ISE Automatic Remediation
Hi,
We've been deploying an ISE solution (version 1.1.0-665) at one customer and we have a question regarding Posture Assessment/Remediation. We're trying to check AV installation and definitions, and this check is working fine, but things get a little bit complicated when we try to remediate the machines.
In our Posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers, nor the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP), and we redirect all HTTP and HTTPS traffic to the ISE in order to force Posture for users who need the Web Agent.
This means that when Posture Assessment fails and we need to remediate the client's machine, we are going to have problems performing automatic remediation, since our AV (McAfee), as well as many others, tries to access update servers using port 80 and that traffic will be redirected per the Redirect ACL.
Is there a way to overcome this problem? Including update servers in our Redirect ACL deny lines is not an option, since there are too many and they are dynamic.
Can you help us with this issue? Thanks!
Best regards,
Carlos Morais
Hi,
No, there is no way of doing automatic remediation on external servers unless you exempt them from redirection in the Posture ACL. They have a NAC-style solution on the roadmap, however. I'm sending below the answer provided by TAC:
"If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."
Best regards,
Carlos Morais
Similar Messages
-
ISE Posture Remediation issue with AV client installation
Problem: If the user starts the AV client installation on the PC via AV link remediation, after some time (while the AV client installation is not yet completed) a Trend Micro Update window pops up, but automatic AV or AS definition remediation does not start and the Cisco NAC agent shows the message that the AV definition is not up to date.
Also, sometimes the NAC agent gives the message "automatic remediation failed" or requires user intervention to press OK so NAC can complete the remediation process.
I am facing these issues when users don't have an antivirus client on the PC and are performing the client installation.
We have the following posture policies:
1. AV installation check: if AV is not installed on the PC then perform link remediation and let the user download the antivirus client from the provided link.
2. AV definition & AS definition version check (I put both remediation requirements in one policy): if the AV or AS definition version is found to be old then perform automatic remediation.
3. WSUS check
4. SP check
Actually, what I want is: first the user installs the AV client via link remediation; once installation completes, move on to AV & AS definition remediation if required (because on the first AV client installation it automatically downloads all updates from the AV server); otherwise the definition remediation policy should wait for the AV client installation to complete.
Please can anybody let me know how remediation works internally? E.g. if "AV inst" remediation starts, does the NAC agent wait for its completion and not start other remediation processes such as AS & AV def?
Second question: what is the remediation process sequence?
Third question: is there any way we can configure a timer in the remediation process, e.g. 5 min for AV inst, then 3 min for AV & AS def remediation, and then go on to the other posture remediations?
Please check the below guide for Posture Configuration:
http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080c15540.shtml -
McAfee Antivirus automatic remediation
Hello All,
I'm having an issue with McAfee Antivirus remediation. I'm using Cisco NAC 4.8.2 and it seems that automatic remediation is not working.
Could someone help?
Is there a webpage where we can check which AV can do automatic remediation?
Hello,
Here are the links to the Windows and MacOS supported AV/AS on NAC 4.8.2:
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/WinAV-AS-vers86.pdf
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/MacOSXAV-AS-ver9.pdf
Regards. -
Delaying ISE Posture / Remediation
Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
Is this possible?
What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a networking issue during remediation. This is because we have a proxy server and you must have elevated privileges to download certain file types from the internet, such as executables.
To get round the limitation of the NAC agent not being able to be configured to use its own web proxy settings with a user account with more privileges, we use different locations in our AV product, so that once the AV product realises that the laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
Hope that makes sense.
Mario
Hello Mario,
You can customize remediation timeout settings for your requirement. Please review the following:
Remediation Timeout Customization (Parameter / Default Value / Valid Range / Description or Behavior)
Remediation timer: default 4, valid range 1-300. Specifies the number of minutes the user has to remediate any failed posture assessment checks on the client machine before having to go through the entire login process over again.
Network Transition Delay: default 3, valid range 2-30. Specifies the number of seconds the agent should wait for network transition (IP address change) before beginning the remediation timer countdown.
Note: When you use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends the "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of using the "Network transition delay" setting used for Windows agent profiles. If you do not use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends the "Network transition delay" timer settings to client machines, but Cisco ISE will not send both.
For a more detailed understanding of this, please visit the section Configure Client Provisioning Policies > Remediation Timeout Customization at the following location in the ISE user guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
You may also want to review more options that you can customize in Configure Client Provisioning Policies section.
Regards,
Ashok -
NAC Appliance and BigFix Automatic remediation
Hi,
I want to integrate NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me a document for the same if anyone has done this in their organization.
Regards,
Amit -
Dear All,
I am facing an issue with automatic discovery of the ISE node by the NAC agent (Discovery Host). Our client was using Cisco NAC 3310 appliances, which have been replaced by ISE, and we have upgraded the NAC agent software as well. Now what is happening is that whenever the NAC agent starts on a user PC it shows the IP address of the old NAC manager in the Discovery Host field of the NAC agent, and due to this, posture assessment doesn't complete and the user gets stuck in the remediation state.
As a workaround, I changed the IP address manually in the Discovery Host option of the NAC agent to point towards the new ISE node, and then posture assessment gets completed. So kindly advise how I can make this process automatic so that the NAC agent communicates with ISE automatically.
Regards,
Mujeeb
Hi,
It has been resolved without a manual entry in the NAC agent or the NACAgentCFG file. Actually the redirection was not working properly for the agent, so I changed the redirect ACL as follows:
ip access-list extended ACL-AGENT-REDIRECT
 remark DNS is exempt from redirection so the agent can resolve names
 deny udp any any eq 53
 remark all other HTTP is redirected to ISE, which is how the agent discovers the node
 permit tcp any any eq 80
Kindly refer to the following document for the same.
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_10_universal_switch_config.pdf
Now the agent is able to find the primary ISE node and posture is working fine.
Regards,
Mujeeb -
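The redirect-ACL behaviour described in the first post (port 80 AV updates hijacked because everything except DNS/DHCP/ICMP and the posture ports is redirected) and the two-line ACL Mujeeb pasted above can both be checked offline with the evaluator below. It is an added example, not code from any post in this thread or from Cisco: a first-match evaluator for URL-redirect ACL semantics (permit = hijacked to the ISE portal, deny = exempt). The ISE address 10.0.0.5, the DNS/DHCP hosts 10.0.0.53 and 10.0.0.1, the AV update server 203.0.113.10 and the ACL text are constructed assumptions.

```python
# Added example: first-match evaluator for Cisco URL-redirect ACL semantics
# ('permit' = hijacked to the ISE portal, 'deny' = exempt). Addresses and ACL
# text are constructed assumptions, not a real customer configuration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}  # IOS keywords handled


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    dst: str        # destination IPv4 address
    dport: int = 0  # destination port (0 for icmp)


def _addr(tok):
    """Consume one IOS address spec ('any' or 'host A.B.C.D'); return (network, rest)."""
    if tok[0] == "host":
        return ip_network(tok[1] + "/32"), tok[2:]
    return ip_network("0.0.0.0/0"), tok[1:]   # 'any'


def parse_acl(text):
    """Turn 'ip access-list extended ...' text into (action, proto, dst_net, port) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark", "!"):
            continue                              # header, remark or comment line
        action, proto = tok[0], tok[1]
        _, rest = _addr(tok[2:])                  # source spec (not needed for this check)
        dst, rest = _addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else 0
        aces.append((action, proto, dst, port))
    return aces


def redirected(aces, flow):
    """First matching entry decides; no match hits the implicit deny, i.e. not redirected."""
    for action, proto, dst, port in aces:
        if proto not in ("ip", flow.proto) or ip_address(flow.dst) not in dst:
            continue
        if port and port != flow.dport:
            continue
        return action == "permit"
    return False


# Constructed ACL following the first post: exempt DNS/DHCP/ICMP to infrastructure
# hosts and the posture channel to the ISE (10.0.0.5); hijack all other web traffic.
REDIRECT_ACL = """
ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any host 10.0.0.53 eq domain
 deny udp any host 10.0.0.1 eq bootps
 deny icmp any any
 deny tcp any host 10.0.0.5 eq 8443
 deny tcp any host 10.0.0.5 eq 8905
 deny udp any host 10.0.0.5 eq 8905
 deny tcp any host 10.0.0.5 eq 8906
 permit tcp any any eq www
 permit tcp any any eq 443
"""

DNS_LOOKUP = Flow("udp", "10.0.0.53", 53)
POSTURE = Flow("tcp", "10.0.0.5", 8905)
AV_UPDATE = Flow("tcp", "203.0.113.10", 80)   # hypothetical AV vendor update server


def exempt_host(acl_text, host, port):
    """The only workaround the thread offers: a deny for the update server ahead of the permits."""
    head, tail = acl_text.split(" permit", 1)
    return f"{head} deny tcp any host {host} eq {port}\n permit{tail}"


if __name__ == "__main__":
    aces = parse_acl(REDIRECT_ACL)
    print("DNS redirected:", redirected(aces, DNS_LOOKUP))          # False
    print("posture redirected:", redirected(aces, POSTURE))         # False
    print("AV update redirected:", redirected(aces, AV_UPDATE))     # True, so remediation fails
    fixed = parse_acl(exempt_host(REDIRECT_ACL, "203.0.113.10", 80))
    print("after exempting the server:", redirected(fixed, AV_UPDATE))  # False
```

Feeding Mujeeb's ACL (deny udp any any eq 53 / permit tcp any any eq 80) to the same evaluator shows that only port 80 is hijacked there, which is why the agent's HTTP discovery probe lands on the ISE while HTTPS passes straight through.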
ISE Addon for Checkout or Checkins via TFS 2013
Hi
I am coordinating the development of some PowerShell scripts to work against our SharePoint farm. Now, as there is more than just me developing these scripts, I think we need to start doing regular check-ins and check-outs in our TFS 2013. Anyway,
I naively thought there must be an add-on I could add to ISE for this, since it seems such a common requirement. However, there doesn't seem to be much out there that is actively being used. Are there alternatives that are widely used, such as a series of PS functions,
that anyone knows about?
Daniel
Freelance consultant
Hi Daniel,
If you want to complete check-out in PowerShell ISE automatically, please go through this article:
Protect Your PowerShell Scripts with Version Control
In addition, you can also refer to this script
PowerShell ISE-specific profile script, which performs a few simple things:
Checks if you have the TFS client installed (eg Team Explorer).
Registers for ISE events on each open file and any files you open later.
Upon editing of a file, if it is TFS-managed then checks it out.
The end result is the same TFS workflow experience from within the PowerShell ISE as Visual Studio provides.
Refer to:
Automatic TFS Check Out for PowerShell ISE
If there is anything else regarding this issue, please feel free to post back.
If you have any feedback on our support, please click here.
Best Regards,
Anna Wang
TechNet Community Support -
Nac Agent do not execute remediation
Hi to all,
In a lab environment I have configured a CAM/CAS solution on a 3310 server and I have installed 2 PCs (one Windows Vista and one XP) with NAC client version 4.6.2.133.
My problem is auto-remediation and manual remediation: the client gets temporary access but does not start a LiveUpdate program (I use Symantec Endpoint Protection 11).
I have admin rights on both PCs.
How can I solve the problem?
Thanks for help
There is no automatic remediation for all products. You must launch the endpoint protection, click LiveUpdate, then re-scan on the NAC agent and you will pass.
Quote from Cisco Doc (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html):
"• Not all product versions of a particular vendor may support the Clean Access Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product."
If you have verified that your requirement-rule is specifically for Symantec Endpoint Protection 11, and the rule has automatic remediation configured, then it may fall into this scenario. You may also have it configured where the endpoint protection is not accessible to the end-user and requires admin rights to launch. Please put the client in debug and send the results to TAC for analysis, as it would be the best bet for you to get a clear answer.
Hope that helps, rate if it does.
Cheers,
Tim -
Wireless posturing at branch sites
Hi all,
I have been looking into an enterprise-wide wireless solution for my company and I completely understand wireless posturing using WLCs & ISEs at our campus sites; however, what I am struggling to get a black-and-white answer for is whether the same posturing can be done at the branch without having to tunnel all wireless traffic back to our DataCenters.
We have a number of small sites (5 - 15 users on DSL), and we do not want to tunnel traffic back due to limited bandwidth, so we want to know whether using Cisco kit can help us keep the wireless traffic locally switched and still apply posturing and automatic remediation techniques.
Our Cisco partner has advised that we should use H-REAP, or FlexConnect as it's known now. But they advise that the drawback to this is that APs in H-REAP mode are not compatible with the ISE currently, meaning that the only way of achieving posturing is tunnelling all wireless traffic back to the DataCenter.
I thought that posturing only requires seeing the report from the NAC agent on the client machines. I did not think that posturing required the ISE to actually look at the client's traffic.
I can understand that maybe we will need a WLC at every site as the WLC supports the RADIUS CoA attribute, but will we need an ISE as well?
Currently, I cannot find any Cisco Wireless / ISE design examples that fit our requirements. Effectively, we have 2 datacenters and then hundreds of very small DSL branch sites, and a few bigger branch sites with 10mbps ethernet bearers. Our end goal in security is that we want to provide 802.1x authentication at the network edge both wirelessly and wired. Can Cisco kit currently do this?
I hope this all makes sense.
thanks
Mario De Rosa
Hi,
One important problem that we came up against with FlexConnect clients was that the ISE could not push an ACL when doing a CoA.
So, when a client needs to go through posture, you can push out a VLAN, and an ACL restricting network access.
BUT...
once posture is passed and the ISE issues a CoA, the ISE can only push a VLAN to place the client into. The ISE completely removes the ACL, effectively permitting complete unrestricted access to the network. Meaning that you cannot push dACLs for particular user types.
This is probably not much of an issue if you have full control and management of your own WAN. We do not, so having VLANs added to remote sites for particular groups of users would have cost us money every time. Plus, changing any ACLs on our WAN routers would also have cost us money.
I'm not sure whether this is a Wireless Controller limitation or an ISE limitation.
Mario -
Windows 7 -How to authenticate to WiFi (home or public) with AnyConnect NAM installed
Hello,
We are deploying ISE and connecting to the company's WiFi using a "machine" login (active directory laptop) works fine on Windows 7 or 8 - both wired and wireless. But, here is a scenario that I can't seem to find a good answer for. All my searches result in answers for corporate wifi; but not what I need.
So, an employee checks out a laptop to use on a trip. It has AnyConnect 4.0.x VPN and NAM installed (SBL - GINA needs to be added). Windows 8 allows a user who has never used a Win8 laptop to connect to WiFi and authenticate before attempting to login and get their desktop. If the Win 7 or 8 laptop is connecting to a corporate AP, ISE automatically authenticates the "machine" so when they enter their user credentials, they will be logging into the Windows domain (GPO's, drive mappings, etc.). Once a Windows 7 laptop has been authenticated with ISE, it doesn't matter which user logs in, the device will already have a connection. Essentially, the user does not have to log in while within the corporate network in order to get their profile created (locally cached credentials).
But, what if the user has no local profile and tries to use a Windows 7 laptop from their home? They need to be able to connect and authenticate to their home WiFi before AnyConnect can automatically bring up the VPN tunnel. The GINA module will do an SBL for a VPN connection but that's not going to work if they don't have a WiFi connection. This scenario is possible in my environment.
So, can AnyConnect GINA also manage a WiFi login before a user tries to get to a desktop for the first time?
The perfect scenario would be where we hand out emergency laptops to first time users, they connect to whatever WiFi they have access to (non-corporate), the VPN tunnel comes up and when they login, they login into the Windows domain, not locally.
Thanks!
Just so everyone knows...
Please take note of the specific processor which is included with your HP Pro 3130 MT.
HP Pro 3130 MT motherboards with specific processors do not have any onboard (integrated) graphics, although they still have the VGA and DVI connectors. This means that although you may remove the PCIe graphics card, you will not be able to use a monitor with the onboard VGA or DVI (because there is no integrated graphics). This also means that you will not be able to change your BIOS to onboard graphics (because there is no integrated graphics).
"NOTE: HP Pro 3130 with Intel Core i5 750 processor or any Intel i7 processor has no integrated graphics."(1)
(1) Source: http://h18000.www1.hp.com/products/quickspecs/13640_ca/13640_ca.PDF
If you would like to know why, let me know. Thanks!
-Dave -
Windows Update Service keeps turning back on
I have Windows Update service stopped and Disabled in my image. It doesn't turn back on upon every reboot I attempt.
However, once I use it in an OSD to apply image and carry out my OSD task sequence, every single time the Windows Update service now shows as "Started" with Startup Type configured as "Automatic (Delayed Start)".
I'm not seeing anything in my setupcomplete.cmd that indicates this service should be turned on. I'm not seeing anything in OSD that indicates this should be turned on.
maybe I am missing something though. Is SCCM configured to turn services back on for me or should I be looking somewhere else to see why?
There's no GPO for Windows Update in the AD I'm on either.
I came across this, is this legitimate? SCCM 2012 R2 CU4
http://blogs.technet.com/b/configurationmgr/archive/2013/02/05/support-tip-after-disabling-the-windows-update-service-it-automatically-becomes-enabled-the-next-day.aspx
So this was what was enabling our Windows Update Service every day. To prevent this from happening we can exclude clients from remediation via a Registry change on the client:
1. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval\NotifyOnly.
2. Change the value to True
When set to True, the client computer will not automatically remediate any problems that are found, however you will still be alerted in the Monitoring workspace
about any problems with this client. More information and alternate methods for disabling remediation on selected machines can be found at http://blogs.technet.com/b/seanm/archive/2012/12/20/configuration-manager-client-health-disable-automatic-remediation-for-selected-machines.aspx
When set to False (the default setting), the client computer will automatically remediate problems when they are found and you will be alerted in the Monitoring workspace. For more information see How to Configure Client Status in Configuration Manager at http://technet.microsoft.com/en-us/library/hh338432.aspx.
Yes that's the blog entry I have linked to. It will do what you require.
Cheers
Paul | sccmentor.wordpress.com -
Automatic Antivirus Remediation in Posture
Hi All,
I have configured ISE (1.2) to check antivirus installation on endpoints and it is working flawlessly.
Now, the client wants,
1) If Antivirus is not updated on endpoint for more than 5 days; it should be considered as "non-compliant" and as a remediation action; updates should be downloaded automatically.
--> I configured AV Remediation action.
Now, the problem is when endpoint gets categorized as non-compliant, ideally AV updates should get downloaded on endpoint as a remediation action. But AV updates are not getting downloaded.
Please help me in solving this problem..
Thanks in advance,
Aditya
Adding an Antivirus Remediation
You can create an antivirus remediation, which updates clients with up-to-date file definitions for compliance after remediation.
The AV Remediations page displays all the antivirus remediations along with their name and description and their modes of remediation.
Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click AV Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New AV Remediation page.
Step 6 Click Submit.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_pos_pol.html#pgfId-1924006
Antivirus Remediation
The following table describes the fields in the AV Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > AV Remediation.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ui_reference_policy.html#23739
Table C-23 Antivirus Remediation (Fields / Usage Guidelines)
Name: Enter a name for the antivirus remediation.
Description: Enter a description for the antivirus remediation.
Remediation Type: Choose one of the following:
  Automatic: When selected, you should enter values for the Interval and Retry Count.
  Manual: When selected, the Retry Count and Interval fields are not editable.
Interval (in seconds): Enter the time interval in seconds that clients can try to remediate after previous attempts.
Retry Count: Enter the number of attempts that clients can try to update an antivirus definition.
Operating System: Choose one of the following:
  Windows
  Macintosh: When selected, the Remediation Type, Interval, and Retry Count fields are not editable.
AV Vendor Name: Choose the antivirus vendor. -
We're working with Cisco ISE 1.3.0.876 and the NAC Agent with posture policies, and we need a remediation that automatically sends the client to the Symantec Endpoint Protection server that is local. How can we do that?
We're running version 12.1.4. Can I do a file remediation for the antivirus files? Why does Cisco ISE only permit uploading files of up to 50MB?
-
ISE 1.2 - AV/AS Remediation missing vendors
Trying to create a remediation rule in ISE 1.2 patch 3 and the drop down list for the AV/AS Vendor Name is not scrollable so I am not able to select our AS/AV vendor. See picture below:
You're right. I just tested this and was able to scroll down using the down arrow on the keyboard.
-
ISE Posture Condition for Windows Service Pack and Remediation
Hi,
We are running ISE ver 1.1.1 and are currently in PoC. I have the following points to be clarified for Posture and Remediation.
1) How to configure a condition to check the Windows Service Pack (maybe for more than one Windows flavor such as XP, Win 7 and Win 8), and how to remediate in case the client is not complying with the Windows requirement.
2) I configured the AV condition and it looks like it's working fine; however, I still couldn't find where to configure how to remediate in case the client does not have the proper version and AV definition on his PC.
3) We have an Authorization profile configured with the dACL "Posture Remediation" where we allow the AV server update URL, and also a matching ACL "Posture Redirect" configured on the switch; we want to know the exact purpose of these two ACLs.
4) Where can we see the non-compliance logs and find out the reason for non-compliance?
Appreciate it if someone can please give us a proper document to achieve the above tasks or send me any working scenario configuration steps.
Thanks in advance.
1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or a Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where the NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up to date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or a locally administered WSUS server, for compliance.
The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names and descriptions, as well as their modes of remediation.
check the following link for configuration
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
2. For AV/AS Remediation configuration check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420