ISE - posture fails

Similar Messages

• Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

  We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
  They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
  From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
  Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
  One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
  I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
  Any thoughts? Thanks in advance.

  Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
  Thank you for rating helpful posts!

• Cisco ISE authentication failed because client reject certificate

  Hi Experts,
  I am a newbie in ISE and having problem in my first step in authentication. Please help.
  I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
  Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
  Regards,
  Ratna

  Certificate-Based User Authentication via Supplicant Failing
  Symptoms or
  Issue
  User authentication is failing on the client machine, and the user is receiving a
  “RADIUS Access-Reject” form of message.
  Conditions (This issue occurs with authentication protocols that require certificate validation.)
  Possible Authentications report failure reasons:
  • “Authentication failed: 11514 Unexpectedly received empty TLS message;
  treating as a rejection by the client”
  • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
  the client rejected the Cisco ISE local-certificate”
  Click the magnifying glass icon from Authentications to display the following output
  in the Authentication Report:
  • 12305 Prepared EAP-Request with another PEAP challenge
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is reusing an existing session
  • 12304 Extracted EAP-Response containing PEAP challenge-response
  • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
  client
  • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
  client
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is re-using an existing session
  • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
  • 12815 Extracted TLS Alert message
  • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
  Cisco ISE local-certificate
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  Note This is an indication that the client does not have or does not trust the Cisco
  ISE certificates.
  Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
  The client machine is configured to validate the server certificate, but is not
  configured to trust the Cisco ISE certificate.
  Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

• ISE Posture Assessment

  Hi,
  While reading about ISE posture, I got to know that ISE searches” User Agent” attribute for string “NAC Agent” to confirm that NAC agent is present on particular machine.This information is passed to ISE when user opens Web Browser i.e. user gets redirected
  If NAC agent is not present on machine then NAC agent will get downloaded and then Posture assessment starts.
  While testing this on ISE, I noticed that
  If NAC agent is already present on machine then directly posture assessment starts even without opening web browser.
  Now my question is, how ISE does come to know that NAC agent is already present on machine without opening web browser.
  Regards,
  Aditya

  I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
  Default Posture Status
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
  Jatin Katyal
  - Do rate helpful posts -

• ISE posture requirement to check if endpoint's USP port is disabled

  Hi,
  I wonder if it is possible to set the disabled USP Port in the endpoints as a requirement in ISE Posture ?
  Appreciate your input.
  Mike

  If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.
  Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
  You would have to create a New Posture Condition and Remediations.
  The condition that I will use in this example is a Registry Key.
  If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.  A value of 4 is disabled.
  So set a Posture Condition:
  Click Policy > Policy Elements > Conditions
  Choose Posture from the left menu:
  Then choose Registry Condition from the left menu.
  Click +Add to add a new Posture Condition:
  Then you have to create Remediation Actions.  Click the Results button at the top of the left Menu:
  Choose Remediation Actions and choose the Remediation you want to use.  I chose Link Remediation.
  +Add to add a new Link Remediation:
  Then choose Requirements from the left menu and create a new Remediation Result:
  Of course, you can choose different remediations as necessary for your environment.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Cisco ISE: Dot1x failing and MAB succeeded (Intermittent) /or Posture Delay

  Hi,
  We are running the cisco ise 1.1.3 and configured for the Dot1x and MAB authentications. PC's are getting access through MAB while Dot1x failing again and again. But, sometime, same PC is getting authenticating  via Dot1x. Connectivity is intermittent. Also, sometimes, stucks longer in Posture
  We have three different switches at the moment with the latest IOS version.
  1) WS-C4507R-E    =  15.1(2)SG,
  2) WS-C3560-48PS = 12.2(55)SE7
  3) WS-C3750X-24P = 15.0(2)SE1
  Could you anyone pitch the idea? or advise about the latest IOS for the switches.
  Let me know, if you need more information.
  Thanks,
  Regards,
  Mubahser

  It seems your PCs are failing dot1x and also failing MAB authentication, the switch by default will start the process again and will again fail dot1x and MAB authentication, and so on.
  It will be helpful to see the logs from both the switch and the radius servers (i take it is ACS or ISE). Also the configuration of the radius server.

• Primary administration ISE nodes failed

  Hi All,
  I'm going to implement 3 ISE with destributed deployment, 1 ISE will configured as Administration & Monitoring node, and the others as dedicated Policy Service node.
  My questions are :
  1. If the Administration & monitoring node failed, are the authentication, authorization and posture still can be running well on the client ?
  2. Can we promote the dedicated Policy Service Node as  the new administration & monitoring nodes ? If can, how the procedure for promoting it? it's just as simple as promoting the secondary nodes (in case we have primary and secondary nodes) or there is others effort, such as must restoring the database or etc?
  Thanks?
  Regards,
  Rian

  Hi,
  When the primary administration node fails. The psns will still continue to function and enforce policies.
  Since you have a single administration node and if the that node has to be rebuilt, all other nodes will also have to be reset to factory then re registered once the primary node is ready again.
  In that case you can open a tac case yo have them assist in pulling your database from one of the psn nodes.
  As always this is my observations and what I would do if I was in the situation, we can wait for a cisco engineer to respond or you can post this question in a tac case to make sure there isn't an upcoming feature which addresses this scenario.
  Sent from Cisco Technical Support Android App

• Cisco ISE posture requirements whats the ordering of requirements?

  Hi Everyone,
  I am in the middle of deploying the anyconnect posture module (ac 4.0), with ISE 1.3. I have a problem, with the order of which the posture requirements get checked, it does not seem to order the requirements alphabetically, and can't figure out how to make it check for certain things, before other things. An example :
  I have Symantec SEP 12.1 AV in this environment, and i have the following checks :
  - AV_installed : is the av agent installed ?, if not start installation from a network share
  - AV_started : is the av agent started ?, if not try to start the service
  - AV_uptodate : is the av definitions up to date?, if not start the update function in the av client
  Now this is the order it needs to be checked in, as it would fail if i tried to check if the AV is running, before i check if it's actually installd,  but i can't get posture to do that, going on the names of the rules, these should alphabetically be run in the order i have, but they are not.
  Any ideas?, the documentation for posture is lacking to be polite, i have not been able to find anything describing this process.

  Abhishek,
  This is possible, please use this link for reference:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
  Your AV vendor will have to be supported based on the release notes:
  http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Delaying ISE Posture / Remediation

  Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
  Is this possible?
  What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a Networking issue during remediation. This is because we have a proxy server and you must have elevated priveledges to download certain file types from the internet such as executables.
  To get round the limitation of the NAC agent not being able to be configured to use its own Web Proxy settings with a user account with more priveledges, we use different locations in our AV product so that once the AV Product realises that the Laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
  However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
  Hope that makes sense.
  Mario                  

  Hello Mario,
  You can customize remediation timeout settings for your requirement. Please review the following:
  Remediation Timeout Customization
  Parameter
  Default Value
  Valid Range
  Description or   Behavior
  Remediation   timer
  4
  1-300
  Specifies    the number of minutes the user has to remediate any failed posture  assessment   checks on the client machine before having to go through  the entire login   process over again.
  Network   Transition Delay
  3
  2-30
  Specifies    the number of seconds the agent should wait for network transition  (IP   address change) before beginning the remediation timer countdown.
  Note When    you use the "Enable agent IP refresh after VLAN change" option,    Cisco ISE sends "DHCP release delay" and "DHCP renew   delay" settings  (as specified below) instead of using the "Network   transition delay"  setting used for Windows agent profiles. If you do not   use the "Enable  agent IP refresh after VLAN change" option, Cisco ISE   sends "Network  transition delay" timer settings to client machines,   but Cisco ISE  will not send both.
  For more detail understanding on this, please visit the section  Configure Client Provisioning Policies > Remediation Timeout  Customization at the following location in ISE user guide -  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
  You may also want to review more options that you can customize in Configure Client Provisioning Policies section.
  Regards,
  Ashok

• ISE Posture Condition for Windows Service Pack and Remediation

  Hi,
  We having ISE ver 1.1.1 and currently on PoC. I have the following points to be clarified for Posture and Remediation.
  1) How to configure a condition to check Windows Service pack (may be more than 1 Windows favor such as XP, Win 7 and Win 8) and how to remediate in case client is not complying with Windows requirement.
  2) I configure AV condition and looks its working fine, however I still couldnt find the place to how to remediate in case client is not having proper verion and AV definition on his PC.
  3) We have a Authorization profile configured with dACL"Posture Remediation" where we allowing AV server update url and also matching ACL configured on switch "Posture Redirect", wants to know the exact purpose on these two ACLs.
  4) where can we see the logs of none-complaints logs and find out the reason for non-complaints
  appreciate if someone can please give us a proper document to achive the above task or send me any working senario configuration steps.
  thanks in advance.

  1. Windows Server Update Services (WSUS)  remediation remediates Windows clients from a locally managed WSUS server, or  Microsoft-managed WSUS server with the latest Windows service packs, hotfixes,  and patches (WSUS updates) for compliance. You can create a WSUS remediation  where a NAC Agent integrates with the local WSUS Agent to check whether the  endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete  WSUS remediations from the remediations list.
  You can configure Windows clients to  receive the latest WSUS updates from a Microsoft-managed WSUS server, or locally  administered WSUS server for compliance.
  The Windows server update services (WSUS)  remediations list page displays all the WSUS remediations along with their  names, description, and as well as their modes of  remediation
  check the following link for  configuration
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
  2.for AV/AS Remidiaton  configuration check  this link http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420

• ISE posture redirect not working

  ISE v1.1.0.665, 3395 h/w.
  Single Admin/Monitor/Policy node.
  WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M
  For Client Provisioning I created an authorisation policy as follows:
  download acl "ACL-POSTURE-REMEDIATION"
  apply url redirect "ACL-POSTURE-REDIRECT".
  "Debug radius" shows all this is downloaded to the switch but:
  - Redirect does not work.
  - dACL is not applied if the URL redirect is also configured.
  Wireshark on the client shows no direct.
  Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
  I've also attached screen shots of these policies and wireshark.

  Grant,
  It looks like you are changing the vlan after your client gets an ip address, it seems like the client gets an ip address of
  192.168.16.164 and you are changing the vlan over to 516. I wanted to know if that is there isnt an ip to vlan mismatch before you move forward. If 516 is quarantine vlan you may want to start all clients on that vlan and use dynamic vlan assignment through change of authorization once a client becomes compliant. The reason is is that you can use the web portal, or the nac agent to change the ip address once the vlan is changed.
  Thanks,
  Tarik Admani

• ISE Posture Remediation issue with AV client installation

  Problem: If  user start AV client installation in pc via AV link remediation after some time (while AV client  installation not completed yet) trend micro Update windows gets pop up but not start automatic AV or AS def  remediation and Cisco NAC agent shows the message AV definition is not up to date.
  Also some time NAC agent give message automatic remediation failed or required user intervention to press ok so NAC can complete remediation process.
  I am facing this issues when users don’t have Antivirus client in pc and performing client installation.
  We have the following posture policies,
  1      AV installation check: if AV is not installed in PC then perform link remediation and let user to download the Antivirus client from provided link.
  2      AV definition & AS definition version check (both remediation requirement I putted in one policy): if AV or AS definition version found old then perform automatic remediation.
  3.     WSUS check
  4      SP   check
  Actually I want, first user install AV client via link remediation once installation complete then move to AV & AS def remediation if required (because in first time AV client installation it automatically download all update from the AV server) otherwise def remediate policy wait for AV client installation completion.
  Please can anybody let me know how remediation work internally ? like if  "AV inst" remediation start  so nac agent wait for it completion and don't start other remediation process e.g AS & AV def?
  Second question:what is remediation process sequence ?
  Third question: is there anyway we can configure timer in remediation process e.g 5 min for AV inst then 3 min for AV & AS def remediation and then go to other posture remediations ?

  Please check the below guide for Posture Configuration:
  http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080c15540.shtml

• ISE authentication fail during windows re-logon

  Background:
  Deployed a Cisco ISE 1.1.2. that is used to authenticate and posture validate for wired users, attached to Cisco IP Phones. Backend database is Microsoft AD.
  Problem:
  At the first time both, users and IP Phones, pass authentication and posture validation steps successfully. When the user logs off from windows, the log off is done whithout any problem, and I can see it switch.
  The problem takes place when the user try to log on again. The ise does not match the configured authenticion rules as in the first time, and put the user directly to default "DenyAccess" policy (rule).
  Anyone out there experienced something similar or have any ideas on why this is happening?
  Thanks.

  Hi
  Possible Causes
  • This could be either a MAB or 802.1X authentication issue.
  • The authorization profile could be missing the Cisco av-pair=”device-traffic-class=voice” attribute. As a result, the switch does not recognize the traffic on the voice VLAN.
  • The administrator did not add the endpoint as static identity, or did not allow an unregistered endpoint to pass. create a policy rule to (“Continue/Continue/Continue” upon failure).
  Resolution
  • Verify that the Authorization Policy is framed properly for groups and conditions, and check to see whether the IP phone is profiled as an “IP phone”or as a “Cisco-device.”
  • Verify the switch port configuration for multidomain and voice VLAN configuration.
  • Add the continue/continue/continue to allow the endpoint to pass:
  Choose Policy > Policy Elements > Results > Authentication > Allowed
  Protocols to create a Protocol Policy. MAC authentications use PAP/ASCII and EAP-MD5 protocols. Enable the following MAB Protocols settings:
  – Process Host Lookup
  – PAP/ASCII
  – Detect PAP as Host Lookup
  – EAP-MD5
  – Detect EAP-MD5 as Host Lookup
  • From the main menu, choose Policy > Authentication.
  • Change the authentication method from Simple to Rule-Based
  • Use the action icon to create new Authentication Method entries for MAB:
  – Name: MAB
  – Condition: IF MAB RADIUS:Service-Type == Call Check
  – Protocols: allow protocols MAB_Protocols and use
  – Identity Source: Internal
  – Hosts: Continue/Continue/Continue

• Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

  Hi,
  I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
  Error is enclosed & here is the port configuration.
  Port Configuration.
  interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30
  Please help.

  The error message means that Active Directory server Reject the authentication attempt
  as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
  Event Logs why did the user account got locked.
  Under Even Viewers, You can find it out
  Regards
  Minakshi (Do rate the helpful posts)

• ISE max failed logins

  In ISE, does anyone know if the count for the Maximum Login Failures for Guest accounts  (found under the Settings>Guest>Portal Policy page) is a per session setting or cumulative for the lifetime of the account? Does the count ever get reset and is there a way to view current failed login count?
  Our use case is that we have guest accounts that get handed out to multiple guests (say for a hosted conference or a special event). We've had a couple of these type accounts get suspended because of hitting max failed logins. We've increased the setting, but would like to understand the settings further has some of the guest accounts need to exist over a significant period of time. 

  It is per session, when once successfully logged in, the counter is reset.