ISE Posture

-

 












Example Conditions

  • Ensure Windows Firewall is enabled
  • Check for attached USB devices
  • Anti-malware installation
  • Critical Patch installation
  • Application installation







Note:

Anyconnect package on ASA/FTD contains ISE Posture module, but need be enabled in Group Policy to push it to user's PC along with Anyconnect VPN core module. 


Example: ASA

group-policy ISE_VPN internal
group-policy ISE_VPN attributes
 dns-server value 172.16.1.10
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect modules value iseposture
  anyconnect profiles value Test-Profile type user


Example: FTD


















2.  When user PC has no AnyConnect installed, user connects to remote VPN URL, after login, the user has link to download Anyconnect VPN core module. After AC installation, launch and login AC, when  Group Policy has ISE posture module is enabled, the module will be download and installed. Then "discover" process is started.
     2.1 When enroll.cisco.com is allowed on the tunnel, compliance module download and installation will be started
     2.1 When enroll.cisco.com is NOT allowed on the tunnel, user can open browser to access any tunneled internal IP, then be redirected to client provisioning portal 



















Click "click here to download and install AnyConnect", NSA will be downloaded, click to install it, NSA will start to download and install compliance module, then may need disconnect/reconnect AC to start to see scanning, or click Scan Again button if it enabled in Posture Profile.


Enable client provisioning to allow users to download client provisioning resources and configure agent profiles. You can configure agent profiles for Windows clients, Mac OS X clients, and native supplicant profiles for personal devices


 once PSN is located, compliance module will be downloaded and installed, posture assessment will be started.

3. Compliance module needs user PC trust ISE certificate.


Screenshots






























ISE posture module and compliance module will be download and installed.







After posture check.

















The ISE Posture module is the agent that appears in AnyConnect as a tile, this module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides report to the ISE regarding requirements status.

 

The ISE posture module relies on the compliance module, which contains the list of supported antimalware and firewall for ISE posture. The compliance module contains a list of fields, such as vendor name, product version, product name, and attributes provided by OPSWAT that supports Cisco ISE posture conditions. Vendors frequently update the product version and date in the definition files, therefore, you must look for the latest version and date in the definition files for each vendor product by frequently polling the compliance module for updates. Each time the compliance module is updated to reflect the support for new vendors, products, and their releases, the AnyConnect agents receives a new library.




ISE posture configuration

Client Provisioning > Resources, needs
1. Anyconnect package:  Add > Agent resources from local disk >> Cisco Provided Packages
    To avoid problems, make it as same version as the one on FTD/ASA, otherwise, user may get "Failed to Launch Downloader" error in System Scan module.
2. Compliance module:   Add > Agent resources from Cisco site
3. Posture Profile:   Add >  Anyconnect Posture Profile
4. Anyconnect Configuration: Add >  Anyconnect Configuration, specify above three items 

Client Provisioning > Client Provisioning Policy

Posture Policy

Authorization Policy














































FTD-NONCOMPLIANT has no DACL in the lab, if configure DACL, make sure it doesn't block discover, otherwise System Scan module get error "no policy server detected"

REDIRECT is the extended ACL configured on FTD/ASA, ISE just specify and return the name.



========================
Posture Profile  discovery host option is not meant to put PSN IP addresses.  It is meant to put ANY IP address that resides somewhere beyond the default gateway of the client.  So you could even use an Internet address.  The whole point is to have the client send packets out beyond the default gateway to trigger redirection from the switch or WLC the client is connected to.

here is another field in the profile where you can list the PSN's that the client should try to connect to.  That field is called the "Call Home List" and you can list all of your PSN's there

AnyConnect uses a process to "discover" the hosting PSN to trigger posture to start.

Discovery host is the first method tried before falling back to other methods such as default gateway, cisco.com, and previously connected devices.

The discovery host is used when the posture module initializes and initiates a probe  to detect if a client provisioning portal is present.

So what should be placed in this field? You can leave it blank if you want but a better practice is to place a URL that will trigger a connection (ie a resolvable name). The AnyConnect client already tries enroll.cisco.com so you use an internal URL like www.company.com or an external URL like www.google.com. It really doesn’t matter as long as the name can be resolved and the redirect URL is triggered

Posture module initialization pre-ISE 2.2

You log onto the network and the authorization rule you’re assigned requires posture assessment. AnyConnect launches and the ISE posture module starts running. In order to discover if posture assessment is required, the posture module initiates 4 probes to detect the client provisioning portal. The four probes are:

  • HTTP GET auth discovery to the default gateway IP
  • HTTP GET auth discovery to enroll.cisco.com
  • HTTP GET auth discovery to the configured Discovery Host
  • HTTP GET status check (SSL on TCP/8905) to previously connected PSN

The first three probes rely on a redirect ACL and URL to be present. The final probe is only initiated on a 2nd run of the probes if the first three fail the first time.


Posture module initialization post-ISE 2.2

In ISE 2.2, we still have the same four probes from above (stage 1) but two new probes have been added (stage 2). These new probes are:

  • Call Home List: Comma separated list of FQDNs and port numbers (FQDN and port number separated by colon). The port number is whatever port is configured for the client provisioning portal. The default port number is TCP/8443 if it is not specified in the list. The PSNs are accessed in the order in which they are presented in the list.
  • ConnectionData.xml: This XML file contains a list of PSNs which the posture module should attempt a connection if the Call Home List is empty or fails. This file is created the first time a successful posture connection is made.

The biggest advantage of these new probes is adding more support 3rd party NAD posture redirection. Cisco ISE also gained the ability to find the session owner if the PSN used in either probe is not the same PSN that owns the authentication session. The process is:

  • AC posture module sends client information to the PSN found in the CHL or ConnectionData.xml file. If that PSN is the session owner, posture assessment occurs with the connection to the PSN on TCP/8905.
  • If the PSN contacted is not the session owner, the PSN queries the MNT to find who owns the session. The MNT responds with who owns the session and the PSN notifies the client with the FQDN of the session owner. The client then connects to the right PSN for posture assessment and reporting.
The only thing we MUST fill out on the posture profile are the Server name rules. This defines the ISE server names that the Posture module is allowed to communicate with. This is a security measure to prevent your posture modules installed on corporate owned assets from communicating with an ISE server from another organization, potentially leaking information from your hosts to third parties


https://www.lookingpoint.com/blog/cisco-identity-services-engine-provisioning-anyconnect-for-ise-posture


No Policy Server Detect issue

First connects to Posture assessment.




















1. Verify Posture Status Unknow DCAL doesn't block discover .

2. If split-tunnel is used, add enroll.cisco.com to tunnel

3. If ACP rule is enabled for AC traffic, verify it is allowed for enroll.cisco.com (outside>outside)





Agentless Posture




Endpoint login configuration

















Client Provisioning Policy



















Requirements:














Posture Policy















Authorization Policy
















Live Log












Troubleshooting

























Comments

Post a Comment

Popular posts from this blog

Firepower FMC and FTD troubleshooting

-
 1. Display real time log on FMC or FTD: pigtail for example: pigtail | grep 192.168.2.20                      pigtail | grep sftunnel 2. Restart communication channel manage_procs.pl run it from  the sensor only, run it from FMC will reset all sensors' channel. This scripts are nice to be used when the FMC and FTD have communication problems like heartbeats are not received, policy deployment is failing or events are not received > expert ************************************************************** NOTICE - Shell access will be deprecated in future releases          and will be replaced with a separate expert mode CLI. ************************************************************** admin@FTD:~$ sudo su Password: root@FTD:/home/admin# manage_procs.pl ****************  Configuration Utility  **************  1   Reconfigure Correlator  2   Reconfigure and flush Correlator  3    Restart Comm. channel  4   Update routes  5   Reset all routes  6   Validate Network  0   Exit *****
Read more

ASA IKEv1 VPN troubleshooting Steps and Tips

-
  1. Phase I proposal mismatch  Run show crypto isakmp sa  Initiator: MM_WAIT_MSG2 Responder: No info  Most likely this is phase1 proposal mismatch, verify IKEv1 policy, other symptoms:   Initiator log: Information Exchange processing failed All configured IKE versions failed to establish the tunnel Initiator debug: Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Responder log: Error processing payload: Payload ID Responder debug:  All SA proposals found unacceptable 2. IKE version mismatch:  Run  show crypto isakmp sa  no info at both initiator and responder Initiator log: Removing peer from correlator table failed, no match! Reason: User Requested  All configured IKE versions failed to establish the tunnel Initiator debug: Oakley begin quick mode PHASE 1 COMPLETED IKE Initiator sending 1st QM pkt Removing peer from correlator table failed, no match! Session is being torn down. Reason: User Requested Responder log: Tunnel Rejected: Conflicting protocols specified
Read more

Firepower 2100/1100 FTD/ASA initial setup, reimage, upgrade.

-
  Chassis FXOS and FTD share same management IP (default 192.168.45.45) Chassis FXOS (192.168.45.45) and ASA ()use different management IP although on same physical interface. SSH to FXOS/FTD are on FTD CLI prompt, go to FXOS using the  connect fxos  command Console to Chassis is on FXOS CLI prompt, go to FTD using the  connect ftd  command The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).  If you run ASA on Firepower 2100, ASA can be in the following modes: Appliance mode (the default after ASA 9.13)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the  FXOS troubleshooting guide  for more information. Firepower Chassis Manager is not supported . ciscoasa# connect fxos [admin] Connecting to fxos. Connected
Read more