ISE Posture Assessment

Similar Messages

• Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

  We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
  They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
  From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
  Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
  One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
  I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
  Any thoughts? Thanks in advance.

  Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
  Thank you for rating helpful posts!

• ISE 1.2 Posture Assessment with AnyConnect Client

  Hi Experts,
  I need clarity for posture assessment with AnyConnect client. I understood that we had traditional NAC agent with ISE 1.1.
  Since new Anyconnect version 4 has come which is used for ISE 1.3 posture assessment however I am not sure if I can use Anyconnect 4 with ISE 1.2 ?  Can you please put light on this ?
  if not , do I need to upgrade to ISE 1.3 ? what is the process to upgrade to ISE 1.3 ?
  Thanks in advance

  ISE can provision clients with agent and configure agent profiles.You have Client-provisioning policies that enable users to download and install resources on client devices.(Windows and Mac OS X NAC Agents, Cisco NAC Web Agent.

• Simple Web Auth policy and simple posture assessment policy in ISE

  G'day All,
  I've just finished reading through the Cisco BYOD with ISE document and it's left me a little more confused than when I started.
  I completely understand the onboarding process and the different policy elements that make up the self registration/onboarding configuration.
  What I'd like to do is put together an ISE configuration that is a lot simpler for the BYOD user.
  Is anyone able to advise if it is possible to have a single dot1x SSID with ISE that has a policy for Window Laptops using AD authentication for the user and Posture assessment and a policy for all smart devices (iOS and Android) that is just AD authentication of the user, without the need for device registration?
  The target user demographic for my deployment are really not technical so having to go through the onboarding process, especially for the Android devices, with the pre-installation of the cisco app, etc, really isn't what they are looking for.
  Huge thanks for any assistance.
  Cheers,
  JS

  Yes, that's possible. But without "device registration" then you need to configure Wireless 802.1x manually in every Android device.
  Please rate if that helps.

• Cisco ISE inline posture node Posture assessment query

  Hi all,
  i read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...
  "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
  they are likely to fall into one of the identity groups that already have authenticated and authorized users
  connected to the network.
  For instance, there may be an employee, executive, and guest that have been granted access through the
  outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
  groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
  and authorization uses the existing installed profiles on the Inline Posture node, unless the original
  profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
  with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
  Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?
  I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
  Thanks!
  Mario

  I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and a endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and an URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
  After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
  So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint is goes through reauth via CoA.
  If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
  https://communities.cisco.com/docs/DOC-30977
  HTH,
  Ryan

• Pre-login posture assessment - possible with ISE?

  Does anyone know if it is possible (or not) to have a windows machine posture assessed on boot? ie. before anyone logs in on it. Currently, I have to log in on my machine before the assessment starts. It would be good to have assessment begin as soon as the machine boots so that (assuming the machine passes assessment) it is completed by the time I log in. We are using the NAC Agent with ISE1.2.
  Thanks in advance for your thoughts.

  As far as i know, the posture agent does not do anything before user has logged in, i have never seen a posture report in ise, that indicates anything else, because you would get many failed posture compliance checks, if it did (checking user keys, user files, av status and so on in machine land).

• ISE post compliant posture assessment URL redirection

  G'day All,
  Is anyone aware if it is possible for ISE to push a URL redirection to user devices once they have passed the posture assessment?
  I am deploying a wireless BYOD ise deployment with AD auth and posture assessment, and we are hoping to find an easy way to push the compliant users to a new URL once they have passed posture.
  Thanks gang.
  Cheers,
  James.               

  It is not possible to redirect user after authentication and posturing to a specific URL. because ISE does not support this feature till now.
  I think  URL redirection can be done in web authentication if used in case of employee.
  Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles
  Step 18 Select Add to create a new Authorization Profile for Central Web Authentication:
  Name
  Central_Web_Auth
  Description
  (optional)
  Access-Type
  ACCESS_ACCEPT
  DACL   Name
  CENTRAL_WEB_AUTH
  Centralized   Web Authentication
  ACL:
  ACL-WEBAUTH-REDIRECT
                                                            Redirect : Default
  “ACL-WEBAUTH-REDIRECT” is  configured on  switch  which determines to which destination it will redirect 

• Cisco ISE posture assesment and client provisioning

  Hello,
  I have Cisco ISE and Cisco IOS device. I have configured RADIUS in between these device.
  Also I have configured RADIUSbetween Cisco ISE and Cisco ASA. Now I want to know that how to do posture assesment for these devices(Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me whole steps to do posture assesment for cisco ios device in Cisco ise.
  Also, please provide me logs related to posture assesment and client provisioning.
  Thanks in advance.

  You may go through the below listed link to download a PDF link
  Posture assessment with ISE.
  http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Delaying ISE Posture / Remediation

  Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
  Is this possible?
  What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a Networking issue during remediation. This is because we have a proxy server and you must have elevated priveledges to download certain file types from the internet such as executables.
  To get round the limitation of the NAC agent not being able to be configured to use its own Web Proxy settings with a user account with more priveledges, we use different locations in our AV product so that once the AV Product realises that the Laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
  However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
  Hope that makes sense.
  Mario                  

  Hello Mario,
  You can customize remediation timeout settings for your requirement. Please review the following:
  Remediation Timeout Customization
  Parameter
  Default Value
  Valid Range
  Description or   Behavior
  Remediation   timer
  4
  1-300
  Specifies    the number of minutes the user has to remediate any failed posture  assessment   checks on the client machine before having to go through  the entire login   process over again.
  Network   Transition Delay
  3
  2-30
  Specifies    the number of seconds the agent should wait for network transition  (IP   address change) before beginning the remediation timer countdown.
  Note When    you use the "Enable agent IP refresh after VLAN change" option,    Cisco ISE sends "DHCP release delay" and "DHCP renew   delay" settings  (as specified below) instead of using the "Network   transition delay"  setting used for Windows agent profiles. If you do not   use the "Enable  agent IP refresh after VLAN change" option, Cisco ISE   sends "Network  transition delay" timer settings to client machines,   but Cisco ISE  will not send both.
  For more detail understanding on this, please visit the section  Configure Client Provisioning Policies > Remediation Timeout  Customization at the following location in ISE user guide -  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
  You may also want to review more options that you can customize in Configure Client Provisioning Policies section.
  Regards,
  Ashok

• ISE Posture

  Hi Guys,
  I am studing the ISE appliance but i have some doubts about how to configure the Posture policies, in other words, is there
  a sequence that i can follow to construct a simple posture police like a simple AV process running verification?
  I now that there are some possibilities, but i remember that on NAC we had for example
  Checks - Simples condition
  Rules - Compound conditions
  Requeriments - Compound conditions apply on some users.
  thanks

  Creating a new posture policy
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1920487
  Posture Assessment and Remediation Options in Cisco ISE
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp2070069
  In order to create a AV posture policy, you can start from here.
  Jatin Katyal
  - Do rate helpful posts -

• Prerequisite to enable Profiling for posture assessment to check the AV, Patches, OS update

  Hi Experts,
  I have wireless set-up with two SSID , one is used for corporate users with dot1x auth and other one for guest using CWA .
  I understood that , i do not need to buy any license or pay to cisco for Wireless license however i want to understand for enabling profiling for posture assessment .
  I understood that I need have advance license for posture assessment however I am looking out for information about costing to buy advance license and is there any prereuisite to configure posture assessment other than additional license?

  There were a few changes in ISE v1.3:
  - Base License = The same
  - Plus License = The same (with some more features)
  - Advanced License = Apex
  - Wireless = Mobility (Now it includes VPN based authentications as well)
  So your plan is to run the new version of ISE (1.3) and AnyConnect 4 then you will need to have:
   - ISE Mobility License (Includes Base, Plus and Apex for wireless and VPN)
   - AnyConnect APEX license - This one is on the honer system and it is not installed on ISE
  If you plan to use posture on wired as well then instead of the "mobility" license you will need to get:
   - ISE Base
   - ISE Plus
   - ISE Apex
   - AnyConnect Apex
  Thank you for rating helpful posts!

• AnyConnect - Posture Assessment Failed: Unable to get the available CSD version....

  Hello all
  I am attempting to get the HostScan posture assessment working so we can check that any device connecting to the ASA is a valid corporate asset.
  I have installed the posture module onto our test client machine (Windows 8.1) using the following software:
  anyconnect-posture-win-4.0.00061-pre-deploy-k9
  Then in ASDM under Remote Access VPN > Host Scan Image I have uploaded the following package:
  disk0:/hostscan_3.1.06073-k9.pkg
  ...and ticked the box 'Enable Host Scan/CSD'.
  Under Remote Access VPN > Secure Desktop Manager I have configured an initial simple Prelogin policy to test it working, this simply just checks that the OS is Windows 8. A success should map this user to a Group Policy I have created that is mapped to a Connection Profile. 
  So, with all that said, when I try to connect I see that the AnyConnect client going through the motions: "Posture Assessment: Checking for updates....", after which I get a pop-up and error message:
  "Posture Assessment Failed: Unable to get the available CSD version from the secure gateway"
  A bit stumped here and haven't quite found much on the web as to how to resolve this.
  Has anyone encountered this before? If so, can you advise on what I can do
  By the way I am connecting using IKEv2 (IPsec) as these are the requirements and the AC version is 4.0.00061, ASA version: 9.2(1).
  Many thanks

  Hello
  Please forgive the shameless bump. Was hoping someone could help?
  Many thanks

• ISE posture requirement to check if endpoint's USP port is disabled

  Hi,
  I wonder if it is possible to set the disabled USP Port in the endpoints as a requirement in ISE Posture ?
  Appreciate your input.
  Mike

  If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.
  Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
  You would have to create a New Posture Condition and Remediations.
  The condition that I will use in this example is a Registry Key.
  If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.  A value of 4 is disabled.
  So set a Posture Condition:
  Click Policy > Policy Elements > Conditions
  Choose Posture from the left menu:
  Then choose Registry Condition from the left menu.
  Click +Add to add a new Posture Condition:
  Then you have to create Remediation Actions.  Click the Results button at the top of the left Menu:
  Choose Remediation Actions and choose the Remediation you want to use.  I chose Link Remediation.
  +Add to add a new Link Remediation:
  Then choose Requirements from the left menu and create a new Remediation Result:
  Of course, you can choose different remediations as necessary for your environment.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• NAC not doing posture assessment

  Hello All,
  I am having diffculty with NAC where its not doing posture assessment. I ran through the configuration guide and followed it to the T but still no luck. I am running NAC 4.5(1) for In Band wireless. Any ideas as to what i should be looking at next?
  Thanks,
  G

  What devices etc you using to implement NAC? Are you using ACS Server? or NAC Appliance?
  What mode of NAC are you using? L2 dot1x; L2 IP or L3 IP?
  What authentication are you using? (Take a look at your settings under System Config -> Global Authentication, if using Cisco ACS)
  A lot of issues I have seen with NAC is down to certificates/ca chains on the NAC posture server and the end clients.
  Stu

• Does Cisco NAC Support Continuous Posture Assessment ?

  Hi all,
  Cisco does not seem to support continuous posture assessment when running out of band or in band ? What I mean is after authentication during authorization phase I ve been assigned to a role and according to that role I receive a posture result, if that posture result is pass then Ive been evaluated as a healthy end point and receive a Certificate. Then the switchport that I am connected to gets assigned to the corporate VLAN. Afterwards till my certificate expires system will always think that I am healthy.
  Ive gone through 4.8 release notes, it still does not seem to be supported ?
  Any comments are appreciated.
  Dumlu

  I think this is mentioned in the release notes; did you check the following section?
  http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp1105597
  Regards
  Farrukh