ISE Wired PoC Prescriptive Guide

Gary Quinn Security TSA - 2019

Summary 2

Diagram 4
Diagram Note 4
Code Versions 5

ISE Installation 6
Summary 6
VM Resources 6

Catalyst3560 Configuration 6

Windows Server Setup 10

General Setup 10
Remote Desktop Access (Optional) 11
Active Directory Domain Services 12
Users and Groups 14
DNS Settings 16
DHCP 18
Certificate Authority 19
IIS Server 19
CA (Certificate Authority) Install 20
CA (Certificate Authority) Configuration 21
CA Templates 33
Group Policy Object 38

ISE Configuration 45
Bootstrapping 45
General 45
Navigation Howto 46
Certificates 46
Active Directory 52
Add Switch 54
 Profiling 56
Feed Service 59
Profiling - Where are we now? 60
Profile Weighting (a quick tutorial) 61
Ubuntu Corporate Workstation Profile 63
Ubuntu Corporate Asset Configuration (SNMP and DHCP) 66
Logical Profiles 67
Easy Connect/PassiveID 69
Summary 76
Client Provisioning 78
Bootstrapping ISE 79
ISE Posture Configuration Profile 82
Posture 86
Conditions 88
Requirements 92
Posture Policy 94
Anomalous Behavior Detection 95
General Policy 96
Bootstrapping 96
Captive Portals 96
Downloadable ACLS (dACLS) 103
Authorization Profiles 109
Authentication Policy MAB 117
Profiling Authorization Rules 118
Easy Connect Authorization 119
Ubuntu (and MAC) Connect Authorization 122
Posture 124
Anomalous Behavior Detection 131
802.1X Variant 132
Authentication Policy 132
Authorization Policy 133
Conclusion 133

Summary
Appalachian moonshiners operate in quick fashion, building their operations from the ground up,
brick by brick, for every run they make. Then they tear it all back down, move on and do it again
elsewhere. ISE wired demonstrations & use cases are a lot like that, lots of moving parts that
can prove daunting if you’ve never done it before and highly combustible when done incorrectly.

This guide is for those inexperienced individuals.. It’s only intended to show some nifty and
powerful use cases that a lot of customers either want or don’t know they want. There are tons
of other content out there for specific knobs or capabilities, but this is looking to be a more
complete guide.

“Popcorn” Sutton and J.B. Rader

Diagram

Diagram Note
This was done largely on:

● Standalone ESXi 6.5.0 Update 2 (Build 10884925)/Client version 1.33.1

○ Intel Nuc Skull Canyon​ (newer “Canyon” models available). Mine has 1TB and
32GB (the max) memory
○ This may be even easier if you have a bare metal Windows Server and load up
ISE in a Hyper-V VM.
● Catalyst 3560-CX switch (Any Catalyst that switches/routes should work great, bonus if it
has PoE)
● Various endpoints, however you can get them wired. Add in Rasperry PIs and IP
Telephones
Code Versions

Platform Version Notes

ISE 2.6 Patch1 (whatever’s ISE-2.6.0.156-virtual-SNS3615-

current) SNS3655-200.ova

Win Server 2012R2 Any modern Win server

works

Windows Client Win10 1903 Or whatever’s current

Linux Ubuntu 18 LTS Current

MacOS 10.14.5

Catalyst 3560-CX 15.2(6)E2

ISE Installation

Summary
Hopefully you know the general steps to install an ISE VM. This will note tips/tricks as we go.

This published ​guide​ is also quite helpful in installing on VMware (as well as hyper-v and KVM).

VM Resources
Note 200GB Thick Provisioned. For vCPUs, did 1 core x 2 Sockets (the default eval OVA
install). 8GB mem by default. Note you can always slide these higher to suit taste.

vNic was all e1000 (the default OVA option). 6 vNics were installed. Left them all on the same
network and only connected one of them.

Note ISE will install with 100GB but most likely won’t be able to be upgraded to newer versions
because the disk space isn’t available just to do the upgrade. Might be fine just for one and
down proof of concepts.

Catalyst3560 Configuration
aaa group server radius lab
server name lab
!
aaa authentication dot1x default group lab
aaa authorization network default group lab
aaa accounting dot1x default start-stop group lab
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.150.50 server-key [password]
!
!
!
device-sensor filter-list cdp list cdp-list
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name platform-type
!
device-sensor filter-list lldp list lldp-list
tlv name system-name
tlv name system-description
!
device-sensor filter-list dhcp list dhcp-list
option name host-name
option name domain-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor accounting
device-sensor notify all-changes
ip routing
!
!
ip dhcp snooping vlan 1,51-53,99,250-252
no ip dhcp snooping information option
ip dhcp snooping
no ip igmp snooping
!
!
!
!
!
!
!
!
dot1x system-auth-control
!
device classifier
!
!
!
!
!
lldp run
!
!
!
!
!
interface GigabitEthernet0/1
description Uplink
switchport mode trunk
ip dhcp snooping trust
!
interface GigabitEthernet0/8
description Link to ISE PassThrough
switchport access vlan 250
switchport mode access
switchport voice vlan 251
ip access-group ACL-DEFAULT in
authentication host-mode multi-auth
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
 dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 2
spanning-tree portfast edge
!
interface Vlan150
description Server VLAN
ip address 192.168.150.1 255.255.255.0
!
interface Vlan250
description Access VLAN
ip address 172.16.150.1 255.255.255.0
ip helper-address 192.168.150.10
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
!
ip access-list extended ACL-DEFAULT
permit ip any host 192.168.150.10
permit ip any host 192.168.150.50
permit udp any eq bootpc any eq bootps
deny ip any any
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL
deny ip any host 192.168.150.10
deny ip any host 192.168.150.50
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
permit tcp any any eq www
permit tcp any any eq 443
!
snmp-server community [community] RO
snmp-server community [community] RW
snmp ifmib ifindex persist
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server lab
address ipv4 192.168.150.50 auth-port 1812 acct-port 1813
 pac key [secret]

Windows Server Setup

General Setup
I had some spare windows server activation keys laying around from MSDN days. Most
customers will bring their own AD so a lot of this will largely be handled prior.

I used the default VMWare settings for Win2012 which is:

● 1 vCPU
● 40GB Disk (thick provisioned)
● 4GB Memory

Check the time in the VM (mine defaulted to 8 hours off).

On install I immediately hardcoded a static IP (192.168.150.10) and a reachable name server

(Umbrella’s 208.67.222.222/208.67.220.220 are always great). This is purely for patching and
further server function turnups

Note this initial patching takes a long time. Probably a good hour of fetching/installing. 3GB+ in
updates, 3 reboots.

Installed the vmware guest tools after all the patching

Change the server name from the auto generated name (not crucial but not simplifies things)

Tip: I use ‘example.com’ as my AD name. While you can use anything you want, it’s
discouraged to use .local domains as they have special meaning for mDNS applications and
some Linux OSs will not care for resolving .local domains as a standard domain. See this ​link
for more information on this issue.
Remote Desktop Access (Optional)
Found it tremendously helpful to enable RDP services to the server to configure the other
settings.
Active Directory Domain Services
This online ​guide​ should be easy enough to follow to setup ADDS for the first time. There are
other, similar links out there to help. The biggest takeway is to not get hung up about no DNS
server turned up (this setup will enable DNS services on this VM).

This is the message you can safely skip over, the server promotion will create all the required
DNS server/zone configurations.
And you can ignore these warnings:
Users and Groups
Example Inc is a Financial institution (a Credit Union or a Bank) and as such there will be three
different roles that will directly influence IP access. These are the accounts we’ll be creating
(and corresponding groups):

Username Role (Group) Permissions Notes

gaquinn (Gary Quinn) Network Architect Full Access

bcole (Bob Cole) Teller Only access to Teller

Subnet

jsmith (Jason Smith) Finance Finance subnets and

Internet access
My finished product looks like this:

Pro Tip Add in email addresses into the user accounts. This value is used for automatic client
certification generation in the CA step later in this guide
DNS Settings
After ADDS installation and promotion DNS server is properly installed and these should be
where we are:
Some DNS records need to be created for ISE to function. They’re listed below:

DNS Record Function Note

ise1.example.com Staple Record Used for multi deployments

and Posturing

cpp.example.com Client Provisioning Portal Used for Posturing

This is what mine looks like at this point. Note that the reverse lookup zone must be manually
created before you make the new records. Just right click and create new, pretty easy.

DHCP
I’m using MS DHCP server in my lab because that’s what most organizations will be using so
I’m enclosing it here for completeness. The DHCP server is installed by the same ‘Add Roles
and Features’ wizard, taking the defaults.

I loaded up two DHCP scopes (one for Voice and one for Data). Additional ones could be used
for Guest, Quarantine, etc.

What mine looks like at this step:

Certificate Authority
The certificate authority configuration is probably the most confusing step of this build so I will
try to be as step-by-step as possible:

IIS Server
The IIS Server is required in order to access the Certificate Services web interface, so install
that before the CA. Just take the defaults:
Optional: Enable HTTPS on the web server (you may have to bounce back to this step after you
install the CA server). While not required, it’s good security hygiene

CA (Certificate Authority) Install

I take several passes at this. The first is to install the CA and configure the CA certificate
CA (Certificate Authority) Configuration
These are most of the screenshots of the CA configuration (if a step is missing, take the default)
Now go back and install the Web Services for the CA, take the defaults.
After installation of these new servers you may need to reboot in order for Windows Server to
give you the option to Configure the new Web services:
I used the built in app pool instead of creating a service account

Lastly navigate to the URL (https://<name>/certsrv) and login (any user works but I used the
Administrator account)

CA Templates

The purpose of using CA Templates is to automatically provision each user and computer their
own certificate when they log into the domain. The workstation (aka machine) certificate is
automatically setup in AD but the user template needs to be built. As before, all relevant
configurations are shown:

Right click on Certificate Templates and choose Manage. This should bring up the templates.

Right click on ‘User’ and choose ‘Duplicate’

Enable the new certificate template with the following:
Repeat that for the Workstation Authentication template as well
 

Group Policy Object

Now we can issue certificates automatically via GPO pushes. Let’s set that (we can control the
method the clients connect by setting it on the Catalyst switchport).

Right Click on Default Domain Policy and choose “edit”

Turn up the Wired Autoconfig (aka 802.1X) service in the following navigation:
Enable the 802.1X configuration for the clients
Enable the Computer Certificate Enrollment
Enable it for the user:
Protip, if you find certificates are not being issued to your domain-joined Windows workstations,
check the Event Viewer on the Server VM. The reasons will be logged there.
The Final GPO Policy should look something like this
ISE Configuration
Now we’re getting to some ISE Configuration. We’ll build using blocks and then pull it all
together into a functioning, useful architecture.

Bootstrapping

General
Just to level-set, this was my VM setup parameters for this lab. Two things of note here: the
use of UTC versus local timezones. Just go with whatever your organization’s standards are
(most multi-timezone orgs will default to one timezone or possibly use UTC). Just note that ISE
cannot easily (or even possibly) be changed from the timezone you pick here, so choose wisely.

Common Time Zones​ syntax are here for reference

Second point, I enabled SSH to the node. Most likely you wouldn’t leave this available in a
production environment and it can easily be turned off after install.

ISE installs with a 90 day eval (all features enabled licensed). You can safely ignore any
license warnings after you log into the GUI
Navigation Howto
I will reference GUI position by hierarchy. Basically ISE is configured top down by tabs and
then left to right from the column slider and into the main page. Here’s an example, I’d
recommend you disable password expiration for the admin account by going to
Administration--System--Admin Access--Authentication--Password Policy--Password Lifetime

Here’s an example

Certificates
Certificates are used predominantly in ISE, to form EAP tunnels and serve web portals. For the
use cases here we will only install 2 certs in ISE. One will be the internal CA root certificate and
the second will be a wildcard certificate for ISE signed by the internal CA. Typically you will
purchase a 3rd party certificate for ISE when used for Guest portals (which isn’t a use case
outlined here). Aaron Woland’s cert tutorial is still excellent and available ​here​.

First step is to grab the root CA by navigating to the CA URL @ http://<IP Address>/CertSrv (in
my example I’m using ​https://192.168.150.10/CertSrv​). Log in as the administrator user
This downloads a file named certnew.cer. In the ISE GUI navigate to
Administration--System--Certificates--Certificate Management--Trusted Certificates. Click
Import
This is what mine looks like

Now it’s time to generate a CSR and have it signed by the WinCA. Navigate to
Administration--System--Certificates--Certificate Management--Certificate Signing Requests and
Click Generate CSR

My parameters look like this

The result is an option to export the CSR, so grab that file.

Navigate back to https://<ip address>/CertSrv and choose ‘Request a certificate’ and then
‘advanced certificate request’ (if you’re not logged in with an administrative account you may not
have access to this option or the Web Server template we need.
Paste in the CSR text data and choose the web server template

Click Submit and download the cert in Base64 format (should come down as ‘certnew.cer’ or
possibly ‘certnew(1).cer’ if the Win CA cert is also in the directory.

Back on ISE Administration--System--Certificates--Certificate Management--Certificate Signing

Requests. You should see the CSR with an option to ‘bind’ the certificate to the CSR. Mine
looks like this:
Note that I am use this one cert for pretty much every service (pxGrid certs require more
permissions than the Web Server template so it cannot use this cert). Click submit. There will
be several warnings as these services are moved off the self-signed cert and to this new one.
At conclusion the server will restart.

After restart the Admin portal should now be serving this new certificate
Active Directory
ISE servers must be joined to Active Directory in order to authenticate users against it and
retrieve group memberships. We’re going to join the example.com domain and select the three
relevant AD groups that we will base policy off of.

Go to Administration--Identity Management--External Identity Sources--Active Directory. And

select “Add”
On Groups tab click “Add” and select the relevant groups for your use case

While you’re in this section, go to Administration--Identity Management--External Identity

Sources--Certificate Authentication Profile-Preloaded_Certificate_Profile. Change the default
‘Use Identity From” selection to “Subject Alternative Name”. See below. The reason this is
used is that’s where the Windows CA User template places the user’s logon name (the CN
contains their full name.)
Add Switch
Adding the lab Catalyst Switch. Adding in SNMPv2c and RADIUS information. That’s at
Administration--Network Resources--Network Devices
Profiling
Now we’re getting to the good stuff. Two excellent in-depth guides and tutorials can be found at
ISE Profiling Design Guide​ by Craig Hyps/Thomas Howard and also Katherine McNamara’s
recent ​ISE Profiling Deep-Dive​.

For the purposes of this article we’ll try to confine profiling to as few probes as possible and
make them across switch/wireless vendors (whenever possible).

Probe Description Notes Enabled by Default

DHCP Acquires Client One of the most Yes

information by its powerful probes
DHCP Discover available
Packet

HTTP Acquires HTTP Redirected web No

User-Agent portals capture the
information if the user-agent without
endpoint is running a the HTTP probe
browser explicitly enabled

RADIUS Leverages Probably the most Yes

Switch/WLC powerful probe and
intelligence (the can be used instead
Device Sensor of DHCP/HTTP
 feature) to provide probes if the
MAC address, switch/WLC supports
DHCP, CDP/LLDP, it
and HTTP User
Agent info

NMAP Direct Querying of NMAP is available in Yes

the endpoint to make some partial profile
more accurate profile matches but not
matches others by default
(such as Windows
Workstations) but can
be directly enabled
by default

SNMPQUERY Direct Query of Used for catchall Yes

switches for MAC endpoints that don’t
address, Port, frequently
CCDP/LLDP (among authenticate or have
others) static IP addresses

SNMPQUERY within Part of the NMAP This is useful to (as part of NMAP
NMAP probe is to SNMP authenticate printers probe)
query the endpoint that serve the correct
for more device SNMP parameters
information and back to ISE
rudimentary IoT
authentication

Active Directory Active Directory Useful for Yes

contains several determining endpoint
attributes for OS and whether this
Windows Joined is a corporate asset
Computers that can
be used for profiling

These profiles are modified via Administration--System--Deployment--Deployment Nodes

List--(server)--Profiling Configuration
Feed Service
The ISE node needs to have Internet access to check for updated Feed profile information
(checked nightly). It’s enabled out of the box but can be sideloaded if needed.

Work Centers--Profiler--Feeds
If you will be using SNMP on endpoint devices (typically IoT like printers) set those custom
community strings at Work Centers--Profiler--Settings--Profiler Settings. You can set multiple
strings, comma separated.

Profiling - Where are we now?

At this point in our network we have the following deployed:

● Active Directory Integration

● Profiling enabled on ISE
○ With NMAP/SNMP
● Switch defined in ISE with available SNMP read access
● Nothing special/additional on Cisco switch (note, going forward we would need more
infrastructure configuration, such as enabling RADIUS on the switch to capture DHCP
information or by adding DHCP helper addresses at the endpoint gateways… or adding
a DHCP span tap). See section on Catalyst Config for reference

With this config ISE will begin profiling all the endpoints connected to switches (just my one lab
switch for example). It will get MAC OUI, IP address (if it’s also collecting SNMP from upstream
gateway that has the ARP cache). And depending on the Profiling policy set, NMAP/SNMP
querying of the endpoint. ​NOTE, by default some endpoint profile types do not have NMAP
actions enabled to minimize the chance ISE will interfere/disrupt the endpoint if it is actively
scanned. Windows Workstations by default do not have NMAP scanning enabled but it can be
by the user. Here’s another quirk of NMAP history, NMAP won’t scan udp/tcp 9001 because
there are some printers out there that will print anything sent on those ports so reams of paper
would be used filled with binary TLS headers, etc if NMAP scanned.

The Active Directory Probe isn’t doing much at this point either because we do not have the
hostname of the endpoint and that is a prerequisite before we can check against Active
Directory for attributes for the endpoint. At this point one could enable the DNS probe to
perform reverse DNS queries to get those names (which should work well as most AD joined
endpoints update Dynamic DNS records).

Profile Weighting (a quick tutorial)

It’s important to note how ISE assigns an endpoint profile to an endpoint. There is a logical
hierarchy that goes from less specific to more specific with each step requiring a ‘Certainty
Factor’ threshold to qualify in each step. The endpoint profile will culminate in all the CF ‘points’
the endpoint has acquired Take this example:

Workstation (minimum Certainty factor is 10)--Linux Workstation (min CF is 10)--Ubuntu (min

CF is 20)

These are a series of gates. And endpoint must match the rules in Workstation to pass on to
passing the rules in ‘Linux Workstation’ before it can be evaluated to be an Ubuntu OS. At the
end of this process, a Ubuntu workstation will be at least 40 (though in practice will likely be
much more as some profile rules contribute more than the minimum CF… or the endpoint
matches several rules, adding more to its CF. The final CF determines whether ISE determines
this is a Ubuntu Linux Workstation.

Here’s an actual Ubuntu example:

The underlined attributes were how it arrived at this decision. Dhcp-class-identifier is ‘Linux’
meets the Linux-Workstation profile. The DHCP parameter list and hostname (contains
‘ubuntu’) trips it into the Ubuntu-Workstation profile. The total certainty factor is 80 from these
pieces.

So let’s take it one step further and check if SNMP is running on this endpoint and that it has
proper SysID values to assign it a ‘corporate’ profile setting (note this use case applies equally
to any IoT device that can run SNMP agents).
The certainty factor is now 110 that this is a Ubuntu Workstation Corporate asset. So how did I
build this policy?

Ubuntu Corporate Workstation Profile

So how did I build this policy for ‘Ubuntu-Workstation-Corporate_Local’?

Start by adding a Profiling Condition that looks for a specific SNMP systemcontact (SysContact).
Navigate to Policy--Policy Elements--Conditions--Profiling and add new (note I just used the
contact, but you can make partial/exact matches on several SNMP values, like Description or
location or name):

While you’re here in the conditions, note that I added a custom Ubuntu check for a new set of
DHCP requested parameters list because the feeder conditions did not match my lab Ubuntu
18.04.1LTS load. This is a great exercise for custom IoT devices and making custom matches
(note a lot of customers will make custom matches for DHCP User Class ID to denote customer
controlled assets):

Next step is to tweak the built-in Profiler Policy for Ubuntu-Workstation. This is at
Policy--Profiling--Profiling Policies--Ubuntu-Workstation. I made two tweaks. The first is I’m
now checking for the updated DHCP Parameter List outlined above. Second tweak is I’m
enabling an SNMP if any of the 4 Profiling conditions are met (you can see that in the following
screenshots)
And that’s it, this one is done.

Ubuntu Corporate Asset Configuration (SNMP and DHCP)

For details on how I made Ubuntu be a “corporate asset”, install snmpd (use this ​guide​). My
snmpd.conf file includes these relevant lines (you can find their placement when you open your
copy of /etc/snmp/snmpd.conf:

agentAddress udp:161,udp6:[::1]:161
rocommunity [community string] 192.168.150.0/24
sysLocation PoC Rack
sysContact [email protected]

And for DHCP, edit /etc/dhclient.conf

Uncomment the line:
send dhcp-client-identifier [some string];
And add:
send vendor-class-identifier “Linux”;

For Windows workstations using the built-in Active Directory Probe nicely handles if it’s a
company asset instead of doing SNMP checking. That will be called out in the Easy Connect
section next.

Logical Profiles
Logical Profiles are a grouping of several profiling policies that will be invoked in future policy
actions. I’ll simply make these three now and their use will be apparent later on. And also for
more ​information​.

Name Purpose

Windows To group all Windows OS Workstations

MacOS To group all Windows OS Workstations

Approved Linux Workstations All Linux workstations that respond to SNMP

querying

Navigate to Policy--Profiling--Logical Profiles

Click “Add” and fill out these Logical Profiles:

Windows
MacOS

Linux (note that you could easily add multiple “flavors” of Linux desktops with this construct)
Easy Connect/PassiveID
Definition: PassiveID identifies Active Directory users logging into AD joined computers (it’s the
basis of the ISE-PIC offering but the same capability is in the main ISE suite). It’s completely
out of band feature and does not require any participation/configuration from any switch/wlc. It’s
basically between ISE and Active Directory. There are several probes that can get this data but
I will just be using WMI. To enable PassiveID and learn more see this ​guide​. Showing config
steps here for completeness:

Administration--System--Deployment--Deployment--Node General Settings

Begin monitoring the Domain Controller(s) for login data here: Work
Centers--PassiveID--Providers--Active Directory--PassiveID
I manually ‘Add(ed) DC’ and then click Config WMI (it will log into the DC using previously
provided AD admin credentials.

Then I loaded up a Win10 computer. Before it was added to the domain, this is how it was
profiled.
And after I joined it to the domain
PassiveID shows the user at Work Centers--PassiveID--Overview--Live Sessions
To get the passiveID record in as an attribute to the endpoint we need to modify the
Authorization Profile to track PassiveID. That is done at Policy--Policy
Elements--Results--Authorization--Authorization Profiles

I created a new profile specifically to track PassiveID

And apply that profile to the Policy step this host is hitting (Policy--Policy
Sets--Default--Authorization Policy):

Now the attributes tab of the endpoint shows that gaquinn is logged into this endpoint
Summary
There has been no NAC at this point. We’re profiling endpoints and determining corporate
asset Linux and windows 10 workstations (with user identity).

EasyConnect utilizes this PassiveID information to enforce real NAC policies (such as deny
access or grant partial network access).

Another advanced use case for PassiveID is to use Machine certificates for 802.1X access but
also capture real person identity on the machine. This can be powerful instead of granting user
certificates.

And by the way, when I joined this windows 10 client, GPO autoconfigured its 802.1X NAC
settings (not yet used since the switch isn’t configured for it) and pushed certificates to it
(machine and user). Here is what it looks like on the client side (which will be used later):
Client Provisioning

Objective: Now we’re getting into actual policy creation and enforcement. It’ll be more Policy
and Portals at this point. This Client Provisioning Portal is dual purposed: to provision
Anyconnect for clients that don’t have it and to receive the posture report from the client (in the
same motion if the client is being installed for the first time).

For reference, here is how the pieces of client provisioning fit in ISE:
Bootstrapping ISE

Enable automatic client downloading (they can be downloaded one by one but this can shortcut
it). Note we will have to manually upload the anyconnect client in a subsequent step.

This is at Administration--System--Settings--Client Provisioning

While you’re in this same section make an update to Posture--Updates. Set it to automatically
check for updates and click the ‘update now’ button.

Download Anyconnect clients from Cisco’s ​website​.

I downloaded this windows client (same logic applies for mac os)
Now let’s move over to Policy--Policy Elements--Results--Client Provisioning--Resources

Choose “Add from Local Disk” and specify that it’s a Cisco provided package.

Also grab the VPN_Service_Disable profile from ​here​ and upload it the same way (except it’s a
“Customer Created Package”). It’s pasted here for completeness (save it to your file system
with .xml extension)

<?xml version="1.0" encoding="utf-8"?>

<!--
Cisco AnyConnect VPN Profile -

This profile is a sample intended to allow for the disabling of VPN

service
for those installations that do not require VPN support.
-->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/
AnyConnectProfile.xsd">
<ClientInitialization>
 <ServiceDisable>true</ServiceDisable>
</ClientInitialization>
</AnyConnectProfile>

ISE Posture Configuration Profile

This is the configuration that tells the client how to connect to ISE and whether to show itself to
users (aka Stealth Mode). We’ll build a simple one from scratch here but is generally ok for
production use. Go to Policy--Policy Elements--Results--Client Provisioning and Click ‘Add’
and then ‘Anyconnect Posture Profile’. Mine looks like this (note you can toggle stealthmode
and stealthmode notifications in this page). For more info and caveats on stealthmode check
this ​guide​. Basically stealthmode is exactly what it sounds like: Anyconnect will run as a service
and no information will be shown to the enduser.
The only defaults I changed are in the Posture Protocol Section shown below. Note that this is
to give the client automatic information on how to find a Posture server without a formal URL
redirection happening at login. See this tech ​note​ on this new capability in 2.2.

Previously it was advised to create a cpp.example.com DNS A Record. CPP is an acronym for
‘client provisioning portal’. This piece informs the client to connect to this portal without a URL
redirection.

We must also tell the CPP portal that its name is ‘cpp.example.com’. That’s set at
Administration--Device Portal Management--Client Provisioning. Click the default portal labeled
‘Client Provisioning Portal (default)’. And put in that quick change (and also add in ​who​ can use
this portal). Customization of the Portal is also set here but we’ll leave it as defaults.
Now we need to create an Anyconnect Configuration that ties together the NoVPN profile and
the Posture Config. Head back to Policy--Policy Elements--Results--Client
Provisioning--Reources. Click ‘Add’ and Anyconnect Config. Mine is named AC_Example and
is shown below (note for values not shown, they were the defaults)
Now we have to tell ISE to deliver this Anyconnect Config when a user is sent to the Client
Provisioning Policy. That is Policy--Client Provisioning--Client Provisioning Policy. It defaults
Windows and MAC OS to use the temporal scanning policy. We’ll set the Windows one to use
the new AC config for a full agent
Note we’re not done yet. In the General Policy setting we’ll reference how to send clients to
CPP to get their agent and its configuration.

Posture
The Posture Policy is the set of policy rules and remediations that the client’s endpoint must
satisfy to be considered compliant. A full list of items that can be checked is ​here​.

At a high level Posture authentications are handled by these 6 steps:

I made a handy picture for how Posture Policy components are used:
For the purposes of this document we will simply check for these five:

Requirement Remediation Note

Endpoint Firewall Running Message to the user Anyconnect can automatically

enable the FW.

Missing file in the file system Message noting that this not Registry files, processes can
a corporate image also be used
 Running AntiMalware Message to the user Any AntiMalware will satisfy
this

Hardware Inventory N/A Retrieves the hardware

profile

Installed/Running Program N/A Retrieves the software profile

Inventory

First step is to build the requirements (note, looking at the above flow image, we’re going from
the bottom up instead of top down). All but the file check condition from the table are built-in but
I will show them all here for completeness.

Conditions

Navigate to Policy--Policy Elements--Conditions--Posture. Take note of the built-in Firewall

(note the built-in Firewall check looks for any running firewall but a user defined condition can
look for specific firewall(s) that the organization may use.
Let’s add the three new ones starting with a File Condition that looks for a specific file on the file
system (useful for fingerprinting Gold Image loads or potentially for out of date images).
Looking for registry keys or Services.

Navigate to File Conditions and click ‘add’. I picked generic options but there is more power to
find a specific hash file (or file date) in any specific place in the file system. I’m only looking for
c:\test.txt on windows operating systems.
Requirements
Now that the conditions are built, let’s wrap them as Requirements. We only need to create a
new one for the custom File Check one.

Navigate to Policy--Policy Elements--Results--Posture--Requirements

I wish there was an ‘add’ button but instead you create new Requirements by hovering by the
Edit button of an existing rule and choose ‘Insert New Requirement’. Demonstrated here:
My File System Check is listed here (note test_txt will be found in that box under User Defined
Conditions--File Conditions):

Note the other Requirements from the table are built in but they are screenshot here for
completeness
Posture Policy
This is where everything comes together. The Policy isn’t a ‘first match exit’ style. So the order
does not matter. Everything that matches a user/operating system/and other defined criteria,
will be subjected to the Posture rule. An endpoint is considered compliant if it checks true for
every posture rule it’s subjected to. Most of the items we’re using in our scenario just need to
be enabled (they’re already written). Navigate to Policy--Posture.

Enable the Firewall requirement for Windows/Anyconnect like so (click ‘Edit’ in the far right and
change the status column on the far left):

Hardware:
Application Visibility:

Antimalware:

And lastly create the File Policy check by clicking ‘Edit’ beside any rule and ‘Insert New Policy’.
Mine looks like this:

Anomalous Behavior Detection

This is an antispoof policy to determine if security controls are being evaded. Basically it’s
looking to see if someone is mac spoofing a printer/phone or is just completely different than
what the authentic MAC address is presenting. The exact configuration and detailed
capabilities are documented ​here​.

In this guide we will enable detection and enforcement. In production I’d advise caution and
begin with Detection to minimize potential disruption. Note it’s unlikely to trip this feature in a
PoV or trial, without explicitly trying to.

Enable the feature with Administration--System--Settings--Profiling.

The Policy to use this new feature will be documented in the General Policy section coming up
next.

General Policy
This section puts together all the constructs and applies it to incoming user authentication
requests. Notably the Authentication and Authorization steps.

Bootstrapping
This builds out the building blocks of Authorization Policies, notably dACLs and Authorization
Profiles. But starts with Captive Portals

Captive Portals

We’ll be creating three captive portals that are doing different things. Defined:

Client Provisioning Portal​ - Users are sent to this portal to be provisioned (and then postured)
with Anyconnect. Or if Anyconnect is already installed, perform posture only.

Profiling Portal​ - Technically a Hot Spot portal to present a user with a webpage stating that the
network is trying to ascertain what kind of endpoint this is. ISE should be able to grab a
user-agent string from the endpoint, assign a profile and then re-send it through the
Authorization policy again.

Central Web Authentication​ - Used for MAC and Linux endpoints that are not supported with
PassiveID in order for them to authenticate to the network.
For ​Client Provisioning Portal (CPP)​, navigate to Work Centers--Posture--Client
Provisioning--Client Provisioning Portal. Note the built-in portal named: Client Provisioning
Portal (default). We can use this same portal, just give it a FQDN (cpp.example.com) as in this
picture:

Profiling Portal​. Navigate to Work Centers--Guest Access--Portals & Components--Guest

Portals. Click ‘Create’ and ‘Hotspot Guest Portal’. Mine looks like the below. Click to save
when done.
And let’s click the Portal Page Customization to add a little more info for the user to see if they
land on this portal:
(​Hold on, we're trying to figure out what you are. You may have to reboot your PC after 90 seconds if
you are wired connected.)

Central Web Authentication

As before, navigate to Work Centers--Guest Access--Portals & Components--Guest Portals.

Click Create and choose “Sponsored-Guest Portal” as the type.
Here is a look at my CWA. I take out most of the steps to make it as frictionless as possible.
Most things are deselected (illustrated here)
Downloadable ACLS (​dACLS)
This section will build the dACLS that will be used throughout the Policies. All dACLs are
housed in Policy--Policy Elements--Authorization--Downloadable ACLS.

This is the included list:

ISE_Profiling
​#This will allow the endpoint to use AD DNS and Kerberos and permits access to ISE for
#NMAP probing and captive portals
permit ip any host 192.168.150.10
permit ip any host 192.168.150.50
ISE_Profiling_internet
#same as above but gives the endpoint Internet Access
#this may be useful for posture conditions when the computer needs Windows updates or smartscreen
#to run
permit ip any host 192.168.150.10
permit ip any host 192.168.150.50
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.12.255.255
permit ip any any
Printer
#useful to only allow profiled printers to accept print jobs
permit udp any eq 9100 any
Teller
#dACL for Tellers to access the DC but nothing else
permit ip any 192.168.150.0 0.0.0.255
Finance

This dACL allows Finance to get to the DC but no other RFC1918 space. Also allows internet
access
Authorization Profiles
To set the authorization profiles navigate to Policy--Policy Elements--Results--Authorization
Profiles. Click Add

The Client Provisioning Portal Policy. This policy steers the session to the CPP portal. It also
applies a dACL to the user and cites a named ACL for web redirection (that must live on the
switch). That redirect ACL is listed here for completeness:

ip access-list extended CISCO-CWA-URL-REDIRECT-ACL

deny ip any host 192.168.150.10
deny ip any host 192.168.150.50
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
permit tcp any any eq www
Central Web Authentication policy for sending (approved) Linux workstations and MacOS
endpoints in order to retrieve their AD credentials in order to gain access
Profiling Policy, this will be a policy that grants limited access to the network while ISE inspects
it.
ISE Profiling Policy with User Acceptance Policy (basically the same as above but includes a
Hot Spot Redirection so ISE can capture the user agent string if the endpoint is running a
browser
Finance Authorization Policy (for users that are in the Finance AD group)
Teller Authorization Policy (for users that are in the Teller AD group)

For Network Architects (or really anyone that needs full access) this policy will lay down a permit
ip any any dACL
Authentication Policy MAB

We will notably use the defaults whenever possible. Navigate to Policy--Policy Sets. It should
look like this (the default):
Profiling Authorization Rules
This use case is straight wired MAC Auth Bypass (MAB) and profiling. Simply stated there are
only two Authorization rules:

if Windows OS (notably determined by DHCP/RADIUS/AD probes), only allow it access to AD

infrastructure and to ISE for PassiveID (used in another use case).

If Anything else, only allow it access to AD/ISE but also provide it with a Hotspot captive portal
in order to do HTTP User Agent detection and provide for an NMAP scan.

Slide into this Default Policy and it should look like this

Expand the Authorization Policy section and there will be 12 built-in items.

The item (next to the end) is “Basic_Authenticated_Access”. This is a catchall that will permit all
access. We’ll change it (and the very last one named “Default”) so they will be ​Authenticating
rules. It should look like this when finished:
With this config not much access will be granted. Only phones and printers (the default rules)
will be allowed. And any detected Windows workstations will only be able to communicate to
AD (including DNS) and ISE. Non Windows workstations will be hit with a captive portal

For example:

Easy Connect Authorization

Now that we have Profiling at work, it’s just another couple of Authorization rules to put in Easy
Connect identity AND segmentation. First housekeeping: we have to tell ISE that any
endpoints that land on the ISE_Profiling (and ISE_Profiling_UAP for good measure) need to be
checked against Windows AD for AD logons. Navigate to Policy--Policy
Elements--Results--Authorization--Authorization Profiles. And edit those two like so:

Now, we just need to add in new authorization rules that will send a unique dACL based on AD
group membership:
And that’s all. Some sample testing:

When Bob Cole logs in (same workstation) his permissions change to match his Teller role:
Ubuntu (and MAC) Connect Authorization

This one is pretty simple, just need to add in a few lines. At this point we’ve discovered
corporate asset Linux. So now we present those endpoints with a captive portal to pass its AD
credentials. Based on those creds we grant it access and push the relevant dACL. See the
new rules (note we could also add in duplicates for Teller and Finance but are leaving it for just
Architects because most likely those would be who would have that access).

I number the steps the endpoint would take through this sequence:

1. Brand new endpoints would go to step 1 where we NMAP/SNMP scan and determine if
it’s a Corporate Linux workstation (or MacOS). This is only done for the very first time an
endpoint is ever seen
2. This presents the Corporate Linux workstation or MacOS a Captive Portal to retrieve and
authenticate their AD Credentials
3. This is where we send enforcements to the switchport if the Corp Linux/MacOS
workstation if the user’s account is in the Architect AD group. Note the ‘guest_flow’
qualifier, that is a built-in construct that basically says we won’t apply this rule unless the
session has been previously authenticated by a Captive Portal
From the client’s perspective it would look like the following. Note that the text shown to the
user (along with branding and color schemes) are customizable. Also it is possible to have ISE
immediately CoA reauth this first step when we determine this is a Corporate Linux endpoint.
But decided to keep it simpler for this. And even those measurements would not work if the
endpoint is hardwired behind an IP Phone.
This same flow would work fine for MacOS. And you can further disaggregate the policy to say
only admins and developers can use Linux workstations and only Marketing and C-Suites use
MacOS for an example.

Posture
Now we’ll stitch in Posture checking. We’ll use a very narrow use case of Windows (though
MacOS can easily be added with that flow and will be screenshotted for reference). The
“waterfall” flow is illustrated here. The first two blocks already exist per the config at this point
and the constructs for the last two also exist, we just need to get it in policy.
The new policy steps listed here (and should be available for you at this point in the guide if
you’ve built these blocks from previous steps):

So what does look like for an end-user’s perspective? Let’s see for a brand new AD Joined
computer that has not been seen and does not have Anyconnect software.

First step is user is redirected to the captive portal where they’ll be pushed to download and
install Anyconnect Client, illustrated here. Note that client would most likely be deployed
through software distribution channels like SCCM but can be deployed (and updated) this way.
Also note that the smartscreen notice is illustrating that the endpoint cannot reach Microsoft
over the Internet and can be taken out of the end-user visibility but is left here for information.
Note that Windows is showing lack of Internet access (the system tray indication beside the
speaker icon); which is fitting since Bob Cole’s role does not have Internet access, only limited
internal access. This notification can be disabled in Windows GPO.
And the view for ISE is below:

And the posture report for this endpoint

Bonus Credit​: this is what it looks like for MacOS Captive Portal and Anyconnect Posture
(splitting out MAC and Linux policies from above, it will work just fine)

Anomalous Behavior Detection

Probably the simplest configuration of all. You can review (and make sure you enabled the
service) the ​section​ detailing what this capability is.

The policy for making use of it is super easy. Go to Policy--Policy Sets--Default--Authorization

Policy - Local Exceptions. Add in what you see below:
Basically if an endpoint acquires the Anomalous attribute flag it will immediately be boxed in and
only be able to communicate with the ISE servers. Other options could be to add in more
remediation servers or simply deny access outright (and follow up notification).

802.1X Variant
This is the penultimate section and will simply illustrate how this policy would look using 802.1X
instead of MAB to make the authentication flows happen. Everything else (profiling and posture
notably) are exactly the same. If you followed the ​section​ on GPO and Client Certificates, the
Windows endpoints should try for 802.1X EAP-TLS using their certificates.

Note this could be combined with MAB policies: Windows workstations could use 802.1X and
Mac/Linux/IoT can use MAB.

Go to Policy--Policy--Sets. Add a new Policy set by clicking on the gear on the right hand side
of the Default policy and choose “insert new row above”

Make yours look like mine (basically any wired 802.1X requests will take the new policy set
because it’s ordered sooner):

Authentication Policy
Authorization Policy
One little tweak you’ll notice is I negate Posture Compliance so that only endpoints that are not
checked as compliant will match it. That signals to ISE that this endpoint needs to go through
the Client Provisioning Portal to be checked or to have a client installed and then be checked for
compliance.

Conclusion

You made it to the end. Hopefully you found this helpful in general or even partially. Some new
tips and tricks are always beneficial. ISE is a quality product that takes some skill and risk to
master… as you can see most of it is having it work well with AD and network infrastructure.
Ask questions and try to make it do new and different things and you will most likely be
rewarded for your efforts. Happy NAC’ing!