)
    Yes, you have to add two entries. For example, for all traffic redirection to ISE: source = any, destination = ISE IP address, source port = any, destination port = any, direction = any, action = permit;
    source = ISE IP address, destination = any, source port = any, destination port = any, direction = any, action = permit. It's not the easiest, but I will attach a screenshot that shows my example.
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    ISE doesn't support dACLs, so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery); after that the ACL field will come up, where you "call" the posture ACL which is defined on your controller.
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation.
    Keep in mind that you have to have RADIUS NAC and AAA override enabled under the advanced settings for CoA to work.
    You have to turn on CoA under the global settings in ISE (Administration > Profiling > CoA Type > Reauth).
    Then you have to build your policies so that when a user connects to the network they are redirected to download the NAC agent (this is where the Posture Discovery and redirect ACL work in tandem).
    Once the client downloads the NAC agent and is compliant, the report is forwarded to ISE where a CoA event is triggered.
    Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant; you can set the ACLs for restricted access, use dynamic VLAN assignment, or just send the access-accept.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE Automatic Remediation

    Hi,
    We've been deploying an ISE solution (version 1.1.0-665) for one customer and we have one doubt regarding posture assessment/remediation. We're trying to check AV installation and definitions, and this check is working fine, but things get a little bit complicated when we try to remediate the machines.
    In our posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers, nor the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP), and we redirect all HTTP and HTTPS traffic to the ISE in order to force posture for users who need the Web Agent.
    This means that when posture assessment fails and we need to remediate the client's machine we are going to have problems performing automatic remediation, since our AV (McAfee), like many others, tries to access update servers using port 80 and that traffic will be redirected per the redirect ACL.
    Is there a way to overcome this problem? Including the update servers in our redirect ACL deny lines is not an option, since there are too many and they are dynamic.
    Can you help us with this issue? Thanks!
    Best regards,
    Carlos Morais

    Hi,
    No, there is no way of doing automatic remediation against external servers unless you exempt them from redirection in the posture ACL. They have a NAC-style solution on the roadmap, however. I'm sending below the answer provided by TAC:
    "If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."
    Best regards,
    Carlos Morais
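The two ACLs asked about in the "ISE Posture Condition for Windows Service Pack and Remediation", "Drive mapping during posture remediation" and "ISE Automatic Remediation" threads above play different roles on an IOS switch port: the redirect ACL picks which traffic is diverted to the ISE portal (permit = redirect, deny = leave alone), while the dACL decides what the quarantined endpoint may reach at all. The Python below is an added example, not from the forum or from Cisco, that runs constructed sample flows through both ACLs to make those roles concrete. The addresses, ACL names, the choice of a NAS that is not exempted, and the modelled order (dACL evaluated before the redirect ACL, only HTTP/HTTPS actually intercepted) are assumptions for the example, not taken from the posts.

```python
# Added example (not from the forum thread): evaluate sample flows against a
# posture redirect ACL and a posture remediation dACL, as an IOS switch port
# would see them, to show which traffic is redirected to the ISE portal,
# which is forwarded during remediation, and which is dropped.
# Modelled order (an assumption of this example): the dACL is checked first,
# so traffic must be permitted by the dACL before the redirect ACL can act on
# it; in the redirect ACL 'permit' means redirect and 'deny' means leave
# alone; both ACLs end with an implicit deny; only HTTP/HTTPS is intercepted.
# All addresses, ports and ACL names below are invented for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: str              # "any" or a host address
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def _take_addr(tok: List[str]) -> Tuple[str, List[str]]:
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError("only 'any' and 'host A.B.C.D' are supported: " + " ".join(tok))

def _take_port(tok: List[str]) -> Tuple[Optional[int], List[str]]:
    if tok and tok[0] == "eq":
        return NAMED_PORTS.get(tok[1], None) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(text: str) -> List[Entry]:
    """Parse the 'permit|deny proto src [eq p] dst [eq p]' lines of an IOS extended ACL."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                      # header ('ip access-list ...') or remark
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries

def _matches(e: Entry, f: Flow) -> bool:
    return ((e.proto == "ip" or e.proto == f.proto)
            and e.src in ("any", f.src) and e.dst in ("any", f.dst)
            and e.sport in (None, f.sport) and e.dport in (None, f.dport))

def first_match(acl: List[Entry], flow: Flow) -> str:
    for e in acl:
        if _matches(e, flow):
            return e.action
    return "deny"                         # implicit deny at the end of every ACL

def posture_decision(redirect_acl: List[Entry], dacl: List[Entry], flow: Flow) -> str:
    """'dropped' (by the dACL), 'redirected' (to the ISE CPP portal) or 'forwarded'."""
    if first_match(dacl, flow) != "permit":
        return "dropped"
    if first_match(redirect_acl, flow) == "permit" and flow.proto == "tcp" and flow.dport in (80, 443):
        return "redirected"
    return "forwarded"

# Constructed sample ACLs: 10.10.10.5 stands in for the ISE PSN, 10.10.10.20
# for a domain controller, 10.10.10.30 for a NAS that is *not* exempted.
REDIRECT_ACL = parse_acl("""
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   ip  any host 10.10.10.5
 permit tcp any any eq www
 permit tcp any any eq 443
""")
REMEDIATION_DACL = parse_acl("""
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
permit ip  any host 10.10.10.5
permit ip  any host 10.10.10.20
permit tcp any any eq www
permit tcp any any eq 443
""")

SAMPLE_FLOWS = {   # constructed endpoint traffic from a quarantined client 10.1.1.50
    "dns":            Flow("udp", "10.1.1.50", 51000, "10.1.1.1", 53),
    "dhcp":           Flow("udp", "10.1.1.50", 68, "255.255.255.255", 67),
    "agent_to_ise":   Flow("tcp", "10.1.1.50", 51001, "10.10.10.5", 8905),
    "av_update_http": Flow("tcp", "10.1.1.50", 51002, "203.0.113.10", 80),
    "smb_to_dc":      Flow("tcp", "10.1.1.50", 51003, "10.10.10.20", 445),
    "smb_to_nas":     Flow("tcp", "10.1.1.50", 51004, "10.10.10.30", 445),
}

def evaluate_all() -> dict:
    return {name: posture_decision(REDIRECT_ACL, REMEDIATION_DACL, f) for name, f in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:16s} {verdict}")
```

Run it as a script to print the verdict for each flow. The av_update_http case is exactly the problem Carlos describes: the update server's port 80 traffic matches the redirect ACL's permit for www, so the only way to let it through is a deny line for that destination ahead of the permit. The smb_to_nas case is the drive-mapping failure from the other thread, which needs a dACL permit for the NAS (or the relevant ports) rather than 'permit ip any any'.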

  • ISE - posture fails

    Hello,
    I have a problem at the posture checking phase. The NAC agent fails to check for posture compliance and remediation never takes place. The client browser is being redirected to the following URL: https://ise.xxxx.yy:8443/guestportal/gateway?sessionId=AC16FA49000000778BF9058D&action=cpp, and then to https://ise.xxxx.yy:8443/auth/provisioning/evaluate (shown below)
    Obviously there is a problem on ISE box, missing something. What could be the cause of the problem?
    Best regards,
    Kreso

    Hi Mohammed,
    as the TAC engineer and developer said, the problem is in the CA root certificate that was imported in DER format.
    Try exporting the root CA certificate (not the one issued to the ISE node by the CA,  but the one that is in the Certificate Store), convert it from PKCS#7,DER to X509,PEM format, delete the old CA root cert and import the one you just got as a result of conversion.
    You will need a Linux/UNIX box with the OpenSSL tools installed. Suppose you exported the original cert to a file named cert1.pem; when you try to read it using the following command, you get an error:
         # openssl x509 -in cert1.pem -inform DER -text
         unable to load certificate
    followed by some ASN.1 error messages. To convert it, use the following command:
         # openssl pkcs7 -inform der -in cert1.pem -print_certs > cert2.pem
    Now you can read the cert data using the command:
         # openssl x509 -inform pem -in cert2.pem -noout -text
    The file cert2.pem is the one that should be imported as a root CA certificate into the Certificate Store on ISE.
    HTH,
    Kreso
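A tool-independent way to check what was actually exported, as an added example (not Kreso's commands and not from Cisco): the Python below walks the DER structure by hand, reports whether a blob is an X.509 certificate or a PKCS#7 SignedData bundle (which is what the "DER" export in this thread turned out to be), and extracts the certificates as PEM so they can be imported into the ISE Certificate Store. It uses only the standard library. The sample certificate and bundle at the bottom are constructed stand-ins with the right outer DER shape, not real certificates.

```python
# Added example (not from the forum thread): a minimal DER walker that tells an
# X.509 certificate apart from a PKCS#7 SignedData bundle and extracts the
# certificates from a PKCS#7 blob as PEM, without any third-party library.
# Structures followed (RFC 5280, RFC 2315):
#   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE,
#                              signatureValue BIT STRING }
#   ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
#   SignedData  ::= SEQUENCE { version INTEGER, digestAlgorithms SET, contentInfo SEQUENCE,
#                              certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
# The fixtures at the bottom are constructed stand-ins, not real certificates.
import base64
from typing import List, Tuple

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA        = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER object")
    return tag, buf[start:end], end

def children(value: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a constructed value into (tag, inner value, raw TLV bytes) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, nxt = read_tlv(value, pos)
        out.append((tag, val, value[pos:nxt]))
        pos = nxt
    return out

def classify(der: bytes) -> str:
    """'x509', 'pkcs7-signeddata', 'pkcs7-other' or 'unknown'."""
    try:
        tag, body, end = read_tlv(der)
        if tag != 0x30 or end != len(der):
            return "unknown"
        kids = children(body)
    except (IndexError, ValueError):
        return "unknown"
    tags = [k[0] for k in kids]
    if tags == [0x06, 0xA0]:                            # ContentInfo
        return "pkcs7-signeddata" if kids[0][1] == OID_SIGNED_DATA else "pkcs7-other"
    if tags == [0x30, 0x30, 0x03]:                      # Certificate
        return "x509"
    return "unknown"

def pkcs7_certificates(der: bytes) -> List[bytes]:
    """Raw DER of each certificate carried in a PKCS#7 SignedData (may be empty)."""
    if classify(der) != "pkcs7-signeddata":
        raise ValueError("not a PKCS#7 SignedData object")
    content_info = read_tlv(der)[1]
    signed_data = children(children(content_info)[1][1])[0][1]   # [0] EXPLICIT -> SignedData
    for tag, val, _ in children(signed_data):
        if tag == 0xA0:                                 # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _, raw in children(val) if t == 0x30]
    return []

def to_pem(cert_der: bytes) -> str:
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def certificates_as_pem(data: bytes) -> List[str]:
    """Accept one PEM or DER object (X.509 or PKCS#7) and return X.509 PEM blocks."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    kind = classify(data)
    if kind == "x509":
        return [to_pem(data)]
    if kind == "pkcs7-signeddata":
        return [to_pem(c) for c in pkcs7_certificates(data)]
    raise ValueError("not an X.509 certificate or PKCS#7 SignedData (" + kind + ")")

# --- constructed fixtures: a DER encoder, a stand-in certificate and a PKCS#7 bundle ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# 300-byte payload forces the long-form length path real certificates use
SAMPLE_CERT = der(0x30, der(0x30, der(0x04, bytes(300))) + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_PKCS7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30,
    der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
    + der(0xA0, SAMPLE_CERT) + der(0x31, b""))))

if __name__ == "__main__":
    print(classify(SAMPLE_CERT), classify(SAMPLE_PKCS7))
    for pem in certificates_as_pem(SAMPLE_PKCS7):
        print(pem)
```

Point certificates_as_pem() at the bytes of the exported file; it accepts either PEM or DER armour and one object at a time (a file holding several concatenated PEM certificates should be split first). It only looks at structure, so a file that classifies as x509 and still fails to import has a different problem than the one in this thread.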

  • ISE Posture

    Hi Guys,
    I am studying the ISE appliance but I have some doubts about how to configure the posture policies; in other words, is there
    a sequence that I can follow to construct a simple posture policy, like a simple "AV process running" verification?
    I know that there are some possibilities, but I remember that on NAC we had for example
    Checks - simple conditions
    Rules - compound conditions
    Requirements - compound conditions applied to some users.
    thanks

    Creating a new posture policy
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1920487
    Posture Assessment and Remediation Options in Cisco ISE
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp2070069
    In order to create a AV posture policy, you can start from here.
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE posture assesment and client provisioning

    Hello,
    I have Cisco ISE and a Cisco IOS device. I have configured RADIUS between these devices.
    Also I have configured RADIUS between Cisco ISE and a Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA, or Cisco ISE and Cisco IOS). Please give me the whole set of steps to do posture assessment for a Cisco IOS device in Cisco ISE.
    Also, please provide me the logs related to posture assessment and client provisioning.
    Thanks in advance.

    You may go through the link listed below to download a PDF on posture assessment with ISE.
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE posture based upon switch user is connected to

    OK, I am a new ISE user and definitely an early beginner on creating ISE policies. I have successfully created a policy that can determine if you are using a corporate asset or not and using 802.1x authentication grant you access to corporate resources or not. This policy also assigns the VLAN the user is placed into. Seems to work quite well so far at least as a baby step in policy creation.
    Our building has different VLANs based upon floors and the like, and I would like the policy(s) to take this into consideration when assigning the VLAN. Is there a way to include which switch the posturing process is flowing through to assist in assigning the VLAN? I am thinking I would have separate policies based upon the switch / stack but am not sure how to include that in the logic. I figured it would be similar to my policy where I check for corporate assets, that you are wireless, and that you have a valid AD account, but I have been unable to figure out the endpoint part. I have created network groups for my network devices but am stumped after that. Is there something else I should or could be doing instead? Do I need a completely different train of thought?
    Brent

    Hello Brent, using "Network Device Groups" can definitely make this possible for you. For instance, you can create a "Location" based group hierarchy that looks like something like this:
    All Locations > HQ > Floor-1
    All Locations > HQ > Floor-2
    All Locations > DR > Floor-1
    etc
    Then you can reference that group in your authorization policy by using something like this
    If "Conditions > Device > Location" = All Locations > HQ > Floor-1
    then
    Permissions = "HQ_Floor-1-Posture"
    If "Conditions > Device > Location" = All Locations > HQ > Floor-2
    then
    Permissions = "HQ_Floor-2-Posture"
    I hope this helps and addresses your issue. 
    Thank you for rating helpful posts!

  • Cisco ISE posture requirements whats the ordering of requirements?

    Hi Everyone,
    I am in the middle of deploying the AnyConnect posture module (AC 4.0) with ISE 1.3. I have a problem with the order in which the posture requirements get checked: it does not seem to order the requirements alphabetically, and I can't figure out how to make it check for certain things before other things. An example:
    I have Symantec SEP 12.1 AV in this environment, and I have the following checks:
    - AV_installed: is the AV agent installed? If not, start installation from a network share
    - AV_started: is the AV agent started? If not, try to start the service
    - AV_uptodate: are the AV definitions up to date? If not, start the update function in the AV client
    Now this is the order it needs to be checked in, as it would fail if I tried to check whether the AV is running before I check whether it's actually installed, but I can't get posture to do that. Going on the names of the rules, these should alphabetically run in the order I have, but they do not.
    Any ideas? The documentation for posture is lacking, to be polite; I have not been able to find anything describing this process.

    Abhishek,
    This is possible, please use this link for reference:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
    Your AV vendor will have to be supported based on the release notes:
    http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
