Details posture assessment support, covering key concepts, applicable restrictions, and procedures for configuring posture assessment via templates to maintain network compliance and device integrity.
Posture assessment support
Cisco AnyConnect Posture Assessment is a posture assessment solution that
- installs on endpoints to enforce security policies downloaded from an ISE server,
- checks endpoint conditions such as anti-malware, anti-spyware, anti-virus, application, and USB compliance, and
- reports compliance status to the ISE server to control network access based on posture evaluation.
Network endpoint validation and posture assessment workflow
Endpoint validation plays a critical role in network security by ensuring that devices connecting to a company's network comply with established security policies. The posture module enforces these policies on endpoints that are connected to the network. When Cisco 1100 Integrated Services Routers communicate with Cisco Identity Services Engine (ISE), an authentication exchange is required first. Use IEEE 802.1X, the recommended standard, for posture assessment authentication. If required, MAC Authentication Bypass (MAB) can also be used.
After successful authentication and authorization using redirect Access Control Lists (ACLs), the posture assessment process begins. Once the system completes posture assessment and authentication, the ISE policy set triggers the RADIUS Change of Authorization (CoA) process to re-authenticate or re-authorize endpoints and enforce new or updated policies.
Following successful posture assessment and CoA re-authentication, endpoints and the Cisco ISR 1100 router receive full access to the network, ensuring that only compliant devices interact with network resources.
Restrictions for Posture Assessment
- Only 8-port Cisco 1100 Integrated Services Routers support ACL functions such as dACL and redirect ACL.
- ACL and Access Control Entry (ACE) rules do not support compare operations, such as >, <, >=, <=.
- Up to 120 dACL ACEs are supported, and 64 redirect ACL ACEs are supported.
- Port ACL and IPv6 ACL are not supported.
- IP option and IP fragment ACL are not supported.
- Per-VLAN device tracking is not supported.
- Only limited per-port device tracking policy options, such as glean and address tracking, are allowed.
Configure posture assessment using CLI commands
Use the CLI Add-on template to configure AAA, IEEE 802.1x, posture assessment, the redirect ACL, and device tracking.
Before you begin
Ensure these requirements are met before proceeding to configure posture assessment support:
- Basic IEEE 802.1x authentication should be functional.
- Change of Authorization (CoA) should be supported.
- Redirect ACL, downloadable ACL (dACL), and critical ACL should be available.
- Device tracking policy (for identity) should be supported.
- URL redirect should be supported.
Refer to the instructions for creating a CLI Add-on template, then add the configuration explained next.
Procedure
1. Configure AAA. Example:
2. Configure IEEE 802.1x authentication and authorization. Example:
3. Configure posture assessment and redirect ACL. Example:
4. Configure device tracking. Example:
5. Configure CoA reauthentication and dACL on ISE.
6. After creating the CLI Add-On template, attach it to a device template. SD-WAN Manager pushes all the configuration in the device template onto your device.
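As an added illustration of steps 1 to 4 (not configuration taken from this page), here is the kind of IOS XE CLI that a CLI Add-on template would carry for one switch port on an ISR 1100. The ISE address 10.10.10.5, shared key ISE-KEY, VLAN 10, port GigabitEthernet0/1/0, and the ACL and policy names are assumed values; replace them with your own. The redirect ACL stays far below the 64-ACE limit and uses no port compare operators, in line with the restrictions above.

```text
! Assumed values (not from the page): ISE at 10.10.10.5, shared key ISE-KEY,
! endpoint VLAN 10, port GigabitEthernet0/1/0, ACL and policy names.
! Step 1: AAA toward ISE, plus a dynamic-author client so ISE can send CoA
aaa new-model
radius server ISE-PSN
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key ISE-KEY
aaa group server radius ISE-GROUP
 server name ISE-PSN
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
aaa server radius dynamic-author
 client 10.10.10.5 server-key ISE-KEY
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
radius-server vsa send accounting
! Step 2: enable IEEE 802.1X globally (MAB is the per-port fallback below)
dot1x system-auth-control
! Step 3: HTTP redirect engine and the redirect ACL that ISE references in its
! authorization profile; 'deny' lines are excluded from redirection (DNS, ISE)
ip http server
ip http secure-server
ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any any eq domain
 deny ip any host 10.10.10.5
 permit tcp any any eq www
 permit tcp any any eq 443
! Step 4: per-port device tracking limited to glean and address tracking
device-tracking policy IPDT-POSTURE
 security-level glean
 tracking enable
! Access port: 802.1X first, MAB fallback, reauth interval from the RADIUS session
interface GigabitEthernet0/1/0
 switchport mode access
 switchport access vlan 10
 device-tracking attach-policy IPDT-POSTURE
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
```

The dACL and the CoA reauthentication action (step 5) are defined on ISE and delivered with the RADIUS authorization, so they do not appear in the template.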