ISE Posture

Hi Guys,
I am studying the ISE appliance but I have some doubts about how to configure the posture policies. In other words, is there
a sequence that I can follow to construct a simple posture policy, like a simple "AV process running" verification?
I know that there are some possibilities, but I remember that on NAC we had, for example:
Checks - simple conditions
Rules - compound conditions
Requirements - compound conditions applied to some users.
thanks

Creating a new posture policy
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1920487
Posture Assessment and Remediation Options in Cisco ISE
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp2070069
In order to create an AV posture policy, you can start from here.
Jatin Katyal
- Do rate helpful posts -

Similar Messages

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    What I knew prior to researching this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
    Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these types of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • ISE Posture Assessment

    Hi,
    While reading about ISE posture, I got to know that ISE searches the "User Agent" attribute for the string "NAC Agent" to confirm that the NAC agent is present on a particular machine. This information is passed to ISE when the user opens a web browser, i.e. the user gets redirected.
    If the NAC agent is not present on the machine, then the NAC agent gets downloaded and then posture assessment starts.
    While testing this on ISE, I noticed that
    if the NAC agent is already present on the machine, posture assessment starts directly, even without opening a web browser.
    Now my question is, how does ISE come to know that the NAC agent is already present on the machine without opening a web browser?
    Regards,
    Aditya

    I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
    Default Posture Status
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
    Jatin Katyal
    - Do rate helpful posts -

  • ISE posture requirement to check if endpoint's USB port is disabled

    Hi,
    I wonder if it is possible to set a disabled USB port on the endpoints as a requirement in ISE Posture?
    Appreciate your input.
    Mike

    If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.
    Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
    You would have to create a New Posture Condition and Remediations.
    The condition that I will use in this example is a Registry Key.
    If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, USB is enabled. A value of 4 is disabled.
    So set a Posture Condition:
    Click Policy > Policy Elements > Conditions
    Choose Posture from the left menu:
    Then choose Registry Condition from the left menu.
    Click +Add to add a new Posture Condition:
    Then you have to create Remediation Actions. Click the Results button at the top of the left menu:
    Choose Remediation Actions and choose the Remediation you want to use. I chose Link Remediation.
    +Add to add a new Link Remediation:
    Then choose Requirements from the left menu and create a new Remediation Result:
    Of course, you can choose different remediations as necessary for your environment.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
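    The three layers asked about at the top of the thread (simple checks, compound rules, and requirements that apply a rule to a subset of endpoints), with the UsbStor\Start registry check from this answer as one of the simple conditions, modelled in Python. This is an added illustration, not Cisco ISE code and not code from the thread: the endpoint facts, product and service names are constructed sample data, the status strings mirror the ones that appear in the ISE logs elsewhere on this page, and requirements are evaluated in list order as an assumption of this model, not as a description of how ISE orders them.

```python
"""Toy model of an ISE-style posture policy: simple conditions (checks),
compound conditions (rules) and requirements that apply a condition to a
subset of endpoints, evaluated against the facts an agent collected.
Added illustration, not Cisco code. Endpoint facts, product and service
names are constructed sample data; the UsbStor Start value (3 = USB storage
enabled, 4 = disabled) is the registry check from the thread."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Facts = Dict[str, object]  # what the agent reported for one endpoint

@dataclass
class SimpleCondition:
    """One check against the facts (registry value, service state, AV age)."""
    name: str
    check: Callable[[Facts], bool]

    def evaluate(self, facts: Facts) -> bool:
        try:
            return bool(self.check(facts))
        except KeyError:
            return False  # the fact was never collected, so the check cannot pass

@dataclass
class CompoundCondition:
    """AND / OR over simple or compound conditions."""
    name: str
    operator: str  # "AND" or "OR"
    members: List[object]

    def evaluate(self, facts: Facts) -> bool:
        results = [m.evaluate(facts) for m in self.members]
        return all(results) if self.operator == "AND" else any(results)

@dataclass
class Requirement:
    """A condition applied to endpoints of the listed OS types, plus the
    remediation to run when it fails."""
    name: str
    applies_to_os: List[str]
    condition: object
    remediation: str

@dataclass
class PostureResult:
    status: str  # Compliant / NonCompliant / NotApplicable, the statuses seen in ISE logs
    failed: List[str] = field(default_factory=list)

def evaluate_posture(requirements: List[Requirement], facts: Facts) -> PostureResult:
    """Evaluate the requirements that apply to this endpoint, in list order
    (an assumption of this model, not a statement about ISE's ordering)."""
    applicable = [r for r in requirements if facts.get("os") in r.applies_to_os]
    if not applicable:
        return PostureResult("NotApplicable")
    failed = [f"{r.name} -> {r.remediation}"
              for r in applicable if not r.condition.evaluate(facts)]
    return PostureResult("NonCompliant" if failed else "Compliant", failed)

USBSTOR_START = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start"

# Checks: simple conditions
usb_storage_disabled = SimpleCondition(
    "USB_Storage_Disabled", lambda f: f["registry"][USBSTOR_START] == 4)
av_installed = SimpleCondition(
    "AV_Installed", lambda f: "SampleAV" in f["installed_products"])
av_running = SimpleCondition(
    "AV_Running", lambda f: f["services"]["SampleAVService"] == "running")
av_defs_current = SimpleCondition(
    "AV_Defs_Current", lambda f: f["av_definition_age_days"] <= 7)

# Rule: compound condition, all three AV checks must hold
av_healthy = CompoundCondition("AV_Healthy", "AND",
                               [av_installed, av_running, av_defs_current])

# Requirements: which rule applies to which endpoints, and the remediation
POLICY = [
    Requirement("Corp_AV", ["Windows XP", "Windows 7", "Windows 8"],
                av_healthy, "AV install/start/update remediation"),
    Requirement("Corp_USB", ["Windows 7", "Windows 8"],
                usb_storage_disabled, "Link remediation: USB policy page"),
]

# Constructed endpoint reports
HEALTHY_WIN7 = {"os": "Windows 7", "registry": {USBSTOR_START: 4},
                "installed_products": ["SampleAV"],
                "services": {"SampleAVService": "running"},
                "av_definition_age_days": 2}
SAMPLE_ENDPOINTS = {
    "win7-ok": HEALTHY_WIN7,
    "win7-usb-on": {**HEALTHY_WIN7, "registry": {USBSTOR_START: 3}},
    "xp-no-av": {"os": "Windows XP", "installed_products": [],
                 "services": {}, "av_definition_age_days": 90},
    "mac": {"os": "Mac OS X", "installed_products": ["SampleAV"]},
}

if __name__ == "__main__":
    for name, facts in SAMPLE_ENDPOINTS.items():
        result = evaluate_posture(POLICY, facts)
        print(f"{name:12} {result.status:14} {'; '.join(result.failed)}")
```

    Two details of the model are worth noting: a fact the agent never reported (the XP endpoint has no registry section, no AV service) makes the check fail rather than pass, so a requirement cannot be satisfied by an agent that simply reports nothing; and an endpoint whose OS matches no requirement comes back NotApplicable, which is the status several posters below see in their logs when no policy applies to the session.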

  • ISE Posture Condition for Windows Service Pack and Remediation

    Hi,
    We have ISE ver 1.1.1 and are currently on a PoC. I have the following points to be clarified for posture and remediation.
    1) How to configure a condition to check the Windows service pack (maybe more than one Windows flavor, such as XP, Win 7 and Win 8), and how to remediate in case the client is not complying with the Windows requirement.
    2) I configured an AV condition and it looks like it's working fine; however, I still couldn't find where to configure remediation in case the client does not have the proper version and AV definitions on his PC.
    3) We have an authorization profile configured with the dACL "Posture Remediation", where we allow the AV server update URL, and also a matching ACL configured on the switch, "Posture Redirect". We want to know the exact purpose of these two ACLs.
    4) Where can we see the non-compliance logs and find out the reason for non-compliance?
    I would appreciate it if someone could please give us a proper document to achieve the above tasks or send me any working scenario configuration steps.
    thanks in advance.

    1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or a Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
    You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or a locally administered WSUS server, for compliance.
    The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names, descriptions, and their modes of remediation.
    Check the following links for configuration:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
    2. For AV/AS remediation configuration, check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420

  • ISE posture redirect not working

    ISE v1.1.0.665, 3395 h/w.
    Single Admin/Monitor/Policy node.
    WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M
    For Client Provisioning I created an authorisation policy as follows:
    download acl "ACL-POSTURE-REMEDIATION"
    apply url redirect "ACL-POSTURE-REDIRECT".
    "Debug radius" shows all this is downloaded to the switch but:
    - Redirect does not work.
    - dACL is not applied if the URL redirect is also configured.
    Wireshark on the client shows no redirect.
    Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
    I've also attached screen shots of these policies and wireshark.

    Grant,
    It looks like you are changing the VLAN after your client gets an IP address. It seems like the client gets an IP address of
    192.168.16.164 and you are changing the VLAN over to 516. I wanted to make sure there isn't an IP to VLAN mismatch before you move forward. If 516 is the quarantine VLAN, you may want to start all clients on that VLAN and use dynamic VLAN assignment through Change of Authorization once a client becomes compliant. The reason is that you can use the web portal, or the NAC agent, to change the IP address once the VLAN is changed.
    Thanks,
    Tarik Admani

  • Cisco ISE posture assesment and client provisioning

    Hello,
    I have Cisco ISE and a Cisco IOS device. I have configured RADIUS between these devices.
    Also, I have configured RADIUS between Cisco ISE and Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA, or Cisco ISE and Cisco IOS). Please give me the whole steps to do posture assessment for a Cisco IOS device in Cisco ISE.
    Also, please provide me logs related to posture assessment and client provisioning.
    Thanks in advance.

    You may go through the link listed below to download the PDF
    "Posture assessment with ISE".
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE posture based upon switch user is connected to

    OK, I am a new ISE user and definitely an early beginner on creating ISE policies. I have successfully created a policy that can determine if you are using a corporate asset or not and using 802.1x authentication grant you access to corporate resources or not. This policy also assigns the VLAN the user is placed into. Seems to work quite well so far at least as a baby step in policy creation.
    Our building has different VLANs based upon floors and the like, and I would like the policy(s) to take this into consideration when assigning the VLAN. Is there a way to include which switch the posturing process is flowing through to assist in assigning the VLAN? I am thinking I would have separate policies based upon the switch / stack but am not sure how to include that in the logic. I figured it would be similar to my policy where I check corporate assets and that you are wireless and that you have a valid AD account, but I have been unable to figure out the endpoint part. I have created network groups for my network devices but am stumped after that. Is there something else I should or could be doing instead? Do I need a completely different train of thought?
    Brent

    Hello Brent, using "Network Device Groups" can definitely make this possible for you. For instance, you can create a "Location" based group hierarchy that looks something like this:
    All Locations > HQ > Floor-1
    All Locations > HQ > Floor-2
    All Locations > DR > Floor-1
    etc
    Then you can reference that group in your authorization policy by using something like this
    If "Conditions > Device > Location" = All Locations > HQ > Floor-1
    then
    Permissions = "HQ_Floor-1-Posture"
    If "Conditions > Device > Location" = All Locations > HQ > Floor-2
    then
    Permissions = "HQ_Floor-2-Posture"
    I hope this helps and addresses your issue. 
    Thank you for rating helpful posts!

  • Cisco ISE posture requirements whats the ordering of requirements?

    Hi Everyone,
    I am in the middle of deploying the AnyConnect posture module (AC 4.0) with ISE 1.3. I have a problem with the order in which the posture requirements get checked: it does not seem to order the requirements alphabetically, and I can't figure out how to make it check for certain things before other things. An example:
    I have Symantec SEP 12.1 AV in this environment, and I have the following checks:
    - AV_installed : is the AV agent installed? If not, start installation from a network share
    - AV_started : is the AV agent started? If not, try to start the service
    - AV_uptodate : are the AV definitions up to date? If not, start the update function in the AV client
    Now this is the order it needs to be checked in, as it would fail if I tried to check whether the AV is running before I check whether it's actually installed, but I can't get posture to do that. Going by the names of the rules, these should alphabetically be run in the order I have, but they are not.
    Any ideas? The documentation for posture is lacking, to be polite; I have not been able to find anything describing this process.

    Abhishek,
    This is possible, please use this link for reference:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
    Your AV vendor will have to be supported based on the release notes:
    http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE posture problem

    Hi all,
    I've been playing around with the ISE demo and I am very impressed!!!
    After trying different scenarios with my co-workers I came to a point where we find it kind of buggy.
    I have rules to redirect unknown users to posturing through the web, where they download the NAC client, and everything works fine.
    Here's the catch:
    On a Windows 7 machine (connecting wirelessly with the built-in wireless client) they are stuck on posture pending if they do the following:
    They connect - open up the web browser - ISE redirects them to download the client - they hit install and the warning about installing the client pops up - at that moment the user decides to close the browser (it's most likely to happen when you have 5000+ users) - disconnects from the network and tries to re-connect again. NOW - when they open up the web browser, ISE says unable to allow access to the network and all that error.
    So it's not letting them download the NAC agent any more.. no matter what they do: connect - reconnect, wait 2-3 minutes, nothing; only after a period of time are they able to get the NAC client installation page.
    NOTE: this works totally fine on a Windows XP machine with the Intel PROSet wireless utility.
    It's not a big thing, but when you have 5000+ clients and you want to introduce them to something new, it will cause a lot of helpdesk calls and all that, you know how it goes.
    Thanks in advance.
    P.S. I can create a short video of the whole process.

    Very interesting thread. Can you tell me – how can ISE differentiate between a new/unknown computer owned by an employee and/or the organization, which you WANT to load the NAC client on, and a guest that you might want to give Internet access to but you don’t want to load a NAC client on?

  • ISE Posture Status Pending

    Hello,
    I am newly configuring and testing posturing/client provisioning on ISE. I configured a client provisioning policy without any posture policy, just to test whether it works or not.
    My wireless client can authenticate and get and install the NAC agent successfully, but after that no network access is given to the client PC.
    On the ISE authentication reports it shows (Posture Status Pending)
    and on the wireless client, every time I open the browser I get this message: "Cisco Agent was detected and is running. If you are still unable to access the network please contact you administrator"
    I don't know what the issue is, please help.

    Hi Ravi,
    I have not yet configured any posture policies. I have configured only the client provisioning policy; I want to first test that client provisioning works properly before applying any posture policy.
    So my wireless clients are correctly redirected and receive the NAC agent, but after that it seems that the NAC agent does not do anything and does not send any report back to ISE for further processing.
    On the ISE authentication report I can see the client is stuck in UNKNOWN status, and it shows Posture Status Pending...
    It does not go to Noncompliant or Compliant status.
    I don't know what the issue can be; neither ISE shows me the error, nor the WLC.

  • ISE Posture to guest clients

    Hi Guys,
    I'd like to know if it is possible to posture guest clients using the Web Agent after they have logged into the portal.
    thanks

    Of course it is possible. For detailed information please review the following guide:
    Configuring Client Posture Policies
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html
    You can also create posture-specific authorization policies for all wired, wireless, and guest deployments by
    specifying the Session:PostureStatus attribute in the authorization policies. This attribute has three
    values, unknown, compliant, and noncompliant, which you can use in the authorization policies.
    Regards,
    Ashok

  • ISE - posture fails

    Hello,
    I have a problem at the posture checking phase. The NAC agent fails to check for posture compliance and remediation never takes place. The client browser is being redirected to the following URL: https://ise.xxxx.yy:8443/guestportal/gateway?sessionId=AC16FA49000000778BF9058D&action=cpp, and then to https://ise.xxxx.yy:8443/auth/provisioning/evaluate (shown below)
    Obviously there is a problem on ISE box, missing something. What could be the cause of the problem?
    Best regards,
    Kreso

    Hi Mohammed,
    as the TAC engineer and developer said, the problem is in the CA root certificate that was imported in DER format.
    Try exporting the root CA certificate (not the one issued to the ISE node by the CA,  but the one that is in the Certificate Store), convert it from PKCS#7,DER to X509,PEM format, delete the old CA root cert and import the one you just got as a result of conversion.
    You will need some Linux/UNIX box with OpenSSL tools installed. Suppose you exported the original cert to a file named cert1.pem; when you try to read it using the following command, you get an error:
         # openssl x509 -in cert1.pem -inform DER -text
         unable to load certificate
    followed by some ASN.1 error messages. To convert it, use the following command:
         openssl pkcs7 -inform der -in cert1.pem -print_certs > cert2.pem
    Now you can read cert data using the command:
         openssl x509 -inform pem -in cert2.pem -noout -text
    The file cert2.pem is the one that should be imported as a root CA certificate into the Certificate Store on ISE.
    HTH,
    Kreso
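    What Kreso describes is an X.509 reader (the ISE certificate import, and `openssl x509 -inform DER`) being handed a PKCS#7 SignedData container instead of a bare certificate. The Python below is added here as an illustration; it is not part of the thread and not Cisco or OpenSSL code. It walks the outer DER structure far enough to tell the two formats apart and to extract the certificates from a PKCS#7 bundle, which is the conversion `openssl pkcs7 -print_certs` performs. It does no signature or X.509 validation, and the sample certificate is a constructed placeholder that only has the outer shape of a real one.

```python
"""Tell an X.509 certificate apart from a PKCS#7 container and pull the CA
certificate out of the latter (what `openssl pkcs7 -print_certs` does).
Added illustration, not Cisco or OpenSSL code: it walks only the outer DER
structure (single-byte tags, definite lengths) and validates nothing;
FAKE_CERT is a constructed placeholder that only has a certificate's shape."""
import base64
import re

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a DER length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end

def children(content: bytes):
    """All TLVs packed inside a constructed element's content."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def detect_format(data: bytes) -> str:
    """Return 'pem', 'der-x509', 'der-pkcs7' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    try:
        tag, content, end = read_tlv(data)
        first_tag, first_val = children(content)[0]
    except (IndexError, ValueError):
        return "unknown"
    if tag != 0x30 or end != len(data):
        return "unknown"
    if first_tag == 0x06 and first_val == OID_SIGNED_DATA:
        return "der-pkcs7"  # ContentInfo { contentType = signedData, ... }
    if first_tag == 0x30:
        return "der-x509"   # Certificate { tbsCertificate SEQUENCE, ... }
    return "unknown"

def pkcs7_certificates(data: bytes) -> list:
    """DER certificates carried in a PKCS#7 SignedData."""
    _, content, _ = read_tlv(data)
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    explicit = [v for t, v in children(content) if t == 0xA0]
    if not explicit:
        return []
    _, signed_data, _ = read_tlv(explicit[0])
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #   certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    certs = []
    for tag, value in children(signed_data):
        if tag == 0xA0:
            certs += [der(0x30, v) for t, v in children(value) if t == 0x30]
    return certs

def to_pem(cert_der: bytes) -> str:
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def normalize_ca_cert(data: bytes) -> str:
    """Return PEM X.509 whatever the CA export produced, or raise."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data.decode()
    if fmt == "der-x509":
        return to_pem(data)
    if fmt == "der-pkcs7":
        certs = pkcs7_certificates(data)
        if not certs:
            raise ValueError("PKCS#7 bundle carries no certificates")
        return "".join(to_pem(c) for c in certs)
    raise ValueError("neither a certificate nor a PKCS#7 bundle")

# Constructed sample: placeholder "certificate" inside a PKCS#7 SignedData,
# the shape a CA export in DER/PKCS#7 form has.
FAKE_CERT = der(0x30, der(0x30, der(0x02, b"\x02") + der(0x02, b"\x01\x2a"))
               + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
               + der(0x03, b"\x00\xab\xcd"))
SIGNED_DATA = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
                  + der(0xA0, FAKE_CERT) + der(0x31, b""))
PKCS7_DER = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, SIGNED_DATA))
```

    The reason `openssl x509` rejects the exported file is visible in `detect_format`: the first element inside the outer SEQUENCE is an OID (the PKCS#7 contentType), not the tbsCertificate SEQUENCE an X.509 parser expects. `normalize_ca_cert` accepts any of the three forms and always produces PEM X.509, so it is a useful pre-check before importing a root CA into a trust store that, like the ISE Certificate Store here, wants a bare certificate.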

  • Delaying ISE Posture / Remediation

    Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
    Is this possible?
    What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a networking issue during remediation. This is because we have a proxy server and you must have elevated privileges to download certain file types from the internet, such as executables.
    To get around the limitation of the NAC agent not being able to be configured to use its own web proxy settings with a user account with more privileges, we use different locations in our AV product, so that once the AV product realises that the laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
    However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
    Hope that makes sense.
    Mario                  

    Hello Mario,
    You can customize remediation timeout settings for your requirement. Please review the following:
    Remediation Timeout Customization
    Parameter (default value, valid range): description or behavior
    Remediation timer (default 4, valid range 1-300): Specifies the number of minutes the user has to remediate any failed posture assessment checks on the client machine before having to go through the entire login process over again.
    Network Transition Delay (default 3, valid range 2-30): Specifies the number of seconds the agent should wait for network transition (IP address change) before beginning the remediation timer countdown.
    Note: When you use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of using the "Network transition delay" setting used for Windows agent profiles. If you do not use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends "Network transition delay" timer settings to client machines, but Cisco ISE will not send both.
    For a more detailed understanding of this, please visit the section Configure Client Provisioning Policies > Remediation Timeout Customization at the following location in the ISE user guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
    You may also want to review more options that you can customize in the Configure Client Provisioning Policies section.
    Regards,
    Ashok

  • [ISE] Posture Status - Not applicable

    Hi,
    I configured WiFi Guest Access with WLC and ISE and it works great.
    Now I want to check client posture.
    I configured a posture policy
    On Windows7 client, I installed NAC client. With network sniffer, I can see SWISS protocol (TCP 8905) between client and ISE.
    In authentications log, Posture Status is always "NotApplicable"
    Why is this posture not applicable?
    Thanks a lot!
    Patrick

    Hello Tarik,
    Result NonCompliant: http://uploaddeimagens.com.br/imagens/result_noncompliant-jpg
    Posture rule: http://uploaddeimagens.com.br/imagens/posture_rule-jpg
    The client provisioning is set to force NAC Agent version 4.9.0.47
    Yes, the vlan is correct.
    The major problem is the NotApplicable status in the posture log; ISE is not applying the posture. Sometimes it works fine, sometimes it doesn't work and NotApplicable appears in the log.

  • ISE Posture for non-agent device problem

    I have a couple of questions:
    - They said in the documents: "these (non-agent) devices assume the Default Posture Status settings". I wonder how ISE determines that a device is a non-agent device, or to put it another way, when are the Default Posture Status settings applied to a device? Is it after some period of time not receiving anything from the agent? If yes, can I change that time in ISE, and where?
    - I tested this in my lab and saw that: after the user successfully logs in with his account, and the authorization profile with client provisioning is applied to that session, the user goes to a web page and gets redirected to the CPP page. Now if he just sits there and doesn't install the NAC agent, I noticed that after about 40s the session is automatically restarted to a new one, with a different session ID but the same username. The new session gets to the point where the same redirect authorization profile is applied, and the whole process cycles over and over. Things I observed each time the session restarts:
    + The user doesn't even have to enter the credentials again. The 802.1x login doesn't pop up
    + The Default Posture Status (I set it to Noncompliant) is applied to the session right before it restarts. I can see an event on ISE indicating that. The event also shows the Acct-Terminate-Cause as "Admin Reset"
    + If at any point the user installs a NAC agent, then he can break the cycle (e.g. become compliant) and carry on with other authorization profiles
    So my question is: is that the expected behavior of ISE? Although it seems to do no harm, except that new sessions are created continuously.
    Or have I configured something wrong?

    Anybody?
