Configure Cisco ISE 3.1 Posture with Linux

Introduction

This document describes the procedure to configure and implement a file posture policy for Linux and the Identity Services Engine (ISE).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Anyconnect
• Identity Services Engine (ISE)
• Linux

Components Used

 The information in this document is based on these software and hardware versions:

• Anyconnect 4.10.05085
• ISE version 3.1 P1
• Linux Ubuntu 20.04
• Cisco Switch Catalyst 3650. Version 03.07.05.E (15.12(3)E5)

Configure

Configurations on ISE

Step 1. Update posture service:

Navigate to Work Centers > Posture > Settings > Software Updates > Posture Updates. Select Update now and wait for the process to finish:

A Cisco-provided package is a software package that you download from the Cisco.com site, such as the AnyConnect software packages. A customer-created package is a profile or a configuration that you created outside the ISE user interface and want to upload to ISE for use with posture assessment. For this exercise, you can download the AnyConnect webdeploy package “anyconnect-linux64-4.10.05085-webdeploy-k9.pkg”.

Note: Due to updates and patches, the recommended version can change. Use the latest recommended version from the cisco.com site.

Step 2.Upload AnyConnect package:

From within the Posture Work center, navigate to Client Provisioning > Resources

Step 3. Select Add > Agent Resources from Local Disk

Step 4. Select Cisco Provided Packages from the Category dropdown.

Step 5. Click Browse.

Step 6. Choose one of the AnyConnect packages that you downloaded in the previous step. The AnyConnect image is processed, and the information about the package is displayed

Step 7. Click Submit. Now that AnyConnect is uploaded to ISE, you can have ISE contact and get the other client resources from Cisco.com.

Note: Agent Resources include modules used by the AnyConnect Client that provides the ability to assess an endpoint's compliance for a variety of condition checks such as Anti-Virus, Anti-Spyware, Anti-Malware, Firewall, Disk Encryption, File, and so on.

Step 8. Click Add > Agent Resources from Cisco Site. It takes a minute for the window to populate as ISE reaches out to Cisco.com and retrieves a manifest of all the published resources for client provisioning.

Step 9. Select the latest AnyConnect compliance modules for Linux. In addition, you can also select the compliance module for Windows and Mac.

Step 10. Select the latest temporal agents for Windows and Mac.

Step 11. Click Save.

Note: MAC and Windows Posture configurations are out of the scope of this configuration guide.

At this point, you have uploaded and updated all the required parts. It is now time to build the configuration and profiles required to use those components.

Step 12. Click Add > NAC Agent or AnyConnect Posture Profile.

The parameters that need to be modified are:

• VLAN detection interval: This setting enables you to set the number of seconds the module waits between probing for VLAN changes. The recommendation is 5 seconds.
• Ping or ARP: This is the actual VLAN change detection method. The agent can ping the default gateway or monitor the ARP cache for the default gateway’s entry to timeout or both. The recommended setting is ARP.

• Remediation timer: When an endpoint’s posture is unknown, the endpoint is put through a posture assessment flow. It takes time to remediate failed posture checks; the default time is 4 minutes before marks the endpoint as noncompliant, but the values can range from 1 to 300 minutes (5 hours). The recommendation is 15 minutes; however, this can require adjustments if remediation is expected to take longer.

Note: Linux File Posture does not support automatic remediation.

For a comprehensive description of all the parameters please refer to the ISE or AnyConnect posture documentation.

Step 13. Agent Behavior select Posture probes Backup List and select Choose, select the PSN/Standalone FQDN and Select Save

Step 14. Under Posture Protocols > Discovery Host define the PSN/Standalone node ip address.

Step 15. From Discovery backup server list and Select choose, select your PSN or standalone FQDN and select Select.

Step 16. Under Server name rules type * to contact all the servers and define the PSN/Standalone IP address under call home list. Alternatively, a wildcard can be used to match all potential PSNs in your network (that is *.acme.com).

Step 17. Click Add > AnyConnect Configuration

Scroll down and select Submit

Step 18. When you finished to make selections, click Submit.

Step 19. Select Work Centers > Posture > Client Provisioning > Client Provisioning Portals.

Step 20. Under the Portal Settings section, where you can select the interface and port, as well as the groups that are authorized to the page Select Employee, SISE_Users  and Domain Users.

Step 21. Under Log in Page Settings, ensure Enable auto Log In option is enabled

Step 22. On the upper right corner Select Save

Step 23.Select Work Centers > Posture > Client Provisioning > Client Provisioning Policy.

Step 24. Click the down arrow next to the IOS rule in the CPP and choose Duplicate Above

Step 25. Name the rule LinuxPosture

Step 26. For Results, select the AnyConnect Configuration as the agent.

Note: In this case, you do not see a compliance module dropdown because it is configured as part of the AnyConnect configuration.

Step 27.Click Done.

Step 28. Click Save.

Posture Policy Elements

Step 29.Select Work Centers > Posture > Policy Elements > Conditions > File. Select Add.

Step 30.Define TESTFile as the file condition name and define the next values

Note: Path is based on the file location.

Step 31. Select Save

FileExistence.This file type of condition looks to see if a file exists in the system where it is supposed to—and that is all. With this option selected, there is no concern at all for validate the file dates, hashes, and so on

Step 32. Select Requirements and create a new policy as follows:

 

Note: Linux does not support Message text only as remediation action

Requirement components

• Operating system: Linux All
• Compliance module: 4.x
• Posture type: AnyConnect
• Conditions: Compliance modules and agents (which become available after you select the OS)
• Remediation actions: Remediations that become available for selection after all the other conditions have been chosen.

Step 33. Select Work Centers > Posture > Posture Policy

Step 34. Select Edit on any policy and Select Insert New policy Define LinuxPosturePolicy Policy as the name and ensure you add your requirement created in step 32.

Step 35. Select Done and Save

Other Important Posture Settings (Posture General Settings section)

The important settings in the Posture General Settings section are as follows:

• Remediation Timer: This setting defines the amount of time a client has to correct a failed posture condition. There is also a remediation timer in the AnyConnect configuration; this timer is for ISE, not AnyConnect.
• Default Posture Status: This setting provides the posture status for devices without the posture agent or operating systems that cannot run the temporal agent, such as Linux-based operating systems.
• Continuous Monitoring Interval: This setting applies to the application and hardware conditions that are taking inventory of the endpoint. The setting specifies how often AnyConnect must send the monitoring data.
• Acceptable Use Policy in Stealth Mode: The only two choices for this setting are to block or continue. Block prevents stealth mode AnyConnect clients from proceeding if the AUP has not been acknowledged. Continue allows the stealth mode client to proceed even without acknowledging the AUP (which is often the intent when using the stealth mode setting of AnyConnect).

Reassessment Configurations

Posture reassessments are a critical component of the posture workflow. You saw how to configure the AnyConnect agent for posture reassessment in the “Posture Protocol” section. The agent periodically checks in with the PSNs defined based on the timer in that configuration.

When a request reaches the PSN, the PSN determines whether a posture reassessment is needed, based on the ISE configuration for that endpoint’s role. If the client passes the reassessment, the PSN maintains the endpoint’s posture-compliant state, and the posture lease is reset. If the endpoint fails the reassessment, the posture status changes to noncompliant, and any posture lease that existed is removed.

Step 36. Select Policy > Policy Elements > Results > Authorization > Authorization Profile. Select Add

Step 37. Define Wired_Redirect as the Authorization Profile and configure the next parameters

Step 38. Select Save

Step 39. Configure Authorization policies

There are three preconfigured authorization rules for posture:

1. The first is configured to match when authentication succeeds, and a device’s compliance is unknown.
2. The second rule matches successful authentications with non-compliant endpoints.

Note: Both of the first two rules have the same result, which is to use a preconfigured authorization profile that redirects the endpoint to the Client Provisioning portal.

3. The final rule matches successful authentication and posture-compliant endpoints and uses the prebuilt PermitAccess authorization profile.

Select Policy > Policy Set and select the right arrow for Wired 802.1x - MAB Created in the previous lab.

Step 40. Select Authorization Policy and create the next rules

Configurations on the switch

Note: The below configuration refers to IBNS 1.0. There can be differences for IBNS 2.0 capable switches. It includes Low Impact mode deployment.

username <admin> privilege 15 secret <password>
aaa new-model
!
aaa group server radius RAD_ISE_GRP
server name <isepsnnode_1>
server name 
!
aaa authentication dot1x default group RAD_ISE_GRP
aaa authorization network default group RAD_ISE_GRP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group RAD_ISE_GRP
aaa accounting dot1x default start-stop group RAD_ISE_GRP
!
aaa server radius dynamic-author
 client  server-key 
 client  server-key 
!
aaa session-id common
!
authentication critical recovery delay 1000
access-session template monitor
epm logging
!
dot1x system-auth-control
dot1x critical eapol
!

# For Access Interfaces:
interface range GigabitEthernetx/y/z - zz
 description VOICE-and-Data
 switchport access vlan 
 switchport mode access
 switchport voice vlan 
 ip access-group ACL_DEFAULT in
 authentication control-direction in # If supported
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto

 # Enables preiodic re-auth, default = 3,600secs
 authentication periodic

 # Configures re-auth and inactive timers to be sent by the server
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout server-timeout 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 auto qos trust

# BEGIN - Dead Server Actions -
 authentication event server dead action authorize vlan 
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
# END - Dead Server Actions -
 spanning-tree portfast
!

# ACL_DEFAULT #
! This ACL can be customized to your needs, this is the very basic access allowed prior
! to authentication/authorization. Normally ICMP, Domain Controller, DHCP and ISE
! http/https/8443 is included. Can be tailored to your needs.
!
ip access-list extended ACL_DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 permit ip any host 
 permit ip any host 
 permit tcp any host  eq www
 permit tcp any host  eq 443
 permit tcp any host  eq 8443
 permit tcp any host  eq www
 permit tcp any host  eq 443
 permit tcp any host  eq 8443
!
# END-OF ACL_DEFAULT #
!

# ACL_REDIRECT #
! This ACL can be customized to your needs, this ACL defines what is not redirected
! (with deny statement) to the ISE. This ACL is used for captive web portal,
! client provisioning, posture remediation, and so on.
!
ip access-list extended ACL_REDIRECT_AV
 remark Configure deny ip any host  to allow access to 
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   udp any eq bootps any
 deny   udp any any eq bootpc
 deny   udp any eq bootpc any
 remark deny redirection for ISE CPP/Agent Discovery
 deny   tcp any host  eq 8443
 deny   tcp any host  eq 8905
 deny   udp any host  eq 8905
 deny   tcp any host  eq 8909
 deny   udp any host  eq 8909
 deny   tcp any host  eq 8443
 deny   tcp any host  eq 8905
 deny   udp any host  eq 8905
 deny   tcp any host  eq 8909
 deny   udp any host  eq 8909
 remark deny redirection for remediation AV servers
 deny   ip any host 
 deny   ip any host 
 remark deny redireciton for remediation Patching servers
 deny   ip any host 
 remark redirect any http/https
 permit tcp any any eq www
 permit tcp any any eq 443
!
# END-OF ACL-REDIRECT #
!
ip radius source-interface 
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server vsa send accounting
radius-server vsa send authentication
radius-server dead-criteria time 30 tries 3
!
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
!
radius server 
 address ipv4  auth-port 1812 acct-port 1813
 timeout 10
 retransmit 3
 key 
!
radius server 
 address ipv4  auth-port 1812 acct-port 1813
 timeout 10
 retransmit 3
 key 
!
aaa group server radius RAD_ISE_GRP
 server name 
 server name 
!
mac address-table notification change
mac address-table notification mac-move

Verify

ISE Verification:

This section assumes that AnyConnect with the ISE posture module has been previously installed on the Linux System.

Authenticate PC using dot1x

Step 1. Navigate to Network Settings

Step 2. Select the Security tab and provide 802.1x configuration and user credentials

Step 3.Click “Apply”.

Step 4.Connect the Linux system to the 802.1x wired network and validate in the ISE live log:

 

In ISE, use the horizontal scroll bar to view additional information, such as the PSN that served the flow or the posture status:

Step 5. On the Linux client, redirection must occurs, and it presents the client provisioning portal indicating posture check occurs and to click “Start”:

Wait a few seconds while the connector tries to detect AnyConnect:

Due to a known caveat, even if AnyConnect is installed it does not detect it. Use Alt-Tab or the Activities menu to switch to the AnyConnect client.

AnyConnect attempts to reach the PSN for posture policy and assess the endpoint against it.

AnyConnect reports its determination of the posture policy back to ISE. In this case, compliant

 

On the other hand, if the file does not exist, the AnyConnect posture module reports the determination to ISE

 

Note: ISE FQDN needs to be resolvable on Linux system through DNS or local host file.

 

Troubleshoot

show authentication sessions int fa1/0/35

Redirect in place:

Authorization succeeded:

Not Compliant, moved to quarantine VLAN and ACL: