Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

PDF

Posture assessment support

Details posture assessment support, covering key concepts, applicable restrictions, and procedures for configuring posture assessment via templates to maintain network compliance and device integrity.


Cisco AnyConnect Posture Assessment is a posture assessment solution that

  • installs on endpoints to enforce security policies downloaded from an ISE server,

  • checks endpoint conditions such as anti-malware, anti-spyware, anti-virus, application, and USB compliance, and

  • reports compliance status to the ISE server to control network access based on posture evaluation.

Network endpoint validation and posture assessment workflow

Endpoint validation plays a critical role in network security by ensuring that devices connecting to a company's network comply with established security policies. The posture module enforces these policies on endpoints that are connected to the network. When Cisco 1100 Integrated Services Routers communicate with Cisco Identity Services Engine (ISE), the endpoint must first be authenticated. IEEE 802.1X is the recommended authentication method for posture assessment; if required, MAC Authentication Bypass (MAB) can also be used.

After successful authentication, ISE authorizes the endpoint with a redirect Access Control List (ACL) that sends its web traffic to the posture portal, and the posture assessment process begins. Once the system completes posture assessment and authentication, the ISE policy set triggers the RADIUS Change of Authorization (CoA) process to re-authenticate or re-authorize the endpoint and enforce the new or updated policy.

Following successful posture assessment and CoA re-authentication, the endpoints connected through the Cisco ISR 1100 router receive full access to the network, ensuring that only compliant devices interact with network resources.


Restrictions for Posture Assessment

  • Only 8-port Cisco 1100 Integrated Services Routers support ACL functions such as dACL and redirect ACL.

  • ACL and Access Control Entry (ACE) rules do not support compare operations, such as >, <, >=, <=.

  • Up to 120 dACL ACEs are supported, and 64 Redirect ACL ACEs are supported.

  • Port ACL and IPv6 ACL are not supported.

  • IP option and IP fragment ACL are not supported.

  • Per-VLAN device-tracking is not supported.

  • Only limited per-port device tracking policy options such as glean and address tracking are allowed.


Configure posture assessment using CLI commands

Use the CLI Add-on template to configure AAA, IEEE 802.1X, posture assessment, the redirect ACL, and device tracking.

Before you begin

Ensure these requirements are met before proceeding to configure posture assessment support:

  • Basic IEEE 802.1X authentication should be functional.

  • Change of Authorization (CoA) should be supported.

  • Redirect ACL, downloadable ACL (dACL) and critical ACL should be available.

  • Device tracking policy (for identity) should be supported.

  • URL redirect should be supported.

Follow the instructions for creating a CLI Add-on template, then add the configuration described in the following steps.

Procedure

1. Configure AAA.

Example:

aaa new-model
radius server ISE1
 address ipv4 198.51.100.255 auth-port 1812 acct-port 1813
 key cisco
!
aaa group server radius ISE
 server name ISE1
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
interface vlan 15
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1/0
 switchport mode access
 switchport access vlan 15
!
ip radius source-interface vlan 15

Note

aaa new-model is enabled by default on Cisco Catalyst SD-WAN and you cannot configure it. However, you can configure it on a non-SD-WAN image.

2. Configure IEEE 802.1X authentication and authorization.

Example:

policy-map type control subscriber simple_dot1x
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x
!
interface GigabitEthernet0/1/7
 switchport access vlan 22
 switchport mode access
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber simple_dot1x
!
interface Vlan22
 ip address 198.51.100.1 255.255.255.0

Note

The IEEE 802.1X endpoint is connected to GigabitEthernet0/1/7.

3. Configure posture assessment and the redirect ACL.

Example:

ip http server
ip http secure-server
!
ip access-list extended ACL-POSTAUTH-REDIRECT
 10 deny tcp any host 192.0.2.255
 20 deny tcp any any eq domain
 30 deny udp any any eq domain
 40 deny udp any any eq bootpc
 50 deny udp any any eq bootps
 60 permit tcp any any eq www
 70 permit tcp any any eq 443
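
The redirect ACL in step 3 and the ACL restrictions listed earlier (64 redirect ACEs, 120 dACL ACEs, no compare operators, no IP option or fragment matching, no IPv6 or port ACLs) are easy to get wrong in a CLI Add-on template, and it is cheaper to catch that before the template is pushed. The following Python script is an added example, not Cisco code or output: it parses an IOS extended ACL, lints it against the limits documented on this page, and evaluates sample flows to show which ones the redirect ACL sends to the ISE portal (a matching permit ACE) and which pass through untouched (a deny match, or no match at all). The mapping of the page's compare operators to the IOS gt, lt and range keywords, the copy of the step-3 ACL, and the sample flows are constructed assumptions.

```python
"""Lint a Cisco IOS extended ACL against the ISR 1100 posture-assessment restrictions
on this page and evaluate which flows a redirect ACL would send to ISE.
Added example, not Cisco code. Limits are taken from the page; the mapping of IOS
port operators to the page's compare operators is an assumption."""
import ipaddress
import re

MAX_ACES = {"redirect": 64, "dacl": 120}       # ACE limits stated on the page
PORT_OPS = ("eq", "neq", "gt", "lt", "range")
UNSUPPORTED_PORT_OPS = {"gt", "lt", "range"}   # > and <; range treated as >= / <= (assumption)
UNSUPPORTED_FLAGS = {"fragments", "option"}    # IP fragment and IP option ACLs
SERVICE_PORTS = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}

# Constructed copy of the step-3 redirect ACL (192.0.2.255 stands in for the ISE address).
ACL_POSTAUTH_REDIRECT = """\
ip access-list extended ACL-POSTAUTH-REDIRECT
 10 deny tcp any host 192.0.2.255
 20 deny tcp any any eq domain
 30 deny udp any any eq domain
 40 deny udp any any eq bootpc
 50 deny udp any any eq bootps
 60 permit tcp any any eq www
 70 permit tcp any any eq 443
"""


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))  # wildcard -> mask
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional port operator; return ((op, [ports]) or None, remaining tokens)."""
    if not tokens or tokens[0] not in PORT_OPS:
        return None, tokens
    op, n = tokens[0], 2 if tokens[0] == "range" else 1
    ports = [int(SERVICE_PORTS.get(p, p)) for p in tokens[1:1 + n]]
    return (op, ports), tokens[1 + n:]


def parse_acl(text):
    """Parse an 'ip access-list extended' block into (name, list of ACE dicts)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.match(r"ip access-list extended (\S+)$", lines[0])
    if not m:
        raise ValueError("only IPv4 extended ACLs are supported (no IPv6 or port ACLs)")
    aces = []
    for line in lines[1:]:
        tokens = line.split()
        if tokens[0].isdigit():                 # drop the sequence number
            tokens = tokens[1:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        aces.append({"action": action, "proto": proto, "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "flags": set(rest)})
    return m.group(1), aces


def lint_acl(text, role):
    """Return findings for an ACL used as a 'redirect' or 'dacl' ACL on an ISR 1100."""
    try:
        name, aces = parse_acl(text)
    except ValueError as err:
        return [str(err)]
    findings = []
    if len(aces) > MAX_ACES[role]:
        findings.append(f"{name}: {len(aces)} ACEs exceeds the {role} limit of {MAX_ACES[role]}")
    for seq, ace in enumerate(aces, 1):
        for spec in (ace["sport"], ace["dport"]):
            if spec and spec[0] in UNSUPPORTED_PORT_OPS:
                findings.append(f"{name} ACE {seq}: compare operator '{spec[0]}' is not supported")
        for flag in ace["flags"] & UNSUPPORTED_FLAGS:
            findings.append(f"{name} ACE {seq}: '{flag}' matching is not supported")
    return findings


def _port_match(spec, port):
    if spec is None:
        return True
    op, ports = spec
    return {"eq": port == ports[0], "neq": port != ports[0], "gt": port > ports[0],
            "lt": port < ports[0], "range": ports[0] <= port <= ports[-1]}[op]


def redirect_decision(aces, proto, src, sport, dst, dport):
    """Redirect-ACL semantics: the first matching 'permit' ACE sends the flow to the
    ISE portal (True); a 'deny' match, or no match at all, passes it through untouched."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if not (_port_match(ace["sport"], sport) and _port_match(ace["dport"], dport)):
            continue
        return ace["action"] == "permit"
    return False


if __name__ == "__main__":
    print(lint_acl(ACL_POSTAUTH_REDIRECT, "redirect") or "no findings")
    _, aces = parse_acl(ACL_POSTAUTH_REDIRECT)
    # Constructed flows: web traffic is redirected; DNS and traffic to ISE itself are not.
    print(redirect_decision(aces, "tcp", "10.1.1.5", 40000, "203.0.113.10", 80))
    print(redirect_decision(aces, "udp", "10.1.1.5", 5353, "10.1.1.1", 53))
```

lint_acl() takes "redirect" or "dacl" so the matching ACE limit is applied. The evaluator makes the redirect ACL's logic explicit: a deny in a redirect ACL means "do not redirect", which is why DNS, DHCP and traffic to ISE itself are denied, so that the endpoint can still resolve and reach the portal while its web traffic is intercepted.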

4. Configure device tracking.

Example:

!
device-tracking policy tracking_test
 security-level glean
 no protocol ndp
 no protocol dhcp6
 tracking enable
!
interface GigabitEthernet0/1/7
 device-tracking attach-policy tracking_test

Note

The host IP address in the redirect ACL (192.0.2.255 in the step 3 example) belongs to ISE. It is denied in the redirect ACL so that traffic to ISE is not redirected.

5. Configure CoA reauthentication and the dACL on ISE.

  1. Create a downloadable ACL and define the ACEs in it.

    ACL name: TEST_IP_PERMIT_ALL

    ACEs: permit ip any any

  2. Create an authorization result and choose the downloadable ACL as dACL.

  3. Navigate to Administration > System > Settings > Policy Settings, and in Policy Sets configuration, select the authorization result as authorization policy.

6. After creating the CLI Add-on template, attach it to a device template.

SD-WAN Manager pushes all the configuration in the device template to your device.