ISE 1.3 Anyconnect deployement

Similar Messages

• Cisco ISE Vs Cisco Anyconnect Posture module with Advanced Endpoint Protection

  We are planning to use cisco Anyconnect posture module with Adv Endpoint protection to examine the VPN users- This can check whether they a antivirus/anti spyware software installed on their work station and can force to update def file if its older than specified number of days, it can also check the firewall status on their workstation and enable if its not already.This can detect keylogger and emulation softwares also.
  Do we get any additional advantages in using ISE compared to Anyconnect posture module ......
  Siddhartha       

  These are good questions. We had them last year before we decided to purchase ISE, specifically for our VPN users.
  I will be watching this thread to see what kind of responses you get.
  As of right now, I can verify the ISE can indeed check if specific Anti-Virus is installed (i.e., your corporate AntiVirus), or if ANY (supported by Cisco within ISE) antivirus is installed, and it can force an update process for the AV if it detects that the DAT files are older than a admin specified amount of time.
  Our issue at the moment (if you haven't searched the forums) is ISE detected the proper WSUS updates are indeed installed on the users systems and allowing the users system to talk to our internal WSUS server.
  We are now wondering if the Advanced Endpoint licensing on the ASA would have been a better way to go.
  Wishing you luck in finding your answers for us all.
  Dirk

• ISE + anyconnect 802.1x not getting IP

  Hello guys,
  I am currently testing ISE with the anyconnect.
  So the strange thing is that ISE tells me i am authenticated, authorized.
  And the switchport tells me the same...
  Switch#sh auth session int g0/7
              Interface:  GigabitEthernet0/7
            MAC Address:  5475.d063.fee8
             IP Address:  192.168.1.4
              User-Name:  contractor
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  4
                ACS ACL:  xACSACLx-IP-PERMIT_ANY_ACL-5156419c
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0AC801020000000600490514
        Acct Session ID:  0x00000008
                 Handle:  0xA4000006
  But my client just stays in the "Acquiring IP address" (never gets it) and then changed to "limited or no contectivity" due to the fact that it didnt get ip.
  Everuthing works smooth with the native windows client.
  What can i be missing?
  Regards,
  Emilio

  hola Emilio,
  try to stop the WIFI service in Windows services to give total priority to AnyConnect.
  Let us know the result.
  Regards.
  V.

• Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

  We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
  They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
  From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
  Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
  One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
  I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
  Any thoughts? Thanks in advance.

  Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
  Thank you for rating helpful posts!

• ISE 1.2 Posture Assessment with AnyConnect Client

  Hi Experts,
  I need clarity for posture assessment with AnyConnect client. I understood that we had traditional NAC agent with ISE 1.1.
  Since new Anyconnect version 4 has come which is used for ISE 1.3 posture assessment however I am not sure if I can use Anyconnect 4 with ISE 1.2 ?  Can you please put light on this ?
  if not , do I need to upgrade to ISE 1.3 ? what is the process to upgrade to ISE 1.3 ?
  Thanks in advance

  ISE can provision clients with agent and configure agent profiles.You have Client-provisioning policies that enable users to download and install resources on client devices.(Windows and Mac OS X NAC Agents, Cisco NAC Web Agent.

• Login scripts not running with AnyConnect NAM and ISE 1.2

  I am using AnyConnect 3.1 NAM as my 802.1x supplicant for ISE 1.2.  When users log in with EAP Chaining (User and Machine Auth), the login script seems hit or miss on if it runs to map their drives.  If I uninstall the NAM client, they map drives every time.  I would think that running a login script to map drives is a common scenario and I was wondering if anyone else using AnyConnect NAM was having similar issues or how they were dealing with it.

  I have the same issue and I solve the issue with change these parameters.
  1.- You must change on configuration profile "before user logon". I have 5 seconds
  2.- You must change on configuration profile  "port authentication Exception policy" and you must enable checkbox "enable port exceptions" and select "allow data traffic before authentication"
  3.- You must enable in the option of interface Ethernet Intel on PC "Wait for link" this option It's in "configured advanced of Intel. You must select "on" in this option.
  4.- (this recommendation it was by Cisco) 
  Active Direct GPO has a setting "Computer Configuration\Administrative
  Templates\System\Logon\ Always wait for the network at computer startup and logon" that
  can be enabled to make the logon scripts wait till 802.1x authentication is completed.
  With those changes the logon script run fine.
  Regards
  David.

• 2 Factor Authentication for Anyconnect VPN using ISE

  We are planning to implement dual factor authentication for Anyconnect VPN.
  The end users will be authenticated using domain name in machine certificates and username password with
  ISE used as radius server.
  We have the following approaches to achieve this :-
  1. Use primary and secondary authentication with user credentials as primary authentication
  and CN field of the certificate as secondary authentication.However this option prompts users for password for
  both the fields while we want the machine certificate to authenticate itself without a password.
  2. Second approach is to authenticate using user credentials and authorize the user to access the network if
  the machine certificate has a domain name in CN field which we are able to validate from the AD using
  Dynamic Access Policy.
  We are looking forward for discussions on the above approaches and are open to any other
  solution.

  Hi Umahar,
  Not sure I understood correct. You would like to authenticate the user using machine certificate for anyconnect and want to extract CN attribute the client's certificate and send it to the ISE server for further authenticate with AD. And also you don't want an additional password prompt to be produced to the user.
  If my understanding is correct. Then user would get a prompt for the password atleast because in the machine certificate there won't be password, but to authenticate with RADIUS/TACACS , we need both username and password. So how will the user gets authenticated without password.
  If you are looking a way to just see if the user is present under AD, not exactly and authentication then this might not be possible.

• ISE - Wireless Anyconnect

  Hello! we have a doutb regarding our ISE installation. We have created a new SSID with EAP Chaninng validation (user + machine validation using Anyconnect client) through ISE, and NAC posture. 
  The problem is that when a user has never logged in a PC and tries to log for the first time through this wireless, is not working. The facts are like this:
  - User introduces user/pass for the first time to computer
  - Computer needs to contact AD to download the profile
  - Computer associates with the network
  - ISE puts the user "on-hold" until it's NAC compliant
  - Computer never launches NAC process, so it's never compliant
  - ISE doesn't give access to network
  - User cannot login to computer.
  This only happens the first time a user tries to access the network because it needs to download the profile, if the user has logged in before, this is not a problem. Do you think there is any solution for this problem?

  Use EAP Chaining with EAP-FAST v2. In the auth attempt, the supplicant provides the authentication server (ISE) both the machine and user credentials for each auth attempt.  Supported by the Cisco AnyConnect 3.1 client/supplicant . In ISE to enable its support (Policy->Policy Elements->Results->Authentication->Allowed Protocols->Default Network Access <for example>->Allow EAP-FAST).

• Cisco ISE Anyconnect Profile editor

  I want to wired user's authenticate from ISE device and  to use authentication protocol EAP_FAST. In PC need to install Cisco Anyconnect Profile Editor.
  where and how i get anyconnect profile editor.
  Thanks.

  It's one of the packages listed in the AnyConnect download location.
  Go here and click on Download Software.

• Cisco ISE 1.2.1 deplyomet issue with Anyconnect and Profiling

  Hi All,
  We are running cisco ise box in 1.2.1 version wherein I am facing below issue while deployment. We are having two ISE boxes where One box act as Primary Admin,Secondary MNT and Policy Service and Second Box act as Secondary Admin,Primary MNT and Policy Service
  1) Profiling of Endpoints - HP Laster jet printer 55XX series and scanner profiling are not happing in Cisco ISE 1.2.1 wherein I have enabled below probes in ISE for profiling 
  RADIUS Probe 
  SNMP Probe                                                                                                                                                                                                                                                  SNMP Trap                                                                                                                                                                                                                                                     HTTP Prob and DNS
  2) Any-connect issue - We are using any-connect supplicant 3.0.11042 for wired and wireless user profile in windows 7 enterprises 32 bit machine
   - Yellow mark issue  -  Once authentication , posturing completed we are getting yellow mark on network  drive but still we are able to connect to network
  - Network Map Drive issue  -  Once authentication , posturing completed we are getting red cross mark on Network map drive and if we double click on that drive then its get accessible and red mark turns in to green.
  For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication ) 
  That would be really great if any one can help me on the same.
  Thanks & Regards
  Pranav

  Hi Pablo ,
  Please find below solutions 
  Yellow mark issue  -  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This Service is by default disabled on Windows XP and Widows 8.X operating system. This is only enabled by default on Windows 7 and Windows Vista operating system.
  Network Map Drive issue   - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
  Regards
  Pranav

• ISE redirect to install NAC Agent for Anyconnect users with Split Tunnel?

  Due to management directive I am not able to disable SPLIT TUNNEL for our VPN users. For this reason, I can not figure out how to enforce the REDIRECT to ISE for forcing the VPN users to install the NAC AGENT.
  Is this possible? If so can we get some documentation on how this is done? Screenshots would be great.
  Thanks,
  Dirk

  I couldn't find the answer that I seek in that doc.
  I am trying to see if I can force traffic to the redirect for installing the NAC agent, even on split tunnel traffic....perhaps forcing the first webpage the user opens forces the user to the redirect page if the NAC agent isn't detected.
  Thanks,
  Dirk

• ISE 1.3 -- ASA ssh and anyconnect attribute

  Hi,
  I've created a compound condition to match the anyconnect client and authorize them as required but the problem is , if the user does not match the anyconnect group and match the ssh group (user group only to ssh the ASA)  he get authenticated to anyconnect and get access to the default tunnel group.
  anyconnect condition :  device type , NAS-PORT-Type=Virtual and Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type=Anyconnect-client
  SSH condition  : Device type, NAS-PORT-Type=Virtual
  basically , if user does not match the anyconnect condition he still can vpn through the SSH condition .
  Thanks,
  Khaled

  Hi Neno,
  I  will try to break the problem down. I use AND all the time .
  User, NOT part of the VPN  group BUT part of the SSH group , if he try to vpn he will be authenticated (default authentication rule, which is not a problem) and will be authorized, but because the VPN authorization does NOT found it will not give access (normal), but as you now the request jump to the next rule to find a match, in this case the next rule is the SSH.
  In the SSH rule, the user is configured but not for VPN only for SSH ,he will be granted access to the VPN, he will hit the DEFAULT Tunnel group and by default the DefaultGrupPolicy.
  Is there any Unique attribute to lock down the SSH rule to only ssh?
  Thanks for your help

• Remote Access VPN posturing with Cisco ISE 1.1.1

  Hi all,
  we would like to start using our ISE for Remote VPN access.
  We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
  That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
  I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
  We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
  I know ISR's are support NADs but what about ASRs? There is no mention.
  Any advise will be appreciated!
  Mario

  OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
  thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
  essentially my requirements are
  2-factor authentication VPN using a Certificate & RSA Token
  Posturing of the VPN endpoint.
  Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
  Can anyone help?
  Mario

• Windows 7 -How to authenticate to WiFi (home or public) with AnyConnect NAM installed

  Hello,
  We are deploying ISE and connecting to the company's WiFi using a "machine" login (active directory laptop) works fine on Windows 7 or 8 - both wired and wireless. But, here is a scenario that I can't seem to find a good answer for. All my searches result in answers for corporate wifi; but not what I need.
  So, an employee checks out a laptop to use on a trip. It has AnyConnect 4.0.x VPN and NAM installed (SBL - GINA needs to be added). Windows 8 allows a user who has never used a Win8 laptop to connect to WiFi and authenticate before attempting to login and get their desktop. If the Win 7 or 8 laptop is connecting to a corporate AP, ISE automatically authenticates the "machine" so when they enter their user credentials, they will be logging into the Windows domain (GPO's, drive mappings, etc.). Once a Windows 7 laptop has been authenticated with ISE, it doesn't matter which user logs in, the device will already have a connection. Essentially, the user does not have to log in while within the corporate network in order to get their profile created (locally cached credentials).
  But, what if the user has no local profile and tries to use a Windows 7 laptop from their home? They need to be able to connect and authenticate to their home WiFi before AnyConnect can automatically bring up the VPN tunnel. The GINA module will do an SBL for a VPN connection but that's not going to work if they don't have a WiFi connection. This scenario is possible in my environment.
  So, can AnyConnect GINA also manage a WiFi login before a user tries to get to a desktop for the first time?
  The perfect scenario would be where we hand out emergency laptops to first time users, they connect to whatever WiFi they have access to (non-corporate), the VPN tunnel comes up and when they login, they login into the Windows domain, not locally.
  Thanks!

  Just so everyone knows...
  Please take note of the specific processor which is included with your HP Pro 3130 MT.
  HP Pro 3130 MT motherboards with specific processors do not have any onboard (integrated) graphics, although they still have the VGA and DVI connectors. This means that although you may remove the PCIe Graphics Card, you will not be able to be able to use a monitor with the onboard VGA or DVI (because there is no integrated graphics).  This also means that you will not be able change your bios to onboard graphics (because there is no integrated graphics).
  "NOTE: HP Pro 3130 with Intel Core i5 750 processor or any Intel i7 processor has no integrated
  graphics."(1)
  (1) Source: http://h18000.www1.hp.com/products/quickspecs/13640_ca/13640_ca.PDF
  If you would like to know why, let me know. Thanks!
  -Dave

• ISE 1.2 EAP Chaining and Windows 8 - Auth failures

  Hi All,
  I've got a couple sites that appear to have issues with EAP chaining, ISE 1.2 and Anyconnect client on windows 8 enterprise.
  Basically the windows 8 machines authenticate intermittently and randomly but largely fail auth. 
  Often the client will work perfectly for a boot even after a few reboots etc and then might stop working.  Other clients won't work at all no mater what settings you configure.
  Outer Method - EAP-FASTv2
  Inner Method - MSChapV2
  ISE 1.2 with Patch 1 (latest)
  Windows 8 Enterprise - with patch http://support.microsoft.com/kb/2743127
  Anyconnect Client  3.1.0466 (latest)
  Machine and User Auth Against AD.
  Cert checks disabled for testing.
  Clients using same configuration.xml file
  Symptom is Anyconnect prompts for username / password instead of using existing credentials.  Typing credentials doesn't work.
  Logs show failed "anonymous" authentications or client EAP timeouts.
  Cheers
  Peter.

  Hi Peter,
  It sounds like the Inner Method is not being negotitated properly so its only reading the Outer Method which by default is set to show "Anonymous" in AnyConnect Profiles.
  Is it possible to upload a PDF version or copy paste the output of the failure from ISE's perspective?
  Kind Regards,
  Vlad