ISE Wired PoC Prescriptive Guide v.5
ISE Wired PoC Prescriptive Guide v.5
Summary 2
Diagram 4
Diagram Note 4
Code Versions 5
ISE Installation 6
Summary 6
VM Resources 6
Catalyst3560 Configuration 6
ISE Configuration 45
Bootstrapping 45
General 45
Navigation Howto 46
Certificates 46
Active Directory 52
Add Switch 54
Profiling 56
Feed Service 59
Profiling - Where are we now? 60
Profile Weighting (a quick tutorial) 61
Ubuntu Corporate Workstation Profile 63
Ubuntu Corporate Asset Configuration (SNMP and DHCP) 66
Logical Profiles 67
Easy Connect/PassiveID 69
Summary 76
Client Provisioning 78
Bootstrapping ISE 79
ISE Posture Configuration Profile 82
Posture 86
Conditions 88
Requirements 92
Posture Policy 94
Anomalous Behavior Detection 95
General Policy 96
Bootstrapping 96
Captive Portals 96
Downloadable ACLS (dACLS) 103
Authorization Profiles 109
Authentication Policy MAB 117
Profiling Authorization Rules 118
Easy Connect Authorization 119
Ubuntu (and MAC) Connect Authorization 122
Posture 124
Anomalous Behavior Detection 131
802.1X Variant 132
Authentication Policy 132
Authorization Policy 133
Conclusion 133
Summary
Appalachian moonshiners operate in quick fashion, building their operations from the ground up,
brick by brick, for every run they make. Then they tear it all back down, move on and do it again
elsewhere. ISE wired demonstrations & use cases are a lot like that, lots of moving parts that
can prove daunting if you’ve never done it before and highly combustible when done incorrectly.
This guide is for those inexperienced individuals.. It’s only intended to show some nifty and
powerful use cases that a lot of customers either want or don’t know they want. There are tons
of other content out there for specific knobs or capabilities, but this is looking to be a more
complete guide.
Diagram Note
This was done largely on:
MacOS 10.14.5
Summary
Hopefully you know the general steps to install an ISE VM. This will note tips/tricks as we go.
This published guide is also quite helpful in installing on VMware (as well as hyper-v and KVM).
VM Resources
Note 200GB Thick Provisioned. For vCPUs, did 1 core x 2 Sockets (the default eval OVA
install). 8GB mem by default. Note you can always slide these higher to suit taste.
vNic was all e1000 (the default OVA option). 6 vNics were installed. Left them all on the same
network and only connected one of them.
Note ISE will install with 100GB but most likely won’t be able to be upgraded to newer versions
because the disk space isn’t available just to do the upgrade. Might be fine just for one and
down proof of concepts.
Catalyst3560 Configuration
aaa group server radius lab
server name lab
!
aaa authentication dot1x default group lab
aaa authorization network default group lab
aaa accounting dot1x default start-stop group lab
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.150.50 server-key [password]
!
!
!
device-sensor filter-list cdp list cdp-list
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name platform-type
!
device-sensor filter-list lldp list lldp-list
tlv name system-name
tlv name system-description
!
device-sensor filter-list dhcp list dhcp-list
option name host-name
option name domain-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor accounting
device-sensor notify all-changes
ip routing
!
!
ip dhcp snooping vlan 1,51-53,99,250-252
no ip dhcp snooping information option
ip dhcp snooping
no ip igmp snooping
!
!
!
!
!
!
!
!
dot1x system-auth-control
!
device classifier
!
!
!
!
!
lldp run
!
!
!
!
!
interface GigabitEthernet0/1
description Uplink
switchport mode trunk
ip dhcp snooping trust
!
interface GigabitEthernet0/8
description Link to ISE PassThrough
switchport access vlan 250
switchport mode access
switchport voice vlan 251
ip access-group ACL-DEFAULT in
authentication host-mode multi-auth
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 2
spanning-tree portfast edge
!
interface Vlan150
description Server VLAN
ip address 192.168.150.1 255.255.255.0
!
interface Vlan250
description Access VLAN
ip address 172.16.150.1 255.255.255.0
ip helper-address 192.168.150.10
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
!
ip access-list extended ACL-DEFAULT
permit ip any host 192.168.150.10
permit ip any host 192.168.150.50
permit udp any eq bootpc any eq bootps
deny ip any any
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL
deny ip any host 192.168.150.10
deny ip any host 192.168.150.50
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
permit tcp any any eq www
permit tcp any any eq 443
!
snmp-server community [community] RO
snmp-server community [community] RW
snmp ifmib ifindex persist
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server lab
address ipv4 192.168.150.50 auth-port 1812 acct-port 1813
pac key [secret]
General Setup
I had some spare windows server activation keys laying around from MSDN days. Most
customers will bring their own AD so a lot of this will largely be handled prior.
● 1 vCPU
● 40GB Disk (thick provisioned)
● 4GB Memory
Note this initial patching takes a long time. Probably a good hour of fetching/installing. 3GB+ in
updates, 3 reboots.
Change the server name from the auto generated name (not crucial but not simplifies things)
Tip: I use ‘example.com’ as my AD name. While you can use anything you want, it’s
discouraged to use .local domains as they have special meaning for mDNS applications and
some Linux OSs will not care for resolving .local domains as a standard domain. See this link
for more information on this issue.
Remote Desktop Access (Optional)
Found it tremendously helpful to enable RDP services to the server to configure the other
settings.
Active Directory Domain Services
This online guide should be easy enough to follow to setup ADDS for the first time. There are
other, similar links out there to help. The biggest takeway is to not get hung up about no DNS
server turned up (this setup will enable DNS services on this VM).
This is the message you can safely skip over, the server promotion will create all the required
DNS server/zone configurations.
And you can ignore these warnings:
Users and Groups
Example Inc is a Financial institution (a Credit Union or a Bank) and as such there will be three
different roles that will directly influence IP access. These are the accounts we’ll be creating
(and corresponding groups):
Pro Tip Add in email addresses into the user accounts. This value is used for automatic client
certification generation in the CA step later in this guide
DNS Settings
After ADDS installation and promotion DNS server is properly installed and these should be
where we are:
Some DNS records need to be created for ISE to function. They’re listed below:
DHCP
I’m using MS DHCP server in my lab because that’s what most organizations will be using so
I’m enclosing it here for completeness. The DHCP server is installed by the same ‘Add Roles
and Features’ wizard, taking the defaults.
I loaded up two DHCP scopes (one for Voice and one for Data). Additional ones could be used
for Guest, Quarantine, etc.
IIS Server
The IIS Server is required in order to access the Certificate Services web interface, so install
that before the CA. Just take the defaults:
Optional: Enable HTTPS on the web server (you may have to bounce back to this step after you
install the CA server). While not required, it’s good security hygiene
Lastly navigate to the URL (https://<name>/certsrv) and login (any user works but I used the
Administrator account)
CA Templates
The purpose of using CA Templates is to automatically provision each user and computer their
own certificate when they log into the domain. The workstation (aka machine) certificate is
automatically setup in AD but the user template needs to be built. As before, all relevant
configurations are shown:
Right click on Certificate Templates and choose Manage. This should bring up the templates.
Now we can issue certificates automatically via GPO pushes. Let’s set that (we can control the
method the clients connect by setting it on the Catalyst switchport).
Bootstrapping
General
Just to level-set, this was my VM setup parameters for this lab. Two things of note here: the
use of UTC versus local timezones. Just go with whatever your organization’s standards are
(most multi-timezone orgs will default to one timezone or possibly use UTC). Just note that ISE
cannot easily (or even possibly) be changed from the timezone you pick here, so choose wisely.
Second point, I enabled SSH to the node. Most likely you wouldn’t leave this available in a
production environment and it can easily be turned off after install.
ISE installs with a 90 day eval (all features enabled licensed). You can safely ignore any
license warnings after you log into the GUI
Navigation Howto
I will reference GUI position by hierarchy. Basically ISE is configured top down by tabs and
then left to right from the column slider and into the main page. Here’s an example, I’d
recommend you disable password expiration for the admin account by going to
Administration--System--Admin Access--Authentication--Password Policy--Password Lifetime
Here’s an example
Certificates
Certificates are used predominantly in ISE, to form EAP tunnels and serve web portals. For the
use cases here we will only install 2 certs in ISE. One will be the internal CA root certificate and
the second will be a wildcard certificate for ISE signed by the internal CA. Typically you will
purchase a 3rd party certificate for ISE when used for Guest portals (which isn’t a use case
outlined here). Aaron Woland’s cert tutorial is still excellent and available here.
First step is to grab the root CA by navigating to the CA URL @ http://<IP Address>/CertSrv (in
my example I’m using https://192.168.150.10/CertSrv). Log in as the administrator user
This downloads a file named certnew.cer. In the ISE GUI navigate to
Administration--System--Certificates--Certificate Management--Trusted Certificates. Click
Import
This is what mine looks like
Now it’s time to generate a CSR and have it signed by the WinCA. Navigate to
Administration--System--Certificates--Certificate Management--Certificate Signing Requests and
Click Generate CSR
Navigate back to https://<ip address>/CertSrv and choose ‘Request a certificate’ and then
‘advanced certificate request’ (if you’re not logged in with an administrative account you may not
have access to this option or the Web Server template we need.
Paste in the CSR text data and choose the web server template
Click Submit and download the cert in Base64 format (should come down as ‘certnew.cer’ or
possibly ‘certnew(1).cer’ if the Win CA cert is also in the directory.
After restart the Admin portal should now be serving this new certificate
Active Directory
ISE servers must be joined to Active Directory in order to authenticate users against it and
retrieve group memberships. We’re going to join the example.com domain and select the three
relevant AD groups that we will base policy off of.
For the purposes of this article we’ll try to confine profiling to as few probes as possible and
make them across switch/wireless vendors (whenever possible).
SNMPQUERY within Part of the NMAP This is useful to (as part of NMAP
NMAP probe is to SNMP authenticate printers probe)
query the endpoint that serve the correct
for more device SNMP parameters
information and back to ISE
rudimentary IoT
authentication
Work Centers--Profiler--Feeds
If you will be using SNMP on endpoint devices (typically IoT like printers) set those custom
community strings at Work Centers--Profiler--Settings--Profiler Settings. You can set multiple
strings, comma separated.
With this config ISE will begin profiling all the endpoints connected to switches (just my one lab
switch for example). It will get MAC OUI, IP address (if it’s also collecting SNMP from upstream
gateway that has the ARP cache). And depending on the Profiling policy set, NMAP/SNMP
querying of the endpoint. NOTE, by default some endpoint profile types do not have NMAP
actions enabled to minimize the chance ISE will interfere/disrupt the endpoint if it is actively
scanned. Windows Workstations by default do not have NMAP scanning enabled but it can be
by the user. Here’s another quirk of NMAP history, NMAP won’t scan udp/tcp 9001 because
there are some printers out there that will print anything sent on those ports so reams of paper
would be used filled with binary TLS headers, etc if NMAP scanned.
The Active Directory Probe isn’t doing much at this point either because we do not have the
hostname of the endpoint and that is a prerequisite before we can check against Active
Directory for attributes for the endpoint. At this point one could enable the DNS probe to
perform reverse DNS queries to get those names (which should work well as most AD joined
endpoints update Dynamic DNS records).
It’s important to note how ISE assigns an endpoint profile to an endpoint. There is a logical
hierarchy that goes from less specific to more specific with each step requiring a ‘Certainty
Factor’ threshold to qualify in each step. The endpoint profile will culminate in all the CF ‘points’
the endpoint has acquired Take this example:
These are a series of gates. And endpoint must match the rules in Workstation to pass on to
passing the rules in ‘Linux Workstation’ before it can be evaluated to be an Ubuntu OS. At the
end of this process, a Ubuntu workstation will be at least 40 (though in practice will likely be
much more as some profile rules contribute more than the minimum CF… or the endpoint
matches several rules, adding more to its CF. The final CF determines whether ISE determines
this is a Ubuntu Linux Workstation.
So let’s take it one step further and check if SNMP is running on this endpoint and that it has
proper SysID values to assign it a ‘corporate’ profile setting (note this use case applies equally
to any IoT device that can run SNMP agents).
The certainty factor is now 110 that this is a Ubuntu Workstation Corporate asset. So how did I
build this policy?
While you’re here in the conditions, note that I added a custom Ubuntu check for a new set of
DHCP requested parameters list because the feeder conditions did not match my lab Ubuntu
18.04.1LTS load. This is a great exercise for custom IoT devices and making custom matches
(note a lot of customers will make custom matches for DHCP User Class ID to denote customer
controlled assets):
Next step is to tweak the built-in Profiler Policy for Ubuntu-Workstation. This is at
Policy--Profiling--Profiling Policies--Ubuntu-Workstation. I made two tweaks. The first is I’m
now checking for the updated DHCP Parameter List outlined above. Second tweak is I’m
enabling an SNMP if any of the 4 Profiling conditions are met (you can see that in the following
screenshots)
And that’s it, this one is done.
agentAddress udp:161,udp6:[::1]:161
rocommunity [community string] 192.168.150.0/24
sysLocation PoC Rack
sysContact [email protected]
For Windows workstations using the built-in Active Directory Probe nicely handles if it’s a
company asset instead of doing SNMP checking. That will be called out in the Easy Connect
section next.
Logical Profiles
Logical Profiles are a grouping of several profiling policies that will be invoked in future policy
actions. I’ll simply make these three now and their use will be apparent later on. And also for
more information.
Name Purpose
Windows
MacOS
Linux (note that you could easily add multiple “flavors” of Linux desktops with this construct)
Easy Connect/PassiveID
Definition: PassiveID identifies Active Directory users logging into AD joined computers (it’s the
basis of the ISE-PIC offering but the same capability is in the main ISE suite). It’s completely
out of band feature and does not require any participation/configuration from any switch/wlc. It’s
basically between ISE and Active Directory. There are several probes that can get this data but
I will just be using WMI. To enable PassiveID and learn more see this guide. Showing config
steps here for completeness:
Then I loaded up a Win10 computer. Before it was added to the domain, this is how it was
profiled.
And after I joined it to the domain
PassiveID shows the user at Work Centers--PassiveID--Overview--Live Sessions
To get the passiveID record in as an attribute to the endpoint we need to modify the
Authorization Profile to track PassiveID. That is done at Policy--Policy
Elements--Results--Authorization--Authorization Profiles
Now the attributes tab of the endpoint shows that gaquinn is logged into this endpoint
Summary
There has been no NAC at this point. We’re profiling endpoints and determining corporate
asset Linux and windows 10 workstations (with user identity).
EasyConnect utilizes this PassiveID information to enforce real NAC policies (such as deny
access or grant partial network access).
Another advanced use case for PassiveID is to use Machine certificates for 802.1X access but
also capture real person identity on the machine. This can be powerful instead of granting user
certificates.
And by the way, when I joined this windows 10 client, GPO autoconfigured its 802.1X NAC
settings (not yet used since the switch isn’t configured for it) and pushed certificates to it
(machine and user). Here is what it looks like on the client side (which will be used later):
Client Provisioning
Objective: Now we’re getting into actual policy creation and enforcement. It’ll be more Policy
and Portals at this point. This Client Provisioning Portal is dual purposed: to provision
Anyconnect for clients that don’t have it and to receive the posture report from the client (in the
same motion if the client is being installed for the first time).
For reference, here is how the pieces of client provisioning fit in ISE:
Bootstrapping ISE
Enable automatic client downloading (they can be downloaded one by one but this can shortcut
it). Note we will have to manually upload the anyconnect client in a subsequent step.
Choose “Add from Local Disk” and specify that it’s a Cisco provided package.
Also grab the VPN_Service_Disable profile from here and upload it the same way (except it’s a
“Customer Created Package”). It’s pasted here for completeness (save it to your file system
with .xml extension)
This is the configuration that tells the client how to connect to ISE and whether to show itself to
users (aka Stealth Mode). We’ll build a simple one from scratch here but is generally ok for
production use. Go to Policy--Policy Elements--Results--Client Provisioning and Click ‘Add’
and then ‘Anyconnect Posture Profile’. Mine looks like this (note you can toggle stealthmode
and stealthmode notifications in this page). For more info and caveats on stealthmode check
this guide. Basically stealthmode is exactly what it sounds like: Anyconnect will run as a service
and no information will be shown to the enduser.
The only defaults I changed are in the Posture Protocol Section shown below. Note that this is
to give the client automatic information on how to find a Posture server without a formal URL
redirection happening at login. See this tech note on this new capability in 2.2.
Previously it was advised to create a cpp.example.com DNS A Record. CPP is an acronym for
‘client provisioning portal’. This piece informs the client to connect to this portal without a URL
redirection.
We must also tell the CPP portal that its name is ‘cpp.example.com’. That’s set at
Administration--Device Portal Management--Client Provisioning. Click the default portal labeled
‘Client Provisioning Portal (default)’. And put in that quick change (and also add in who can use
this portal). Customization of the Portal is also set here but we’ll leave it as defaults.
Now we need to create an Anyconnect Configuration that ties together the NoVPN profile and
the Posture Config. Head back to Policy--Policy Elements--Results--Client
Provisioning--Reources. Click ‘Add’ and Anyconnect Config. Mine is named AC_Example and
is shown below (note for values not shown, they were the defaults)
Now we have to tell ISE to deliver this Anyconnect Config when a user is sent to the Client
Provisioning Policy. That is Policy--Client Provisioning--Client Provisioning Policy. It defaults
Windows and MAC OS to use the temporal scanning policy. We’ll set the Windows one to use
the new AC config for a full agent
Note we’re not done yet. In the General Policy setting we’ll reference how to send clients to
CPP to get their agent and its configuration.
Posture
The Posture Policy is the set of policy rules and remediations that the client’s endpoint must
satisfy to be considered compliant. A full list of items that can be checked is here.
I made a handy picture for how Posture Policy components are used:
For the purposes of this document we will simply check for these five:
Missing file in the file system Message noting that this not Registry files, processes can
a corporate image also be used
Running AntiMalware Message to the user Any AntiMalware will satisfy
this
First step is to build the requirements (note, looking at the above flow image, we’re going from
the bottom up instead of top down). All but the file check condition from the table are built-in but
I will show them all here for completeness.
Conditions
Navigate to File Conditions and click ‘add’. I picked generic options but there is more power to
find a specific hash file (or file date) in any specific place in the file system. I’m only looking for
c:\test.txt on windows operating systems.
Requirements
Now that the conditions are built, let’s wrap them as Requirements. We only need to create a
new one for the custom File Check one.
I wish there was an ‘add’ button but instead you create new Requirements by hovering by the
Edit button of an existing rule and choose ‘Insert New Requirement’. Demonstrated here:
My File System Check is listed here (note test_txt will be found in that box under User Defined
Conditions--File Conditions):
Note the other Requirements from the table are built in but they are screenshot here for
completeness
Posture Policy
This is where everything comes together. The Policy isn’t a ‘first match exit’ style. So the order
does not matter. Everything that matches a user/operating system/and other defined criteria,
will be subjected to the Posture rule. An endpoint is considered compliant if it checks true for
every posture rule it’s subjected to. Most of the items we’re using in our scenario just need to
be enabled (they’re already written). Navigate to Policy--Posture.
Enable the Firewall requirement for Windows/Anyconnect like so (click ‘Edit’ in the far right and
change the status column on the far left):
Hardware:
Application Visibility:
Antimalware:
And lastly create the File Policy check by clicking ‘Edit’ beside any rule and ‘Insert New Policy’.
Mine looks like this:
This is an antispoof policy to determine if security controls are being evaded. Basically it’s
looking to see if someone is mac spoofing a printer/phone or is just completely different than
what the authentic MAC address is presenting. The exact configuration and detailed
capabilities are documented here.
In this guide we will enable detection and enforcement. In production I’d advise caution and
begin with Detection to minimize potential disruption. Note it’s unlikely to trip this feature in a
PoV or trial, without explicitly trying to.
General Policy
This section puts together all the constructs and applies it to incoming user authentication
requests. Notably the Authentication and Authorization steps.
Bootstrapping
This builds out the building blocks of Authorization Policies, notably dACLs and Authorization
Profiles. But starts with Captive Portals
Captive Portals
We’ll be creating three captive portals that are doing different things. Defined:
Client Provisioning Portal - Users are sent to this portal to be provisioned (and then postured)
with Anyconnect. Or if Anyconnect is already installed, perform posture only.
Profiling Portal - Technically a Hot Spot portal to present a user with a webpage stating that the
network is trying to ascertain what kind of endpoint this is. ISE should be able to grab a
user-agent string from the endpoint, assign a profile and then re-send it through the
Authorization policy again.
Central Web Authentication - Used for MAC and Linux endpoints that are not supported with
PassiveID in order for them to authenticate to the network.
For Client Provisioning Portal (CPP), navigate to Work Centers--Posture--Client
Provisioning--Client Provisioning Portal. Note the built-in portal named: Client Provisioning
Portal (default). We can use this same portal, just give it a FQDN (cpp.example.com) as in this
picture:
This dACL allows Finance to get to the DC but no other RFC1918 space. Also allows internet
access
Authorization Profiles
To set the authorization profiles navigate to Policy--Policy Elements--Results--Authorization
Profiles. Click Add
The Client Provisioning Portal Policy. This policy steers the session to the CPP portal. It also
applies a dACL to the user and cites a named ACL for web redirection (that must live on the
switch). That redirect ACL is listed here for completeness:
For Network Architects (or really anyone that needs full access) this policy will lay down a permit
ip any any dACL
Authentication Policy MAB
We will notably use the defaults whenever possible. Navigate to Policy--Policy Sets. It should
look like this (the default):
Profiling Authorization Rules
This use case is straight wired MAC Auth Bypass (MAB) and profiling. Simply stated there are
only two Authorization rules:
If Anything else, only allow it access to AD/ISE but also provide it with a Hotspot captive portal
in order to do HTTP User Agent detection and provide for an NMAP scan.
Slide into this Default Policy and it should look like this
Expand the Authorization Policy section and there will be 12 built-in items.
The item (next to the end) is “Basic_Authenticated_Access”. This is a catchall that will permit all
access. We’ll change it (and the very last one named “Default”) so they will be Authenticating
rules. It should look like this when finished:
With this config not much access will be granted. Only phones and printers (the default rules)
will be allowed. And any detected Windows workstations will only be able to communicate to
AD (including DNS) and ISE. Non Windows workstations will be hit with a captive portal
For example:
Now, we just need to add in new authorization rules that will send a unique dACL based on AD
group membership:
And that’s all. Some sample testing:
When Bob Cole logs in (same workstation) his permissions change to match his Teller role:
Ubuntu (and MAC) Connect Authorization
This one is pretty simple, just need to add in a few lines. At this point we’ve discovered
corporate asset Linux. So now we present those endpoints with a captive portal to pass its AD
credentials. Based on those creds we grant it access and push the relevant dACL. See the
new rules (note we could also add in duplicates for Teller and Finance but are leaving it for just
Architects because most likely those would be who would have that access).
I number the steps the endpoint would take through this sequence:
1. Brand new endpoints would go to step 1 where we NMAP/SNMP scan and determine if
it’s a Corporate Linux workstation (or MacOS). This is only done for the very first time an
endpoint is ever seen
2. This presents the Corporate Linux workstation or MacOS a Captive Portal to retrieve and
authenticate their AD Credentials
3. This is where we send enforcements to the switchport if the Corp Linux/MacOS
workstation if the user’s account is in the Architect AD group. Note the ‘guest_flow’
qualifier, that is a built-in construct that basically says we won’t apply this rule unless the
session has been previously authenticated by a Captive Portal
From the client’s perspective it would look like the following. Note that the text shown to the
user (along with branding and color schemes) are customizable. Also it is possible to have ISE
immediately CoA reauth this first step when we determine this is a Corporate Linux endpoint.
But decided to keep it simpler for this. And even those measurements would not work if the
endpoint is hardwired behind an IP Phone.
This same flow would work fine for MacOS. And you can further disaggregate the policy to say
only admins and developers can use Linux workstations and only Marketing and C-Suites use
MacOS for an example.
Posture
Now we’ll stitch in Posture checking. We’ll use a very narrow use case of Windows (though
MacOS can easily be added with that flow and will be screenshotted for reference). The
“waterfall” flow is illustrated here. The first two blocks already exist per the config at this point
and the constructs for the last two also exist, we just need to get it in policy.
The new policy steps listed here (and should be available for you at this point in the guide if
you’ve built these blocks from previous steps):
So what does look like for an end-user’s perspective? Let’s see for a brand new AD Joined
computer that has not been seen and does not have Anyconnect software.
First step is user is redirected to the captive portal where they’ll be pushed to download and
install Anyconnect Client, illustrated here. Note that client would most likely be deployed
through software distribution channels like SCCM but can be deployed (and updated) this way.
Also note that the smartscreen notice is illustrating that the endpoint cannot reach Microsoft
over the Internet and can be taken out of the end-user visibility but is left here for information.
Note that Windows is showing lack of Internet access (the system tray indication beside the
speaker icon); which is fitting since Bob Cole’s role does not have Internet access, only limited
internal access. This notification can be disabled in Windows GPO.
And the view for ISE is below:
Probably the simplest configuration of all. You can review (and make sure you enabled the
service) the section detailing what this capability is.
802.1X Variant
This is the penultimate section and will simply illustrate how this policy would look using 802.1X
instead of MAB to make the authentication flows happen. Everything else (profiling and posture
notably) are exactly the same. If you followed the section on GPO and Client Certificates, the
Windows endpoints should try for 802.1X EAP-TLS using their certificates.
Note this could be combined with MAB policies: Windows workstations could use 802.1X and
Mac/Linux/IoT can use MAB.
Go to Policy--Policy--Sets. Add a new Policy set by clicking on the gear on the right hand side
of the Default policy and choose “insert new row above”
Make yours look like mine (basically any wired 802.1X requests will take the new policy set
because it’s ordered sooner):
Authentication Policy
Authorization Policy
One little tweak you’ll notice is I negate Posture Compliance so that only endpoints that are not
checked as compliant will match it. That signals to ISE that this endpoint needs to go through
the Client Provisioning Portal to be checked or to have a client installed and then be checked for
compliance.
Conclusion
You made it to the end. Hopefully you found this helpful in general or even partially. Some new
tips and tricks are always beneficial. ISE is a quality product that takes some skill and risk to
master… as you can see most of it is having it work well with AD and network infrastructure.
Ask questions and try to make it do new and different things and you will most likely be
rewarded for your efforts. Happy NAC’ing!