Cisco ISE Posture compliance
Hello!
Is anyone know about Cisco ISE?
I have a problem with the respect of the Posture. I installed the NAC Agent on PC, Catalyst 2950, and ISE. Authentication is great, but the Posture of compliance does not. I'll send you information if you want to help me.
Thank you!
Catalyst 2950 does not support costs (RADIUS permission change) which is required for enforcement to work: http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038
Tags: Cisco Security
Similar Questions
-
Cisco ISE posture assessment and client provisioning
Hello
I have the Cisco ISE and Cisco IOS device. I configured the RADIUS between these devices.
Also, I configured RADIUSbetween ISE of Cisco and Cisco ASA. Now I want to know that how to posture assessment for these devices (ISE of Cisco and Cisco ASA or ISE Cisco Cisco IOS). Please give me the steps together for assesment for cisco ios device posture in Cisco ise.
In addition, please give me related to posture assessment and the provisioning client logs.
Thanks in advance.
You can go through the list link below to download a PDF link
Assessment of the posture with ISE.
http://www.Cisco.com/Web/CZ/expo2012/PDF/T_SECA4_ISE_Posture_Gorgy_Acs.PDF
~ BR
Jatin kone* Does the rate of useful messages *.
-
Issue of Posture 1.3 Cisco ISE.
Hi all
Small issue: assessment of posture for ISE customer how you configure ISE to use several AV vendors?
Example: I have configured ISE posture rating for Sophos AV definitions that works well, if I have introduced another provider of antivirus for the posture of the client assessment does not pass compliance because she's trying the two AV vendors? How do you ensure ISE verifies and marks as consistent customer for each suite AV?
Clients use AnyConnect V4.
Thanks in advance for any response.
Actually, after checking I don't think you can use two terms consisting of the VA, in another State, so you will need to create it using both your requirements in the same requirements, and then select "any condition to succeed", only problem is that you can have as a repair action, which can be a problem.
-
Cisco ISE 1.1.1 with Windows posturing
Hello
We tired for configured windows posturing here's the scenario
We saw five ise boxes 3315 with version 1.1.1 off them 2 is admin, 2 is PS and 1 MNT
and we have local Symantec and WSUS Server.
We make posturing for Windows where I have a few questions
(1) is there an integration here of the local WSUS server with Cisco ISE where Cisco ISE can automatically take all the mandatory WSUS update according to the crititcality of the WSUS server.
(2) what is advised to set up the strategy of the Posture of the posture of windows in Cisco ISE and if manually configure windows political posture using specific KB and if there is an update available on Microsoft will we be able to configure the policy for the new update.
(3) we have configured authentication dot1x in cisco ise and asked as well as on switch port where once the user must be connected to dot1x port of the switch it invites username and password dot1x and therefore, authorization policy, it gives vlan appropriate dynamics.
But what are the ways where we can restrict the machine which is rather than the assets of the company and even if the user's user name and password in short any employee aware how we can restrict the user making the machine rather than the assets of the company?
(4) can configure US policy posture for antivirus which will keep us in normal mode and at the same time, we can put posturing for windows which monioring mode which only monitor policy posture and reflected in the monitoring, log in which does not restrict the network for windows posturing
That will be great if any one can please help me to get the issues
Thank you
Pranav
What follows is under the POLICY-OF ELEMENTS of STRATEGY-POSTURE-> REQUIREMENTS > >
What follows is located under
POLICY OF-> ELEMENTS OF STRATEGY-> POSTURE->
REPAIR-> WINDOWS SERVER UPDATE SERVICES REMEDIATION ACTIONS
What follows is part POLICY-> POSTURE
These settings work ALMOST flawlessly for me by forcing her we approved on our WSUS server for our group of workstations updated (all of our laptops are members of the) which meet the criteria of severity EXPRESS (critical and Important). Now, what I've discovered in the last few days is that... MS seems a bit random in their identification of what severity level they assign to their updates. For example... I think that a service pack of the operating system would be considered IMPORTANT if not CRITICAL... however... Look at this from the identification of the server WSUS from Windows 7 Service Pack 1:
Thus, those who updates you deleted, I'd go throgh your WSUS server to identify how they are identified by gravity, then according to your needs set the parameters of the ISE accordingly to ensure that you get updates you plan.
Hope this helps everyone out there who has similar problems.
Thank you
Dirk
-
Cisco Ise 1.3 with Flex to connect wireless supported function
Hello
My environment is formed ROUND of flex-mode connection wireless and cisco Ise 1.3, these features are supported?
Basic functions of the AAA
profiling
posturing
Substitution VLAN
Substitution of the ACL
Comments commissioningTrustSec 2.0 this MDC is not supported? someone try this feature?
These all work with ISE 1.3 and FlexConnect WLAN.
You need the right license ISE - the type of mobility (wireless) license will cover everything. If you have wired and wireless, then you must have basic (for most features) + more (for profiling) + Apex (for Posturing).
-
Cisco ISE and the new Version of AntiVirus... not DAT
I am ready to go to our VPN ISE users. It was a great test and it seems that we are ready to roll.
Then comes a new version of our corporate AntiVirus software. We had Kaspersky EndPoint Security v8 since last August. Kaspersky now comes to Endpoint Security v10. It took about 3 months for compliance in ISE Module to allow the NAC Agent to recognize KESv10. But now, when we connect I get an error from the NAC stating bascially that the version of installed KES is no posture installation rules and he can't do anything. (see attachment for the exact wording)
I remember when we first set up the ISE, there was a screen that broke down the different manufacturers of AV and the different versions that would support ISE/NAC. I have no idea where it is now.
How to I update my sanitation/policies/rules to take account of two KES10 including, or simply change to allow version 8 +, or even ANY version?
I'm sure this is a simple solution, but I can't find it. I looked through a lot of documentation, and I even looked through a PDF of global laboratory on-site ISE posturing, and he can find.
Thank you
Dirk
Unfortunately, there are various known bugs related to the use of the browser "bad" that have been around for a while
-
ISE Posture Windows enter password to view the desktop very slow
Hello, had a problem of slowness that I don't know how to solve problems. ISE 2.0 patch3, AnyConnect 4.3.02
My setup is Anyconnect which is already on the computer windows laptop 10, EAP with TLS chaining for authentication of the host and PEAP for user auth. ISE Posture checks for windows AV defs and AV windows install. AnyConnect has 'start before logon' installed and * just work *. Boots of the user, auths from the machine before the connection of the user, user logs in and ISE Posture check runs and passes. The user gets the green checkmark on the line.
With a little problem. At the time wherever the user types the password and hit enter, the grip of the Welcome screen for about 45 to 60 seconds, a few rare occasions longer, my high water line is 1 minute 12 seconds. Meanwhile machine auth and auth user spend with the unknown state of compliance in the live of the radius of ISE log. Then welcome screen disappears and the bureau paints (finally), at this time, the machine cannot access anything on the network, 5 seconds later the Anyconnect client starts. 1 second later the bumps network connection, and the analysis of the Posture of ISE in the Anyconnect client starts. Analysis of the Posture of the ISE takes about 7-10 seconds to complete. After that everything is good and the user can access the network.
If control of Posture of ISE is deleted, the whole process takes 10-15 seconds password entry the user to be able to use the laptop and access the internet.
Does anyone have an idea whence this 'start delay '? Feels like a timeout of some sort. It happened on this latest version of the Anyconnect and 3 previous ones as well. I concentrate on my test machine windows 10 laptop, but the same thing happened on 4 other test systems which are a mixture of windows 7, 8.1 and 10. The 10 win test system is a lenovo x 1 carbon with an SSD and is normally fairly quick.
All the tips are greatly appreciated.
e-
Do you have the port in a vlan to auth machine and then change once the machine and the user connects? Also, you will probably need to open any acl you apply while the posture is 'unknown '. It is usually due to some AD access that is blocked.
-
I have a question
1. is it possible to install the Cisco ISE software on the server machine to physical HP (without solution VMware or without the use of SNS-3415-k9 cisco device)?
2. for 2500 users online, I'll order L-ISE-BSE-2550, L-ISE-PLS-S-2500 and L-ISE-APX-S-2500 of basis, more and apex licenses. My question is HA (primary and secondary) application I need 2 licenses for each? (2 * L - ISE - BSE - 2550, 2 * L - ISE - PLS - S - 2500 and 2 * L - ISE - APX - S - 2500)
or just a license for each is enough?
3. If I implement Cisco ISE and HA on VMware environment, can I 2 L-ISE-VM-K9 licenses for each VM machines? and also I need 2 licenses for each basic, plus, and at the apex?
4. What is smart net Cisco and Cisco SASU? need to buy these for support and ticketing system?
5. What is license for cisco anyconnect (L-AC-APX-1 year-G)?
thnx in adv.
You can install ISE on a HP ONLY Server if you are using software virtualization (VMware or KVM).
The Guide of Installation of ISE sets out three options:
1 hardware appliance from cisco SNS
2. virtual machine VMware
3 Linux KVM.
The AnyConnect license is required to qualify with the features of the Apex. It is not installed on the ISE server, however.
-
Cisco ISE with GANYMEDE + and RADIUS both?
Hello
I'm wired opening of authentication on a network using Cisco ISE. I studied the conditions for this. I know that I need to enable the RADIUS on the Cisco switches on the network. The switches in the network are already programmed to GANYMEDE +. Anyone know if they can both operate on the same network at the same time?
Bob
I suppose that Ganymede is configured (with ACS 4.x or 5.x) for the peripheral administration via telnet/ssh, and now you need the RADIUS (radius) to authenticate 802. 1 x. Yes they can both work on the same network at the same time.
~ BR
Jatin kone* Does the rate of useful messages *.
-
Cisco ISE 1.1.2.145 Admin authentication via the LDAP protocol
I have configured the LDAP protocol and able to retrieve our LDAP directory structure. Now, I'm trying to point authentication "Admin Access" Source 'External identity', which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for some reason the LDAP configuration does not work. I learned that the ISE can automatically return to local auth as external sources Idenitity are inaccessible. How can I test the LDAP authentication with breaking them our Admin Access? I thought to open two parallel sessions, one with Super Admin account Local and one with the domain account. But I noticed that ISE communication is smart enough for the closing session/connection no matter what other sessions in different browsers so, basically, I can't open two parallel sessions the same machine to test. Suggestions? or am I missing something here?
Thanks in advance.
Hi Srinivas,
Even if you configure LDAP as a source of external identity of admin access, you can always internal relief without having locked. According to the ISE user guide:
During the operation, Cisco ISE is designed to "fall back" and try to perform the internal identity database authentication, if the communication with the external identity store has not been established, or if it fails. In addition, whenever an administrator for which you have configured external authentication launches a browser and initiates a logon session, the administrator must still the option authentication of demand through the local Cisco ISE database by choosing 'Internal' to the Selector drop-down storage of identity in the Connect dialog box.
http://www.Cisco.com/en/us/docs/security/ISE/1.1/user_guide/ise_man_identities.html#wp1351543
Please see the attached screenshot by my lab ISE:
I configured the admin authentication against AD, but I still see both 'Internal' and 'AD' at the time of the connection.
I hope this helps.
Thank you
Aastha
-
Hi all
I intend to implement cisco ISE in my network. I have 1000 endpoints and some mobile devices. I plan to use approach distributed and all licenses possible.
It is: should I buy licenses for all nodes. For example 1000 for the head node, 1000 for high school, 1000 for surveillance and so forth?
Or should I buy license only 1000 (I mean 1000 base + 1000 advances + 100 mobile) ones and apply them to all nodes?
Concerning
Max
Hi Max.
ISE is authorized by the deployment. So if you have a distributed with us deployment will tell ISE 10 nodes or servers you will always only the node main Administrator license.
Now, if you plan to have two deployments (say a deployment for the EMEA region and the other for APAC) then you would need licenses for both deployments (you allow the node primary admin in each deployment).
I hope this makes sense :)
Thank you for evaluating useful messages!
-
I am very new to Cisco ISE and Meraki. I try to get the Radius configuration for wireless authentication. When I do a test of the Meraki to ISE, it passes.
When I try to connect from my laptop, I look at the logs of the Radius and it passes; However, it does not connect me to good policy. I keep hitting the default policy. I have my Meraki police above the default policy in the strategy defined in article. I have attached what looks like my strategy game.
Devices does not really matter. Here is what I see when I create a device group (where you add the access point to this group), and then create the condition:
And here is where I create the condition of strategy game and you should be able to select the Meraki access points:
This will give you the condition similar to what I posted above. This is perhaps why you aren't hit that is not matching the condition for this game.
-
Cisco ISE (Identity Services Engine) - seeds SGA device?
Hello
We have a LAB with Cisco ISE, certificates and list DACL. Everything works fine with the 1.1.1 version but now we want to use the functionality of CMS - SGT instead of the ACL and we found that we need seed for this device and the only device that takes in charge the Nexus 7000 is. Is this true? What is the only way that we can use LMS - SGT? Are there plans that any other device will be used to seed device?
BR, Marko
The device of seed set as first device that communicates with the ISE. It must be a link.
http://www.Cisco.com/en/us/docs/solutions/enterprise/security/TrustSec_2.0/trustsec_2.0_dig.PDF
In addition the Nexus needs a license of Advanced Services installed in order to support the Trustsec.
I can't comment on any future plans.
-
Group of endpoint Cisco ISE 1.4 hotspot
Patch 1.4 Cisco ISE 6
Cisco WLC 8.0.121
Setup
the WLC has a named Hotspot SSID. It uses mac auth with radius of the NAC to redirect to the Hotspot portal of reviews on the ISE.
drops flexconnect users in vlan 401 (with preAuthAcl), after the PSU, it is initially a COA to move users to VLANs 413 with permitInternetAcl
Description of the problem:
users connect to the SSID of the access point and get an IP address valid in vlan 401
redirected to the page of the hotspot on the ISE with a PSU and the PIN code request.
are they disconnect from the network and reconnect, the ISE sends a certificate of authenticity to move to 413 without the Hotspot portal.
what I've noticed, is that as soon as users get the redirect of the original Web page, they are moved to the endpoint group defined in the hotspot portal.
What I've read about this behavior makes me understand that it is a default behavior, but if that's the case then I'm not sure on how I can make my font to check if the PSU has been accepted.
Thank you
Maarten
Cisco WLC 8.2.100
Patch 1.4 ISE 6
Similar Hotspot ISE installation, of similar rules except change VLAN. I have observed the same behavior.
This configuration was working on patch 5.
Update:
I found a solution based on the following bug. Use the following attribute in the authorization rule. The success page remains but no Instant Internet access is available using this workaround solution.
https://Tools.Cisco.com/bugsearch/bug/CSCux22558/?referring_site=bugquic...
' Workaround:
"Use the LEAST 24 endpoints: LastAUPAcceptanceHours for example (means PUA agreed less than 24 hours ago). -
Cisco ISE comments Sponsor Isssue Portal
Hi all
We have insatalled 5 boxes of ise 3315 IOS 1.0.4 in our network where in two of them are admin node, two services strategy and has a node mnt. We using sponsor portal for guest user wirless comments where we integrated WLC 5508 with ise and using weblogin for guest users.
We have created open ssid wlc and external aid redirected url to ise for the login page of comments.
But when we create a guest in the sponsor for guest user connection, user that we faced after publication
(1) when guest user gets connected to WiFi and connect to the portal of comments with credentials after putting the credentials then his new redirect to the same login page
wihout invites successful connection.
Can us guest login successful after comments connect to the portal of reviews or redirect any other link as google.com for guest user will be done the knowledge he is able to access the internet now
(2) we have appointed time profile 8hours first user login guest. When the guest user gets connected while putting in credentials on the portal of comments.
But we are facing problem after about 20 mins enhanced disconnects Internet and comments again Gets the login page of the portal of the guest and if we put the same credentials, then his work but after about 20 min interval disconnected Internet user.
Can someone help me resolved on observation about covers them cisco ise comments sponsor Portal
Thank you & best regards
Pranav Gade
Pranav your answers are online,
(1) when guest user gets connected to WiFi and connect to the portal of comments with credentials after putting the credentials then his new redirect to the same login page
wihout invites successful connection. When you use CWA (Central web authentication) there is no way we can redirect users by using the redirect url because it will always redirect users for each time they start a web request. There is no other cost functionality that will remove this condition because they have already been authenticated. Here is a guide that explains the user experience when using web Central auth -
http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_guest_pol.html#wp1296954
Can us guest login successful after login guest Portal comments or redirect any other link as google.com for guest user will be acquainted with it is able to access the internet now This is not possible, you can change the verbage and force the AUP to be displayed to users informing them that they can start their web request after hitting the button I accept.
Here's to justify it experience, once users go through the process of reviews-
(2) we have appointed time profile 8hours first user login guest. When the guest user gets connected while putting in credentials on the portal of comments.
But we are facing problem after about 20 mins enhanced disconnects Internet and comments again Gets the login page of the portal of the guest and if we put the same credentials, then his work but after about 20 min interval disconnected Internet user. Check advance timer on your SSID you can be hitting the session on the WLC timeout. Please disable this option and let the functionality of COA ISE at expiration of the user on the controller sessions of.
Thank you
Tarik Admani
* Please note the useful messages *.
Maybe you are looking for
-
Thunderbird guard loading of copies of old messages
When I connect to Hotmail, thunderbird downloads all files in e-mail, as if they aren't already on my system. If I run a file of deleting duplicates, it did the same thing brand new the next time it checks the mail.
-
How to see the permanently in the iTunes menu bar 12.3?
cannot find out how to permanently display the menu bar in iTunes. help please... Thank you!
-
demolished mails, impossible to find
Running OS X Yosemite 21 "IMAC. 2.9GHz 8 GB (I have 840 GB free) lost most of my Outlook emails (20 k +). hoping that I could at least be able to recover some of the emails back (seems the only emails that have not been deleted are ones that I had sc
-
Why can't my androgenic computer on its own without warning?
While using my laptop, from time to time it will spontaneously turn off without warning, the screen is just blank. I have a dell Inspiron 1520, using windows XP.
-
I bought a 3.5 mm audio jack, standard usb cable to connect the clamp on my car radio usb port but no sound speakers, I also tried the clip connected to the laptop with the same cable, but still, no noise. is it possible to play the clip via an audio