Anyconnect | AMP Posture

ISE Configuration – Anyconnect and AMP Posture

1. Download the AMP Connector for Windows from the AMP cloud

2. On the WLC, navigate to Security > Access Control Lists and add a new ACL

a. Name – ACL_WEBAUTH_REDIRECT

b. Permit – Source = Any – Destination = Any – Protocol = UDP – Source Port = DNS – Dest Port = Any – Direction = Any

c. Permit – Source = Any – Destination = ISE – Protocol = UDP – Source Port = Any – Dest Port = DNS – Direction = Any

d. Permit – Source = ISE – Destination = Any – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any

e. Permit – Source = Any – Destination = ISE – Protocol = Any – Source Port = Any – Dest Port = Any – Direction = Any

3. On ISE, navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs and create a new dACL

a. Name – ACL_WEBAUTH_REDIRECT

b. DACL content:

    deny tcp any host 192.168.32.228 eq 443
    deny udp any eq bootpc any eq bootps
    deny udp any any eq domain
    deny tcp any any eq 8443
    deny tcp any any eq 8905
    permit tcp any any eq 80
    permit tcp any any eq 443
    deny ip any any
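The dACL above is evaluated first-match, so the position of each deny line relative to the permit lines matters. As an added example (not part of the original guide), this Python evaluator parses the ACE lines exactly as listed in step 3 and reports which line a sample flow hits, so the ordering can be checked before the dACL is pushed; the named-port table covers only the service names used on this page, and the flows used to exercise it are constructed.

```python
# Added example (not from the guide): first-match evaluator for the ACE syntax above.
from collections import namedtuple
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}  # service names used on the page
# The dACL exactly as listed in step 3 (192.168.32.228 is the ISE node there).
DACL = """
deny tcp any host 192.168.32.228 eq 443
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any any eq 8443
deny tcp any any eq 8905
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
"""
# src/dst None means "any"; sport/dport None means any port; text is the source line.
Ace = namedtuple("Ace", "action proto src sport dst dport text")

def _addr(tokens):
    """Consume 'any' or 'host X' plus an optional 'eq PORT' that follows it."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError("unsupported address spec: " + tokens[0])
    port = None
    if tokens[:1] == ["eq"]:
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])  # named or numeric port
        tokens = tokens[2:]
    return addr, port, tokens

def parse_ace(line):
    action, proto, *rest = line.split()
    src, sport, rest = _addr(rest)
    dst, dport, rest = _addr(rest)
    return Ace(action, proto, src, sport, dst, dport, line)

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def evaluate(acl, proto, src, sport, dst, dport):
    """Return the first ACE that matches the flow, or the implicit deny at the end."""
    for a in acl:
        if a.proto not in ("ip", proto) or (a.src and a.src != src) or (a.dst and a.dst != dst):
            continue
        if a.sport not in (None, sport) or a.dport not in (None, dport):
            continue
        return a
    return Ace("deny", "ip", None, None, None, None, "implicit deny")
```

With this dACL, DHCP, DNS and HTTPS to the ISE node all land on deny lines while HTTP/HTTPS to any other host lands on the permit lines; anything else falls through to the final deny.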

4. Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources and click ADD – Network Admission Control (NAC) Agent or AnyConnect Posture Profile

a. Select AnyConnect for the category

b. Name it AC POSTURE PROFILE

c. In the Posture Protocol section, set Server Name Rules to * so the agent is allowed to connect to all servers

d. Save

5. Click ADD – AMP Enabler Profile

a. Name it AMP PROFILE

b. Windows Installer – enter the https:// URL of the network location from which the AMP connector is downloaded. Example – webserver.company.com/Protect_FireAMPSetup.exe

c. Mac Installer – enter the location of the Mac AMP connector file

d. NOTE: the HTTPS certificate must be trusted by the client in order to download the AMP Connector install file

6. Download the AnyConnect installer file manually from Cisco. Example – anyconnect-win-4.2.02075-k9.pkg

7. Click ADD – Agent Resources From Local Disk

a. Choose Cisco Provided Packages

b. Click Browse and choose the AnyConnect pkg file downloaded in step 6

8. Create an XML file named VPNDisable_ServiceProfile.xml; it is used to disable the VPN tile in AnyConnect, since the VPN module will not be used in this configuration

a. Contents of VPNDisable_ServiceProfile.xml:

    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
      <ClientInitialization>
        <ServiceDisable>true</ServiceDisable>
      </ClientInitialization>
    </AnyConnectProfile>

9. Click ADD – Agent Resources From Local Disk

a. Choose Customer Created Packages

b. Package type – AnyConnect Profile

c. Name – VPNDisable_ServiceProfile

d. Browse to and choose the VPNDisable_ServiceProfile.xml file created in step 8

10. Click ADD – Agent Resources from Cisco site

a. Choose AnyConnect Windows Compliance Module 4.2.488.0 and click Save

11. Click ADD – AnyConnect Configuration

a. Name – ANYCONNECT CONFIGURATION AMP

b. Select AnyConnect Package – choose AnyConnectDesktopWindows 4.2.6014.0

c. Compliance Module – AnyConnectComplianceModuleWindows 4.2.488.0

d. In AnyConnect Module Selection choose AMP Enabler, Diagnostic and Reporting Tool, and VPN

e. In Profile Selection add

    i. AC POSTURE PROFILE for ISE Posture

    ii. VPNDisable_ServiceProfile for VPN

    iii. AMP PROFILE for AMP Enabler

12. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles and add a new profile

a. Name – AMP PROFILE

b. Check Web Redirection and choose

    i. Client Provisioning

    ii. ACL – type ACL_WEBAUTH_REDIRECT

    iii. Value – Client Provisioning Portal

13. Navigate to Policy > Policy Sets and click on the existing Wired Dot1x policy set

a. Under the Authorization Policy, edit the Employee Access rule

b. Click on the Condition and choose Add Condition from Library

c. Add the Compound Condition Network_Access_Authentication_Passed

d. Add another Condition from Library / Compound Condition Compliant_Devices

e. Click DONE

14. Insert a new rule directly below the Employee Access rule

a. Name it Non Compliant Employee Access

b. Leave if <any>

c. Condition – Existing Condition from Library

d. Choose WIRED-EMPLOYEE-DOT1X

e. Add Attribute/Value – Session:PostureStatus NOT_EQUALS Compliant

f. Then – AMP PROFILE

15. Navigate to Policy > Policy Sets and click on the existing Wireless Dot1x policy set

a. Under the Authorization Policy, edit the Employee Access rule

b. Click on the Condition and choose Add Condition from Library

c. Add the Compound Condition Network_Access_Authentication_Passed

d. Add another Condition from Library / Compound Condition Compliant_Devices

e. Click DONE

16. Insert a new rule directly below the Employee Access rule

a. Name it Non Compliant Employee Access

b. Leave if <any>

c. Condition – Existing Condition from Library

d. Choose WIRELESS-EMPLOYEE-DOT1X

e. Add Attribute/Value – Session:PostureStatus NOT_EQUALS Compliant

f. Then – AMP PROFILE

17. Navigate to Policy > Client Provisioning

18. Add a new policy at the top

a. Rule name – Windows_Posture_AMP

b. Identity group – any

c. Operating Systems – Windows All

d. Then – ANYCONNECT CONFIGURATION AMP

19. Navigate to Policy > Policy Elements > Conditions > Posture > File Condition and choose Add New. NOTE: this is so that ISE always treats the client as not compliant initially and sends it to the Client Provisioning Portal to verify that the AnyConnect and AMP clients are installed.

20. Name – File_Condition

a. Operating System – Windows All

b. File type – FileExistence

c. File path – absolute path; the value can be anything, for example c:\file.txt

d. File operator – exists

21. Navigate to Policy > Policy Elements > Results > Posture > Requirements

a. Add New

b. Name – File Requirements

c. Operating systems – Windows All

d. Compliance module – any

e. Met if – File_Condition

f. Then – Message Text Only – enter a message of your choosing that the client will see. Some text is required here.

22. Navigate to Policy > Posture

a. Insert a new policy

    i. Name – Windows Posture

    ii. Identity groups – any

    iii. Operating systems – Windows All

    iv. Compliance Module – Any

    v. Requirements – File_Condition (drop down the green check box next to the requirement and choose Optional or Audit if you do not want to require the client to be compliant with this policy, as in the AnyConnect and AMP install scenario)