ISE Posture

Example Conditions

Ensure Windows Firewall is enabled
Check for attached USB devices
Anti-malware installation
Critical Patch installation
Application installation

Note:

Anyconnect package on ASA/FTD contains ISE Posture module, but need be enabled in Group Policy to push it to user's PC along with Anyconnect VPN core module.

Example: ASA

group-policy ISE_VPN internal
group-policy ISE_VPN attributes
dns-server value 172.16.1.10
vpn-tunnel-protocol ssl-client
webvpn
anyconnect modules value iseposture
anyconnect profiles value Test-Profile type user

Example: FTD

2. When user PC has no AnyConnect installed, user connects to remote VPN URL, after login, the user has link to download Anyconnect VPN core module. After AC installation, launch and login AC, when Group Policy has ISE posture module is enabled, the module will be download and installed. Then "discover" process is started.
2.1 When enroll.cisco.com is allowed on the tunnel, compliance module download and installation will be started
2.1 When enroll.cisco.com is NOT allowed on the tunnel, user can open browser to access any tunneled internal IP, then be redirected to client provisioning portal

Click "click here to download and install AnyConnect", NSA will be downloaded, click to install it, NSA will start to download and install compliance module, then may need disconnect/reconnect AC to start to see scanning, or click Scan Again button if it enabled in Posture Profile.

Enable client provisioning to allow users to download client provisioning resources and configure agent profiles. You can configure agent profiles for Windows clients, Mac OS X clients, and native supplicant profiles for personal devices

once PSN is located, compliance module will be downloaded and installed, posture assessment will be started.

3. Compliance module needs user PC trust ISE certificate.

Screenshots

ISE posture module and compliance module will be download and installed.

After posture check.

The ISE Posture module is the agent that appears in AnyConnect as a tile, this module establishes communication with the ISE Policy servers, receives information about posture requirements from the ISE and provides report to the ISE regarding requirements status.

The ISE posture module relies on the compliance module, which contains the list of supported antimalware and firewall for ISE posture. The compliance module contains a list of fields, such as vendor name, product version, product name, and attributes provided by OPSWAT that supports Cisco ISE posture conditions. Vendors frequently update the product version and date in the definition files, therefore, you must look for the latest version and date in the definition files for each vendor product by frequently polling the compliance module for updates. Each time the compliance module is updated to reflect the support for new vendors, products, and their releases, the AnyConnect agents receives a new library.

ISE posture configuration

Client Provisioning > Resources, needs

1. Anyconnect package: Add > Agent resources from local disk >> Cisco Provided Packages

To avoid problems, make it as same version as the one on FTD/ASA, otherwise, user may get "Failed to Launch Downloader" error in System Scan module.

2. Compliance module: Add > Agent resources from Cisco site

3. Posture Profile: Add > Anyconnect Posture Profile

4. Anyconnect Configuration: Add > Anyconnect Configuration, specify above three items

Client Provisioning > Client Provisioning Policy

Posture Policy

Authorization Policy

FTD-NONCOMPLIANT has no DACL in the lab, if configure DACL, make sure it doesn't block discover, otherwise System Scan module get error "no policy server detected"

REDIRECT is the extended ACL configured on FTD/ASA, ISE just specify and return the name.

========================

Posture Profile discovery host option is not meant to put PSN IP addresses. It is meant to put ANY IP address that resides somewhere beyond the default gateway of the client. So you could even use an Internet address. The whole point is to have the client send packets out beyond the default gateway to trigger redirection from the switch or WLC the client is connected to.

here is another field in the profile where you can list the PSN's that the client should try to connect to. That field is called the "Call Home List" and you can list all of your PSN's there

AnyConnect uses a process to "discover" the hosting PSN to trigger posture to start.

Discovery host is the first method tried before falling back to other methods such as default gateway, cisco.com, and previously connected devices.

The discovery host is used when the posture module initializes and initiates a probe to detect if a client provisioning portal is present.

So what should be placed in this field? You can leave it blank if you want but a better practice is to place a URL that will trigger a connection (ie a resolvable name). The AnyConnect client already tries enroll.cisco.com so you use an internal URL like www.company.com or an external URL like www.google.com. It really doesn’t matter as long as the name can be resolved and the redirect URL is triggered

Posture module initialization pre-ISE 2.2

You log onto the network and the authorization rule you’re assigned requires posture assessment. AnyConnect launches and the ISE posture module starts running. In order to discover if posture assessment is required, the posture module initiates 4 probes to detect the client provisioning portal. The four probes are:

HTTP GET auth discovery to the default gateway IP
HTTP GET auth discovery to enroll.cisco.com
HTTP GET auth discovery to the configured Discovery Host
HTTP GET status check (SSL on TCP/8905) to previously connected PSN

The first three probes rely on a redirect ACL and URL to be present. The final probe is only initiated on a 2nd run of the probes if the first three fail the first time.

Posture module initialization post-ISE 2.2

In ISE 2.2, we still have the same four probes from above (stage 1) but two new probes have been added (stage 2). These new probes are:

Call Home List: Comma separated list of FQDNs and port numbers (FQDN and port number separated by colon). The port number is whatever port is configured for the client provisioning portal. The default port number is TCP/8443 if it is not specified in the list. The PSNs are accessed in the order in which they are presented in the list.
ConnectionData.xml: This XML file contains a list of PSNs which the posture module should attempt a connection if the Call Home List is empty or fails. This file is created the first time a successful posture connection is made.

The biggest advantage of these new probes is adding more support 3rd party NAD posture redirection. Cisco ISE also gained the ability to find the session owner if the PSN used in either probe is not the same PSN that owns the authentication session. The process is:

AC posture module sends client information to the PSN found in the CHL or ConnectionData.xml file. If that PSN is the session owner, posture assessment occurs with the connection to the PSN on TCP/8905.
If the PSN contacted is not the session owner, the PSN queries the MNT to find who owns the session. The MNT responds with who owns the session and the PSN notifies the client with the FQDN of the session owner. The client then connects to the right PSN for posture assessment and reporting.

The only thing we MUST fill out on the posture profile are the Server name rules. This defines the ISE server names that the Posture module is allowed to communicate with. This is a security measure to prevent your posture modules installed on corporate owned assets from communicating with an ISE server from another organization, potentially leaking information from your hosts to third parties

https://www.lookingpoint.com/blog/cisco-identity-services-engine-provisioning-anyconnect-for-ise-posture