This document describes the configuration and use of Posture State Synchronization, introduced in Cisco Identity Services Engine (ISE) version 3.1.
Cisco recommends that you have knowledge of these topics:
It is assumed that a posture configuration of any type is already in place.
To better understand the concepts described later, it is recommended that you:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The ISE posture flow normally does not allow the posture status on the client to be updated from ISE. The Cisco Secure Client Posture module evaluates the posture status of the endpoint and retains it until a network change, a periodic reassessment, or another client-triggered event occurs. If the posture status changes on ISE because of session termination or another reason, the Secure Client Posture module can be unaware of the change, so the endpoint stays in the Posture Unknown state with restricted network access until some client-triggered event occurs.
This document focuses on a new feature, Posture Status Synchronization, designed to address such problems by allowing ISE to give the Secure Client Posture module feedback about the current state of the endpoint.
When Posture State Synchronization is enabled, a Posture State probing port is introduced on every ISE PSN node, TCP 8449 by default. It should be reachable from the endpoint when the endpoint posture status is Unknown or Pending, and it should not be reachable when the endpoint status is Compliant.
Posture State Synchronization configuration consists of two parts:
1.1 In the Cisco ISE GUI, navigate to Policy > Policy Elements > Results > Client Provisioning > Resources.
1.2 Select the AnyConnect Posture Profile you already use, or create a new one.
1.3 In the Agent Behavior area, configure the Posture State Synchronization Interval to any value between 1 and 300 seconds; a value of 0 disables state synchronization.
1.4 Optionally, configure the Posture Probe Backup List; Secure Client uses this list to check the posture state on the selected PSNs. If no PSN is selected, the connected PSN and any two backup servers are used as the backups for state synchronization.
2. Configure a downloadable ACL (dACL) that blocks access to the Posture State Synchronization port on Cisco ISE when the client posture state is Compliant or Non-Compliant. When the endpoint state is known, add, for every PSN, an access control deny entry for the Posture State Synchronization port at the top of the ACL used for compliant endpoints, so that access to the port is restricted, for example:
deny tcp any host PSN1-IP-ADDRESS eq 8449
deny tcp any host PSN2-IP-ADDRESS eq 8449
permit ip any any
The permit ip any any entry is not mandatory; you can replace it with any rule set you need.
Note: If the deny entries in the dACL are not configured, the Posture Configuration Detection Alarm is triggered on the Cisco ISE console and Posture State Synchronization is disabled on the endpoint until Cisco Secure Client is restarted.
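The dACL check in step 2 is easy to get wrong: a deny that comes after a broad permit never matches, and a PSN that was added later is easy to forget. The following script is an added example (not Cisco's own tooling) that parses a dACL in the format shown above, or the numbered output of show access-lists, and reports every PSN whose state synchronization port is not denied by the first matching entry. The PSN addresses are the page's placeholders, and the weak dACL is constructed for the demonstration.

```python
"""Added example, not Cisco's own tooling: verify that the dACL for the
Compliant authorization denies the Posture State Synchronization port
(TCP 8449 by default) to every PSN before any entry could permit it."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATE_SYNC_PORT = 8449

# Constructed placeholders standing in for the real PSN addresses.
PSN_ADDRESSES = ["PSN1-IP-ADDRESS", "PSN2-IP-ADDRESS"]

# The dACL shape the page recommends for Compliant endpoints.
GOOD_DACL = """\
deny tcp any host PSN1-IP-ADDRESS eq 8449
deny tcp any host PSN2-IP-ADDRESS eq 8449
permit ip any any
"""

# Constructed weak dACL: the permit comes first, so the deny never matches,
# and PSN2 has no deny entry at all.
BAD_DACL = """\
permit ip any any
deny tcp any host PSN1-IP-ADDRESS eq 8449
"""


@dataclass
class Ace:
    action: str               # permit | deny
    proto: str                # ip | tcp | udp | ...
    dst: str                  # "any", or a host/network address
    dst_port: Optional[str]   # value after "eq", if present

    def matches(self, psn: str, port: int) -> bool:
        """Would this entry decide TCP traffic to psn:port (first-match semantics)?"""
        if self.proto not in ("ip", "tcp"):
            return False
        if self.dst not in ("any", psn):
            return False
        return self.dst_port is None or self.dst_port == str(port)


def _take_addr(tokens: List[str]) -> Tuple[str, Optional[str], List[str]]:
    """Consume one address spec (any | host X | addr wildcard) plus an optional 'eq PORT'."""
    if not tokens:
        return "any", None, []
    if tokens[0] == "any":
        addr, rest = "any", tokens[1:]
    elif tokens[0] == "host":
        addr, rest = tokens[1], tokens[2:]
    else:
        addr, rest = tokens[0], tokens[2:]     # address followed by wildcard mask
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port, rest = rest[1], rest[2:]
    return addr, port, rest


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended ACE; leading sequence numbers from show access-lists are tolerated."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None                            # header lines, remarks, blanks
    action, proto = tokens[0], tokens[1]
    _src, _src_port, rest = _take_addr(tokens[2:])
    dst, dst_port, _rest = _take_addr(rest)
    return Ace(action, proto, dst, dst_port)


def unprotected_psns(dacl_text: str, psns: List[str] = PSN_ADDRESSES,
                     port: int = STATE_SYNC_PORT) -> List[str]:
    """Return the PSNs whose state-sync port is not denied by the first matching entry."""
    aces = [a for a in map(parse_ace, dacl_text.splitlines()) if a]
    result = []
    for psn in psns:
        first = next((a for a in aces if a.matches(psn, port)), None)
        if first is None or first.action != "deny":
            result.append(psn)
    return result


if __name__ == "__main__":
    for name, text in (("recommended dACL", GOOD_DACL), ("weak dACL", BAD_DACL)):
        missing = unprotected_psns(text)
        print(f"{name}: {'OK' if not missing else 'port 8449 open to ' + ', '.join(missing)}")
```

Because the check stops at the first matching entry, it also catches a deny that is present but shadowed by an earlier permit, which a simple text search for "8449" would miss.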
The Posture State Synchronization port (the bi-directional port) can be changed on the Client Provisioning Portal configuration page. Navigate to Administration > Device Portal Management > Client Provisioning > select the desired portal > Portal Behavior and Flow Settings, and expand Portal Settings. The Posture State Synchronization port cannot be changed for the default Client Provisioning Portal.
Posture State Synchronization can be verified from the client side by examining the Cisco Secure Client Posture module log (AnyConnect_ISEPosture.txt) in the DART bundle:
1. Posture assessment is completed with a posture status of Compliant.
2022/11/09 12:22:47 [Information] aciseagent Function: Authenticator::sendUIStatus Thread Id: 0xC60 File: authenticator.cpp Line: 1905 Level: debug MSG_SU_STEP_STATUS, {Status:4,Compliant:2,RemStatus:2,Phase:0,StepNumber:-1,Progress:-1,Attention:1,Cancellable:0,Restartable:0,ErrorMessage:0,Description1:"Compliant.",Description2:"Network access allowed."}.
2. The Posture State Synchronization probe is started.
2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 143 Level: info Session Sync Periodic Probing start.
2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 335 Level: info Session sync periodic probing thread start.
3. An HTTPS connection to the ISE PSN is initiated on the Posture State Synchronization port (8449).
2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 357 Level: debug Sending http session sync periodic probe to [ISE-PSN-FQDN].
2022/11/09 12:22:47 [Information] aciseagent Function: HttpConnection::MakeRequest Thread Id: 0x296C File: httpconnection.cpp Line: 330 Level: debug Url=https://ISE-PSN-FQDN:8449/auth/StateSynch.
4. The Posture State Synchronization probe times out.
2022/11/09 12:22:54 [Information] aciseagent Function: hs_transport_winhttp_post Thread Id: 0x296C File: hs_transport_winhttp.c Line: 5815 Level: debug unable to send request: 12002.
2022/11/09 12:22:54 [Information] aciseagent Function: hs_transport_post Thread Id: 0x296C File: hs_transport.c Line: 1425 Level: trace posting data failed.
2022/11/09 12:22:54 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 394 Level: debug HTTP Probe failed/timed-out, Retrying...
A packet capture taken on the client shows SYN packets sent to the ISE PSN node on the Posture State Synchronization port (8449) with no SYN-ACK response from the ISE PSN:
A correct Posture State Synchronization configuration cannot be verified from the ISE side, because the connection on the Posture State Synchronization port (8449) is expected to fail.
1) While Cisco Secure Client is in the Compliant state, the session state information received from ISE reports the posture status as Unknown.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 430 Level: debug --- Http Response Headers ---.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug HTTP-Version: 1.1.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Status-Code: 200.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Connection: keep-alive.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Date: Wed, 09 Nov 2022 11:26:24 GMT.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Keep-Alive: timeout=20.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Content-Length: 0.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Server: server.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-Frame-Options: SAMEORIGIN.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Strict-Transport-Security: max-age=31536000; includeSubDomains.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-Content-Type-Options: nosniff.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.cisco.com/ data:;.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-XSS-Protection: 1; mode=block.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Platform, Sec-CH-UA.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE_STATUS: Unknown.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 442 Level: debug --------------------.
2) Cisco Secure Client acknowledges the posture status change and restarts posture discovery:
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 379 Level: debug Different Session state on ISE = [ ISE-PSN-FQDN]. Restarting discovery.
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 387 Level: debug MSG_NS_SWIFT_RESTART_SEARCH, {manualRescan:0,stopPeriodicProbe:1}.
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1431 Level: debug Restarting Discovery.
3) Cisco Secure Client stops state synchronization until a posture assessment is performed:
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::processMessage Thread Id: 0xC60 File: swifthttprunner.cpp Line: 383 Level: debug Periodic Probes requested to be stopped.
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1436 Level: debug MSG_PN_STOP_PERIODIC_PROBE sent.
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1437 Level: debug MSG_PN_STOP_PERIODIC_PROBE, .
2022/11/09 12:26:24 [Information] aciseagent Function: hs_transport_free Thread Id: 0xC60 File: hs_transport.c Line: 606 Level: trace de-initialization done.
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 210 Level: debug MSG_PN_STOP_PERIODIC_PROBE received..
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 224 Level: debug Periodic Probing stopped.
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 411 Level: info Session sync periodic probing thread end.
If the AnyConnect_ISEPosture.txt log file contains no indication that state synchronization started, and the client does not attempt to establish a connection to the ISE PSN node on the Posture State Synchronization port (8449), check the posture configuration file ISEPostureCFG.xml from the DART bundle or directly on the client machine, under %ProgramData%\Cisco\Cisco Secure Client\ISE Posture\ (for Windows PCs).
The parameter responsible for state synchronization is StateSyncProbeInterval, and it must be set to a value greater than 0:
A missing StateSyncProbeInterval, or a value of 0, means that state synchronization is disabled.
If the Posture State Synchronization Interval is set in the posture profile on ISE but is not reflected in the client configuration file, posture provisioning must be investigated.
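The check described above (parameter missing, 0, or set) can be scripted for a batch of DART bundles. The following is an added example, not Cisco's tooling: it reads a copy of ISEPostureCFG.xml, locates StateSyncProbeInterval wherever it sits in the tree, and reports whether state synchronization is enabled and whether the value is inside the 1 to 300 second range the ISE profile accepts. Only the parameter name comes from the page; the element layout of the sample files is an assumption, and the samples are constructed.

```python
"""Added example, not Cisco's: report the state synchronization setting found in
a copy of ISEPostureCFG.xml. The surrounding element layout is an assumption;
only the parameter name StateSyncProbeInterval is taken from the documentation."""
import xml.etree.ElementTree as ET
from typing import Optional

PARAM = "StateSyncProbeInterval"
MIN_INTERVAL, MAX_INTERVAL = 1, 300      # range accepted by the ISE posture profile

# Constructed samples with an assumed minimal layout (not real client files).
ENABLED_CFG = "<ISEPostureCFG><StateSyncProbeInterval>30</StateSyncProbeInterval></ISEPostureCFG>"
ZERO_CFG = "<ISEPostureCFG><StateSyncProbeInterval>0</StateSyncProbeInterval></ISEPostureCFG>"
MISSING_CFG = "<ISEPostureCFG><OtherSetting>1</OtherSetting></ISEPostureCFG>"
OUT_OF_RANGE_CFG = "<ISEPostureCFG><StateSyncProbeInterval>900</StateSyncProbeInterval></ISEPostureCFG>"


def state_sync_interval(xml_text: str) -> Optional[int]:
    """Return the configured interval in seconds, or None when the parameter is absent or empty."""
    root = ET.fromstring(xml_text)
    node = next(root.iter(PARAM), None)       # search the whole tree, not just direct children
    if node is None or not (node.text or "").strip():
        return None
    return int(node.text.strip())             # ValueError surfaces a non-numeric value


def state_sync_verdict(xml_text: str) -> str:
    """Human-readable verdict matching the troubleshooting rule on the page."""
    try:
        value = state_sync_interval(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return f"unreadable: {exc}"
    if value is None:
        return f"disabled: {PARAM} missing from the profile"
    if value == 0:
        return f"disabled: {PARAM} is 0"
    if MIN_INTERVAL <= value <= MAX_INTERVAL:
        return f"enabled: probe every {value}s"
    return f"suspicious: {value}s is outside the {MIN_INTERVAL}-{MAX_INTERVAL}s range ISE accepts"


def verdict_for_file(path: str) -> str:
    """Convenience wrapper for a file pulled from the DART bundle or the client machine."""
    with open(path, encoding="utf-8") as fh:
        return state_sync_verdict(fh.read())


if __name__ == "__main__":
    for label, text in (("enabled", ENABLED_CFG), ("zero", ZERO_CFG),
                        ("missing", MISSING_CFG), ("out of range", OUT_OF_RANGE_CFG)):
        print(f"{label:12s} -> {state_sync_verdict(text)}")
```

If the profile on ISE shows a non-zero interval but the script reports the parameter as missing, that is the provisioning mismatch the paragraph above tells you to investigate.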
If Posture State Synchronization fails with an alarm on ISE, it means that Cisco Secure Client was able to reach ISE on the Posture State Synchronization port (8449) and request the session state while in the Compliant state.
A TCP connection is established on the Posture State Synchronization port (8449):
Check AnyConnect_ISEPosture.txt from the DART bundle:
1) An HTTPS connection to the ISE PSN is initiated on the Posture State Synchronization port (8449).
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 357 Level: debug Sending http session sync periodic probe to [ISE-PSN-FQDN].
2) The session state information received from ISE reports the posture status as Compliant.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 430 Level: debug --- Http Response Headers ---.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug HTTP-Version: 1.1.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Status-Code: 200.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Connection: keep-alive.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Date: Wed, 09 Nov 2022 11:26:34 GMT.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Keep-Alive: timeout=20.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Content-Length: 0.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Server: server.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-Frame-Options: SAMEORIGIN.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Strict-Transport-Security: max-age=31536000; includeSubDomains.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-Content-Type-Options: nosniff.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.cisco.com/ data:;.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-XSS-Protection: 1; mode=block.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Platform, Sec-CH-UA.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE_STATUS: Compliant.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 442 Level: debug --------------------.
3) Posture State Synchronization stops because an incorrect configuration was detected:
2022/11/09 12:26:34 [Error] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 370 Level: error Incorrect configuration detected by ISE = [ISE-PSN-FQDN], compliant status is not expected.
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 371 Level: debug MSG_PN_STOP_PERIODIC_PROBE, .
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 210 Level: debug MSG_PN_STOP_PERIODIC_PROBE received..
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 224 Level: debug Periodic Probing stopped.
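The three log excerpts on this page (probe timing out, ISE reporting Unknown followed by a discovery restart, and ISE reporting Compliant followed by the misconfiguration error) are the outcomes an engineer looks for when reading AnyConnect_ISEPosture.txt. The following script is an added example, not Cisco's tooling: it groups the log into individual probes, extracts the probe URL and the X-ISE-POSTURE_STATUS header, classifies each probe, and explains what the outcome means for a client that is currently Compliant. The sample log is constructed from the line format shown on this page, with the page's ISE-PSN-FQDN placeholder.

```python
"""Added example, not Cisco's: triage the Posture State Synchronization probes
recorded in AnyConnect_ISEPosture.txt (DART bundle) and classify each one."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample assembled from the line format shown on the page.
SAMPLE_LOG = """\
2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 357 Level: debug Sending http session sync periodic probe to [ISE-PSN-FQDN].
2022/11/09 12:22:47 [Information] aciseagent Function: HttpConnection::MakeRequest Thread Id: 0x296C File: httpconnection.cpp Line: 330 Level: debug Url=https://ISE-PSN-FQDN:8449/auth/StateSynch.
2022/11/09 12:22:54 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 394 Level: debug HTTP Probe failed/timed-out, Retrying...
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 357 Level: debug Sending http session sync periodic probe to [ISE-PSN-FQDN].
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE_STATUS: Unknown.
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 379 Level: debug Different Session state on ISE = [ ISE-PSN-FQDN]. Restarting discovery.
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 357 Level: debug Sending http session sync periodic probe to [ISE-PSN-FQDN].
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE_STATUS: Compliant.
2022/11/09 12:26:34 [Error] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 370 Level: error Incorrect configuration detected by ISE = [ISE-PSN-FQDN], compliant status is not expected.
"""

PROBE_START = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*Sending http session sync periodic probe to \[\s*([^\]]+?)\s*\]")
PROBE_URL = re.compile(r"Url=(https://[^ ]+/auth/StateSynch)")
POSTURE_HEADER = re.compile(r"X-ISE-POSTURE_STATUS:\s*(\w+)")

# Message fragments that end a probe, mapped to an outcome label.
OUTCOMES = {
    "HTTP Probe failed/timed-out": "timeout",
    "Different Session state on ISE": "state_changed",
    "Incorrect configuration detected by ISE": "misconfiguration",
}

# What each outcome means for a client that is currently Compliant.
MEANING = {
    "timeout": "expected: the dACL blocks port 8449 for the Compliant endpoint",
    "state_changed": "ISE no longer holds the session as Compliant; the client restarts discovery",
    "misconfiguration": "PSN reachable on 8449 while Compliant: check the dACL deny entries or the Network Transition Delay",
}


@dataclass
class Probe:
    started: str
    target: str
    url: Optional[str] = None
    ise_status: Optional[str] = None
    outcome: Optional[str] = None


def parse_probes(log_text: str) -> List[Probe]:
    """Group lines into probes: each starts at a 'Sending ... probe' line and ends at an outcome line."""
    probes: List[Probe] = []
    current: Optional[Probe] = None
    for line in log_text.splitlines():
        start = PROBE_START.search(line)
        if start:
            current = Probe(started=start.group(1), target=start.group(2))
            probes.append(current)
            continue
        if current is None:
            continue                       # noise between probes
        url = PROBE_URL.search(line)
        if url:
            current.url = url.group(1)
            continue
        header = POSTURE_HEADER.search(line)
        if header:
            current.ise_status = header.group(1)
            continue
        for fragment, outcome in OUTCOMES.items():
            if fragment in line:
                current.outcome = outcome
                current = None             # probe finished; wait for the next start
                break
    return probes


def explain(probe: Probe) -> str:
    return MEANING.get(probe.outcome or "", "probe still in progress or outcome not recognised")


def summarize(log_text: str) -> Dict[str, int]:
    """Count probes per outcome, useful for a first look at a long DART log."""
    counts: Dict[str, int] = {}
    for probe in parse_probes(log_text):
        key = probe.outcome or "unfinished"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for probe in parse_probes(SAMPLE_LOG):
        print(f"{probe.started} {probe.target} status={probe.ise_status} -> {probe.outcome}: {explain(probe)}")
    print(summarize(SAMPLE_LOG))
```

A healthy deployment with a compliant client produces only timeouts; a run of misconfiguration outcomes points at the dACL, and a single one right after authorization is the timing race described later on this page.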
Posture State Synchronization cannot be restarted from the Cisco Secure Client GUI by restarting the posture assessment or through a network change. Instead, Cisco Secure Client must be restarted for state synchronization to work again.
1. Verify that the correct dACL is configured in the authorization profile for the Compliant posture state:
2. Verify in the detailed authentication report that the dACL is correctly sent as the authentication result for the Compliant endpoint.
3. Verify that the dACL is correctly applied on the network access device:
avakhrus_3560C#sh authe sess int fa0/12 det
Interface: FastEthernet0/12
MAC Address: 0050.56a8.be02
IPv6 Address: Unknown
IPv4 Address: 192.168.255.193
User-Name: TRAINING\bob
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 92111s
Session Uptime: 1515s
Common Session ID: C0A8FF0C00000012679EAF14
Acct Session ID: 0x00000012
Handle: 0x5D000005
Current Policy: POLICY_Fa0/12
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
ACS ACL: xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac
Method status list:
Method State
mab Stopped
dot1x Authc Success
avakhrus_3560C#sh access-lists | s xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac
Extended IP access list xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac (per-user)
1 deny tcp any host PSN1-IP-ADDRESS eq 8449
2 deny tcp any host PSN2-IP-ADDRESS eq 8449
3 permit ip any any
Even when the correct dACL is applied to the client endpoint on the network access device, state synchronization can still fail with an alarm on ISE. This happens when the Posture State Synchronization probe runs before the dACL is applied, or when the probe is already in progress at the moment the dACL is applied. This issue is investigated in Cisco bug ID CSCwd58316. As a workaround, set the Network Transition Delay to 10 seconds in the AnyConnect posture profile (ISE Posture Agent Profile Settings).
Revision | Publish Date | Comments
---|---|---
1.0 | 18-Oct-2024 | Initial Release