Cisco Identity Services Engine (ISE) version 2.0, together with AnyConnect Secure Mobility Client 4.2, supports posture for disk encryption. This document describes how to encrypt an endpoint's disk partition with Microsoft BitLocker and how to configure ISE so that full network access is granted only when the correct encryption is in place.
Cisco recommends that you have knowledge of these topics:
Basic knowledge of Adaptive Security Appliance (ASA) CLI configuration and Secure Socket Layer (SSL) VPN configuration
Basic knowledge of remote access VPN configuration on the ASA
Basic knowledge of ISE and posture services
The information in this document is based on these software versions:
Cisco ASA software Versions 9.2.1 and later
Microsoft Windows Version 7 with Cisco AnyConnect Secure Mobility Client Version 4.2 and later
Cisco ISE, Release 2.0 and later
The flow is the following:
The VPN session initiated by the AnyConnect client is authenticated by ISE. The posture status of the endpoint is not yet known, so the rule "ASA VPN unknown" is hit and the session is redirected to ISE for provisioning.
The user opens a web browser; HTTP traffic is redirected by the ASA to ISE. ISE pushes the newest version of AnyConnect, along with the posture and compliance modules, to the endpoint.
Once the posture module runs, it checks whether partition "E:" is fully encrypted by BitLocker. If so, the report is sent to ISE, which triggers a RADIUS Change of Authorization (CoA) without any ACL (full access).
The VPN session on the ASA is updated: the redirect ACL is removed and the session has full access.
The VPN session is used only as an example; posture works the same way for other types of access.
The ASA is configured for remote SSL VPN access with ISE as the AAA server. RADIUS CoA and the REDIRECT ACL need to be configured:
access-list REDIRECT extended deny udp any any eq domain
access-list REDIRECT extended deny ip any host 10.48.17.235
access-list REDIRECT extended deny icmp any any
access-list REDIRECT extended permit tcp any any eq www
ip local pool POOL 172.16.31.10-172.16.31.20 mask 255.255.255.0
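The semantics of a redirect ACL are easy to get backwards: in an ACL named by a RADIUS redirect, "permit" entries select the traffic that is intercepted and sent to the ISE portal, "deny" entries exempt traffic (DNS, ICMP and anything to ISE itself must be exempt or the client can never reach the portal), and traffic matching no entry is not redirected. The following script is an added example, not Cisco code: it parses the four REDIRECT lines above with a simplified first-match model and reports which sample flows would be redirected. It assumes 10.48.17.235 is the ISE node and uses a client address from the POOL range; the remote addresses are constructed.

```python
"""Added example (not Cisco code): first-match evaluation of the ASA REDIRECT ACL.

Simplified model of how the ASA applies an ACL named in a RADIUS redirect:
a "permit" entry marks the flow for redirection to the ISE portal, a "deny"
entry exempts it, and a flow matching nothing is not redirected (implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The four ACL lines from the ASA configuration above, embedded as one string.
REDIRECT_ACL = """
access-list REDIRECT extended deny udp any any eq domain
access-list REDIRECT extended deny ip any host 10.48.17.235
access-list REDIRECT extended deny icmp any any
access-list REDIRECT extended permit tcp any any eq www
"""

# Service keywords the ASA accepts in place of port numbers (subset).
PORT_KEYWORDS = {"domain": 53, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                  # "permit" (redirect) or "deny" (exempt)
    proto: str                   # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when no "eq <port>" was given


def _take_addr(tokens: List[str], i: int):
    """Consume one address spec at tokens[i]: any | host A.B.C.D | net mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_acl(text: str, name: str = "REDIRECT") -> List[Ace]:
    """Parse 'access-list <name> extended ...' lines into ordered ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = t[3], t[4]
        src, i = _take_addr(t, 5)
        dst, i = _take_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_KEYWORDS.get(t[i + 1])
            if dport is None:
                dport = int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def is_redirected(aces, proto, src, dst, dport=None) -> bool:
    """True when the first matching ACE is a permit (flow goes to the portal)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False  # implicit deny: no entry matched, so no redirection


if __name__ == "__main__":
    acl = parse_acl(REDIRECT_ACL)
    client = "172.16.31.10"  # first address of the POOL above
    ise = "10.48.17.235"     # assumed to be the ISE node the ACL exempts
    # DNS is exempt, or the client could never resolve the portal's name.
    print("DNS   ", is_redirected(acl, "udp", client, "198.51.100.53", 53))
    # Traffic to ISE itself is exempt so the portal and posture flow stay reachable.
    print("ISE   ", is_redirected(acl, "tcp", client, ise, 8443))
    # Plain HTTP to anywhere else is intercepted and sent to the portal.
    print("HTTP  ", is_redirected(acl, "tcp", client, "198.51.100.7", 80))
    # HTTPS matches no entry, so it is not redirected (implicit deny).
    print("HTTPS ", is_redirected(acl, "tcp", client, "198.51.100.7", 443))
```

Note that the model only covers the address and port forms used in this ACL; it exists to show why the deny entries come first and why only port 80 is captured, which is why the user must open a plain HTTP page to trigger provisioning.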
From Administration > Network Resources > Network Devices, add the ASA with Device Type = ASA. That is used as a condition in the authorization rules but is not mandatory (other types of conditions can be used).
If the appropriate Network Device Group does not exist, create it from Administration > Network Resources > Network Device Groups.
Step 2 Posture condition and policies
Make sure the posture conditions are updated: from Administration > System > Settings > Posture > Updates, use the Update now option.
From Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition, add a new condition:
This condition checks whether BitLocker for Windows 7 is installed and whether the E: partition is fully encrypted. Note that BitLocker is disk-level encryption, so Specific Location does not support a path argument, only a drive letter.
From Policy > Policy Elements > Results > Posture > Requirements, create a new requirement that uses that condition:
From Policy > Posture, add a rule for all Windows versions that uses that requirement:
Step 3 Client Provisioning resources and policy
From Policy > Policy Elements > Client Provisioning > Resources, download the compliance module from Cisco.com and manually upload the AnyConnect 4.2 package:
Using Add > NAC Agent or AnyConnect Posture Profile, create an AnyConnect posture profile (name: AnyConnectPosture) with default settings.
From Policy > Client Provisioning, modify the default policy for Windows to use the configured AnyConnect profile:
Step 4 Authorization rules
From Policy > Policy Elements > Results > Authorization, add an Authorization Profile (name: RedirectForPosture) that redirects to the default Client Provisioning Portal:
The REDIRECT ACL is defined on the ASA.
From Policy > Authorization, create three authorization rules:
If the endpoint is compliant, full access is provided. If the status is unknown or non-compliant, a redirection for Client Provisioning is returned.
Step 1 VPN session establishment
Once the VPN session is established, the ASA might perform an upgrade of the AnyConnect modules:
On ISE the last rule is hit; as a result, the RedirectForPosture permissions are returned:
Once the ASA finishes building the VPN session, it reports that redirection should occur:
ASAv# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username     : cisco                  Index        : 32
Assigned IP  : 172.16.31.10           Public IP    : 10.61.90.226
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 53201                  Bytes Rx     : 122712
Pkts Tx      : 134                    Pkts Rx      : 557
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : AllProtocols           Tunnel Group : TAC
Login Time   : 21:29:50 UTC Sat Nov 14 2015
Duration     : 0h:56m:53s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a80101000200005647a7ce
Security Grp : none
<some output omitted for clarity>
ISE Posture:
  Redirect URL : https://mgarcarz-ise20.example.com:8443/portal/gateway?sessionId=&portal=0d2ed780-6d90-11e5-978e-00505...
  Redirect ACL : REDIRECT
Step 2 Client Provisioning
At that stage the endpoint's web browser traffic is redirected to ISE for client provisioning:
If needed, AnyConnect along with the posture and compliance modules is updated:
Step 3 Posture check and CoA
The posture module is executed; it discovers ISE (a DNS A record for enroll.cisco.com might be required for discovery to succeed), then downloads and checks the posture conditions:
Once it is confirmed that the "E:" partition is fully encrypted by BitLocker, the correct report is sent to ISE.
That triggers a CoA that reauthorizes the VPN session:
The ASA removes the redirection ACL, providing full access. AnyConnect reports compliance:
Detailed reports on ISE can also confirm that both conditions are satisfied (Posture Assessment by Condition is a new ISE 2.0 report that shows every condition). The first condition (hd_inst_BitLockerDriveEncryption_6_x) checks for the installation/process; the second (hd_loc_bitlocker_specific_1) checks whether the specific location ("E:") is fully encrypted:
The ISE Posture Assessment by Endpoint report confirms all conditions are satisfied:
The same can be confirmed from the ise-psc.log debugs. Posture request received by ISE and the response:
2015-11-14 14:59:01,963 DEBUG [portal-http-service28] cisco.cpm.posture.runtime.PostureHandlerImpl -::c0a801010001700056473ebe:::- Received posture request [parameters: reqtype=validate, userip=10.62.145.44, clientmac=08-00-27-81-50-86, os=WINDOWS, osVerison=184.108.40.206.1.1, architecture=9, provider=Device Filter, state=, ops=1, avpid=, avvname=Microsoft Corp.:!::!::!:, avpname=Windows Defender:!::!::!:, avpversion=6.1.7600.16385:!::!::!:, avpfeature=AS:!::!::!:, userAgent=Mozilla/4.0 (compatible; WINDOWS; 220.127.116.11.1.1; AnyConnect Posture Agent v.4.2.00096), session_id=c0a801010001700056473ebe
2015-11-14 14:59:01,963 DEBUG [portal-http-service28] cisco.cpm.posture.runtime.PostureHandlerImpl -:cisco:c0a801010001700056473ebe:::- Creating a new session info for mac 08-00-27-81-50-86
2015-11-14 14:59:01,963 DEBUG [portal-http-service28] cisco.cpm.posture.runtime.PostureHandlerImpl -:cisco:c0a801010001700056473ebe:::- Turning on enryption for endpoint with mac 08-00-27-81-50-86 and os WINDOWS, osVersion=18.104.22.168.1.1
2015-11-14 14:59:01,974 DEBUG [portal-http-service28] cpm.posture.runtime.agent.AgentXmlGenerator -:cisco:c0a801010001700056473ebe:::- Agent criteria for rule [Name=bitlocker, Description=, Operating Systems=[Windows All], Vendor=com.cisco.cpm.posture.edf.AVASVendor@96b084e, Check Type=Installation, Allow older def date=0, Days Allowed=Undefined, Product Name=[com.cisco.cpm.posture.edf.AVASProduct@44870fea]] - ( ( (hd_inst_BitLockerDriveEncryption_6_x) ) & (hd_loc_bitlocker_specific_1) )
The response with the posture requirement (condition plus remediation) is in XML format:
2015-11-14 14:59:02,052 DEBUG [portal-http-service28] cisco.cpm.posture.runtime.PostureHandlerImpl -:cisco:c0a801010001700056473ebe:::- NAC agent xml
<?xml version="1.0" encoding="UTF-8"?>
<cleanmachines>
  <version>2</version>
  <encryption>0</encryption>
  <package>
    <id>10</id>
    <name>Bitlocker</name>
    <version/>
    <description>Bitlocker encryption not enabled on the endpoint. Station not compliant.</description>
    <type>3</type>
    <optional>0</optional>
    <action>3</action>
    <check>
      <id>hd_loc_bitlocker_specific_1</id>
      <category>10</category>
      <type>1002</type>
      <param>180</param>
      <path>E:</path>
      <value>full</value>
      <value_type>2</value_type>
    </check>
    <check>
      <id>hd_inst_BitLockerDriveEncryption_6_x</id>
      <category>10</category>
      <type>1001</type>
      <param>180</param>
      <operation>regex match</operation>
      <value>^6\..+$|^6$</value>
      <value_type>3</value_type>
    </check>
    <criteria>( ( ( (hd_inst_BitLockerDriveEncryption_6_x) ) & (hd_loc_bitlocker_specific_1) ) )</criteria>
  </package>
</cleanmachines>
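To make the structure of that requirement concrete, here is an added example (not Cisco or AnyConnect code) that parses the <cleanmachines> XML from the log line above, evaluates its two <check> elements against a constructed description of the endpoint, and combines the results according to the <criteria> expression. The endpoint states are invented; mapping check type 1001 to the installation/version check (regex on the BitLocker version) and 1002 to the drive encryption-state check follows the document's description of the two conditions and is an assumption of this example, not documented agent behaviour.

```python
"""Added example (not Cisco code): evaluate the posture requirement ISE returns.

Parses the <cleanmachines> XML above, evaluates each <check> against a constructed
endpoint description and combines the results as <criteria> dictates. Mapping
check type 1001 to the installation/version check and 1002 to the drive
encryption-state check follows the document's description and is an assumption.
"""
import re
import xml.etree.ElementTree as ET

# Agent XML from the log line above; the "&" in <criteria> is escaped as "&amp;"
# so the document is well-formed for the parser.
CLEANMACHINES_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<cleanmachines><version>2</version><encryption>0</encryption>
<package><id>10</id><name>Bitlocker</name><version/>
<description>Bitlocker encryption not enabled on the endpoint. Station not compliant.</description>
<type>3</type><optional>0</optional><action>3</action>
<check><id>hd_loc_bitlocker_specific_1</id><category>10</category><type>1002</type>
<param>180</param><path>E:</path><value>full</value><value_type>2</value_type></check>
<check><id>hd_inst_BitLockerDriveEncryption_6_x</id><category>10</category><type>1001</type>
<param>180</param><operation>regex match</operation><value>^6\..+$|^6$</value><value_type>3</value_type></check>
<criteria>( ( ( (hd_inst_BitLockerDriveEncryption_6_x) ) &amp; (hd_loc_bitlocker_specific_1) ) )</criteria>
</package></cleanmachines>"""

# Constructed endpoint states (not real agent data): BitLocker product version
# and the encryption state reported per drive letter.
ENCRYPTED_ENDPOINT = {"product_version": "6.1", "volumes": {"C:": "none", "E:": "full"}}
PARTIAL_ENDPOINT = {"product_version": "6.1", "volumes": {"C:": "none", "E:": "partial"}}


def evaluate_check(check, endpoint):
    """Evaluate one <check> element against the endpoint description."""
    ctype, value = check.findtext("type"), check.findtext("value")
    if ctype == "1001":  # hd_inst_*: product version must satisfy the regex
        if check.findtext("operation") != "regex match":
            raise ValueError("unsupported operation")
        return re.search(value, endpoint["product_version"]) is not None
    if ctype == "1002":  # hd_loc_*: named drive must report the required state
        return endpoint["volumes"].get(check.findtext("path")) == value
    raise ValueError(f"unsupported check type {ctype!r}")


def eval_criteria(expr, results):
    """Recursive-descent evaluation of the criteria grammar: ( ) ! & | ids."""
    tokens = re.findall(r"\(|\)|&|\||!|\w+", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        left = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            right = parse_and()  # always consume the right operand
            left = left or right
        return left

    def parse_and():
        nonlocal pos
        left = parse_not()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            right = parse_not()
            left = left and right
        return left

    def parse_not():
        nonlocal pos
        if pos < len(tokens) and tokens[pos] == "!":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of criteria")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in criteria")
            pos += 1
            return val
        if tok not in results:
            raise KeyError(f"criteria references unknown check {tok!r}")
        return results[tok]

    val = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in criteria")
    return val


def posture_compliant(xml_text, endpoint):
    """Return (compliant, {check_id: result}) for the package in the agent XML."""
    pkg = ET.fromstring(xml_text.encode("utf-8")).find("package")
    results = {c.findtext("id"): evaluate_check(c, endpoint) for c in pkg.findall("check")}
    return eval_criteria(pkg.findtext("criteria"), results), results
```

Calling posture_compliant(CLEANMACHINES_XML, ENCRYPTED_ENDPOINT) returns compliant with both checks True; with PARTIAL_ENDPOINT the installation check still passes but hd_loc_bitlocker_specific_1 fails because E: is not "full", so the criteria evaluates to False and the <description> text is what the user would see as the remediation message. The criteria evaluator also handles "|" and "!", which the document's single requirement does not use.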
The station is marked as compliant and ISE sends the CoA:
2015-11-14 14:59:04,823 INFO [portal-http-service28] cisco.cpm.posture.runtime.PostureManager -:cisco:c0a801010001700056473ebe:::- Posture state is compliant for endpoint with mac 08-00-27-81-50-86
2015-11-14 14:59:06,825 DEBUG [pool-5399-thread-1] cisco.cpm.posture.runtime.PostureCoA -:cisco:c0a801010000f0005647358b:::- Posture CoA is triggered for endpoint [08-00-27-81-50-86] with session [c0a801010001700056473ebe
For a successful session, the AnyConnect UI System Scan / Message History reports:
14:41:59 Searching for policy server.
14:42:03 Checking for product updates...
14:42:03 The AnyConnect Downloader is performing update checks...
14:42:04 Checking for profile updates...
14:42:04 Checking for product updates...
14:42:04 Checking for customization updates...
14:42:04 Performing any required updates...
14:42:04 The AnyConnect Downloader updates have been completed.
14:42:03 Update complete.
14:42:03 Scanning system ...
14:42:05 Checking requirement 1 of 1.
14:42:05 Updating network settings.
14:42:10 Compliant.
CSCux15941 - ISE 2.0 and AC4.2 posture bitlocker encryption with location failing (char \ / not supported)
If the endpoint is non-compliant, that is reported by the AnyConnect UI (the configured remediation is also executed):
ISE can provide the details of the failing conditions:
The same can be checked from the CLI logs (see the log examples in the Verify section).