本文档介绍如何配置思科自适应安全设备(ASA)版本9.2.1,以便针对思科身份服务引擎(ISE)对VPN用户进行安全评估,而无需内联状态节点(IPN)。
Cisco 建议您了解以下主题:
本文档中的信息基于以下软件版本:
Cisco ASA版本9.2.1支持RADIUS授权更改(CoA)(RFC 5176)。这允许对Cisco ISE进行VPN用户状态分析,无需IPN。在VPN用户登录后,ASA会将网络流量重定向到ISE,用户在此调配网络准入控制(NAC)代理或Web代理。代理对用户机器执行特定检查,以确定其是否符合一组已配置的状况规则,如操作系统(OS)、补丁、防病毒、服务、应用或注册表规则。
然后,将状态验证结果发送到ISE。如果认为计算机有投诉,则ISE可以使用新的授权策略集向ASA发送RADIUS CoA。在成功的安全状态验证和CoA后,允许用户访问内部资源。
如网络图所示,以下是流量传输:
使用此部分配置ASA和ISE。
以下是Cisco AnyConnect访问的基本ASA配置:
ip local pool POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxxx 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.111.10 255.255.255.0
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.48.66.74
key cisco
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GP-SSL internal
group-policy GP-SSL attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
tunnel-group RA type remote-access
tunnel-group RA general-attributes
address-pool POOL
authentication-server-group ISE
default-group-policy GP-SSL
tunnel-group RA webvpn-attributes
group-alias RA enable
对于ASA与ISE终端安全评估集成,请确保您:
以下是配置示例:
access-list redirect extended deny udp any any eq domain
access-list redirect extended deny ip any host 10.48.66.74
access-list redirect extended deny icmp any any
access-list redirect extended permit tcp any any eq www
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization
aaa-server ISE (inside) host 10.48.66.74
key cisco
tunnel-group RA general-attributes
address-pool POOL
authentication-server-group ISE
accounting-server-group ISE
default-group-policy GP-SSL
完成以下步骤以配置ISE:
默认情况下,状态为一次性事件。但是,有时需要定期检查用户合规性并根据结果调整对资源的访问。此信息通过SWISS协议(NAC代理)推送或在应用(Web代理)中编码。
要检查用户合规性,请完成以下步骤:
这两种情况都可用于状况规则。第一条 规则仅匹配初始评估,第二条规则匹配所有后续评估:
为了确认您的配置是否正常工作,请确保按所述完成以下步骤:
aaa_url_redirect: Added url redirect:https://ise2.test-cisco.com:8443/
guestportal/gateway?sessionId=c0a8700a0000900052b840e6&action=cpp
acl:redirect for 10.10.10.10
ASA# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : cisco Index : 9
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 16077 Bytes Rx : 19497
Pkts Tx : 43 Pkts Rx : 225
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GP-SSL Tunnel Group : RA
Login Time : 14:55:50 CET Mon Dec 23 2013
Duration : 0h:01m:34s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8700a0000900052b840e6
Security Grp : 0
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 9.1
Public IP : 10.147.24.61
Encryption : none Hashing : none
TCP Src Port : 50025 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Client OS : win
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5204 Bytes Rx : 779
Pkts Tx : 4 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 9.2
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Encryption : RC4 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 50044
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5204 Bytes Rx : 172
Pkts Tx : 4 Pkts Rx : 2
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 9.3
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Encryption : AES128 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 63296
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5669 Bytes Rx : 18546
Pkts Tx : 35 Pkts Rx : 222
Pkts Tx Drop : 0 Pkts Rx Drop : 0
ISE Posture:
Redirect URL : https://ise2.test-cisco.com:8443/guestportal/gateway?
sessionId=c0a8700a0000900052b840e6&action=cpp
Redirect ACL : redirect
aaa_url_redirect: Created proxy for 10.10.10.10
aaa_url_redirect: Sending url redirect:https://ise2.test-cisco.com:8443/
guestportal/gateway?sessionId=c0a8700a0000900052b840e6&action=cpp
for 10.10.10.10
cisco.cpm.posture.runtime.PostureHandlerImpl -:cisco:c0a8700a0000900052b840e6
:::- Decrypting report
cisco.cpm.posture.runtime.PostureManager -:cisco:c0a8700a0000900052b840e6
:::- User cisco belongs to groups NAC Group:NAC:IdentityGroups:User Identity
Groups:Employee,NAC Group:NAC:IdentityGroups:An
cisco.cpm.posture.runtime.PostureManager -:cisco:c0a8700a0000900052b840e6
:::- Posture report token for endpoint mac 08-00-27-CD-E8-A2 is Healthy
cisco.cpm.posture.runtime.PostureManager -:cisco:c0a8700a0000900052b840e6
:::- Posture state is compliant for endpoint with mac 08-00-27-CD-E8-A2
cisco.cpm.posture.runtime.PostureCoA -:cisco:c0a8700a0000900052b840e6
:::- Posture CoA is triggered for endpoint [null] with session
[c0a8700a0000900052b840e6]
ASA# Received RAD_COA_REQUEST
RADIUS packet decode (CoA-Request)
Radius: Value (String) =
41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d | ACS:CiscoSecure-
44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 | Defined-ACL=#ACS
41 43 4c 23 2d 49 50 2d 50 45 52 4d 49 54 5f 41 | ACL#-IP-PERMIT_A
4c 4c 5f 54 52 41 46 46 49 43 2d 35 31 65 66 37 | LL_TRAFFIC-51ef7
64 62 31 | db1
Got AV-Pair with value audit-session-id=c0a8700a0000900052b840e6
Got AV-Pair with value ACS:CiscoSecure-Defined-ACL=
#ACSACL#-IP-PERMIT_ALL_TRAFFIC-51ef7db1
aaa_url_redirect: Deleted url redirect for 10.10.10.10
ASA# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : cisco Index : 9
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 94042 Bytes Rx : 37079
Pkts Tx : 169 Pkts Rx : 382
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GP-SSL Tunnel Group : RA
Login Time : 14:55:50 CET Mon Dec 23 2013
Duration : 0h:05m:30s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8700a0000900052b840e6
Security Grp : 0
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 9.1
Public IP : 10.147.24.61
Encryption : none Hashing : none
TCP Src Port : 50025 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 24 Minutes
Client OS : win
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5204 Bytes Rx : 779
Pkts Tx : 4 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 9.2
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Encryption : RC4 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 50044
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 24 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5204 Bytes Rx : 172
Pkts Tx : 4 Pkts Rx : 2
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-51ef7db1
DTLS-Tunnel:
Tunnel ID : 9.3
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Encryption : AES128 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 63296
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 83634 Bytes Rx : 36128
Pkts Tx : 161 Pkts Rx : 379
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-51ef7db1
本部分提供了可用于对配置进行故障排除的信息。
导航到Administration > Logging > Debug Log Configuration以启用调试。Cisco建议您为以下各项启用临时调试:
在CLI中输入以下命令以查看调试:
ise2/admin# show logging application ise-psc.log tail count 100
导航至操作>报告> ISE报告>终端和用户>终端安全评估详细信息评估以查看终端安全评估报告:
在Posture More Detail Assessment页面上,将显示具有要求名称的策略名称,以及结果:
您可以在ASA上启用以下调试:
对于NAC代理,可以使用从GUI启动的Cisco Log Packager或CLI(CCAAgentLogPackager.app)收集调试。
要检索Web代理的日志,请导航到以下位置:
如果终端安全评估失败,用户会看到以下原因:
然后,如果配置了以下操作,则允许用户采取补救操作:
版本 | 发布日期 | 备注 |
---|---|---|
1.0 |
21-Apr-2016 |
初始版本 |