Meddane

Meddane_0-1693816640743.png

Step 1: Configure posture conditions

Windows Assets can be marked as ‘Compliant’ when:

  • Windows update agent is running
  • Any Firewall product is running
  • Any Anti-Malware software is installed

Create a condition for Anti-Malware, navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Conditions → (5)Anti-Malware and press Add.

Click Submit to save the new condition.

Meddane_1-1693816640815.png

Create a condition for Firewall check, navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Conditions → (5)Firewall Condition and press Add.

Click Submit to save the new condition.

Meddane_2-1693816640871.png

Create a condition for Windows update check, navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Conditions → (5)Patch Management and press Add.

Click Submit to save the new condition.

Meddane_3-1693816640982.png
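Before enrolling a PC, an administrator can reproduce the three Step 1 conditions locally to predict what the compliance module will report. This is an added example, not part of the original post; it assumes an elevated PowerShell on a Windows workstation, and the productState bit decoding is an assumption based on the commonly used SecurityCenter2 interpretation.

```powershell
# Added example (not from the original post): check the three Step 1 posture
# conditions locally. Run elevated on a Windows workstation (SecurityCenter2
# is not present on Windows Server).
function Test-LocalPostureConditions {
    $result = [ordered]@{}

    # Condition TEST-PATCH: the Windows Update agent service is running.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $result['WindowsUpdateAgentRunning'] = ($null -ne $wu -and $wu.Status -eq 'Running')

    # Condition TEST-FW: any firewall is running. Checks the built-in Windows
    # Firewall profiles and any third-party firewall registered with Security Center.
    $fwProfiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }
    $fwProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct -ErrorAction SilentlyContinue
    $result['FirewallRunning'] = (($fwProfiles | Measure-Object).Count -gt 0) -or
                                 (($fwProducts | Measure-Object).Count -gt 0)

    # Condition TEST-AM: any anti-malware product is installed (and, as extra
    # information, whether it is enabled).
    $am = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    # Assumption: bit 0x1000 of productState means real-time protection is on;
    # verify this decoding against your anti-malware vendor.
    $amEnabled = @($am | Where-Object { ($_.productState -band 0x1000) -ne 0 })
    $result['AntiMalwareInstalled'] = ($am.Count -gt 0)
    $result['AntiMalwareEnabled']   = ($amEnabled.Count -gt 0)
    $result['AntiMalwareProducts']  = ($am | ForEach-Object { $_.displayName }) -join ', '

    # Mirror the posture policy of Step 3: all three requirements must be met.
    $result['Compliant'] = $result['WindowsUpdateAgentRunning'] -and
                           $result['FirewallRunning'] -and
                           $result['AntiMalwareInstalled']
    [pscustomobject]$result
}

Test-LocalPostureConditions | Format-List
```

A PC that reports Compliant = False here will be held in the redirect authorization until the failing item is fixed, which is the behaviour observed in Step 9 when the Windows Firewall is disabled.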

Step 2: Configure posture requirements

A posture requirement is a configuration item on ISE that connects posture conditions with posture remediation actions. In other words, we define what the agent needs to check (requirement) and what the agent needs to do if the specified posture conditions are not met (remediation), such as a 'Message Text Only' remediation, which can be defined directly in the posture requirement.

To create Posture Requirements, navigate to (1)Work Centers → (2)Posture → (3) Policy Elements → (4)Requirements.

  • Requirement name: TEST-AM
  • Operating system: Windows All
  • Compliance module: 4.x or later
  • Agent: AnyConnect
  • Posture condition: select the previously created TEST-AM condition from the list
  • Remediation action: in the remediation list, select ‘Message Text Only’ and add a message text

The final configuration of the Anti-Malware requirement should look like the below example.

Meddane_4-1693816641279.png                                              

  • Requirement name: TEST-FW
  • Operating system: Windows All
  • Compliance module: 4.x or later
  • Agent: AnyConnect
  • Posture condition: select the previously created TEST-FW condition from the list
  • Remediation action: in the remediation list, select ‘Message Text Only’ and add a message text

The final configuration of the Firewall requirement should look like the below example.

Meddane_5-1693816641510.png

  • Requirement name: TEST-PATCH
  • Operating system: Windows All
  • Compliance module: 4.x or later
  • Agent: AnyConnect
  • Posture condition: select the previously created TEST-PATCH condition from the list
  • Remediation action: in the remediation list, select ‘Message Text Only’ and add a message text

The final configuration of the Windows Update requirement should look like the below example.

Meddane_6-1693816641806.png

Meddane_7-1693816642140.png

Step 3: Configure a posture policy

We need to define a posture policy which will be used for both redirect and non-redirect flows.

To create a new posture policy, navigate to (1)Work Centers → (2)Posture → (3) Posture Policy.

  • Policy name – TEST-Win-Posture
  • Operating Systems – Windows All
  • Compliance Module – 4.x or later
  • Posture Type – AnyConnect
  • Requirements – Select all three requirements created in Step 2 (TEST-AM, TEST-FW and TEST-PATCH)

Final configuration of the posture policy should look like the below example.

Meddane_8-1693816642182.png

Meddane_9-1693816642213.png

Step 4: Configure AnyConnect ISE posture profile

ISE posture profile is an essential part of client provisioning configuration on ISE. Basically, we only need to define a profile name and specify the server name rules.

Navigate to (1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Resources.

Click Add and select “NAC Agent or AnyConnect Posture Profile”.

  • Choose agent type – AnyConnect
  • Define a profile name – POSTURE-REDIRECT
  • Specify Server name rules – put ‘*’ here. Server name rules tell the AnyConnect ISE posture module which PSNs it is allowed to connect to. Validation is performed against the PSN name that ISE provides to the agent during the posture process.

Meddane_10-1693816642316.png

Meddane_11-1693816642472.png

Step 5: Create AnyConnect configuration

We need to create an AnyConnect configuration, which combines the AnyConnect package version, the compliance module version and the posture profile. This is where an administrator defines which AnyConnect modules should be provisioned and with which profiles.

On the same page, click Add and select AnyConnect Configuration, as shown below.

Meddane_12-1693816642598.png

Step 6: Create Client Provisioning Policy

The Client Provisioning policy in ISE specifies which Resources (BYOD/Posture) should be provisioned to the end-user.

Navigate to (1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Client Provisioning Policy.

The scenario has the following requirements for provisioning of the AC configuration which you've just created for the redirect-based flow:

  • The user should belong to the Internal Identity Group Employee (you can use an AD group if Active Directory is integrated)
  • VPN authentication should be performed over – MS-CHAPv2

Meddane_13-1693816642730.png

Meddane_14-1693816642805.png

Meddane_15-1693816642897.png

Step 7: Create Authorization Profiles

The first Authorization Profile is applied to the VPN user during posture assessment; its goal is to provide limited access to internal resources and to redirect the user to the Client Provisioning Portal.

Navigate to (1)Work Centers → (2)Posture → (3)Client Provisioning → (4) Client Provisioning Portal. Create a Client Provisioning Portal named CP_PORTAL_REDIRECT.

Meddane_16-1693816643099.png

Navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Downloadable ACLs to create a Downloadable ACL with some restrictions (for example, allow DNS, DHCP and the SWISS protocol UDP and TCP ports).

Meddane_17-1693816643205.png
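As an added example that is not part of the original post, a pre-posture dACL of this kind could consist of the following IOS-style entries; ISE-PSN-IP is a placeholder for your Policy Service Node address, and the entries assume the default ISE posture ports (TCP 8443 for the portal, TCP/UDP 8905 for SWISS, TCP/UDP 8909 for client provisioning).

```text
permit udp any any eq 53
permit udp any eq 68 any eq 67
permit tcp any host ISE-PSN-IP eq 8443
permit tcp any host ISE-PSN-IP eq 8905
permit udp any host ISE-PSN-IP eq 8905
permit tcp any host ISE-PSN-IP eq 8909
permit udp any host ISE-PSN-IP eq 8909
deny ip any any
```

The first two lines cover DNS and DHCP, the next five let the agent reach the portal, SWISS and client-provisioning services on the PSN, and the final deny blocks everything else until the session is Compliant and the permit ip any any dACL of the second profile replaces it.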

Navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Authorization Profiles to create an Authorization Profile that must be applied during posture assessment. Associate the previous dACL.

Meddane_18-1693816643244.png

In the Common Task, select Client Provisioning (Posture) for web redirection, then the Redirection ACL (the name must match the name configured on the ASA), finally select the Client Provisioning Portal created previously CP_PORTAL_REDIRECT.

Meddane_19-1693816643272.png

Once the end user's PC is compliant, we need to change the authorization to provide full access to the internal resources. This is the second authorization profile.

Navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Downloadable ACLs to create a Downloadable ACL with permit ip any any.

Meddane_20-1693816643306.png

Navigate to (1)Work Centers → (2)Posture → (3)Policy Elements → (4)Authorization Profiles to create an Authorization Profile that must be applied after posture assessment. Associate the previous dACL.

Meddane_21-1693816643395.png

Finally, we have two Authorization Profiles:

The Authorization Profile POSTURE_CPP_REDIRECT for pre-assessment.

The Authorization Profile VPN-COMPLIANTE-ACCESS for post-assessment.

Step 8: Create two Authorization Policies

In this step, we need to associate the Authorization Profiles created in step 7 to two Authorization Policies.

Navigate to (1)Work Centers → (2)Posture → (3)Policy Sets. Edit the Policy Set of VPN Access.

Under this Policy Set, create two Authorization Policies.

Authorization Policy for compliant PCs.

  • Name: POSTURE_COMPLIANT
  • Conditions: InternalUser:IdentityGroup EQUALS User Identity Groups:Employee AND Session:PostureStatus EQUALS Compliant
  • Profiles: VPN_COMPLIANT_ACCESS

Authorization Policy for redirection.

  • Name: CPP_REDIRECT
  • Conditions: InternalUser:IdentityGroup EQUALS User Identity Groups:Employee AND Session:PostureStatus NOT_EQUALS Compliant
  • Profiles: POSTURE_CPP_REDIRECT

Meddane_22-1693816643628.png

Step 9: Test Posture

Let’s test from the remote Employee user's PC.

Connect to the VPN with AnyConnect.

Meddane_23-1693816643671.png

Open a web browser and type any URL.

ISE redirects the HTTP request to the Client Provisioning Portal. Click the Start button.

Meddane_24-1693816643679.png

Click the ‘This is my first time here’ button.

Meddane_25-1693816643747.png

The posture module is not yet provisioned on the remote PC. The purpose of the Client Provisioning Portal is to let end users download the AnyConnect Posture Module. Click the ‘Click here to download and install AnyConnect’ button.

Meddane_26-1693816643842.png

The Network Setup Assistant is launched to download the posture module.

Meddane_27-1693816643895.png

The AnyConnect posture module and compliance module are downloaded and installed, and the scan starts as shown below.

A warning indicates that the Firewall on the PC is not enabled.

Meddane_28-1693816644030.png

Meddane_29-1693816644085.png

On the PC, enable the Windows Firewall.

The user will gain access to the network with a Compliant status.

Meddane_30-1693816644150.png

 

 
