Cisco Anyconnect Posture



Disclaimer The text above is not a piece of advice to uninstall Cisco AnyConnect Posture Module by Cisco Systems, Inc. From your computer, nor are we saying that Cisco AnyConnect Posture Module by Cisco Systems, Inc. Is not a good application for your computer. Cisco ISE: Anyconnect VPN posture configuration In Cisco Tags Cisco ASA, Cisco ISE, VPN August 25, 2019 Came across this task to set up a posture assessment for workstation domain membership check when connecting with Anyconnect (AC) VPN to Cisco ASA and enforce access based on compliance.

Came across this task to set up a posture assessment for workstation domain membership check when connecting with Anyconnect (AC) VPN to Cisco ASA and enforce access based on compliance. ISE was already deployed for simple VPN authentication so, first of all, I had to make a decision on what to use: ASA host scan (requires ASA APEX license) or ISE posture assessment. Great feature comparison here but if it comes down to price then it is about $10 versus $7 per user for ASA vs ISE. And since ISE offers more flexibility it was picked for the final solution.

  1. Feb 16, 2021 Cisco AnyConnect Secure Mobility Client; Known Affected Releases. Symptom: Windows 10 endpoint is failing a posture check after a new hot-fix had been applied for.
  2. Cisco AnyConnect ISE Posture Module A guide to uninstall Cisco AnyConnect ISE Posture Module from your PC Cisco AnyConnect ISE Posture Module is a Windows application. Read more about how to remove it from your computer. The Windows release was created by Cisco Systems, Inc. Go over here for more information on Cisco Systems, Inc.
  3. The AnyConnect Secure Mobility Client offers an VPN Posture (HostScan) Module and an ISE Posture Module. Both provide the Cisco AnyConnect Secure Mobility Client with the ability to assess an endpoint's compliance for things like antivirus, antispyware, and firewall software installed on the host.

There are a few Cisco 1, 2 and non Cisco guides there so here I’ll just fill in missing pieces.

  • Get APEX license to support posture for ISE in addition to Base License which you should have already.
  • Upload and enable proper AC package on ASA. The package you need is anyconnect-….webdeploy-k9.pkg. All necessary files will be included in it. At the time of writing, my file version was anyconnectwin-4.6.04056-webdeployk9.pkg. Once file is uploaded use this command to enable it.

webvpn

anyconnect-win-4.6.04056-webdeploy-k9.pkg 1

  • Enable ISE posture module to be installed on the endpoint.

group-policy DfltGrpPolicy attributes

webvpn

Cisco ISE 1.3 Administrators Guide

anyconnect modules value iseposture

  • Create ACL on ASA to allow DNS requests and traffic to ISE nodes. Redirect all other web traffic for posture to take place.

access-list redirect extended deny udp any any eq domain
access-list redirect extended deny ip any host <ISE IP>
access-list redirect extended permit tcp any any eq www

  • Add dynamic authorization under ISE aaa-server group

Cisco Anyconnect Posture Assessment Initiating Stuck

aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization

  • Make sure accounting is enabled under default tunnel-group

tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ISE
accounting-server-group ISE

This will conclude ASA configuration.

Some good debugging commands to troubleshoot posture-related issues on ASA.

  • debug aaa url-redirect
  • debug aaa authorization
  • debug radius dynamic-authorization
  • debug radius decode
  • debug radius user <USERNAME>
  • show vpn-sessiondb detail anyconnect filter name <USERNAME>

Now move on to ISE.

First get you latest posture updates. Administration> System> Settings> Posture> Updates.

Make sure your posture portal is setup with publicly signed certificate otherwise users will get trust errors. With some providers, you can not generate a wildcard certificate so you will have to include all Policy Service Nodes (PSN) FQDN as a separate SAN field in CSR or generate individual certificate per node. When done attach certificate to proper Portal group.

Cisco Anyconnect Posture Assessment

Configure the following elements for Client Provisioning under Work Centers > Posture> Client Provisioning > Resources

  • Posture Agent Profile. Populate Discovery host with PSN FQDNs and Call Home list with PSN FQDNs and IP addresses.
Cisco
  • Next upload AC package to ISE. This is the anyconnect-…predeploy-k9.zip file that you can find on Cisco AC download page. Select “Agent resources from local disk“. Make sure and give a meaningful name so it will be easier to identify.

See Full List On Cisco.com

AC version on ISE has to match the one on ASA otherwise you will get an error message.

  • Download the latest compliance modules from Cisco for Windows/OSX and Supplicant Provisioning Wizard.
  • Finally, create AnyConnect configuration for use in client provisioning policy.

AC configuration settings are below.

  • Create Client Provisioning Policy under Policy> Client Provisioning

AnyConnect Host Scan - Cisco

Next, build a Posture Policy. I’m not going to cover different posture checks at this time. Remember on the policy there is an option to put it in audit mode so you can test it out before enforcing.

Cisco Anyconnect Posture Assesment Failed

Since ISE reporting is not the greatest for customization and flexibility I’m using Splunk searches to get quick reports. How to get ISE logs into Splunk I covered in this post.