Note: This tutorial is adapted from the SCAZT course on Cisco U. If you find this helpful, consider taking the full course.
Many years ago, threats to the network were thought to come only from the outside in. Perimeter devices and endpoint images were largely responsible for ensuring that any threat did not come from the inside. However, in today’s environment, especially with “bring your own devices” (BYODs) and guest network access, there is a strong business and security need to ensure that the devices on the network have the appropriate level of patching, operating system, and antivirus and antispyware software installed, up to date, and running.
Consider, for example, a user who takes a work-issued laptop home for a long vacation with the intention of checking email and working on quarterly reports locally on the device. Because the device is not actively connected to the corporate environment, new patches and an updated group policy are not present on the device when the user returns after two weeks of vacation. How can you ensure that, before that device and user re-enter the network, all the critical criteria for preventing an inside threat are remediated?
The Cisco ISE posture service allows you to check the state, or posture, of all the endpoints that are connecting to a network for compliance with corporate security policies to determine which clients get access to protected areas of a network.
The posture service is an optional function of Cisco ISE that may or may not be deployed in a Cisco ISE environment. Clients interact with the ISE posture service through posture agents on the endpoint to enforce security policies, meet compliance standards, and allow the endpoint to gain access to protected resources.
The three main security posture components are client provisioning, assessment, and remediation. These components interoperate with the authorization policy to assess compliance and to enforce an appropriate access privilege for compliant and noncompliant endpoints.
Immediately after authentication, the posture status of the endpoint is unknown. The posture service interacts with the Cisco ISE authorization function via the change of authorization (CoA).
When the posture service is invoked and the endpoint status is assessed, the status will change to noncompliant or compliant:
When the noncompliant status is returned by the posture service, a CoA is issued, and Cisco ISE applies the appropriate authorization policy to the endpoint. This authorization policy typically enables the endpoint to access necessary remediation resources. After successful remediation, the endpoint is assessed again, and its status is changed to compliant.
When the compliant status is returned by the posture service, a CoA is issued and the Cisco ISE applies the appropriate authorization policy to the endpoint. This authorization policy enables the endpoint to access internal enterprise resources without a risk of infection. Periodic reassessment of the security posture helps ensure the health of the endpoint.
The Cisco ISE posture service allows you to check the security posture of connecting endpoints. Before granting access, ISE validates that endpoints are compliant with your corporate security policies.
Compliance agents communicate endpoint security posture to the Cisco ISE Policy Service Node (PSN). These agents are installed on endpoints and interact with the posture service to enforce policy. They help in evaluating clients against posture policies and validating conformance to security policies.
The Cisco ISE posture agent validates endpoints for compliance based on the requirements that are sent from ISE. The agent then determines endpoint posture.
Agents are applications that reside on client machines. Agents can be persistent (such as Cisco AnyConnect). Persistent agents remain on the client machine after installation, even when the client is not logged in to the network. Agents can also be temporal. Temporal agents remove themselves from the client machine after the login session has terminated.
In either case, the agent helps the user to authenticate, receive the appropriate access profile, and perform posture assessment. This assessment helps ensure endpoint compliance with network security guidelines before allowing access to sensitive network resources.
Agentless posture provides posture information from clients and completely removes itself when finished. No action is required from the end user. Unlike the temporal agent, agentless posture connects to the client as an administrative user.
For endpoints that are required to perform compliance checks, the network access device (NAD) redirects traffic to Cisco ISE. However, there is some traffic that cannot be redirected, either because the application that is being used does not support redirection, or because the traffic is destined for a device such as a remediation server.
In this tutorial, you will configure downloadable access control lists (dACLs) that will be used to help ensure that only traffic that is needed for compliance services is allowed. You will also verify that the redirect ACLs that are configured on the switch do not redirect traffic to a remediation server.
The following topology will be used for this tutorial:
The lab environment is not available for this tutorial. However, the configuration steps are provided for your reference.
Note: Alternatively, you can reach this page via Policy > Policy Elements > Results and then Authorization > Downloadable ACLs.
dACL Name: ACL_POSTURE_REMEDIATION
dACL Description: Permit access to posture services and remediation and deny everything else.
dACL content:
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.10.10.30 eq 8443
permit tcp any host 10.10.10.30 eq 8905
permit udp any host 10.10.10.30 eq 8905
dACL Name: ACL_AD_LOGIN
dACL Description: Permit access to Active Directory login services and deny everything else.
dACL content:
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.10.4.20 eq 88
permit udp any host 10.10.4.20 eq 88
permit udp any host 10.10.4.20 eq ntp
permit tcp any host 10.10.4.20 eq 135
permit udp any host 10.10.4.20 eq netbios-ns
permit tcp any host 10.10.4.20 eq 139
permit tcp any host 10.10.4.20 eq 389
permit udp any host 10.10.4.20 eq 389
permit tcp any host 10.10.4.20 eq 445
permit tcp any host 10.10.4.20 eq 636
permit udp any host 10.10.4.20 eq 636
permit tcp any host 10.10.4.20 eq 1025
permit tcp any host 10.10.4.20 eq 1026
dACL Name: ACL_INTERNET_ONLY
dACL Description: Permit DHCP/DNS, permit ISE portal, deny internal, permit everything else.
dACL content:
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.10.10.30 eq 8443
deny ip any 10.10.0.0 0.0.255.255
permit ip any any
In the next few steps, you will verify a preconfigured URL redirect ACL on the pod switch. URL redirect ACLs need to be configured directly on a switch, and they cannot be dACLs.
Log in to the switch.
Enter the command show ip access-list ISE-URL-REDIRECT, and verify that it matches the following output:
C3560-CX-PGxx-Pxx#show ip access-list ISE-URL-REDIRECT
Extended IP access list ISE-URL-REDIRECT
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 deny ip any any
If your organization is using a remediation server to allow clients to access remediation files, you need to deny redirection for that traffic. Line 30 in the preceding access list already denies redirection for anything that is not HTTP on TCP port 80 or HTTPS on TCP port 443, but if clients use either of those protocols to reach the remediation server, you need to deny the redirect for that server explicitly. Because the ACL is evaluated top down and the first match wins, the deny entry must precede the permit entries, which is why it is given sequence number 5. In the next step, you will modify the ACL so that it does not redirect traffic to the Corp server at 10.10.4.40.
C3560-CX-PGxx-Pxx(config)# ip access-list extended ISE-URL-REDIRECT
C3560-CX-PGxx-Pxx(config-ext-nacl)# 5 deny ip any host 10.10.4.40
You will be referencing the name of the URL redirect ACL in authorization profiles. Spelling must match exactly.
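As an added example (not part of the tutorial), the following Python simulator applies IOS first-match ACL semantics to ACEs written the way they appear above, so you can check that the sequence-5 deny keeps HTTP to the remediation server out of the redirect while other web traffic is still redirected, and that a dACL such as ACL_POSTURE_REMEDIATION forwards only the posture ports on the PSN. The ACL text is copied from the tutorial; the client address 10.10.50.5 and the external host 198.51.100.10 used when exercising it are constructed test values.

```python
import ipaddress
# Tutorial's ISE-URL-REDIRECT ACL with the sequence-5 exemption added; permit == redirect.
REDIRECT_ACL = """
5 deny ip any host 10.10.4.40
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 deny ip any any
"""

# IOS port keywords that appear in the tutorial's ACLs.
NAMED_PORTS = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67,
               "ntp": 123, "netbios-ns": 137}

def _addr_port(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'."""
    if toks[0] == "any":
        net, toks = ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    elif toks[0] == "host":
        net, toks = ipaddress.ip_network(toks[1]), toks[2:]
    else:  # ipaddress reads a mask with a leading zero octet as a wildcard
        net, toks = ipaddress.ip_network(toks[0] + "/" + toks[1]), toks[2:]
    port = None
    if toks[:1] == ["eq"]:
        port, toks = NAMED_PORTS.get(toks[1]) or int(toks[1]), toks[2:]
    return net, port, toks

def parse_acl(text):
    """Parse IOS extended ACEs (sequence numbers optional) into tuples."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0].isdigit():
            toks = toks[1:]
        src, sport, rest = _addr_port(toks[2:])
        dst, dport, _ = _addr_port(rest)
        aces.append((toks[0], toks[1], src, sport, dst, dport))
    return aces

def evaluate(acl_text, proto, src, sport, dst, dport):
    """IOS semantics: first matching ACE wins; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in parse_acl(acl_text):
        if (p in ("ip", proto) and s in snet and d in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

def is_redirected(proto, src, dst, dport, sport=None):
    # True when ISE-URL-REDIRECT would send this flow to the ISE portal.
    return evaluate(REDIRECT_ACL, proto, src, sport, dst, dport) == "permit"
```

Run the same evaluate() over ACL_INTERNET_ONLY to confirm that the deny for 10.10.0.0 0.0.255.255 blocks internal hosts while the earlier permit for the PSN on 8443 still wins.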
Once the dACLs have been created, you must create the authorization profiles that will be used to assign them to the endpoints in the authorization policies.
Note: Alternatively, you can reach the page by navigating to Policy > Policy Elements > Results and then Authorization > Authorization Profiles.
Name: Posture Remediation
dACL Name: ACL_POSTURE_REMEDIATION
Web Redirection: ACL: ISE-URL-REDIRECT (You will have to type the name of the ACL; it is case-sensitive.)
Name: CWA Posture Remediation
dACL Name: ACL_POSTURE_REMEDIATION
Web Redirection: ACL: ISE-URL-REDIRECT (You will have to type the name of the ACL; it is case-sensitive.)
Name: Internet Only Access
dACL Name: ACL_INTERNET_ONLY
The following screenshots can help you visualize the process:
Now that you have the dACLs configured and applied to the authorization profiles, you are ready to modify your authorization policy to send traffic to the posture service on Cisco ISE.
Note: Alternatively, you can navigate to Policy > Policy Sets and then to Wired_Access > Authorization Policy.
Click the > at the end of the Wired Access Policy to examine the authorization policy rules. Expand the Authorization Policy at the bottom of the policy set.
Notice the logical printers rule, profiled IP phones rule, rules for employees or contractors, a rule for domain computer authentication, and a default deny rule at the end.
Overall access is split into wired and wireless policy sets. Creating all the guest access rules under the wireless access policy set has kept the wired policy set clean. Similarly, it is advantageous to use the condition function of policy sets to split wired access into two different parts.
You’ve completed this tutorial, advancing in your CCNP journey. To continue building your networking skills, check out our additional tutorials, courses, and learning paths.