The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to configure the ASA to posture VPN users against the ISE.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The Cisco ASA Version 9.16 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application or Registry rules.
The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
Here is the traffic flow, as illustrated in the network diagram:
Tip: The Domain Name System (DNS) servers that are assigned to the VPN clients must be able to resolve the Fully Qualified Domain Name (FQDN) that is returned in the redirect URL. If the VPN filters are configured in order to restrict access at the tunnel-group level, ensure that the client pool is able to access the ISE server on the configured port (TCP 8443 in this example).
Note: The RADIUS CoA is always confirmed; that is, the ASA sends a response to the ISE in order to confirm.
Note: This flow model differs from most scenarios that use RADIUS CoA. For wired/wireless 802.1x authentications, RADIUS CoA does not include any attributes. It only triggers the second authentication in which all attributes, such as DACL, are attached. For the ASA VPN posture, there is no second authentication. All of the the attributes are returned in the RADIUS CoA. The VPN session is active and it is not possible to change most of the VPN user settings.
Use this section in order to configure the ASA and the ISE.
Here is the basic ASA configuration for Cisco AnyConnect access:
ip local pool POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxxx 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 162.168.111.10 255.255.255.0
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.48.66.74
key cisco
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-arm64-4.10.06079-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GP-SSL internal
group-policy GP-SSL attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
tunnel-group RA type remote-access
tunnel-group RA general-attributes
address-pool POOL
authentication-server-group ISE
default-group-policy GP-SSL
tunnel-group RA webvpn-attributes
group-alias RA enable
For ASA integration with the ISE posture, ensure that you:
Note: Only registered Cisco users can access internal Cisco tools and information.
Here is the configuration example:
access-list redirect extended deny udp any any eq domain
access-list redirect extended deny ip any host 10.48.66.74
access-list redirect extended deny icmp any any
access-list redirect extended permit tcp any any eq www
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization
aaa-server ISE (inside) host 10.48.66.74
key cisco
tunnel-group RA general-attributes
address-pool POOL
authentication-server-group ISE
accounting-server-group ISE
default-group-policy GP-SSL
ASA accounting mode:
The accounting mode on ASA needs to be single (default) otherwise ASA is not able to correctly process ISE sessions; that is, ASA rejects the CoA request with “Action not supported”.
Complete these steps in order to configure the ISE:
Note: In a normal scenario, the File Remediation action can be used (the ISE provides the downloadable file).
By default, posture is a one-time event. However, there is sometimes a need to periodically check the user compliance and adjust the access to the resources based on the results. This information is pushed via SWISS protocol (NAC Agent) or encoded within the application (Web Agent).
Complete these steps in order to check the user compliance:
Both of these conditions can be used in the posture rules. The first rule matches only the initial assessments and the second one matches all of the subsequent assessments:
In order to confirm that your configuration works correctly, ensure that these steps are completed as described:
aaa_url_redirect: Added url redirect:https://ise2.test-cisco.com:8443/
guestportal/gateway?sessionId=c0a8700a0000900052b840e6&action=cpp
acl:redirect for 10.10.10.10
ASA# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : cisco Index : 9
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 16077 Bytes Rx : 16497
Pkts Tx : 43 Pkts Rx : 225
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GP-SSL Tunnel Group : RA
Login Time : 14:55:50 CET Mon Dec 23 2013
Duration : 0h:01m:34s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8700a0000900052b840e6
Security Grp : 0
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 9.1
Public IP : 10.147.24.61
Encryption : none Hashing : none
TCP Src Port : 50025 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Client OS : win
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5204 Bytes Rx : 779
Pkts Tx : 4 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 9.2
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Encryption : RC4 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 50044
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5204 Bytes Rx : 172
Pkts Tx : 4 Pkts Rx : 2
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 9.3
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Encryption : AES128 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 63296
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5669 Bytes Rx : 18546
Pkts Tx : 35 Pkts Rx : 222
Pkts Tx Drop : 0 Pkts Rx Drop : 0
ISE Posture:
Redirect URL : https://ise2.test-cisco.com:8443/guestportal/gateway?
sessionId=c0a8700a0000900052b840e6&action=cpp
Redirect ACL : redirect
aaa_url_redirect: Created proxy for 10.10.10.10
aaa_url_redirect: Sending url redirect:https://ise2.test-cisco.com:8443/
guestportal/gateway?sessionId=c0a8700a0000900052b840e6&action=cpp
for 10.10.10.10
cisco.cpm.posture.runtime.PostureHandlerImpl -:cisco:c0a8700a0000900052b840e6
:::- Decrypting report
cisco.cpm.posture.runtime.PostureManager -:cisco:c0a8700a0000900052b840e6
:::- User cisco belongs to groups NAC Group:NAC:IdentityGroups:User Identity
Groups:Employee,NAC Group:NAC:IdentityGroups:An
cisco.cpm.posture.runtime.PostureManager -:cisco:c0a8700a0000900052b840e6
:::- Posture report token for endpoint mac 08-00-27-CD-E8-A2 is Healthy
cisco.cpm.posture.runtime.PostureManager -:cisco:c0a8700a0000900052b840e6
:::- Posture state is compliant for endpoint with mac 08-00-27-CD-E8-A2
cisco.cpm.posture.runtime.PostureCoA -:cisco:c0a8700a0000900052b840e6
:::- Posture CoA is triggered for endpoint [null] with session
[c0a8700a0000900052b840e6]
ASA# Received RAD_COA_REQUEST
RADIUS packet decode (CoA-Request)
Radius: Value (String) =
41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d | ACS:CiscoSecure-
44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 | Defined-ACL=#ACS
41 43 4c 23 2d 49 50 2d 50 45 52 4d 49 54 5f 41 | ACL#-IP-PERMIT_A
4c 4c 5f 54 52 41 46 46 49 43 2d 35 31 65 66 37 | LL_TRAFFIC-51ef7
64 62 31 | db1
Got AV-Pair with value audit-session-id=c0a8700a0000900052b840e6
Got AV-Pair with value ACS:CiscoSecure-Defined-ACL=
#ACSACL#-IP-PERMIT_ALL_TRAFFIC-51ef7db1
aaa_url_redirect: Deleted url redirect for 10.10.10.10
ASA# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : cisco Index : 9
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 94042 Bytes Rx : 37079
Pkts Tx : 169 Pkts Rx : 382
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GP-SSL Tunnel Group : RA
Login Time : 14:55:50 CET Mon Dec 23 2013
Duration : 0h:05m:30s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8700a0000900052b840e6
Security Grp : 0
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 9.1
Public IP : 10.147.24.61
Encryption : none Hashing : none
TCP Src Port : 50025 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 24 Minutes
Client OS : win
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5204 Bytes Rx : 779
Pkts Tx : 4 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 9.2
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Encryption : RC4 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 50044
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 24 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 5204 Bytes Rx : 172
Pkts Tx : 4 Pkts Rx : 2
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-51ef7db1
DTLS-Tunnel:
Tunnel ID : 9.3
Assigned IP : 10.10.10.10 Public IP : 10.147.24.61
Encryption : AES128 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 63296
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 3.1.02040
Bytes Tx : 83634 Bytes Rx : 36128
Pkts Tx : 161 Pkts Rx : 379
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-51ef7db1
Note: The ASA always removes the redirect rules, even when the CoA does not have any DACL attached.
This section provides information you can use in order to troubleshoot your configuration.
Navigate to Administration > Logging > Debug Log Configuration in order to enable debugs. Cisco recommends that you enable temporary debugs for:
Enter this command in the CLI in order to view the debugs:
ise2/admin# show logging application ise-psc.log tail count 100
Navigate to Operations > Reports > ISE Reports > Endpoints and Users > Posture Details Assessment in order to view the posture reports:
On the Posture More Detail Assessment page, there is policy name with a requirement name that is displayed, along with the results:
You can enable these debugs on the ASA:
For the NAC Agent, it is possible to gather the debugs with the Cisco Log Packager, which is initiated from the GUI or with the CLI; use CCAAgentLogPackager.app
.
Tip: You can decode the results with the Technical Assistance Center (TAC) tool.
In order to retrieve the logs for the Web Agent, navigate to these locations:
Note: If the logs are not in these locations, then verify the TEMP Environment variable.
If the posture fails, the user is presented with the reason:
The user is then allowed remediation actions if they are configured:
Revision | Publish Date | Comments |
---|---|---|
1.0 |
09-May-2014 |
Initial Release |