Cisco ISE 1.3 User Guide
CHAPTER 23

Configure Client Posture Policies

Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies. This allows you to control which clients can access protected areas of a network.

• Posture Service, page 566
• Posture Administration Settings, page 569
• Download Posture Updates to Cisco ISE, page 572
• Configure Acceptable Use Policies for Posture Assessment, page 573
• Posture Conditions, page 574
• Simple Posture Conditions, page 574
• Create Simple Posture Conditions, page 575
• Compound Posture Conditions, page 575
• Cisco-Predefined Condition for Enabling Automatic Updates in Windows Clients, page 575
• Cisco-Preconfigured Antivirus and Antispyware Conditions, page 576
• Antivirus and Antispyware Support Chart, page 576
• Compliance Module, page 576
• Create Compound Posture Conditions, page 577
• Create Patch Management Conditions, page 578
• Create Disk Encryption Conditions, page 578
• Configure Posture Policies, page 579
• Posture Assessment Options, page 580
• Posture Remediation Options, page 580
• Custom Conditions for Posture, page 581
• Custom Posture Remediation Actions, page 581
• Posture Assessment Requirements, page 586

Cisco Identity Services Engine Administrator Guide, Release 1.3 (page 565)
• Custom Permissions for Posture, page 587
• Configure Standard Authorization Policies, page 588

Posture Service

Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies. This allows you to control which clients can access protected areas of a network.

Clients interact with the posture service through the AnyConnect ISE Posture Agent or the Network Admission Control (NAC) Agent on the endpoint to enforce security policies, meet compliance, and allow the endpoint to gain access to your protected network. Client Provisioning ensures that the endpoints receive the appropriate Posture Agent.

The ISE Posture Agent for Cisco ISE does not support Windows Fast User Switching when using the native supplicant. This is because there is no clear disconnect of the previous user: when a new user switches in, the agent remains bound to the previous user's process and session ID, so a new posture session cannot take place. In line with Microsoft security guidance, it is recommended that you disable Fast User Switching.

Components of Posture Services

The Cisco ISE posture service primarily includes the posture administration services and the posture run-time services.

Posture Administration Services

If you have not installed the Apex license in Cisco ISE, the posture administration services option is not available from the Admin portal.

Administration services provide the back-end support for posture-specific custom conditions and remediation actions that are associated with the requirements and authorization policies that are configured for the posture service.

Posture Run-Time Services

The posture run-time services encapsulate all the interactions that happen between the client agent and the Cisco ISE server for posture assessment and remediation of clients.
Posture run-time services begin with the Discovery Phase. An endpoint session is created after the endpoint passes 802.1X authentication. The client agent then attempts to connect to a Cisco ISE node by sending discovery packets through different methods, in the following order:

1. Via HTTP to port 80 on a Cisco ISE server (if configured)
2. Via HTTPS to port 8905 on a Cisco ISE server (if configured)
3. Via HTTP to port 80 on the default gateway
4. Via HTTPS to port 8905 on each previously contacted server
5. Via HTTP to port 80 on enroll.cisco.com

The Posture Phase begins when the Acceptable Use Policy (if any) is accepted. The Cisco ISE node issues a posture token for the Posture Domain to the client agent. The posture token allows the endpoint to reconnect to the network without going through the posture process again. It contains information such as the Agent GUID, the Acceptable Use Policy status, and endpoint operating system information.
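The fallback order above is something an operator can check for in network telemetry: an endpoint whose probes reach stage 5 never found a configured or previously contacted ISE node. The following Python is an added example, not code from the Cisco guide; it encodes the five discovery stages listed above and labels constructed flow records with the stage they correspond to. The ISE host names, endpoint addresses, gateway and the shape of the flow records are assumptions made for the example.

```python
"""Label posture-agent discovery traffic by fallback stage.

Added example, not Cisco code: it encodes the five-step discovery order from
the Posture Run-Time Services section and applies it to constructed flow
records (src, dst, dport, proto). Host names and addresses are made up.
"""
from collections import defaultdict

ENROLL_HOST = "enroll.cisco.com"   # last-resort discovery target (stage 5)
HTTP_PORT, ISE_HTTPS_PORT = 80, 8905

# Assumed deployment data: configured discovery hosts from the agent profile,
# each endpoint's default gateway, and ISE nodes each endpoint reached before.
ISE_SERVERS = {"ise-psn1.example.internal"}
GATEWAYS = {"10.1.1.5": "10.1.1.1", "10.1.1.9": "10.1.1.1"}
PREVIOUSLY_CONTACTED = {"10.1.1.9": {"ise-psn2.example.internal"}}


def discovery_stage(flow, ise_servers, default_gateway, previously_contacted):
    """Return the discovery stage (1..5) a flow matches, or None if it is not
    a discovery probe. Stages follow the order in which the agent tries them."""
    dst, dport, proto = flow["dst"], flow["dport"], flow["proto"]
    if proto == "http" and dport == HTTP_PORT:
        if dst in ise_servers:            # 1: HTTP/80 to a configured ISE node
            return 1
        if dst == default_gateway:        # 3: HTTP/80 to the default gateway
            return 3
        if dst == ENROLL_HOST:            # 5: HTTP/80 to enroll.cisco.com
            return 5
    elif proto == "https" and dport == ISE_HTTPS_PORT:
        if dst in ise_servers:            # 2: HTTPS/8905 to a configured ISE node
            return 2
        if dst in previously_contacted:   # 4: HTTPS/8905 to a previously contacted node
            return 4
    return None


def deepest_stage_per_endpoint(flows, ise_servers=ISE_SERVERS,
                               gateways=GATEWAYS, previous=PREVIOUSLY_CONTACTED):
    """Map each source endpoint to the deepest fallback stage seen for it."""
    deepest = defaultdict(int)
    for f in flows:
        stage = discovery_stage(f, ise_servers, gateways.get(f["src"]),
                                previous.get(f["src"], set()))
        if stage is not None and stage > deepest[f["src"]]:
            deepest[f["src"]] = stage
    return dict(deepest)


def endpoints_at_last_resort(flows, **kw):
    """Endpoints that fell all the way through to enroll.cisco.com: none of the
    configured or previously contacted ISE nodes answered for them."""
    return sorted(src for src, st in deepest_stage_per_endpoint(flows, **kw).items()
                  if st == 5)


# Constructed flow records, in the shape of a firewall or proxy log export.
FLOWS = [
    {"src": "10.1.1.5", "dst": "ise-psn1.example.internal", "dport": 80, "proto": "http"},
    {"src": "10.1.1.9", "dst": "ise-psn1.example.internal", "dport": 80, "proto": "http"},
    {"src": "10.1.1.9", "dst": "ise-psn1.example.internal", "dport": 8905, "proto": "https"},
    {"src": "10.1.1.9", "dst": "10.1.1.1", "dport": 80, "proto": "http"},
    {"src": "10.1.1.9", "dst": "ise-psn2.example.internal", "dport": 8905, "proto": "https"},
    {"src": "10.1.1.9", "dst": "enroll.cisco.com", "dport": 80, "proto": "http"},
    {"src": "10.1.1.9", "dst": "www.example.com", "dport": 443, "proto": "https"},
]

if __name__ == "__main__":
    for src, stage in deepest_stage_per_endpoint(FLOWS).items():
        print(f"{src}: deepest discovery stage {stage}")
    print("fell through to last resort:", endpoints_at_last_resort(FLOWS))
```

In the constructed data, 10.1.1.5 is answered at stage 1 while 10.1.1.9 walks the whole chain and ends at enroll.cisco.com, which is the pattern to investigate when the agent profile's discovery host is wrong or port 8905 is blocked between the endpoint and the Policy Service node.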
The messages used in the Posture Phase are in the NEA PB/PA format (PA-TNC, RFC 5792; PB-TNC, RFC 5793).

Posture and Client-Provisioning Policies Workflow

Figure 33: Posture and Client Provisioning Policies Workflow in Cisco ISE

Posture Service Licenses

Cisco ISE provides you with three types of licenses: the Base license, the Plus license, and the Apex license. If you have not installed the Apex license on the Primary PAN, posture requests will not be served in Cisco ISE. The posture service of Cisco ISE can run on a single node or on multiple nodes.

Posture Service Deployment

You can deploy Cisco ISE in a standalone environment (on a single node) or in a distributed environment (on multiple nodes).

In a standalone Cisco ISE deployment, you configure a single node for all the administration services, the monitoring and troubleshooting services, and the policy run-time services.

In a distributed Cisco ISE deployment, you can configure each node as a Cisco ISE node for administration services, monitoring and troubleshooting services, and policy run-time services, or as an Inline Posture node, as needed. A node that runs the administration services is the primary node in that Cisco ISE deployment.
The other nodes that run other services are the secondary nodes, which can be configured to back up one another.

Enable Posture Session Service in Cisco ISE

Before You Begin

• You must enable session services in Cisco ISE and install the Apex license package to serve all the posture requests received from the clients.
• If you have more than one node registered in a distributed deployment, all the nodes that you have registered appear in the Deployment Nodes page, apart from the primary node. You can configure each node as a Cisco ISE node (Administration, Policy Service, and Monitoring personas) or as an Inline Posture node.
• The posture service runs only on Cisco ISE nodes that assume the Policy Service persona; in a distributed deployment it does not run on nodes that assume only the Administration and Monitoring personas.

Procedure

Step 1 Choose Administration > System > Deployment > Deployment.
Step 2 Choose a Cisco ISE node from the Deployment Nodes window.
Step 3 Click Edit.
Step 4 Under the General Settings tab, check the Policy Service check box.
If the Policy Service check box is unchecked, both the session services and the profiling service check boxes are disabled.
Step 5 Check the Enable Session Services check box for the Policy Service persona to run the Network Access, Posture, Guest, and Client Provisioning session services. To stop the session services, uncheck the check box.
Step 6 Click Save.

Run the Posture Assessment Report

You can run the Posture Detail Assessment report to generate a detailed status of compliance of the clients against the posture policies that are used during posture assessment.

Procedure

Step 1 Choose Operations > Reports > ISE Reports > Endpoints and Users > Posture Detail Assessment.
Step 2 From the Time Range drop-down list, choose the specific time period.
Step 3 Click Run to view the summary of all the endpoints that were active during the selected time period.
Posture Administration Settings

You can globally configure the Admin portal for posture services. You can download updates automatically to the Cisco ISE server through the web from Cisco. You can also update Cisco ISE manually offline later.

In addition, having an agent like AnyConnect, the NAC Agent, or the Web Agent installed on the clients provides posture assessment and remediation services to clients. The client agent periodically updates the compliance status of clients to Cisco ISE. After login and successful requirement assessment for posture, the client agent displays a dialog with a link that requires end users to comply with the terms and conditions of network usage. You can use this link to define network usage information for your enterprise network that end users must accept before they can gain access to your network.

Timer Settings for Clients

You can set up timers for users to remediate, to transition from one state to another, and to control the login success screen.

We recommend configuring agent profiles with remediation timers and network transition delay timers, as well as the timer used to control the login success screen on client machines, so that these settings are policy based. You can configure all these timers for agents in client provisioning resources in the NAC or AnyConnect Posture Profile window (Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC or AnyConnect Posture Profile).

However, when there are no agent profiles configured to match the client provisioning policies, you can use the settings in the General Settings configuration window (Administration > System > Settings > Posture > General Settings).

Set Remediation Timer for Clients to Remediate Within Specified Time

You can configure the timer for client remediation within a specified time. When clients fail to satisfy configured posture policies during an initial assessment, the agent waits for the clients to remediate within the time configured in the remediation timer. If the client fails to remediate within this specified time, the client agent sends a report to the posture run-time services, after which the client is moved to the noncompliant state.

Procedure

Step 1 Choose Administration > System > Settings > Posture > General Settings.
Step 2 In the Remediation Timer field, enter a time value in minutes.
The default value is 4 minutes. The valid range is 1 to 300 minutes.
Step 3 Click Save.

Set Network Transition Delay Timer for Clients to Transition

You can configure the timer for clients to transition from one state to another within a specified time using the network transition delay timer, which is required for Change of Authorization (CoA) to complete. A longer delay may be required when clients need time to get a new VLAN IP address after posture success or failure. When successfully postured, Cisco ISE allows clients to transition from unknown to compliant mode within the time specified in the network transition delay timer. Upon failure of posture, Cisco ISE allows clients to transition from unknown to noncompliant mode within the time specified in the timer.

Procedure

Step 1 Choose Administration > System > Settings > Posture > General Settings.
Step 2 Enter a time value in seconds in the Network Transition Delay field.
The default value is 3 seconds. The valid range is 2 to 30 seconds.
Step 3 Click Save.

Set Login Success Window to Close Automatically

After successful posture assessment, the client agent displays a temporary network access screen. The user needs to click the OK button in the login window to close it. You can set up a timer to close this login screen automatically after a specified time.

Procedure

Step 1 Choose Administration > System > Settings > Posture > General Settings.
Step 2 Check the Automatically Close Login Success Screen After check box.
Step 3 Enter a time value in seconds in the field next to the Automatically Close Login Success Screen After check box.
The valid range is 0 to 300 seconds. If the time is set to zero, AnyConnect does not display the login success screen.
Step 4 Click Save.

Set Posture Status for Nonagent Devices

You can configure the posture status of endpoints that run on non-agent devices like Linux or iDevices. When Android devices and Apple iDevices such as an iPod, iPhone, or iPad connect to a Cisco ISE enabled network, these devices assume the Default Posture Status settings.

These settings can also be applied to endpoints that run on Windows and Macintosh operating systems when a matching policy is not found during posture runtime.

Before You Begin

In order to enforce policy on an endpoint, you must configure a corresponding Client Provisioning policy (Agent installation package). Otherwise, the posture status of the endpoint automatically reflects the default setting.
Procedure

Step 1 Choose Administration > System > Settings > Posture > General Settings.
Step 2 From the Default Posture Status drop-down list, choose Compliant or Noncompliant.
Step 3 Click Save.

Posture Lease

You can configure Cisco ISE to perform posture assessment every time a user logs into your network, or to perform posture assessment at specified intervals. The valid range is 1 to 365 days.

This configuration applies only to clients that use the AnyConnect agent for posture assessment.

Periodic Reassessments

Periodic reassessment (PRA) can be done only for clients that are already successfully postured for compliance. PRA cannot occur if clients are not compliant on your network.

A PRA is valid and applicable only if the endpoints are in a compliant state. The policy service node checks the relevant policies and compiles the requirements depending on the client role that is defined in the configuration to enforce a PRA. If a PRA configuration match is found, the policy service node responds to the client agent with the PRA attributes that are defined in the PRA configuration for the client before issuing a CoA request. The client agent periodically sends the PRA requests based on the interval specified in the configuration. The client remains in the compliant state if the PRA succeeds, or if the action configured in the PRA configuration is to continue. If the client fails to meet the PRA, the client is moved from the compliant state to the noncompliant state.

The PostureStatus attribute shows the current posture status as compliant in a PRA request instead of unknown, even though it is a posture reassessment request. The PostureStatus is updated in the Monitoring reports as well.

When the posture lease has not expired, an endpoint becomes compliant based on the Access Control List (ACL), and PRA is initiated. If PRA fails, the endpoint is deemed noncompliant and the posture lease is reset.

Configure Periodic Reassessments

You can configure periodic reassessments only for clients that are already successfully postured for compliance. You can assign each PRA configuration to a user identity group that is defined in the system.

Before You Begin

• Ensure that each PRA configuration has a unique group or a unique combination of user identity groups assigned to the configuration.
• You can assign role_test_1 and role_test_2, two unique roles, to a PRA configuration. You can combine these two roles with a logical operator and assign the PRA configuration to the resulting unique combination of the two roles, for example role_test_1 OR role_test_2.
• Ensure that two PRA configurations do not have a user identity group in common.
• If a PRA configuration already exists with the user identity group "Any", you cannot create other PRA configurations unless you perform one of the following:
  ◦ Update the existing PRA configuration with the Any user identity group to reflect a user identity group other than Any.
  ◦ Delete the existing PRA configuration with the user identity group "Any".

Procedure

Step 1 Choose Administration > System > Settings > Posture > Reassessments.
Step 2 Click Add.
Step 3 Modify the values in the New Reassessment Configuration page to create a new PRA.
Step 4 Click Submit to create a PRA configuration.

Download Posture Updates to Cisco ISE

Posture updates include a set of predefined checks, rules, and support charts for antivirus and antispyware for both Windows and Macintosh operating systems, and operating system information that is supported by Cisco. You can also update Cisco ISE offline from a file on your local system that contains the latest archives of updates.

When you deploy Cisco ISE on your network for the first time, you can download posture updates from the web. This process usually takes approximately 20 minutes. After the initial download, you can configure Cisco ISE to verify and download incremental updates automatically.

Cisco ISE creates default posture policies, requirements, and remediations only once, during the initial posture update. If you delete them, Cisco ISE does not create them again during subsequent manual or scheduled updates.

Before You Begin

To ensure that you are able to access the appropriate remote location from which you can download posture resources to Cisco ISE, you may be required to verify that you have the correct proxy settings configured for your network, as described in Specifying Proxy Settings in Cisco ISE, page 5-2.

You can use the Posture Update page to download updates dynamically from the web.

Procedure

Step 1 Choose Administration > System > Settings > Posture > Updates.
Step 2 Choose the Web option to download updates dynamically.
Step 3 Click Set to Default to set the Cisco default value for the Update Feed URL field.
If your network restricts URL-redirection functions (via a proxy server, for example) and you are experiencing difficulty accessing the above URL, try also pointing your Cisco ISE to the alternative URL in the related topics.

Step 4 Modify the values on the Posture Updates page.
Step 5 Click Update Now to download updates from Cisco.
Step 6 Click OK to continue with other tasks on Cisco ISE.
Once updated, the Posture Updates page displays the current Cisco updates version information under the Update Information section, as verification that the update succeeded.

Download Posture Updates Automatically

After an initial update, you can configure Cisco ISE to check for updates and download them automatically.

Before You Begin

• You must have performed the initial posture update before you configure Cisco ISE to check for updates and download them automatically.

Procedure

Step 1 Choose Administration > System > Settings > Posture > Updates.
Step 2 In the Posture Updates page, check the Automatically check for updates starting from initial delay check box.
Step 3 Enter the initial delay time in hh:mm:ss format.
Cisco ISE starts checking for updates after the initial delay time is over.
Step 4 Enter the time interval in hours.
Cisco ISE downloads the updates to your deployment at the specified interval, counted from the initial delay time.
Step 5 Click Yes to continue.
Step 6 Click Save.

Configure Acceptable Use Policies for Posture Assessment

After login and successful posture assessment of clients, the client agent displays a temporary network access screen. This screen contains a link to an acceptable use policy (AUP). When users click the link, they are redirected to a page that displays the network-usage terms and conditions, which they must read and accept.

Each Acceptable Use Policy configuration must have a unique user identity group, or a unique combination of user identity groups. Cisco ISE finds the AUP for the first matched user identity group and then communicates it to the client agent, which displays the AUP.
Procedure

Step 1 Choose Administration > System > Settings > Posture > Acceptable Use Policy.
Step 2 Click Add.
Step 3 Modify the values in the New Acceptable Use Policy Configuration page.
Step 4 Click Submit.

Posture Conditions

A posture condition can be any one of the following simple conditions: a file, a registry, an application, a service, or a dictionary condition. One or more of these simple conditions form a compound condition, which can be associated with a posture requirement.

When you deploy Cisco ISE on your network for the first time, you can download posture updates from the web. This process is called the initial posture update.

After an initial posture update, Cisco ISE also creates Cisco-defined simple and compound conditions. Cisco-defined simple conditions have pc_ as their prefix and Cisco-defined compound conditions have pr_ as their prefix.

You can also configure Cisco ISE to download the Cisco-defined conditions periodically as a result of dynamic posture updates through the web. You cannot delete or edit Cisco-defined posture conditions.

Both user-defined and Cisco-defined conditions include simple conditions and compound conditions.

Simple Posture Conditions

You can use the Posture navigation pane to manage the following simple conditions:

• File Conditions—A condition that checks the existence of a file, the date of a file, and the version of a file on the client.
• Registry Conditions—A condition that checks for the existence of a registry key or the value of a registry key on the client.
• Application Conditions—A condition that checks whether an application (process) is running or not running on the client.
• Service Conditions—A condition that checks whether a service is running or not running on the client.
• Dictionary Conditions—A condition that checks a dictionary attribute against a value.

Related Topics

File Condition Settings, on page 826
Registry Condition Settings, on page 827
Application Condition Settings, on page 828
Service Conditions Settings, on page 829
Dictionary Simple Conditions Settings, on page 833
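To make the relationship between the five simple condition types, compound conditions and the Default Posture Status concrete, the following Python is an added example and not Cisco's posture engine. It checks each simple condition type against a constructed endpoint snapshot, composes simple conditions into compound ones with AND/OR/NOT, ties a compound condition to a requirement for one operating system family, and, when no requirement applies to the endpoint (the Linux case from Set Posture Status for Nonagent Devices above), returns the Default Posture Status instead. The pc_/pr_ names imitate Cisco's prefixes but the conditions, the antivirus product, the file path and the endpoint data are all made up; the AUOptions registry key is the real Windows Update key, but the value check here is illustrative.

```python
"""Evaluate simple and compound posture conditions against an endpoint snapshot.

Added example, not Cisco's posture engine. It models the five simple condition
types (file, registry, application, service, dictionary), composes them with
AND/OR/NOT into compound conditions, and applies the Default Posture Status
when no requirement applies to the endpoint. Condition names mirror the pc_/pr_
prefixes but are constructed, as are the endpoint snapshots.
"""
from dataclasses import dataclass


@dataclass
class Simple:
    """One simple condition; `kind` selects which part of the snapshot is checked."""
    kind: str    # 'file' | 'registry' | 'application' | 'service' | 'dictionary'
    params: dict

    def check(self, ep):
        p = self.params
        if self.kind == "file":          # exists, and version >= min_version if given
            f = ep["files"].get(p["path"])
            return f is not None and tuple(f["version"]) >= tuple(p.get("min_version", (0,)))
        if self.kind == "registry":      # key exists, and equals value if given
            v = ep["registry"].get(p["key"])
            return v is not None and ("value" not in p or v == p["value"])
        if self.kind == "application":   # process running (or required not running)
            return (p["name"] in ep["processes"]) == p.get("running", True)
        if self.kind == "service":       # service running (or required not running)
            return (p["name"] in ep["services"]) == p.get("running", True)
        if self.kind == "dictionary":    # endpoint attribute equals value
            return ep["attributes"].get(p["attribute"]) == p["value"]
        raise ValueError(f"unknown simple condition kind {self.kind!r}")


@dataclass
class Compound:
    """AND/OR/NOT over Simple or nested Compound conditions."""
    op: str
    parts: list

    def check(self, ep):
        results = [part.check(ep) for part in self.parts]
        if self.op == "AND":
            return all(results)
        if self.op == "OR":
            return any(results)
        if self.op == "NOT":
            return not results[0]
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Requirement:
    """A posture requirement: a condition that applies to one OS family (or Any)."""
    name: str
    os_family: str
    condition: object

    def applies_to(self, ep):
        return self.os_family == "Any" or ep["attributes"].get("os_family") == self.os_family


def assess(ep, requirements, default_status="Noncompliant"):
    """Return (status, failed_requirement_names). With no applicable requirement
    the endpoint takes the Default Posture Status, as a non-agent device or an
    unmatched Windows/Mac endpoint does under the General Settings model."""
    applicable = [r for r in requirements if r.applies_to(ep)]
    if not applicable:
        return default_status, []
    failed = [r.name for r in applicable if not r.condition.check(ep)]
    return ("Compliant" if not failed else "Noncompliant"), failed


# Constructed conditions (names imitate Cisco's pc_/pr_ prefixes).
AU_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions"
pc_auto_update_enabled = Simple("registry", {"key": AU_KEY, "value": 4})
pc_av_service_running = Simple("service", {"name": "ExampleAV", "running": True})
pc_av_defs_current = Simple("file", {"path": r"C:\ProgramData\ExampleAV\defs.dat",
                                     "min_version": (2014, 12, 1)})
pc_no_p2p_client = Simple("application", {"name": "p2pclient.exe", "running": False})
pr_av_compliant = Compound("AND", [pc_av_service_running, pc_av_defs_current])
pr_windows_baseline = Compound("AND", [pc_auto_update_enabled, pr_av_compliant, pc_no_p2p_client])
REQUIREMENTS = [Requirement("Windows_Baseline", "Windows", pr_windows_baseline)]

# Constructed endpoint snapshots, shaped like what an agent would report.
WIN_OK = {"attributes": {"os_family": "Windows"},
          "files": {r"C:\ProgramData\ExampleAV\defs.dat": {"version": (2015, 1, 3)}},
          "registry": {AU_KEY: 4}, "processes": {"explorer.exe"}, "services": {"ExampleAV"}}
WIN_BAD = {"attributes": {"os_family": "Windows"},
           "files": {r"C:\ProgramData\ExampleAV\defs.dat": {"version": (2013, 6, 1)}},
           "registry": {AU_KEY: 1}, "processes": {"p2pclient.exe"}, "services": set()}
LINUX = {"attributes": {"os_family": "Linux"}, "files": {}, "registry": {},
         "processes": set(), "services": set()}

if __name__ == "__main__":
    for label, ep in (("win-ok", WIN_OK), ("win-bad", WIN_BAD), ("linux", LINUX)):
        print(label, assess(ep, REQUIREMENTS, default_status="Noncompliant"))
```

The point the model makes visible is that the Linux snapshot is neither compliant nor noncompliant on its own merits: with no requirement for its OS family it simply inherits whatever Default Posture Status is configured, so a deployment that leaves that setting at Compliant without a matching Client Provisioning policy is granting access to unchecked endpoints.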