Posture is the term for the collection of credentials and attributes that describe the state, or health, of a user's computer and the applications on it, which this book refers to as the host. With NAC, a posture agent is required; it resides on the host (the subject) and communicates device information, such as the operating system and application-level details, in the form of credentials. The posture agent also performs other functions, such as informing the user of the posture condition of the host by means of a custom, configurable notification message.
The following is a notification example for a noncompliant host: "Your computer is lacking the necessary updates and therefore is not granted access to the network. In order to resume normal network access, please update your computer now at the following location."
This chapter also covers the Cisco Trust Agent log file and the types of events it captures, which are useful for troubleshooting host problems with NAC. First, we walk you through the architecture of posture agents, beginning with the mandatory component, Cisco Trust Agent, as shown in the figure. Cisco Trust Agent resides on the host and runs in the background as a service.
The services it installs vary by Cisco Trust Agent version. These services should start automatically and be running; they include the following:
Cisco Trust Agent collects information about the host operating system through its internal posture plug-ins and acts as a broker by collecting credentials from third-party host application posture plug-ins. Note: Cisco Trust Agent includes two posture plug-ins of its own: one that reports the status of the posture agent itself and one that reports basic information about the host it is running on.
Each of these posture plug-ins returns a credential as part of the validation process. Cisco Trust Agent can also launch a web browser at the conclusion of the validation process; this is enabled by placing a URL in the notification string of the corresponding posture validation configuration in ACS.
When arbitrary information about a host is needed to make a complete posture assessment, the Cisco Trust Agent Scripting Interface (CTASI) can be used. The information gathered this way is then sent as an additional credential for the posture decision-making process. Cisco Trust Agent has two primary versions. Beginning with the core mandatory functionality: Cisco Trust Agent can operate solely for posture assessment, using EAP over UDP (EoU), with either version.
Specify the Add Posture Policy parameters as described in the following table:
The Windows System Health Validator permits or denies client computers connecting to your network. It can also restrict access for computers whose service pack level is lower than service pack x.
The Windows System Health Validator allows you to configure which client computers can connect to your network and which are restricted from it.
Access is determined by a check of the service pack level, which you can configure. The validator's configurable parameter categories permit or deny client computers access to your network based on checks of the client's Firewall, Virus Protection, Spyware Protection, Automatic Updates, and Security Updates settings.
OnGuard Agent Posture Plug-ins. Click the Add link. Policy Name: enter the name assigned to the policy by the ClearPass Policy Manager administrator. Launch a browser; you are redirected to the Client Provisioning Portal. Click Start. This checks whether the AnyConnect agent is installed and running. Save the Cisco AnyConnect. For Windows, run the. Do not use the ARM64 version of AnyConnect in the client provisioning policy; it can cause failures on the client side.
Restart the client if AnyConnect is not working properly because of this issue. One or more of these simple conditions form a compound condition, which can be associated with a posture requirement.
After an initial posture update, Cisco ISE also creates Cisco-defined simple and compound conditions. Both user-defined and Cisco-defined conditions can be simple or compound. A custom posture remediation action is one of the following types: file, link, antivirus or antispyware definition update, launch program, Windows Update, or Windows Server Update Services (WSUS). A file remediation allows clients to download the required file version for compliance.
The client agent remediates an endpoint with a file that the client requires for compliance. You can filter, view, add, or delete file remediations in the File Remediations window, but you cannot edit them. The File Remediations window displays all the file remediations along with their name, description, and the files required for remediation. Click Remediation Actions. Click File Remediation.
Enter the name and description of the file remediation in the Name and Description fields. Modify the values in the New File Remediation window. A link remediation allows clients to click a URL to access a remediation window or resource. The client agent opens a browser with the link and allows clients to remediate themselves for compliance.
The Link Remediation window displays all the link remediations along with their name, description, and mode of remediation. Click Link Remediation. Modify the values in the New Link Remediation window. You can create a patch management remediation, which updates clients with up-to-date patches for compliance after remediation. The Patch Management Remediation window displays the remediation type, patch management vendor names, and various remediation options.
Click Patch Management Remediation. Modify the values in the Patch Management Remediation window. Click Submit to add the remediation action to the Patch Management Remediations window.
You can create an antivirus remediation, which updates clients with up-to-date antivirus definitions for compliance after remediation.
The AV Remediations window displays all the antivirus remediations along with their name, description, and mode of remediation. Click AV Remediation. Modify the values in the New AV Remediation window. You can create an antispyware remediation, which updates clients with up-to-date antispyware definitions for compliance after remediation. The AS Remediations window displays all the antispyware remediations along with their name, description, and mode of remediation.
Click AS Remediation. Modify the values in the New AS Remediation window. You can create a launch program remediation, in which the client agent remediates clients by launching one or more applications for compliance. The Launch Program Remediations page displays all the launch program remediations along with their name, description, and mode of remediation.
Click Launch Program Remediation. Modify the values in the New Launch Program Remediation page. When an application is launched as a remediation using Launch Program Remediation, the application starts successfully (it can be observed in Windows Task Manager), but its UI is not visible, because the agent launches it from the service session rather than the user's interactive session.
On Windows Vista, the Interactive Services Detection (ISD) service is stopped by default, so the launched program's UI is not surfaced to the interactive desktop. The Windows Update Remediations page displays all the Windows Update remediations along with their name, description, and mode of remediation. Click Windows Update Remediation.
Modify the values in the New Windows Update Remediation window. A posture requirement is a set of compound conditions with an associated remediation action that can be linked with a role and an operating system. All clients connecting to your network must meet the mandatory requirements during posture evaluation to become compliant on the network. Posture-policy requirements can be of the mandatory, optional, or audit type. If a requirement is optional and a client fails it, the client has the option to continue during posture evaluation.
Posture checks are evaluated in the order mandatory, optional, audit. If a mandatory check fails, the related audit checks are not carried out. During policy evaluation, the agent provides remediation options to clients that fail to meet the mandatory requirements defined in the posture policy. End users must remediate to meet the requirements within the time specified in the remediation timer settings. For example, with a mandatory requirement based on a file condition, if the file does not exist the requirement fails and the user is moved to the Non-Compliant state.
During policy evaluation, the agent gives clients that fail an optional requirement the option to continue. End users are allowed to skip the specified optional requirements.
For example, suppose you have specified an optional requirement with a user-defined condition that checks for an application running on the client machine, such as Calc. If the client fails to meet the condition, the agent prompts with an option to continue, the optional requirement is skipped, and the end user is moved to the Compliant state.
Audit requirements are specified for internal purposes; the agent does not prompt for any message or input from end users, regardless of the pass or fail status during policy evaluation. For example, suppose you are in the process of creating a mandatory policy condition that checks whether end users have the latest version of the antivirus program. If you want to find the non-compliant end users before actually enforcing it as a policy condition, you can first specify it as an audit requirement.
During policy evaluation, the agent reports compliance data for visibility requirements every five to ten minutes. You can restart the posture session as follows: in wired and wireless environments, through a Change of Authorization (CoA). You can configure the Reauthentication timer for a specific authorization policy when you create a new authorization profile in the New Authorization Profiles page. Wired users leave the quarantine state once they disconnect and reconnect to the network.
In a wireless environment, the user must disconnect from the wireless LAN controller (WLC) and wait until the user idle timeout period has expired before attempting to reconnect to the network. You can create a requirement in the Requirements window, where you associate user-defined conditions, Cisco-defined conditions, and remediation actions. Once created and saved in the Requirements window, user-defined conditions and remediation actions can be viewed from their respective list windows.
You must have an understanding of acceptable use policies (AUPs) for posture. Enter the values in the Requirements window. Click Done to save the posture requirement in read-only mode. A custom permission is a standard authorization profile that you define in Cisco ISE. Standard authorization profiles set access privileges based on the matching compliance status of the endpoints. The posture service broadly classifies posture into unknown, compliant, and noncompliant.
The posture policies and the posture requirements determine the compliance status of the endpoint. You must create three different authorization profiles, for the unknown, compliant, and noncompliant posture status of endpoints, each of which can carry a different set of VLANs, DACLs, and other attribute-value pairs. These profiles can be associated with three different authorization policies.
To differentiate these authorization policies, use the Session:PostureStatus attribute along with other conditions. If no matching posture policy is defined for an endpoint, the posture compliance status of the endpoint is set to unknown. A posture compliance status of unknown also applies to an endpoint for which a matching posture policy is enabled but posture assessment has not yet occurred, so no compliance report has been provided by the client agent.
If a matching posture policy is defined for an endpoint and, when the posture assessment occurs, the endpoint meets all the mandatory requirements defined in that policy, the posture compliance status of the endpoint is set to compliant. An endpoint that is postured compliant can be granted privileged network access on your network.
The posture compliance status of an endpoint is set to noncompliant when a matching posture policy is defined for that endpoint but it fails to meet all the mandatory requirements during posture assessment. An endpoint that is postured noncompliant matches a posture requirement with a remediation action, and it should be granted limited network access to remediation resources so that it can remediate itself. You can define two types of authorization policies in the Authorization Policy page: standard and exception authorization policies.
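The following is an added example, not Cisco ISE code, that models the evaluation rules described in the two passages above: simple and compound conditions, the mandatory/optional/audit ordering (with audit checks skipped after a mandatory failure), the unknown status for an endpoint with no matching policy or no agent report yet, and the three authorization profiles selected on Session:PostureStatus. The posture report layout, the condition names, the remediation and profile names, and the sample data are all assumptions made for the example.

```python
"""Model of Cisco ISE posture evaluation (added example, not ISE code).
Report layout, names and sample data below are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

# The "posture report" stands in for what the client agent sends back:
# constructed sample data, not a real agent report.
Report = Dict[str, object]


@dataclass
class SimpleCondition:
    name: str
    check: Callable[[Report], bool]


@dataclass
class CompoundCondition:
    name: str
    operator: str                       # "and" or "or"
    parts: List["Condition"]


Condition = Union[SimpleCondition, CompoundCondition]


def evaluate(cond: Condition, report: Report) -> bool:
    """Evaluate a simple condition directly and a compound one recursively."""
    if isinstance(cond, SimpleCondition):
        return cond.check(report)
    results = [evaluate(p, report) for p in cond.parts]
    return all(results) if cond.operator == "and" else any(results)


@dataclass
class Requirement:
    name: str
    condition: Condition
    kind: str                           # "mandatory", "optional" or "audit"
    remediation: Optional[str] = None   # remediation action, if any


@dataclass
class Outcome:
    status: str                         # "unknown", "compliant", "noncompliant"
    failed_mandatory: List[str] = field(default_factory=list)
    skipped_optional: List[str] = field(default_factory=list)
    audit_failures: List[str] = field(default_factory=list)
    remediations: List[str] = field(default_factory=list)


_ORDER = {"mandatory": 0, "optional": 1, "audit": 2}


def assess(policy: Optional[List[Requirement]], report: Optional[Report]) -> Outcome:
    """policy None -> no posture policy matched; report None -> agent has not
    reported yet. Both give 'unknown'. Otherwise mandatory, optional, audit."""
    if policy is None or report is None:
        return Outcome("unknown")
    out = Outcome("compliant")
    for req in sorted(policy, key=lambda r: _ORDER[r.kind]):   # stable sort
        if req.kind == "audit" and out.failed_mandatory:
            break                       # audit checks skipped after a mandatory failure
        if evaluate(req.condition, report):
            continue
        if req.kind == "mandatory":
            out.status = "noncompliant"
            out.failed_mandatory.append(req.name)
            if req.remediation:
                out.remediations.append(req.remediation)
        elif req.kind == "optional":
            out.skipped_optional.append(req.name)   # user may press Continue
        else:
            out.audit_failures.append(req.name)     # recorded only, no prompt
    return out


# Assumed authorization profile names: in ISE you create three profiles and
# pick one per rule using the Session:PostureStatus attribute.
AUTHZ_PROFILE = {
    "unknown": "Posture_Unknown_Redirect",               # limited access, provisioning redirect
    "compliant": "Posture_Compliant_Full_Access",
    "noncompliant": "Posture_NonCompliant_Remediation",  # remediation resources only
}


def authorize(outcome: Outcome) -> str:
    return AUTHZ_PROFILE[outcome.status]


# Constructed sample policy and reports (not real data).
file_present = SimpleCondition("corp-config-file", lambda r: "C:\\corp\\agent.cfg" in r["files"])
av_running = SimpleCondition("av-service", lambda r: "WinDefend" in r["services"])
av_fresh = SimpleCondition("av-defs-fresh", lambda r: r["av_def_age_days"] <= 7)
av_ok = CompoundCondition("av-ok", "and", [av_running, av_fresh])
calc_running = SimpleCondition("calc-running", lambda r: "calc" in r["processes"])
auto_update = SimpleCondition("auto-update", lambda r: r["auto_update"])

POLICY = [
    Requirement("Corp config file", file_present, "mandatory", "FileRemediation:agent.cfg"),
    Requirement("Antivirus current", av_ok, "mandatory", "AVRemediation:update-defs"),
    Requirement("Calculator running", calc_running, "optional"),
    Requirement("Automatic updates on", auto_update, "audit"),
]
REPORT_GOOD = {"files": {"C:\\corp\\agent.cfg"}, "services": {"WinDefend"},
               "av_def_age_days": 2, "processes": {"calc"}, "auto_update": False}
REPORT_BAD = {"files": set(), "services": {"WinDefend"}, "av_def_age_days": 30,
              "processes": set(), "auto_update": False}

if __name__ == "__main__":
    for rep in (REPORT_GOOD, REPORT_BAD, None):
        o = assess(POLICY, rep)
        print(o.status, authorize(o), o.failed_mandatory, o.remediations)
```

Note that REPORT_GOOD fails the audit requirement yet stays compliant and gets no prompt, while REPORT_BAD fails two mandatory requirements, collects both remediation actions, and never reaches the audit check, which is exactly the ordering the page describes.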
The standard authorization policies that are specific to posture are used to make policy decisions based on the compliance status of endpoints. Choose one of the matching rule types from the drop-down list at the top of the Authorization Policy page. Click the down arrow next to Edit in the default standard authorization policy row. Click Insert New Rule Above. Enter a rule name, choose identity groups and other conditions, and associate an authorization profile in the new authorization policy row that appears above the default standard authorization policy row.
Click Done to create the new standard authorization policy in read-only mode. Stealth mode is so named because it allows posture to run as a service without any user interaction. Stealth Mode is of two types: Standard and Clientless.
In Standard mode, the AnyConnect agent is deployed to monitor and enforce Cisco ISE posture policies that require client interaction. In Clientless mode, posture runs as a service without any user interaction. When you choose Clientless mode in the posture requirement, some of the conditions, remediations, or attributes in a condition are disabled (grayed out). For example, when you enable a Clientless Mode requirement, the Manual remediation type is disabled (grayed out) because that action requires client-side interaction.
Mapping the posture profile to the AnyConnect configuration, and then mapping the AnyConnect configuration to the Client Provisioning page for clientless-mode deployment, supports the following: AnyConnect reads the posture profile and sets itself to the intended mode.
AnyConnect sends information about the selected mode to Cisco ISE during the initial posture request. Cisco ISE matches the right policy based on the mode and other factors, such as identity group, OS, and compliance module.
AnyConnect version 4. When you change the Stealth Mode selection in the posture policy, the selected Requirement is cleared. When the Stealth Mode is Clientless, the remediation list filters out remediations whose Remediation Type is Manual.
If you have associated a remediation type with a policy requirement, you cannot switch the Remediation Type from Automatic to Manual. During posture assessment of a Windows endpoint, the endpoint user may see a delay in reaching the desktop. This can happen because Windows tries to restore the file server drive letter mappings before giving the user access to the desktop.
The best practices to avoid the delay during posture are: Endpoints should be able to reach the Active Directory server, because the file server drive letter cannot be mapped without reaching AD. Delay the login script until posture completes, and set the Persistence attribute to NO.
Windows tries to reconnect all the network drives during login, and this cannot complete until the AnyConnect ISE posture agent gains full network access. Configuring AnyConnect in clientless mode involves a series of steps. Perform the following steps in Cisco ISE. Create a Client Provisioning Policy; see Create a client provisioning policy. Create a Posture Condition; see Create the posture condition.
Create a Posture Remediation; see Create the posture remediation. Create a Posture Policy; see Create the posture policy. Click Add and enter the Name of the profile. From the Add drop-down list, choose AnyConnect Configuration.
Upload the OpenDNS profile to be pushed to the client. From the Category drop-down list, choose Customer Created Packages. From the Type drop-down list, choose AnyConnect Profile. Enter the required name (for example, filechk). From the Operating Systems drop-down list, choose Windows 7 (All). From the File Type drop-down list, choose FileExistence. The file condition checks if test.
If it does not exist, the remediation is to block the USB port and prevent the installation of the file from a USB device. Ensure that the posture requirement and the posture policy are created in clientless mode. Create the required rule. For client provisioning without URL redirection, conditions that use attributes specific to Network Access or RADIUS do not work, and matching of the client provisioning policy might fail because no session information for that user is available on the Cisco ISE server.
However, Cisco ISE allows configuring conditions for externally added identity groups. Updated: August 23, Chapter: Configure Client Posture Policies.
Configure Client Posture Policies
Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints connecting to a network for compliance with corporate security policies. Note: in ISE, session control is done on multiple nodes. On an MnT node, sessions are removed as follows: if there was an accounting start but no accounting stop (a stale session), the session is removed after five days.
If there was neither an accounting start nor a stop, the session is removed after a few hours. On a PSN node, sessions are removed when the accounting stop is received. Posture Run-Time Services: the posture run-time services encapsulate all the interactions between the client agent and the Cisco ISE server for posture assessment and remediation of clients. Posture Service Deployment: you can deploy Cisco ISE in a standalone environment on a single node or in a distributed environment on multiple nodes.
Step 3 Click Edit. Step 4 Under the General Settings tab, check the Policy Service check box. If the Policy Service check box is unchecked, both the Session Services and the Profiling Service check boxes are disabled. Step 6 Click Save. Run the Posture Assessment Report: you can run the Posture Detail Assessment report to generate a detailed status of client compliance against the posture policies used during posture assessment. Step 2 From the Time Range drop-down list, choose the time period.
Step 3 Click Run to view the summary of all the endpoints that were active during the selected time period. Posture Administration Settings: you can globally configure the Admin portal for posture services. Step 2 In the Remediation Timer field, enter a time value in minutes. Step 3 Click Save. Set Network Transition Delay Timer for Clients to Transition: you can configure the time allowed for clients to transition from one state to the other using the network transition delay timer, which is required for the Change of Authorization (CoA) to complete.
Step 2 In the Network Transition Delay field, enter a time value in seconds. Set Login Success Window to Close Automatically: after successful posture assessment, the client agent displays a temporary network access screen. Step 4 Click Save. Set Posture Status for Non-Agent Devices: you can configure the posture status of endpoints that run without an agent. Before you begin: to enforce policy on an endpoint, you must configure a corresponding Client Provisioning policy (agent installation package).
Posture Lease: you can configure Cisco ISE to perform posture assessment every time a user logs in to your network, or only at specified intervals. Example use case: the user logs on to the endpoint and gets it posture compliant with the posture lease set to one day. Four hours later the user logs off; the posture lease now has 20 hours left.
Periodic Reassessments: periodic reassessment (PRA) can be done only for clients that are already successfully postured for compliance. Configure Periodic Reassessments. Before you begin, ensure that each PRA configuration has a unique user identity group, or a unique combination of user identity groups, assigned to it.
If a PRA configuration already exists with the user identity group Any, you cannot create other PRA configurations unless you update the existing configuration to use a user identity group other than Any. Step 2 Click Add. Download Posture Updates to Cisco ISE: posture updates include a set of predefined checks, rules, and support charts for antivirus and antispyware on both Windows and Macintosh operating systems, and information about the operating systems supported by Cisco.
Before you begin: to ensure that you can reach the remote location from which posture resources are downloaded to Cisco ISE, verify that the correct proxy settings are configured for your network, as described in Specifying Proxy Settings in Cisco ISE.
Step 2 Choose the Web option to download updates dynamically. Step 4 Modify the values in the Posture Updates window. Step 5 Click Update Now to download updates from Cisco. Step 6 Click Yes to continue. Before you begin: you must have downloaded the posture updates once before configuring Cisco ISE to check for updates and download them automatically. Step 2 In the Posture Updates window, check the Automatically check for updates starting from initial delay check box. Step 3 Enter the initial delay time in hh:mm:ss format.
Step 4 Enter the time interval in hours. Step 5 Click Save. Configure Acceptable Use Policies for Posture Assessment: after login and successful posture assessment, the client agent displays a temporary network access screen. Step 4 Click Submit. Posture Conditions: a posture condition can be any one of the following simple conditions: a file, registry, application, service, or dictionary condition.
Note: if a process is installed and running, the user is compliant. Step 3 Click Add. Step 4 Enter the appropriate values in the fields. Step 5 Click Submit. Compound Posture Conditions: compound conditions are made up of one or more simple conditions or compound conditions.
Preconfigured Antivirus and Antispyware Conditions: Cisco ISE loads preconfigured antivirus and antispyware compound conditions in the AV and AS Compound Condition windows; these are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems.