Note: This tutorial is adapted from the SCAZT course on Cisco U. If you find this helpful, consider taking the full course.

Many years ago, threats to the network were thought to come only from the outside in. Perimeter devices and standardized endpoint images were largely relied on to ensure that no threat originated from the inside. In today’s environment, however, especially with “bring your own device” (BYOD) and guest network access, there is a strong business and security need to ensure that the devices on the network have an appropriate patch level and operating system, and have antivirus and antispyware software installed, up to date, and running.

Consider, for example, a user who takes a work-issued laptop home for a long vacation, intending to check email and work on quarterly reports locally on the device. Because the device is not connected to the corporate environment during that time, new patches and updated group policy are not present on the device when the user returns after two weeks. How can you ensure that, before that device and user re-enter the network, all the critical criteria for preventing an inside threat are remediated?

Cisco ISE Posture Service

The Cisco ISE posture service allows you to check the state, or posture, of every endpoint connecting to the network for compliance with corporate security policies, and so determine which clients get access to protected areas of the network.

The posture service is an optional function of Cisco ISE that may or may not be deployed in a Cisco ISE environment. Clients interact with the ISE posture service through posture agents on the endpoint to enforce security policies, meet compliance standards, and allow the endpoint to gain access to protected resources.

ISE Posture Services

The three main security posture components are client provisioning, assessment, and remediation. These components interoperate with the authorization policy to assess compliance and to enforce an appropriate access privilege for compliant and noncompliant endpoints.

Immediately after authentication, the posture status of the endpoint is unknown. The posture service interacts with the Cisco ISE authorization function via the change of authorization (CoA).

When the posture service is invoked and the endpoint status is assessed, the status will change to noncompliant or compliant:

Cisco ISE Posture Flow

The Cisco ISE posture service allows you to check the security posture of connecting endpoints. Before granting access, ISE validates that endpoints are compliant with your corporate security policies.

Compliance agents communicate endpoint security posture to the Cisco ISE Policy Service Node (PSN). These agents are installed on endpoints and interact with the posture service to enforce policy. They help in evaluating clients against posture policies and validating conformance to security policies.

Cisco ISE Posture Agents

The Cisco ISE posture agent validates endpoints for compliance based on the requirements that are sent from ISE. The agent then determines endpoint posture.

Agents are applications that reside on client machines. Agents can be persistent (such as Cisco AnyConnect). Persistent agents remain on the client machine after installation, even when the client is not logged in to the network. Agents can also be temporal. Temporal agents remove themselves from the client machine after the login session has terminated.

In either case, the agent helps the user to authenticate, receive the appropriate access profile, and perform posture assessment. This assessment helps ensure endpoint compliance with network security guidelines before allowing access to sensitive network resources.

Agentless posture provides posture information from clients and completely removes itself when finished. No action is required from the end user. Unlike the temporal agent, agentless posture connects to the client as an administrative user.

For endpoints that are required to perform compliance checks, the network access device (NAD) redirects traffic to Cisco ISE. However, there is some traffic that cannot be redirected, either because the application that is being used does not support redirection, or because the traffic is destined for a device such as a remediation server.

In this tutorial, you will configure downloadable access control lists (dACLs) that will be used to help ensure that only traffic that is needed for compliance services is allowed. You will also verify that the redirect ACLs that are configured on the switch do not redirect traffic to a remediation server.

The following topology will be used for this tutorial:

Topology

The lab environment is not available for this tutorial. However, the configuration steps are provided for your reference.

Building the Policy Elements for Compliance

  1. Create dACLs for compliance. Navigate to Work Centers > Posture > Policy Elements. From the bottom of the navigation tree in the left pane, click Downloadable ACLs.

Note: Alternatively, you can reach this page via Policy > Policy Elements > Results and then Authorization > Downloadable ACLs.

ise-1

  2. Using the Add button at the top of the table, create the following posture remediation dACL. Click Submit when finished.

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.10.10.30 eq 8443
permit tcp any host 10.10.10.30 eq 8905
permit udp any host 10.10.10.30 eq 8905

  3. Create the following Active Directory login access dACL, allowing users to log in to the network using Active Directory. Click Submit when finished.

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.10.4.20 eq 88
permit udp any host 10.10.4.20 eq 88
permit udp any host 10.10.4.20 eq ntp
permit tcp any host 10.10.4.20 eq 135
permit udp any host 10.10.4.20 eq netbios-ns
permit tcp any host 10.10.4.20 eq 139
permit tcp any host 10.10.4.20 eq 389
permit udp any host 10.10.4.20 eq 389
permit tcp any host 10.10.4.20 eq 445
permit tcp any host 10.10.4.20 eq 636
permit udp any host 10.10.4.20 eq 636
permit tcp any host 10.10.4.20 eq 1025
permit tcp any host 10.10.4.20 eq 1026

  4. Create the following dACL allowing access to the internet only. Click Submit when finished.

permit udp any any eq domain
permit icmp any any
permit tcp any host 10.10.10.30 eq 8443
deny ip any 10.10.0.0 0.0.255.255
permit ip any any

Configuring the Redirect ACL on the Switch

In the next few steps, you will verify a preconfigured URL redirect ACL on the pod switch. URL redirect ACLs need to be configured directly on a switch, and they cannot be dACLs.

  1. Log in to the switch.

  2. Enter the command show ip access-list ISE-URL-REDIRECT, and verify that it matches the following output:

C3560-CX-PGxx-Pxx#show ip access-list ISE-URL-REDIRECT
Extended IP access list ISE-URL-REDIRECT
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 deny ip any any

If your organization uses a remediation server so that clients can retrieve remediation files, you need to exempt that traffic from redirection. Line 30 in the preceding access list already prevents redirection of anything other than HTTP on TCP port 80 or HTTPS on TCP port 443, but if clients use either of those protocols to reach the remediation server, you must explicitly deny the redirect for that server. In the next step, you will modify the ACL so that traffic to the Corp server at 10.10.4.40 is not redirected.

  3. Edit the ISE-URL-REDIRECT ACL by entering the following commands:

C3560-CX-PGxx-Pxx(config)# ip access-list extended ISE-URL-REDIRECT
C3560-CX-PGxx-Pxx(config-ext-nacl)# 5 deny ip any host 10.10.4.40

Sequence number 5 places the new entry ahead of line 10, so it is evaluated before the permit statements that trigger redirection. You will reference the name of this URL redirect ACL in the authorization profiles, so the spelling must match exactly.
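To check that the dACLs from the previous section and the modified redirect ACL above behave as intended, the following evaluator is an added example (not code from the tutorial or from Cisco). It parses the IOS-style entries exactly as they appear on this page, applies first-match semantics with the implicit deny, and runs them against constructed sample flows. The endpoint address 10.10.20.5 and the internet address 203.0.113.10 are assumptions for illustration; the ISE, AD and remediation server addresses are the ones used in the tutorial.

```python
# Added example: first-match evaluator for IOS-style extended ACL entries.
# Supports only the syntax used by the ACLs on this page: permit/deny, ip/tcp/udp/icmp,
# 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD', and an optional 'eq <port>' on either side.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names as IOS prints them (subset sufficient for the tutorial's ACLs).
NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "ntp": 123,
               "netbios-ns": 137, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care, i.e. the inverse of a netmask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <number|name>' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (NAMED_PORTS[p] if p in NAMED_PORTS else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one entry as typed in ISE or as shown by 'show ip access-list' (sequence number optional)."""
    tokens = line.split()
    if tokens[0].isdigit():          # drop a leading sequence number such as '10'
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    src_port, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dst_port, _ = _parse_port(tokens, i)
    return Ace(action, proto, src, src_port, dst, dst_port)


def evaluate(acl: List[str], proto: str, src: str, dst: str,
             src_port: Optional[int] = None, dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a flow: the first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"  # every IOS ACL ends with an implicit 'deny ip any any'


# The dACLs from the tutorial, as entered in ISE.
ACL_POSTURE_REMEDIATION = [
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "permit icmp any any",
    "permit tcp any host 10.10.10.30 eq 8443",
    "permit tcp any host 10.10.10.30 eq 8905",
    "permit udp any host 10.10.10.30 eq 8905",
]
ACL_INTERNET_ONLY = [
    "permit udp any any eq domain",
    "permit icmp any any",
    "permit tcp any host 10.10.10.30 eq 8443",
    "deny ip any 10.10.0.0 0.0.255.255",
    "permit ip any any",
]
# The switch redirect ACL after the deny for the remediation server has been added.
# In a URL redirect ACL the meaning is inverted: 'permit' = redirect to ISE, 'deny' = forward normally.
ISE_URL_REDIRECT = [
    "5 deny ip any host 10.10.4.40",
    "10 permit tcp any any eq www",
    "20 permit tcp any any eq 443",
    "30 deny ip any any",
]


def is_redirected(proto: str, src: str, dst: str, dst_port: int) -> bool:
    """True if the switch would redirect this flow to the ISE portal."""
    return evaluate(ISE_URL_REDIRECT, proto, src, dst, dst_port=dst_port) == "permit"


if __name__ == "__main__":
    client = "10.10.20.5"  # constructed endpoint address, not from the tutorial
    print(evaluate(ACL_POSTURE_REMEDIATION, "tcp", client, "10.10.4.20", dst_port=445))  # deny (implicit)
    print(evaluate(ACL_INTERNET_ONLY, "tcp", client, "203.0.113.10", dst_port=443))      # permit
    print(is_redirected("tcp", client, "10.10.4.40", 80), is_redirected("tcp", client, "203.0.113.10", 80))
```

Two things worth noticing when you run it: the posture remediation dACL permits nothing to the AD server (the implicit deny catches SMB on 445, which is why a separate AD login dACL exists), and after sequence 5 is added, HTTP to 10.10.4.40 is forwarded normally while HTTP to any other address is still redirected to the portal.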

Create Authorization Profiles for Compliance

Once the dACLs have been created, you must create the authorization profiles that will be used to assign them to the endpoints in the authorization policies.

  1. Navigate to Work Centers > Posture > Policy Elements. At the bottom of the navigation tree in the left pane, select Authorization Profiles.

Note: Alternatively, you can reach the page by navigating to Policy > Policy Elements > Results and then Authorization > Authorization Profiles.

  2. Click +Add at the top of the table in the right pane, and create each of the following authorization profiles. Remember to click Submit to save your configuration after each addition.

Posture Remediation—Authorization Profile

CWA Posture Remediation—Authorization Profile

Internet Only—Authorization Profile

The following screenshots can help you visualize the process:

posture-1

posture-2

posture-3

Domain Computer Access

  1. Modify the existing Domain Computer Access profile to use the new, more port-restrictive dACL for Active Directory login, ACL_AD_LOGIN, and then click Save.

posture-4

Now that you have the dACLs configured and applied to the authorization profiles, you are ready to modify your authorization policy to send traffic to the posture service on Cisco ISE.

Policy Set Evaluation

  1. From the Posture Work Center, select Policy Sets. If you have navigated away from the Posture Work Center, navigate to Work Centers > Posture > Policy Sets.

Note: Alternately, you can navigate to Policy > Policy Sets and then to Wired_Access > Authorization Policy.

  2. Click the > at the end of the Wired Access policy set to examine its authorization policy rules. Expand the Authorization Policy at the bottom of the policy set.

  3. Notice the rules for logical printers and profiled IP phones, the rules for employees and contractors, the rule for domain computer authentication, and the default deny rule at the end.

Overall access is split into wired and wireless policy sets. Keeping all the guest access rules under the wireless policy set has allowed the wired policy set to stay uncluttered. In the same way, the condition function of policy sets can be used to differentiate policy, so it is advantageous to split wired access into two different parts.

policy-1

You’ve completed this tutorial, advancing in your CCNP journey. To continue building your networking skills, check out our additional tutorials, courses, and learning paths.
