Cisco ISE Distributed Deployment with AnyConnect VPN and Posture Check
1. Overview
According to Cisco, an ISE deployment with more than one Cisco ISE node is considered a distributed deployment. In this lab we will be using 8 ISE nodes to demonstrate high availability and scalability, which resembles a large-scale deployment. There are many presentations available from Cisco Live about ISE deployment; one example is BRKSEC-2660. I will be discussing the design based on this particular presentation. Due to resource constraints, I was not able to deploy more than two PSN nodes here.
2. Configuring ISE for Distributed Deployment
As Cisco ISE is a very heavy node, I was not able to deploy it on EVE-NG directly, at least not in an 8-node deployment like this one, so I deployed the nodes as KVM virtual machines. The storage requirement, even for evaluation, is so large that I had to remove many other VMs for this lab.
In terms of CPU and RAM, I set 8 vCPUs and 32 GB of RAM for all the nodes except the pxGrid nodes.
I also set a jumbo MTU on all the links from the Ubuntu CLI, hoping that replication between nodes would be faster and put less load on the CPU. This is only for this lab, so I set it temporarily with ip link; the change does not survive a reboot. If you want to make it permanent, configure the MTU in "/etc/netplan/01-netcfg.yaml". Note that every hop between two ISE nodes (host NIC, bridge, tap and the ISE interface itself) has to carry the same MTU; one device left at 1500 means fragmentation or dropped packets rather than the speed-up you were after.
ip link set dev eth1 mtu 9000
ip link set dev eth2 mtu 9000
ip link set dev eth3 mtu 9000
ip link set dev pnet0 mtu 9000
ip link set dev pnet1 mtu 9000
ip link set dev pnet2 mtu 9000
ip link set dev pnet3 mtu 9000
ip link set dev pnet4 mtu 9000
ip link set dev pnet5 mtu 9000
ip link set dev pnet6 mtu 9000
ip link set dev pnet7 mtu 9000
ip link set dev pnet8 mtu 9000
ip link set dev pnet9 mtu 9000
ip link set dev virbr1 mtu 9000
ip link set dev virbr0 mtu 9000
ip link set dev virbr2 mtu 9000
ip link set dev vnet0_4 mtu 9000
ip link set dev vnet0_5 mtu 9000
ip link set dev vunl0_12_0 mtu 9000
ip link set dev vunl0_12_1 mtu 9000
ip link set dev vunl0_12_2 mtu 9000
ip link set dev vunl0_12_3 mtu 9000
ip link set dev vunl0_12_4 mtu 9000
ip link set dev vunl0_12_5 mtu 9000
ip link set dev vunl0_12_6 mtu 9000
ip link set dev vunl0_12_7 mtu 9000
ip link set dev vnet0_2 mtu 9000
ip link set dev vunl0_9_0 mtu 9000
ip link set dev vunl0_9_1 mtu 9000
ip link set dev vunl0_9_2 mtu 9000
ip link set dev vunl0_9_3 mtu 9000
ip link set dev vnet0_3 mtu 9000
ip link set dev vunl0_10_0 mtu 9000
ip link set dev vunl0_10_1 mtu 9000
ip link set dev vunl0_10_2 mtu 9000
ip link set dev vunl0_10_3 mtu 9000
ip link set dev vunl0_10_4 mtu 9000
ip link set dev vunl0_10_5 mtu 9000
ip link set dev vunl0_10_6 mtu 9000
ip link set dev vunl0_10_7 mtu 9000
ip link set dev vunl0_10_8 mtu 9000
ip link set dev vunl0_13_0 mtu 9000
ip link set dev vunl0_14_0 mtu 9000
ip link set dev vunl0_14_1 mtu 9000
ip link set dev vunl0_14_2 mtu 9000
ip link set dev vunl0_14_3 mtu 9000
ip link set dev vnet0 mtu 9000
ip link set dev vnet1 mtu 9000
ip link set dev vnet2 mtu 9000
ip link set dev vnet3 mtu 9000
ip link set dev vnet4 mtu 9000
ip link set dev vnet5 mtu 9000
ip link set dev vnet6 mtu 9000
ip link set dev vnet7 mtu 9000
ip link set dev vnet8 mtu 9000
ip link set dev vnet9 mtu 9000
ip link set dev vunl0_11_0 mtu 9000
Then we can verify the MTU size from the Linux CLI.
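The following is an added example, not part of the original write-up: a small POSIX shell check that finds every interface still below the jumbo target in the output of "ip -o link", plus the two live checks a practitioner would run afterwards (raise the MTU on a list of interfaces, and send a DF-bit ping of the maximum size between two nodes). The sample "ip -o link" text embedded in the block is constructed for the example (real interface names from the lab, made-up MAC addresses), with vnet0_4 deliberately left at 1500.

```shell
#!/bin/sh
# Added example (not from the original lab): check that every link in the
# replication path really carries the jumbo MTU. A single bridge or tap left at
# 1500 makes the ISE nodes fragment or black-hole large replication packets.
set -eu

# Constructed sample of `ip -o link show` output for a few of the host interfaces
# above; MACs and flags are made up, and vnet0_4 is deliberately still at 1500.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
5: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
9: vnet0_4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr1 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether fe:54:00:aa:bb:03 brd ff:ff:ff:ff:ff:ff
10: vnet0_5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue master virbr1 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether fe:54:00:aa:bb:04 brd ff:ff:ff:ff:ff:ff'

# Print "name mtu" for each non-loopback interface whose MTU is below the target.
below_target() {  # $1 = `ip -o link` text, $2 = target MTU (default 9000)
  printf '%s\n' "$1" | awk -v t="${2:-9000}" '
    { name = $2; sub(/:$/, "", name)
      for (i = 1; i <= NF; i++)
        if ($i == "mtu" && name != "lo" && $(i+1) + 0 < t) print name, $(i+1) }'
}

# Live version of the same check against this host (needs iproute2).
check_host() { below_target "$(ip -o link show)" "${1:-9000}"; }

# Raise every named interface to the jumbo MTU (needs root); the lab's long list
# of `ip link set` commands collapses to: set_jumbo eth1 eth2 virbr0 vnet0 ...
set_jumbo() {
  for dev in "$@"; do ip link set dev "$dev" mtu 9000; done
}

# End-to-end path check between two ISE nodes (Linux ping): 9000 - 20 (IP) - 8 (ICMP)
# = 8972 bytes of payload with DF set must get through, otherwise something in
# between is still at 1500 even though both ends report 9000.
path_mtu_ok() {  # $1 = peer address, prints yes/no
  ping -M do -s 8972 -c 1 -W 2 "$1" >/dev/null 2>&1 && echo yes || echo no
}

below_target "$SAMPLE_LINKS"   # prints: vnet0_4 1500
```

Run below_target against the real "ip -o link show" output on each KVM host, and path_mtu_ok from one ISE node's host toward the other; both must be clean before the ISE-side "ip mtu 9000" is worth anything.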
Now we have to go to the ISE CLI and set the MTU to 9000 as well. You have to set it, in configuration mode, on every ISE node in the deployment.
interface GigabitEthernet 0
ip mtu 9000
CPU utilization is as low as 8%, as you can see in Figure 5; memory utilization is around 300 GB, more or less.
You can set the MTU on the Windows Server 2022 as well.
I am only running the ASAv, Server-1 (IOSvL3), a Catalyst 8000, a Catalyst 9K switch and two Windows 10 evaluation VMs in EVE-NG. They are all linked to the Windows Server and the ISE nodes via the EVE-NG management cloud.
Below is a sample of the answers you need to enter during the ISE setup. You just need to change the hostname and IP address for the other nodes. The setup takes a long time, and so do node registration and adjusting the services.
Enter hostname: ISE-PSN-1
Enter IP address: 192.168.1.31
Enter IP netmask: 255.255.255.0
Enter IP default gateway: 192.168.1.55
Do you want to configure IPv6 address? Y/N [N]: N
Enter default DNS domain: ht.local
Enter primary nameserver: 192.168.1.168
Add secondary nameserver? Y/N [N]: N
Enter NTP server[time.nist.gov]: 192.168.1.168
Add another NTP server? Y/N [N]: N
Enter system timezone[UTC]: America/New_York
Enable SSH service? Y/N [N]: Y
Enter username[admin]: admin
Enter password:
Enter password again:
You might want to enable the AD DS, DHCP, NTP, CA and DNS roles on the Microsoft AD server.
I will not delve into the details of the AD configuration, as you can find many resources online.
The DNS records (forward and reverse) for all the nodes should be configured correctly as well.
At the certificate authority, duplicate the Web Server template and add "Client Authentication" to its application policies. Keep in mind that AD CS takes the key usage and EKU extensions from the template, not from the CSR, and that the template's subject name must be set to "Supply in the request" so that the SANs you put in the CSR are honoured.
To be more realistic, we will be using the Windows Server DHCP service in this lab as well. The scopes are configured with the required options as shown in Figure 11.
Nodes 1 to 6 provide the core services (i.e., they are not client facing), as a highly available pair for each persona.
The PSNs are the nodes that the network devices send their RADIUS and TACACS+ requests to.
During the deployment, you cannot remove the Monitoring persona from ISE-PAN-1 until you have registered the ISE-MnT-1 node.
As you can see in Figure 10, ISE-PAN-1 is running only the Administration persona. The same applies to ISE-PAN-2.
PAN failover is enabled between ISE-PAN-1 and ISE-PAN-2. The Primary Health Check Node for ISE-PAN-1 is ISE-MnT-1, and the Primary Health Check Node for ISE-PAN-2 is ISE-MnT-2.
The ISE monitoring nodes are configured as shown in Figure 16. Dedicated MnT mode is enabled for the node as well. The same configuration is applied to the other MnT node.
The ISE pxGrid node is configured as shown below. Only the pxGrid service is running, and the same applies to pxGrid node 2.
The ISE PSN node is configured with quite a lot of services, as you can see in Figure 18. In addition, "Enable Session Services" is checked and a node group named PSN GROUP is created containing PSN node 1 and PSN node 2. Note that a node group does not balance AAA requests by itself; that is done by the network devices (or a load balancer) sending to both PSNs. What the node group gives you is shared session state between the two PSNs, so that the surviving node can issue the CoA for sessions of a failed node, plus MAR cache distribution.
To enable MAR Cache Distribution for the node group, you first have to enable it in the ISE AD configuration, and for that the ISE nodes must be joined to AD. The join point is defined once on the primary PAN and replicated, but every node that will authenticate users (at least the PSNs) has to be joined to the domain itself; the join dialog on the PAN lets you select all the nodes at once.
Tick the "Enable Machine Access Restrictions" checkbox in the ISE AD Advanced Settings, as shown in Figure 20.
Finally, tick "Enable MAR Cache Distribution" in the node group. You can read more about the MAR cache at https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html. This feature is related to machine authentication: the PSN remembers that a machine authenticated recently and only then accepts a subsequent user authentication from it. There are pros and cons (it is a cache keyed on the MAC address, with an aging time), so implement it according to your organization's policy requirements.
Before you configure anything else, you might want to create or update the certificates on the Cisco ISE nodes. The first step is to upload the AD Root CA certificate into the Trusted Certificates store.
Depending on your requirements, you can create a certificate for each service on each node, or use one wildcard certificate for everything. Separate certificates per service and per node is the recommended approach, but it is tedious, so I will use a wildcard certificate for this lab. The common name itself must not be a wildcard: the Windows native supplicant does not accept a wildcard CN when it validates the EAP server certificate. So I used an ordinary name as the CN and put the wildcard, plus the individual node names, in the Subject Alternative Name list. I prefer to use "openssl" from the Linux CLI to generate the certificate signing request. Below is the configuration file I used; create it with any editor (e.g. nano) as req.cnf. Note that IP addresses go in as IP entries, not DNS entries; a dNSName SAN containing an IP address does not match a client that connects by IP.
[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = US
ST = NY
L = BROOKLYN
O = HT
OU = IT
CN = ise-saml.ht.local
[ req_ext ]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
certificatePolicies = @policy_section
[ alt_names ]
DNS.1 = *.ht.local
DNS.2 = ise-pan-1.ht.local
DNS.3 = ise-pan-2.ht.local
DNS.4 = ise-mnt-1.ht.local
DNS.5 = ise-mnt-2.ht.local
DNS.6 = ise-pxgrid-1.ht.local
DNS.7 = ise-pxgrid-2.ht.local
DNS.8 = ise-psn-1.ht.local
DNS.9 = ise-psn-2.ht.local
IP.1 = 192.168.1.31
IP.2 = 192.168.1.32
IP.3 = 192.168.1.33
IP.4 = 192.168.1.34
IP.5 = 192.168.1.35
IP.6 = 192.168.1.36
IP.7 = 192.168.1.37
IP.8 = 192.168.1.38
[ policy_section ]
policyIdentifier = 1.3.6.1.4.1.11129.2.5.3
Use the following command to generate the private key for the certificate.
openssl genpkey -algorithm RSA -out ISE-SERVICES-CERT-KEY.pem -pkeyopt rsa_keygen_bits:2048
Use the following command to generate the certificate signing request with the "req.cnf" file we created earlier.
openssl req -new -key ISE-SERVICES-CERT-KEY.pem -out ISE-SERVICES-CERT-CSR.pem -config req.cnf
Before you go to the Windows Server certificate enrollment portal, it is a good idea to verify the CSR you created: decode it and check that the subject, the SAN list and the key usages are what you intended.
Then go to the Microsoft Active Directory Certificate Services web enrollment portal. This is also the place where you can download the CA certificate.
Click "Request a certificate", then "advanced certificate request", and paste the CSR. Select the certificate template we created and click "Submit".
Then download the certificate. Use the "Download certificate chain" option here, so that you get the issuing CA along with the server certificate.
The next step is uploading the certificate to ISE. You can use one wildcard certificate for all the usages except SAML; for SAML you have to use a different certificate.
There is one additional step, as ISE will not accept the ".p7b" file from the portal. You need to convert it to ".cer" (PEM) format, which you can do with the following openssl command (if the portal gave you a binary rather than a Base64-encoded file, tell openssl that the input format is DER).
openssl pkcs7 -print_certs -in ISE-SERVICES-CERT-CER.p7b -out ISE-SERVICES-CERT-CER.cer
When you bind the new certificate to the Admin usage and the nodes need to restart, ISE will prompt you to disable PAN failover first.
Once this is done, the nodes will restart at the time you set, or you can select all of them and restart now. In a production environment, restart the secondary nodes first; once they are back and functional, restart the primary nodes.
In this lab I used three certificates: one for Admin, one for SAML, and one for the rest of the usages (EAP Authentication, RADIUS DTLS, pxGrid, Portal, ISE Messaging Service, Native IPsec).
We can add the user groups that we created in AD to ISE. Later we will use them to configure policy and user authentication.
The next step is to add the Network Devices for RADIUS and TACACS+ authentication. Due to the extreme slowness of the C9K virtual switch, I removed TACACS+ authentication from the C9K switch.
Putting devices into network device groups makes it easier to write policies: for example, we can give the Firewall Admin group from AD access to the firewalls, and the Network Admin group from AD access to the routers and switches.
As the next step, you can configure the TACACS+ Command Sets. For the sake of simplicity I will not configure much here; at the very least we should prevent the firewall admins from running "write erase".
Similarly, for the routing and switching devices we can deny "write erase" and "reload".
We can configure two TACACS+ profiles (shell profiles) as well: one for the firewalls and one for the routing and switching devices.
Now that we have all the profiles and groups, we can create the device administration policies: two Device Administration policy sets.
The policy configuration is simple. As you can see in Figure 37, the device must be in the Cisco Firewall device group and the user must come from HT-AD-1.ht.local. If these conditions match, we move on to authorization based on the user's AD groups: if the user belongs to the Firewall Administrator group, they are authorized with the shell profile named "Cisco Firewalls" and the command set named "Cisco Firewall Commands".
Similarly, we configure the same kind of policy set for the routing and switching devices; Figure 39 shows it.
You can see the login logs at Operations > TACACS > Live Logs.
You can also see why the user was authenticated and which policy was used in the detailed live log.
The same applies to the authorization logs.
For accounting, at Work Centers > Reports > Device Administration Reports > TACACS Accounting, you can see which commands were issued on which devices by which users.
3. Basic Device Configuration and Cisco AnyConnect VPN
Let's start with the basic configuration of the Cisco network devices.
C8K Configuration
hostname C8K
!
!
aaa new-model
!
aaa group server tacacs+ ISE-PSN
server name ISE-PSN-1.ht.local
server name ISE-PSN-2.ht.local
!
aaa authentication login default group ISE-PSN local
aaa authentication enable default group ISE-PSN enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE-PSN local
! "none" as the fallback means that if both PSNs are unreachable every command is
! permitted without authorization (IOS has no usable local command-authorization
! method). Fine for a lab; in production monitor TACACS+ reachability closely.
aaa authorization commands 0 default group ISE-PSN none
aaa authorization commands 1 default group ISE-PSN none
aaa authorization commands 15 default group ISE-PSN none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
license boot level network-premier addon dna-premier
!
enable secret Secure123!@#
!
username admin privilege 15 secret Secure123!@#
!
interface GigabitEthernet1
ip address 192.168.1.55 255.255.255.0
ip nat outside
no shutdown
!
interface GigabitEthernet2.1
encapsulation dot1Q 1 native
ip address 172.16.0.1 255.255.255.0
ip helper-address 192.168.1.168
no shutdown
!
interface GigabitEthernet2.2
encapsulation dot1Q 2
ip address 172.16.22.1 255.255.255.0
ip helper-address 192.168.1.168
ip nat inside
no shutdown
!
interface GigabitEthernet3.10
description ASA-OUTSIDE
encapsulation dot1Q 10
ip address 192.168.50.1 255.255.255.252
no shutdown
!
interface GigabitEthernet3.20
description ASA-INSIDE
encapsulation dot1Q 20
ip address 192.168.100.2 255.255.255.0
no shutdown
!
no ip http server
no ip http authentication local
no ip http secure-server
no ip http client source-interface GigabitEthernet1
!
ip nat inside source list 10 interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list standard 10
10 permit 172.16.22.0 0.0.0.255
!
!
tacacs server ISE-PSN-1.ht.local
address ipv4 192.168.1.37
key secure123
tacacs server ISE-PSN-2.ht.local
address ipv4 192.168.1.38
key secure123
!
ntp server 192.168.1.168
clock timezone EST -5
clock summer-time EDT recurring
C9K Configuration
hostname C9K-1
!
aaa new-model
!
!
aaa group server tacacs+ ISE-PSN
server name ISE-PSN-1
server name ISE-PSN-2
!
aaa group server radius ISE-PSN-RADIUS
server name ISE-PSN-1-RADIUS
server name ISE-PSN-2-RADIUS
!
aaa authentication dot1x default group ISE-PSN-RADIUS
aaa authorization network default group ISE-PSN-RADIUS
aaa accounting dot1x default start-stop group ISE-PSN-RADIUS
!
!
aaa server radius dynamic-author
client 192.168.1.37 server-key secure123
client 192.168.1.38 server-key secure123
!
license boot level network-advantage addon dna-advantage
!
dot1x system-auth-control
!
! The VLAN that ISE assigns dynamically has to exist on the switch.
vlan 2
name USERS
!
! Device tracking lets the switch learn the endpoint IP, which a dACL needs in order to be applied.
device-tracking policy IPDT_POLICY
tracking enable
!
username admin privilege 15 secret Secure123!@#
!
no cdp run
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 1,2
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication host-mode multi-auth
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
no shutdown
!
interface Vlan1
ip address 172.16.0.254 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 Vlan1 172.16.0.1
!
ip radius source-interface Vlan1
!
! Send Service-Type (6), Framed-IP-Address (8) and the Cisco VSAs so that ISE can
! match on them and return the dACL / URL-redirect attributes.
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
radius-server vsa send accounting
radius-server deadtime 30
!
radius server ISE-PSN-1-RADIUS
address ipv4 192.168.1.37 auth-port 1812 acct-port 1813
key secure123
!
radius server ISE-PSN-2-RADIUS
address ipv4 192.168.1.38 auth-port 1812 acct-port 1813
key secure123
!
ntp server 192.168.1.168
clock timezone EST -5
clock summer-time EDT recurring
ASAv Configuration
I would prefer to use Cisco FTD; however, an AnyConnect license free trial is not available with Cisco FTD. That is the reason I used the ASA here, even though the ASA is now end-of-life.
# ASA Basic Configuration
hostname ASAv-1
!
domain-name ht.local
!
enable password Secure135
!
username admin password Secure135 privilege 15
!
license smart
feature tier standard
throughput level 1G
!
interface GigabitEthernet0/0.10
vlan 10
nameif OUTSIDE
security-level 0
ip address 192.168.50.2 255.255.255.252
no shutdown
!
interface GigabitEthernet0/0.20
vlan 20
nameif INSIDE
security-level 100
ip address 192.168.100.1 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.16.11.1 255.255.255.0
no shutdown
!
interface Management0/0
management-only
nameif MGMT
security-level 0
ip address 192.168.1.210 255.255.255.0
no shutdown
!
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.168.1.168 source MGMT
!
asdm image boot:/asdm-7181152.bin
!
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.50.1
!
http server enable
http 192.168.1.0 255.255.255.0 MGMT
!
ssh version 2
ssh 192.168.1.0 255.255.255.0 MGMT
!
dhcprelay server 192.168.1.168 MGMT
dhcprelay enable INSIDE
dhcprelay timeout 60
!
aaa-server ISE-PSN-TACACS protocol tacacs+
aaa-server ISE-PSN-TACACS (MGMT) host 192.168.1.37
key secure123
!
aaa-server ISE-PSN-TACACS (MGMT) host 192.168.1.38
key secure123
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
aaa authentication enable console ISE-PSN-TACACS LOCAL
aaa authentication ssh console ISE-PSN-TACACS LOCAL
aaa authentication http console ISE-PSN-TACACS LOCAL
aaa authorization command ISE-PSN-TACACS LOCAL
aaa accounting enable console ISE-PSN-TACACS
aaa accounting command ISE-PSN-TACACS
aaa accounting ssh console ISE-PSN-TACACS
aaa authorization exec authentication-server
aaa authentication login-history
The next step, after completing the basic configuration from the CLI, is to import the Root CA certificate to the ASA. You can do this from the CLI as well, but as I will be uploading images and certificates to the ASA anyway, I use ASDM.
The AnyConnect image file that you upload here needs to be something like "anyconnect-xxx-webdeploy-k9.pkg". It can be a Linux or macOS image as well; I am using the Windows image in this lab. You just need to click Add and Upload, then select the appropriate files from your local PC.
I will delete all the default CA certificates and add the Windows CA certificate.
I will be using "openssl" to generate the CSR and the private key. The request file has the same shape as the ISE one; note that the OUTSIDE interface address goes in as an IP entry, so that a client connecting to https://192.168.50.2 finds a matching SAN.
[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = US
ST = NY
L = BROOKLYN
O = HT
OU = IT
CN = asav-1.ht.local
[ req_ext ]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
certificatePolicies = @policy_section
[ alt_names ]
DNS.1 = *.ht.local
DNS.2 = asav-1.ht.local
IP.1 = 192.168.50.2
[ policy_section ]
policyIdentifier = 1.3.6.1.4.1.11129.2.5.3
Then generate the key file using the following command.
openssl genpkey -algorithm RSA -out ASAV-1-KEY.pem -pkeyopt rsa_keygen_bits:2048
The next step is to generate the certificate signing request.
openssl req -new -key ASAV-1-KEY.pem -out ASAV-1-CSR.pem -config asa.req.cnf
Then go to the Windows Server certificate portal and have the certificate signed. For the ASA we need to combine the private key and the signed certificate (with its chain) into a single PKCS#12 file to import it. Use the following openssl command to build the PKCS#12 file; it will ask for an export password.
openssl pkcs12 -export -out ASAV-1-CERT.pfx -inkey ASAV-1-KEY.pem -in ASAV-1.CER.cer
Now, once you have the file, you can select and import it and enter the password that you created during the export.
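The following is an added example, not part of the original write-up, covering both the ISE certificate procedure in section 2 and the ASA one just above: the same openssl steps (key, CSR with SANs, chain returned as .p7b, conversion to .cer, PKCS#12 bundle) run end to end, with a check on each artifact before it is uploaded. It assumes an openssl binary and a throw-away local CA created inside the script, which stands in for the Windows AD CS portal (assumption: the real template honours the SANs supplied in the CSR). The export password "lab" and the scratch directory are placeholders, and the "wrong" request at the end is constructed to show what a DNS.n entry holding an IP address actually produces.

```shell
#!/bin/sh
# Added example, not part of the original write-up: the certificate workflow from
# sections 2 and 3 (key, CSR with SANs, signed chain as .p7b, conversion to .cer,
# PKCS#12 for the ASA) run end to end with openssl, with a check on each artifact
# before it is uploaded. A throw-away local CA stands in for the Windows AD CS
# portal; the assumption is that the real template honours the SANs in the CSR.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumption: an absolute scratch directory

# Write an openssl request config like the ones in the text. IP addresses must be
# IP.n entries; a DNS.n entry holding an IP produces a dNSName that no client
# connecting by IP will accept.
write_req_cnf() {  # $1 = output file, $2 = CN, $3 = alt_names body (one entry per line)
  printf '%s\n' '[ req ]' 'default_md = sha256' 'distinguished_name = dn' \
    'req_extensions = req_ext' 'prompt = no' \
    '[ dn ]' 'C = US' 'ST = NY' 'L = BROOKLYN' 'O = HT' 'OU = IT' "CN = $2" \
    '[ req_ext ]' 'subjectAltName = @alt_names' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    '[ alt_names ]' "$3" > "$1"
}

# RSA-2048 key and CSR, the same two commands the text uses.
make_key_and_csr() {  # $1 = path prefix, $2 = config file
  openssl genpkey -algorithm RSA -out "$1-KEY.pem" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl req -new -key "$1-KEY.pem" -out "$1-CSR.pem" -config "$2"
}

# Print the Subject Alternative Name entries of a CSR ("csr") or certificate ("cert").
san_line() {  # $1 = csr|cert, $2 = file
  if [ "$1" = csr ]; then cmd=req; else cmd=x509; fi
  openssl "$cmd" -in "$2" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# yes/no: is the literal entry $3 (e.g. "IP Address:192.168.50.2") in the SAN list?
san_has() { san_line "$1" "$2" | grep -qF -- "$3" && echo yes || echo no; }

# yes/no: does the private key belong to the certificate? Check this before
# building the .pfx; the ASA import fails late and unhelpfully otherwise.
key_matches_cert() {  # $1 = key file, $2 = cert file
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ] && echo yes || echo no
}

# Number of certificates in a PEM file, e.g. to confirm the converted chain has leaf + CA.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# 1. Stand-in for the AD CS issuing CA (in the lab this is the Windows CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/CA-KEY.pem" -out "$WORK/CA.cer" \
  -subj '/CN=HT-AD-1-CA' -days 1 2>/dev/null

# 2. The ASA request, with the OUTSIDE address as an IP SAN.
write_req_cnf "$WORK/asa.req.cnf" asav-1.ht.local \
'DNS.1 = *.ht.local
DNS.2 = asav-1.ht.local
IP.1 = 192.168.50.2'
make_key_and_csr "$WORK/ASAV-1" "$WORK/asa.req.cnf"

# 3. Sign it. AD CS "Download certificate chain" hands back a .p7b; we build the
#    same thing and convert it exactly as the text does for ISE (add -inform DER
#    to the pkcs7 command if the portal gave you a binary file).
openssl x509 -req -in "$WORK/ASAV-1-CSR.pem" -CA "$WORK/CA.cer" -CAkey "$WORK/CA-KEY.pem" \
  -CAcreateserial -days 1 -extfile "$WORK/asa.req.cnf" -extensions req_ext \
  -out "$WORK/ASAV-1-LEAF.pem" 2>/dev/null
openssl crl2pkcs7 -nocrl -certfile "$WORK/ASAV-1-LEAF.pem" -certfile "$WORK/CA.cer" \
  -out "$WORK/ASAV-1-CERT.p7b"
openssl pkcs7 -print_certs -in "$WORK/ASAV-1-CERT.p7b" -out "$WORK/ASAV-1-CERT.cer"

# 4. Key + certificate + chain as PKCS#12 for the ASA import ("lab" is a placeholder password).
openssl pkcs12 -export -out "$WORK/ASAV-1-CERT.pfx" -inkey "$WORK/ASAV-1-KEY.pem" \
  -in "$WORK/ASAV-1-LEAF.pem" -certfile "$WORK/CA.cer" -passout pass:lab

# 5. The mistake to avoid: the same address as a DNS.n entry.
write_req_cnf "$WORK/wrong.req.cnf" asav-1.ht.local 'DNS.1 = 192.168.50.2'
make_key_and_csr "$WORK/WRONG" "$WORK/wrong.req.cnf"

echo "good CSR SAN : $(san_line csr "$WORK/ASAV-1-CSR.pem")"
echo "wrong CSR SAN: $(san_line csr "$WORK/WRONG-CSR.pem")"
echo "key matches  : $(key_matches_cert "$WORK/ASAV-1-KEY.pem" "$WORK/ASAV-1-LEAF.pem")"
echo "certs in .cer: $(cert_count "$WORK/ASAV-1-CERT.cer")"
```

Against the real CA, skip step 1 and step 3's signing, feed the CSR to the portal as the text describes, and run the same san_has, key_matches_cert and cert_count checks on what comes back; the "wrong" CSR shows "DNS:192.168.50.2" where the good one shows "IP Address:192.168.50.2", which is the difference between a client connecting by IP trusting the certificate or not.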
Even though we still call this SSL, it is TLSv1.2, which is the most widely used version for now. TLSv1.3 is not available with Cisco AnyConnect. That is another topic to discuss.
Then we go back to the CLI for the rest of the configuration.
# Redirect ACL (referenced by name from the ISE authorization profile; permit = redirect to the ISE portal, deny = pass through, so DNS, the PSNs and ICMP are denied here)
access-list ISE-REDIRECT extended deny udp any any eq domain
access-list ISE-REDIRECT extended deny ip any host 192.168.1.37
access-list ISE-REDIRECT extended deny ip any host 192.168.1.38
access-list ISE-REDIRECT extended deny icmp any any
access-list ISE-REDIRECT extended permit tcp any any eq www
# Enable CoA.
aaa-server ISE-PSN-RADIUS protocol radius
interim-accounting-update periodic 1
dynamic-authorization
# Configure Radius Servers
aaa-server ISE-PSN-RADIUS (MGMT) host 192.168.1.37
key secure123
!
aaa-server ISE-PSN-RADIUS (MGMT) host 192.168.1.38
key secure123
# AnyConnect Configuration - Address Pool
ip local pool ANYCONNECT-POOL 192.168.100.20-192.168.100.200 mask 255.255.255.0
# AnyConnect Configuration - WebVPN
webvpn
enable OUTSIDE
anyconnect image disk0:/cisco-secure-client-win-5.0.02075-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect enable
tunnel-group-list enable
# AnyConnect Configuration - GROUP POLICY
group-policy ANYCONNECT-POLICY internal
!
group-policy ANYCONNECT-POLICY attributes
dns-server value 192.168.1.168
dhcp-network-scope 192.168.100.0
vpn-tunnel-protocol ikev2 ssl-client
# AnyConnect Configuration - Tunnel Group
tunnel-group ANYCONNECT-GROUP type remote-access
!
tunnel-group ANYCONNECT-GROUP general-attributes
address-pool ANYCONNECT-POOL
authentication-server-group ISE-PSN-RADIUS
accounting-server-group ISE-PSN-RADIUS
default-group-policy ANYCONNECT-POLICY
dhcp-server subnet-selection 192.168.100.1
# AnyConnect Configuration - WebVPN Attributes
tunnel-group ANYCONNECT-GROUP webvpn-attributes
group-alias ANYCONNECT_TUNNEL enable
# The group-url must be an address of the interface webvpn is enabled on (OUTSIDE, 192.168.50.2) and must be covered by the ASA identity certificate's SAN.
group-url https://192.168.50.2 enable
Then go back to ASDM and select the certificate we imported for the AnyConnect VPN.
Now we can download the AnyConnect client on the Windows PC named "Anyconnect-User-1" as follows. We can distribute it from Cisco ISE as well. Since this is just the VPN image, you still need to install the ISE Posture module later on.
The installation steps are pretty straightforward; you just need to follow the installation wizard.
To be able to connect, we actually need some basic policy configured in Cisco ISE. We will review the policies in a later section, together with the Cisco ISE posture configuration.
Depending on your design and security requirements, you can enable split tunneling as well. Split tunneling is useful if you want to allow local Internet access (i.e., not through your organization) and enterprise network access at the same time. If split tunneling is not enabled, all Internet traffic also goes through the AnyConnect VPN. The trade-off is that with split tunneling the endpoint is on an untrusted network and on yours at the same time, which is exactly the situation the posture check is meant to cover.
You will see the routes you configured in the AnyConnect client's Route Details as well.
You will also see that the packets are protected with DTLSv1.2. However, once the ASA has decrypted them and routed them back to the C8K router, they are no longer protected. This is expected: the tunnel only protects the leg between the client and the ASA.
Server-1 Configuration
hostname Server-1
!
interface GigabitEthernet0/0
ip address 172.16.11.100 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.16.11.1
There is no special configuration for the Anyconnect-User-1 Windows PC; the PC is domain joined.
There are a ton of things you can set in the Cisco AnyConnect profile. You can explore more if you want; I will not go into the details of these preferences and settings here.
4. Configuring Cisco ISE Posture Check
You can follow the posture flow at Work Centers > Posture > Overview.
Since we have already configured the Network Devices, we go to the next preparation step: "Posture Updates". We can set ISE to download them from the Cisco website directly, and click "Update Now" to start the download immediately.
The next step, as you can see in Work Centers > Posture, is configuring the Client Provisioning Resources. You can easily navigate there from the Work Center.
To add a new profile, click Add and select Agent Posture Profile. Then you can start configuring the profile.
We set "Enable Rescan Button" to Enabled; I think this might come in handy.
I will also select PSN 1 and PSN 2 here as Posture proving Backup List. You can leave it blank if you want.
You should know what all those posture settings do, so that you can adjust them if required.
I am configuring the Discovery Host as my C8K router's WAN interface IP. It can be any address, as long as the agent's traffic toward it passes through the NAD (here the C9K switch), because discovery works by the NAD intercepting that traffic and redirecting it to the PSN.
In addition, I add PSN 1 and PSN 2 to the Discovery Backup Server List. The server name rule, as you can see in Figure 64, is a wildcard for my lab AD domain, "*.ht.local"; it restricts which server names the agent is willing to talk to. I add PSN 1 and PSN 2 to the Call Home List as well.
You can add all the messages according to your organization's policy. I will just leave them blank.
Once that is done, click Save. As the next step, we add an "Agent Configuration". I selected CiscoSecureClientDesktopWindows 5.1 and the ISE Compliance Module for Windows 4.3. I only chose the ISE Posture module here, as I do not need the rest of the modules for this lab.
For the profile selection, I just use the ISE Posture Profile that was created in the previous step.
I leave the rest of the settings as they are.
You can either add a new client provisioning rule or edit the existing one and attach the Agent Configuration we just configured. Click Done and Save after that.
This is not complete yet; I still need time to write up all the steps above. More will be coming. Below are the final results.
As the next step, you can configure the AUP (Acceptable Use Policy). Even though it is not important in a lab environment, it is really important in production. The AUP acts like a legal "No Trespassing" sign for our network; it lets us hold unauthorized users, or users with malicious intent, accountable under the applicable laws and regulations.
As you can see in Figure 72, I just configured a simple AUP.
Next is tweaking the Posture General Settings. I set the remediation timer to 10 minutes because the EVE-NG Windows VMs are really slow sometimes. I also set the Default Posture Status to NonCompliant, so that an endpoint whose posture cannot be determined is treated as non-compliant rather than being let through. I did not enable Cache Last Known Posture Status, but you might want to enable it in a production environment with thousands or tens of thousands of endpoints. Click Next once you are done.
You can define a lot of conditions and checks here, from antimalware to USB sticks to BitLocker encryption. You might be surprised by the list of antimalware vendors that Cisco ISE supports; the list goes on and on. You need to configure these depending on your organization's requirements.
You can also set the remediation actions.
You can also create Posture Requirements by combining these conditions.
Since this lab is more about the setup, we are fine with the default policy. As you can see in Figure 78, in the policy options for the rule named "Default_AntiMalware_Policy_Win" we can define the operating system requirement as Windows 10 or Windows 11, the compliance module requirement as 4.x or later, the posture type as Agent, and additionally we can select USB_Block.
The next step, if you follow the Work Center, is creating the Authorization Profiles. For the first profile, I select the "Access Type" ACCESS_ACCEPT and attach the DACL named "Quarantine_DACL". This one is for ISE-LAB-INTERNAL-PC-1.
Then, as part of the Quarantine_Profile, I assign VLAN 1. The Tag ID is the RADIUS attribute tag and stays at 1; the ID/Name field is where you enter your VLAN ID or name.
I am not configuring portal redirection, as I am not using a real Cisco switch and portal redirection somehow did not work with the virtual C9K. The switch is extremely slow. I have to disconnect from the switch and install the AnyConnect package manually. This does not really matter, as we usually push this software and its configuration from AD; most users do not even have the rights to install software manually.
As I did not configure NAT for the quarantine VLAN 1, quarantined PCs will not have Internet access, and Quarantine_DACL denies them access to the server farm. Whatever else a quarantine dACL denies, it must still permit the endpoint to reach the PSNs (for the posture agent and any redirect), DNS, and whatever remediation servers the posture policy points at; otherwise the endpoint can never become compliant.
The other profile is USER_Profile. The Access Type is ACCESS_ACCEPT and the DACL is PERMIT_ALL_IPV4_TRAFFIC.
This profile assigns VLAN 2.
For the ASA, we also need two profiles, one for compliant and another for non-compliant devices. We attach the ASA_NONCOMPLIANT DACL to the latter.
I also tried to configure Web Redirection to the Client Provisioning Portal, but I do not think it will work here. One more important point: the ACL "ISE-REDIRECT" is not configured on ISE; it is configured on the ASA where the AnyConnect VPN terminates. In other scenarios, you configure the redirect ACL on the WLCs or switches. ISE only references the ACL by name in the authorization profile, so the name must match exactly on the NAD; inside the ACL, permit means "redirect this traffic" and deny means "let it through".
For the ASA_NONCOMPLIANT DACL, access to the server farm IPs and to the other users is denied at the top, followed by a permit all, as shown below.
The ASA_COMPLIANT profile is configured with the DACL "PERMIT_ALL_IPV4_TRAFFIC", and that is pretty much it.
Now let's configure the actual policy, as we have configured all the required items.
At the policy set level, the condition is that the access request is RADIUS or 802.1X, and the allowed protocols list is Default Network Access. That only selects the policy set; authentication and authorization happen in the rules inside it.
If you click the right arrow next to the policy set "HT Users", you will see more options.
As you can see in Figure 87, the identity source is HT-AD-1.ht.local, and I do not have MAB (MAC Authentication Bypass) configured. So if authentication against AD fails, ISE rejects the access; if the user is not found in AD, reject; if the authentication process itself fails, reject. If you have MAB configured, you might want to select Continue for "user not found" so that the authorization rules can still apply.
As you can see in Figure 88, I configured some basic authorization rules for this lab. In production the rules can be quite complicated, as you might want to tie in several factors.
The first three rules apply to users from the "Remote Users" group in AD. If their compliance status is unknown or non-compliant, they get the ASA_Redirect profile and the Quarantine_Systems security group. If they are compliant, they get the ASA_COMPLIANT profile and the Employees security group.
Similarly, users from the "Internal Users" AD group get Quarantine_Profile and the Quarantined_Systems security group if their devices are unknown or non-compliant, and USER_Profile and the Employees security group if their devices are compliant.
Now let's download and configure posture on the Anyconnect-User-1 PC.
To download the file, since redirection is not working, we can go to the ISE portal by using the Portal test URL.
After downloading the posture agent from the ISE portal, install it as shown in Figure 90; you can simply follow the steps.
Once the installation is complete, you will see two modules in Cisco Secure Client: one is AnyConnect VPN, and the other is ISE Posture. Once you connect to the AnyConnect VPN, it triggers ISE Posture and the posture check starts.
Once you are connected and the posture check has completed, you can verify it at Operations > RADIUS > Live Logs; you will see the CoA (Change of Authorization) action.
Now let's go to ISE-INTERNAL-PC-1. I will reboot the PC so we can see the CoA action.
Initially the PC is in the quarantine VLAN, with the IP address 172.16.0.12. Then, once it is marked compliant, you will see the network change to the user VLAN, and the IP address changes as well.
I hope this lab is informative for anyone who will be testing Cisco ISE for learning or project. Later if I can spare time, I will try to