Table of Contents
Configuring Client Provisioning
Client Provisioning Resource Types
Enabling and Disabling Client Provisioning
Adding Client Provisioning Resources from Remote Sources
Adding Client Provisioning Resources from a Local Machine
Downloading Client Provisioning Resources Automatically
Cisco NAC Agent for Windows Clients
Uninstalling Cisco NAC Agent for Windows Clients
Windows 8 Metro and Metro App Support —Toast Notifications
Cisco NAC Agent for Macintosh Clients
Uninstalling Cisco NAC Agent for Macintosh Clients
Custom nac_login.xml File Template
Using a Custom Corporate/Company Logo
Custom nacStrings_xx.xml File Template
UpdateFeed.xml Descriptor File Template
Creating an Agent Customization File
Agent XML File Installation Directories
Agent Profile Configuration Guidelines
Agent Profile Parameters and Applicable Values
Example XML File Generated Using the Create Profile Function
Creating Windows Agent Profiles
Creating Mac OS X Agent Profiles
Performing Data Encryption Checks for Windows OS
Performing Data Encryption Checks for Mac OS X
Creating Native Supplicant Profiles
Configuring Personal Device Registration Behavior
Provisioning Client Machines with the Cisco NAC Agent MSI Installer
Configuring Client Provisioning Resource Policies
Viewing Client Provisioning Reports
Viewing Client Provisioning Requests
Viewing Client Provisioning Event Logs
Collecting Cisco NAC Agent Logs
Configuring Client Provisioning
This chapter describes client-provisioning functions in Cisco ISE that allows you to download client-provisioning resources and configure agent profiles for Windows and MAC OS X clients, and native supplicant profiles for your own personal devices.
- Client Provisioning Resource Types
- Enabling and Disabling Client Provisioning
- Adding Client Provisioning Resources from Remote Sources
- Adding Client Provisioning Resources from a Local Machine
- Downloading Client Provisioning Resources Automatically
- Client Login Session Criteria
- Cisco ISE Agents
- Creating an Agent Customization File
- Agent Profile Configuration Guidelines
- Agent Profile Parameters and Applicable Values
- Creating Windows Agent Profiles
- Creating Mac OS X Agent Profiles
- Performing Data Encryption Checks for Windows OS
- Performing Data Encryption Checks for Mac OS X
- Configuring Personal Device Registration Behavior
- Provisioning Client Machines with the Cisco NAC Agent MSI Installer
- Configuring Client Provisioning Resource Policies
- Viewing Client Provisioning Reports
- Collecting Cisco NAC Agent Logs
Client Provisioning Resource Types
Client-provisioning resource policies enable users to download and install resources on client devices. These resources must be installed on Cisco ISE before users can access them and include:
– Windows and Mac OS X Cisco Network Admission Control (NAC) Agents
Enabling and Disabling Client Provisioning
To ensure that you are able to access the appropriate remote location from which you can download client-provisioning resources to Cisco ISE, you may be required to verify that you have the correct proxy settings configured for your network.
Step 1 Choose Administration > System > Settings > Client Provisioning .
Step 2 From the Enable Provisioning drop-down list, choose Enable or Disable .
When you choose to disable this function of Cisco ISE, users who attempt to access the network will receive a warning message indicating that they are not able to download client-provisioning resources.
Set up system-wide client-provisioning functions according to the guidelines in the following topics:
Adding Client Provisioning Resources from Remote Sources
You can add client-provisioning resources from a remote source like Cisco.com. Depending on the resources that you select and available network bandwidth, Cisco ISE can take a few seconds or even a few minutes to download the new items and display them in the list of available client-provisioning resources.
Ensure that you are able to access the appropriate remote location to download client-provisioning resources to Cisco ISE, by verifying that the proxy settings for your network are correctly configured.
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources .
Step 2 Choose Add > Agent resources from Cisco site .
Step 3 Select one or more required resources from the list available in the Downloaded Remote Resources dialog box.
After you have successfully added client-provisioning resources to Cisco ISE, you can begin to configure client-provisioning resource policies.
- Specifying Proxy Settings in Cisco ISE
- Client Provisioning Resource Types
- Adding Client Provisioning Resources from a Local Machine
- Downloading Client Provisioning Resources Automatically
- Creating an Agent Customization File
- Configuring Client Provisioning Resource Policies
- Cannot Download Remote Client Provisioning Resources
Adding Client Provisioning Resources from a Local Machine
You can add existing client-provisioning resources from a local machine (for example, files that you may have already downloaded from Cisco.com to your laptop).
Be sure to upload only current, supported resources to Cisco ISE. Older, unsupported resources (older versions of the Cisco NAC Agent, for example) will likely cause serious issues for client access. For details, see Cisco Identity Services Engine Network Component Compatibility, Release 1.2 .
If you are downloading the resource files manually from the Cisco.com, refer to “Cisco ISE Offline Updates” section in the Release Notes for the Cisco Identity Services Engine, Release 1.2 .
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources .
Step 2 Choose Add > Add resource from local disk .
Step 3 Click Browse and navigate to the directory on your local machine where the resource file that you want to download to Cisco ISE resides.
Step 4 Highlight the resource file in the search window and click Save .
After you have successfully added client-provisioning resources to Cisco ISE, you can begin to configure client-provisioning resource policies.
- Specifying Proxy Settings in Cisco ISE
- Client Provisioning Resource Types
- Adding Client Provisioning Resources from Remote Sources
- Downloading Client Provisioning Resources Automatically
- Creating an Agent Customization File
- Agent Profile Configuration Guidelines
- Configuring Client Provisioning Resource Policies
Downloading Client Provisioning Resources Automatically
This function automatically uploads all available software from Cisco, many items of which may not be pertinent to your deployment.
To ensure that you are able to access the appropriate remote location from which you can download client-provisioning resources to Cisco ISE, you may be required to verify that you have the correct proxy settings configured for your network. If your network restricts URL-redirection functions (via a proxy server, for example) and you are experiencing difficulty accessing the default URL, try also pointing your Cisco ISE to https://www.perfigo.com/ise/provisioning-update.xml .
The default URL for downloading client-provisioning resources is https://www.cisco.com/web/secure/pmbu/provisioning-update.xml .
Cisco recommends manually uploading resources whenever possible rather than opting to upload them automatically.
Step 1 Choose Administration > System > Settings > Client Provisioning .
Step 2 From the Enable Automatic Download drop-down list, choose Enable .
Step 3 Specify the URL where Cisco ISE searches for system updates in the Update Feed URL text box.
Set up system-wide client-provisioning functions according to the guidelines in the following topics:
Client Login Session Criteria
Cisco Identity Services Engine (ISE) looks at various elements when classifying the type of login session through which users access the internal network, including:
- Client machine operating system and version
- Client machine browser type and version
- Group to which the user belongs
- Condition evaluation results (based on applied dictionary attributes)
After Cisco ISE classifies a client machine, it uses client-provisioning resource policies to ensure that the client machine is set up with an appropriate agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles, if necessary.
Cisco ISE Agents
Agents are applications that reside on client machines logging into the Cisco ISE network. Agents can be persistent (like the Cisco NAC Agent or Mac OS X Agent) and remain on the client machine after installation, even when the client is not logged into the network, or Agents can be temporal (like the Cisco NAC Web Agent), removing themselves from the client machine after the login session has terminated. In either case, the Agent helps the user log in to the network, receive the appropriate access profile, and even perform posture assessment on the client machine to ensure it complies with network security guidelines before accessing the core of the network.
Note Currently Cisco NAC Agent and Cisco NAC Web Agent support Client Provisioning Portal and Native Supplicant Provisioning. Cisco NAC Web Agent supports Central Web Authentication flow (CWA), but Cisco NAC Agent does not support CWA.
Cisco NAC Agent for Windows Clients
The Cisco NAC Agent provides the posture assessment and remediation for client machines.
Users can download and install the Cisco NAC Agent (read-only client software), which can check the host registry, processes, applications, and services. The Cisco NAC Agent can be used to perform Windows updates or antivirus and antispyware definition updates, launch qualified remediation programs, distribute files uploaded to the Cisco ISE server, distribute website links to websites for users to download files to fix their system, or simply distribute information and instructions.
Cisco strongly recommends that you ensure that the latest Windows hotfixes and patches are installed on Windows XP clients so that the Cisco NAC Agent can establish a secure and encrypted communication with Cisco ISE (via SSL over TCP).
Uninstalling Cisco NAC Agent for Windows Clients
The NAC Agent installs to C:\Program Files\Cisco\Cisco NAC Agent\ on the Windows client. You can uninstall the Agent in the following ways:
- By double-clicking the Uninstall Cisco NAC Agent desktop icon
- By going to Start Menu > Programs > Cisco Systems > Cisco Clean Access > Uninstall Cisco NAC Agent
- By going to Start Menu > Control Panel > Add or Remove Programs > Cisco NAC Agent
To uninstall Cisco NAC Agent in a Windows 8 client, execute the following:
Step 2 Right-Click Cisco NAC Agent tile.
Step 3 Select Un-Install from the options available at the bottom of the screen.
Step 4 The system automatically switches to Desktop mode and opens Add/Remove control panel.
Step 5 In the Add/Remove control panel, perform one of the following:
- Double Click Cisco NAC Agent .
- Select Cisco NAC Agent and click Uninstall .
- Right Click Cisco NAC Agent and select Uninstall .
Windows 8 Metro and Metro App Support —Toast Notifications
The Enable Toast Notification option is available on the Cisco NAC Agent Tray Icon, only for clients using Windows 8 as Operating System. You can enable this option to send relevant notifications to the user.
In Cisco NAC Agent scenarios where the user does not get network access, like “Remediation Failed” or “Network Access expired”, the Agent displays the following toast notification:
Network not available, Click “OK” to continue
To get more details, you can select the toast and you will be redirected to Desktop mode and the NAC agent dialog is displayed.
Toast Notification is displayed for all positive recommended actions that the user needs to perform to gain network access. The following are some examples:
- For Network Acceptance policy, toast will be displayed as: “Click Accept to gain network access”
- For Agent/Compliance Module Upgrade, toast will be displayed as: “Click OK to Upgrade/Update”
- In the “user logged out” event, when “Auto Close” option for Logoff is not enabled in CAM, toast notification is provided. This toast enables the users to know that they have been logged out and that they need to login again to get network access.
Cisco NAC Agent for Macintosh Clients
The Mac OS X Agent provides the posture assessment and remediation for Macintosh client machines.
Users can download and install the Mac OS X Agent (read-only client software), which can check antivirus and antispyware definition updates.
After users log in to the Mac OS X Agent, the agent gets the requirements that are configured for the user role and the operating system from the Cisco ISE server, checks for required packages and sends a report back to the Cisco ISE server. If requirements are met on the client, the user is allowed network access. If requirements are not met, the agent presents a dialog to the user for each requirement that is not satisfied. The dialog provides the user with instructions and the action to take for the client machine to meet the requirement. Alternatively, if the specified requirements are not met, users can choose to accept restricted network access while the user tries to remediate the client system.
Uninstalling Cisco NAC Agent for Macintosh Clients
You can uninstall the NAC Agent for Mac OS X clients by running the uninstall script as follows:
Step 1 Open the navigator pane and navigate to <local drive ID> > Applications .
Step 2 Highlight and right-click the CCAAgent icon to bring up the selection menu.
Step 3 Choose Show Package Contents and double-click NacUninstall.
Step 4 This will uninstall the Agent on Mac OS X.
Cisco NAC Web Agent
The Cisco NAC Web Agent provides temporal posture assessment for client machines.
Users can launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet. The Web Agent is available only for Windows clients and not for Mac OSX clients.
After users log in to the Cisco NAC Web Agent, the Web Agent gets the requirements that are configured for the user role and the operating system from the Cisco ISE server, checks the host registry, processes, applications, and services for required packages and sends a report back to the Cisco ISE server. If requirements are met on the client machine, the user is allowed network access. If requirements are not met, the Web Agent presents a dialog to the user for each requirement that is not satisfied. The dialog provides the user with instructions and the action to take for the client machine to meet the requirement. Alternatively, if the specified requirements are not met, users can choose to accept the restricted network access while they try to remediate the client system so that it meets requirements for the user login role.
Note ActiveX is supported only on the 32-bit versions of Internet Explorer. You cannot install ActiveX on a Firefox web browser or on a 64-bit version of Internet Explorer.
Custom nac_login.xml File Template
This is one of the files that is required in your Agent customization package, which allows you to customize the logo, fields, and message text contained in a Cisco NAC Agent dialog, like the Properties screen, to suit your specific Windows client network access requirements.
Use the following template to construct an appropriate “nac_login.xml” file.
Using a Custom Corporate/Company Logo
You can replace the Cisco logo that appears in all the Cisco NAC Agent screens with your corporate/company logo.
This is one of the files that is required in your Agent screen customization package, which allows you to customize the logo, fields, and message text contained in a Cisco NAC Agent dialog, like the Properties screen, to suit your specific Windows client network access requirements.
Be sure the image is a .gif file, not exceeding 67 x 40 pixels. Be sure to name the image “nac_logo.gif.”
Custom nacStrings_ xx .xml File Template
This is one of the files that is required in your Agent screen customization package, allows you to customize the logo, fields, and message text contained in a Cisco NAC Agent dialog, like the Properties screen, to suit your specific Windows client network access requirements.
Use the following template to construct a one or more nacStrings_xx.xml files, where the xx is a two-character identifier for the specific language.
The following example shows a customized nacStrings_xx.xml file.
<cueslookup:name key="updateagent.rqst">NAC Agent %1 is available.%br% Do you want to install this update now?</cueslookup:name><cueslookup:name key="updateagent.rqst.retry">Unable to update NAC Agent. Please try again.</cueslookup:name><cueslookup:name key="updateopswat.rqst">NAC Agent Posture component version %1 is available.%br% Do you want to install this update now?</cueslookup:name><cueslookup:name key="updateopswat.rqst.retry">Unable to update NAC Agent Posture component. Please try again.</cueslookup:name><cueslookup:name key="downloadopswat.report">Downloading the update of NAC Agnet Posture component.</cueslookup:name><cueslookup:name key="login.customalert">Custom EF package version 2.1.1.1 with EF Logo</cueslookup:name><cueslookup:name key="login.Too many users using this account">This account is already active on another device</cueslookup:name><cueslookup:name key="c.sso.macauth">Performing device filter automatic login for NAC</cueslookup:name><cueslookup:name key="c.sso.vpn">Performing automatic login into NAC environment for remote user</cueslookup:name><cueslookup:name key="c.title.status.properties">Agent Properties & Information</cueslookup:name><cueslookup:name key="c.title.status.update.opswat.available">Update Posture Component</cueslookup:name><cueslookup:name key="c.title.status.update.opswat.downloading">Downloading Posture Component</cueslookup:name><cueslookup:name key="announcePleaseBePatient">Please be patient while your system is checked against the network security policy<cueslookup:name key="bttn.restrictedNet">Get Restricted NET access This one comes down from the network</cueslookup:name>Please update the virus definition file of the specified antivirus software before accessing the network (optional)Please update the virus definition file of the specified antivirus software before accessing the network (required)Please update the spyware definition file of the specified anti-spyware software before accessing the network (optional)Please update the spyware definition file of the specified anti-spyware software before accessing the network (required)Downloaded at %1. %br% Please open this folder & double-click executable file to install the required software.The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator.The remediation you are attempting has failed with an internal error. Please contact your system administrator.The remediation you are attempting had a failure. If the problem persists contact your system administrator.The remediation you are attempting has reported an internal error. If this problem persists please contact your system administrator.The remediation you are attempting is not implemented for this product. Please contact your system administrator.The remediation you are attempting is not supported for this product. Please contact your system administrator.The AV/AS update has failed. Please try again and if this message continues to display contact your system administrator.The AV/AS update failed due to a networking issue. Please try again and if this message continues to display contact your system administrator.The remediation you are attempting has timed out waiting for the operation to finish. If this continues please contact your system administrator.The size of the downloaded file does not match the package! Please discard downloaded file and check with your administrator.The file that has been requested was not digitally signed. Please try again and if this message continues to display contact your system administrator.The requested file is not found. Please try again and if this problem persists, contact your system administrator.The file that has been requested could not be launched either because it could not be found or there was a problem launching it. Please contact your system administrator.The file that is trying to be downloaded has an incorrect URL. Please contact your system administrator.There has been a network error, please try the remediation again. If this message continues to be seen contact your system administrator.The remediation you are trying to do can not be accomplished at your user level. Please contact your system administrator.The WSUS search failed. This is probably due to a network issue. Please try again and if this message continues to display contact your system administrator.This client version is old and not compatible. Please login from web browser to see the download link for the new version.A security enhancement is required for your Agent. Please upgrade your Agent or contact your network administrator.Clicking Cancel may change your network connectivity and interrupt download or required updates.<p> Do you want to continue?</p>
Note There is no limit to the number of characters you can use for the customized text. However, Cisco recommends restricting the length so that these fields do not take up too much space in the resulting customized login screen as it appears on the client.
UpdateFeed.xml Descriptor File Template
This is one of the files that is required in your Agent screen customization package, allows you to customize the logo, fields, and message text contained in a Cisco NAC Agent dialog, like the Properties screen, to suit your specific Windows client network access requirements.
Before you can complete your Agent screen customization package, you must construct a suitable updateFeed.xml XML descriptor file. Use the following example as a template to set up the updateFeed.xml file required for your customization package.
Note the following points while creating the updateFeed.xml descriptor file:
- <update:os>—You must always set this attribute to “WINDOWS_ALL” to include all the Windows OS versions that are supported by Cisco NAC Agent. See Support Information for Cisco NAC Appliance Agents for the list of Windows OS versions that are supported by Cisco NAC Agent.
- <update:version>—This refers to the Agent Customization Package version that you want to upgrade to. This value should be four digit <n.n.n.n> and should be greater than the package version that is currently installed.
- <id>—This id can be anything, but should be unique for each Agent Customization Package.
Creating an Agent Customization File
An agent customization file allows you to customize the logo, fields, and message text contained in a Cisco NAC Agent screen dialog to suit your specific Windows client network access requirements.
You can create a customization package as a .zip file that contains an XML descriptor file and another .zip file with the contents comprising the customized options.
Step 1 Assemble the files required to comprise your Agent screen customization package:
- Customized nac_login.xml file
- Customized corporate/company logo as a .gif file
- One or more customized nacStrings_ xx .xml files
- Customized updateFeed.xml descriptor file
Step 2 Create a zip file called “brand-win.zip” that contains the assembled files. For example, in a Linux or Unix environment, execute the following:
zip -r brand-win.zip nac_login.xml nac_logo.gif nacStrings_en.xml nacStrings_cy.xml nacStrings_el.xml
Step 3 Create a “custom.zip” file that contains an appropriate updateFeed.xml descriptor file and the .zip file created above. For example, in a Linux or Unix environment, execute the following:
zip -r custom.zip updateFeed.xml brand-win.zip
Step 4 Save the resulting “custom.zip” file to a location on a local machine that you can access when uploading the file to Cisco ISE.
- Custom nac_login.xml File Template
- Using a Custom Corporate/Company Logo
- Custom nacStrings_xx.xml File Template
- UpdateFeed.xml Descriptor File Template
- Agent XML File Installation Directories
Agent XML File Installation Directories
In a system where the Cisco NAC Agent installed at the default location, you can find these .xml files in the following directories:
- The nac_login.xml file is available in the “C:\Program Files\Cisco\Cisco NAC Agent\UI\nac_divs\login” directory.
- In the nacStrings_xx.xml file, the “xx” indicates the locale. You can find a complete list of the files in the “C:\Program Files\Cisco\Cisco NAC Agent\UI\cues_utility” directory.
If the agent is installed at a different location, then the files would be available at “ <Agent Installed path> \Cisco\Cisco NAC Agent\UI\nac_divs\login” and “ <Agent Installed path> \Cisco\Cisco NAC Agent\cues_utility”.
Agent Profile Configuration Guidelines
Cisco recommends configuring agent profiles to control remediation timers, network transition delay timers, and the timer that is used to control the login success screen on client machines so that these settings are policy based. However, when there are no agent profiles configured to match client-provisioning policies, you can use the settings in the Administration > System > Settings > Posture > General Settings configuration page to accomplish the same goal.
Once you configure and upload an agent profile to a client device via policy enforcement or another method, that agent profile remains on the client and affects login and operation behavior until you change it to something else. Therefore, deleting an agent profile from Cisco ISE does not remove that behavior from previously affected clients. To alter the login and operational behavior, you must define a new agent profile that overwrites the values of existing agent profile parameters on the client and upload it via policy enforcement.
If Cisco ISE has a different agent profile than what is present on the client (which is determined using MD5 checksum), then Cisco ISE downloads the new agent profile to the client. If the agent customization file originating from Cisco ISE is different, Cisco ISE also downloads the new agent customization file to the client. See for more details.
Agent Profile Parameters and Applicable Values
Agent configuration parameters are grouped by function.
This section provides descriptions, default values, and allowable ranges for the Agent profile parameters used to customize login, operational, and logout behavior for Agents that are installed on a client machine.
no —Turns off certificate revocation list (CRL) checking during discovery and negotiation
- 1—Agent is compatible with the Job Access with Speech (JAWS) screen reader
- 0—Agent does not interact with the JAWS screen reader
Users may experience a slight impact on performance when this feature is enabled. The Agent still functions normally if this feature is enabled on a client machine that does not have the JAWS screen reader installed.
The Check signature setting looks for a digital signature that the Agent uses to determine whether Windows can trust the executable before launching. For more information, see Adding a Launch Program Remediation.
If you are employing autoremediation for Agent requirements, this setting enables you to make the Agent session dialog more automated by skipping the Agent posture assessment summary screen and proceeding directly to the first autoremediation function. Avoiding this step reduces or eliminates user interaction during the Agent login and remediation session.
Note This setting does not apply to Mac OS X clients.
- default —Agent uses the locale settings from the client operating system
- If this setting is either the ID, abbreviated name, or full name of a supported language, the Agent automatically displays the appropriate localized text in Agent dialogs on the client machine. See Table 23-5 . “Supported Languages” .
Note This setting does not apply to Mac OS X clients.
This parameter controls the level and type of results that appear to the user when the client machine undergoes posture assessment.
This setting specifies the file size (in megabytes) for Agent log files on the client machine.
- 0—Agent does not record any login or operation information for the user session on the client machine
- any other integer—Agent records login and session information up to the number of megabytes that is specified3
Example XML File Generated Using the Create Profile Function
Note This file also contains two static (that is, uneditable by the user or Cisco ISE administrator) “AgentCfgVersion” and “AgentBrandVersion” parameters used to identify the current version of the agent profile and agent customization file, respectively, on the client.
Creating Windows Agent Profiles
You can configure Agent profiles in Cisco ISE that specify how Windows clients behave when logging into your protected network. When you set one or more of the parameters to merge with any existing agent profile, new (previously undefined) parameters are set according to the merged value, but existing parameter settings in an agent profile are maintained.
Before you create a Windows agent profile, Cisco recommends uploading agent software to Cisco ISE:
- Adding Client Provisioning Resources from Remote Sources
- Adding Client Provisioning Resources from a Local Machine
- Downloading Client Provisioning Resources Automatically
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources .
Step 2 Choose Add > ISE Posture Agent Profile .
Step 3 Specify a name for the Windows agent profile.
Step 4 Specify values for parameters, and specify whether these settings should merge with or overwrite existing profile settings as necessary to appropriately configure Windows client machine agent behavior.
After you have successfully added client-provisioning resources to Cisco ISE and configured one or more optional agent profiles, you can begin to configure resource policies.
Creating Mac OS X Agent Profiles
You can configure Agent profiles in Cisco ISE that specify how Mac OS X clients behave when logging into your protected network. When you set one or more of the parameters to merge with any existing agent profile, new (previously undefined) parameters are set according to the merged value, but existing parameter settings in an agent profile are maintained.
The parameters available to configure for Mac OS X client machines are only a subset of those available for Windows client machines. Cisco recommends that you avoid specifying settings for any parameters that feature a note reading “Mac platform: N/A,” as these settings have no effect on agent behavior on Mac OS X clients.
Before you create a Mac OS X agent profile, Cisco recommends uploading agent software to Cisco ISE:
- Adding Client Provisioning Resources from Remote Sources
- Adding Client Provisioning Resources from a Local Machine
- Downloading Client Provisioning Resources Automatically
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources .
Step 2 Choose Add > ISE Posture Agent Profile .
Step 3 Specify a name for the agent profile.
Step 4 Specify values for parameters, and specify whether these settings should merge with or overwrite existing profile settings as necessary to appropriately configure Mac OS X client machine agent behavior.
After you have successfully added client-provisioning resources to Cisco ISE and configured one or more optional agent profiles, you can begin to configure resource policies.
Performing Data Encryption Checks for Windows OS
Cisco ISE performs a series of steps to check data encryption using OPSWAT Gears.
Create the Registry conditions.
Note You can apply Steps 1 through 15 to create the Registry conditions.
Step 1 Choose Policy > Conditions > Posture > Registry Condition .
The Registry Condition page appears. You can create the first posture registry condition.
Step 3 Enter the Name, Description, Registry Type, Registry Root Key, Value Name, Value Data Type, Value Operator, Value Data, and Operating System.
Step 4 Enter the following Sub Key: Software\Wow6432Node\OPSWAT\Gears Client\Status in the Sub Key text box.
The OPSWAT Persistent Agent performs a posture compliance check. If the disk is encrypted, the OPSWAT Persistent Agent sets the Registry Value Data to 1. Or, the Registry Value Data is set to zero.
Step 6 In the Registry Condition page, click Add , to create the second posture registry condition.
Step 7 Enter the Name, Description, Registry Type, Registry Root Key, Value Name, Value Data Type, Value Operator, Value Data, and Operating System text boxes.
Step 8 In the Sub Key text box, enter the following Sub Key: Software\Wow6432Node\OPSWAT\Gears Client\Config .
The registry check for OPSWAT key ensures that it matches the Corporate Account key. If the Corporate Account key is not included, it may result in unauthorized users gaining access to the OPSWAT account.
Step 9 In the Registry Condition page, click Add , to create the third posture registry condition.
Step 10 Enter the Name, Description, Registry Type, Registry Root Key, Value Name, Value Data Type, Value Operator, Value Data, and Operating System .
Step 11 In the Sub Key text box, enter the following Sub Key: Software\OPSWAT\Gears OnDemand\Config .
Step 12 The OPSWAT Dissolvable or On-Demand Agent performs a compliance check. If the disk is encrypted, the OPSWAT Persistent Agent sets the Registry Value Data to 1. Or, the Registry Value Data is set to zero.
Step 13 In the Registry Condition page, click Add , to create the last posture registry condition.
Step 14 Enter the Name, Description, Registry Type, Registry Root Key, Value Name, Value Data Type, Value Operator, Value Data , and Operating System.
Step 15 In the Sub Key text box, enter the following Sub Key: Software\OPSWAT\Gears OnDemand\Config .
The Registry check for OPSWAT Key ensures that it matches the Corporate Account key. If the Corporate Account key is not included in the posture check, it may result in unauthorized users gaining access to the OPSWAT account.
Create a compound condition to combine the Registry conditions that you created earlier.
Step 1 Choose Policy > Conditions > Posture > Compound Condition and click Add .
Step 2 Enter the Name , Description , and Operating System . In the Select a condition to insert below drop-down list, choose the Registry condition names that you have created in the previous steps, to create the compound condition.
Step 3 Click Validate Expression to receive the following message: Server Response: Valid expression.
Step 4 Click Submit to create the compound condition.
Create a posture requirement to use the conditions.
Step 1 Choose Policy > Results > Posture > Requirements , click the Edit drop-down list and choose the Insert New Requirement option.
Step 2 In the newly inserted row, enter the Requirements . This ensures posture requirement check for Windows registry compliance and key check for OPSWAT Persistent or OPSWAT On-Demand.
Step 1 Choose Policy > Posture .
Step 2 Click the Edit drop-down list and choose the Insert new policy to display a new row.
Step 3 Enter policy name, Identity Groups, Operating Systems , and Requirements .
Note In case of an error with compound condition, you can create simple conditions such as, GEARS.
Create the Authorization profile.
Step 1 Choose Policy > Results > Authorization > Authorization Profile .
Step 2 Click Add to set the new authorization profile.
Step 3 Enter Name and Access Type in the Authorization Profile section.
Step 4 Enter DACL Name and VLAN in the Common Tasks section.
Step 6 View the Attributes Details .
Create a new Authorization Profile for employee access.
Step 1 Choose P olicy > Results > Authorization > Authorization Profiles .
Step 2 Click Add to set the new authorization profile.
Step 3 Enter Name and Access Type in the Authorization Profile section.
Step 4 Enter DACL Name, VLAN, and Airespace ACL Name in the Common Tasks section.
Step 6 View the Attributes Details .
Create the Authorization Policy.
Step 1 Choose Policy > Authorization .
Step 2 Set the Pre-Compliant Authorization and C ompliant Authorization policies.
Step 3 View the posture complaint details.
Performing Data Encryption Checks for Mac OS X
Cisco ISE performs a series of steps to check data encryption using OPSWAT Gears.
Create a compound condition to combine the AV conditions.
Step 1 Choose Policy > Conditions > Posture > AV Compound Condition .
Step 3 Enter Name, Description, Operating System, Vendor , and Check Type .
Step 4 Select the desired product in the Products for Selected Vendor section.
Step 5 Click Submit to perform a definition check.
Create a posture requirement to use the conditions.
Step 1 Choose Policy > Results > Posture > Requirements .
Step 2 Click the Edit drop-down list.
Step 3 Choose the Insert New Requirement option.
Step 4 Enter the Requirements in the newly inserted row. This ensures requirement check for Mac OS X leveraging the AV compound condition created in the previous step for OPSWAT definition check.
Step 1 Choose Policy > Posture .
Step 2 Click the Edit drop-down list.
Step 3 Choose the Insert new policy to display a new row.
Step 4 Enter policy name, Identity Groups, Operating Systems , and Requirements .
Create the Authorization profile.
Step 1 Choose Policy -> Results -> Authorization -> Authorization Profile .
Step 2 Click Add to set the new authorization profile.
Step 3 Enter Name and Access Type in the Authorization Profile section.
Step 4 Enter DACL Name and VLAN in the Common Tasks section.
Step 6 View the Attributes Details .
Create a new Authorization Profile for employee access.
Step 1 Choose P olicy -> Results -> Authorization -> Authorization Profile .
Step 2 Click Add to set the new authorization profile.
Step 3 Enter Name and Access Type in the Authorization Profile section.
Step 4 Enter DACL Name, VLAN, and Airespace ACL Name in the Common Tasks section.
Step 6 View the Attributes Details .
Create the Authorization Policy.
Step 1 Choose Policy > Authorization .
Step 2 Set the Pre-Compliant Authorization and C ompliant Authorization policies.
Step 3 View the posture complaint details.
Creating Native Supplicant Profiles
You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user logs in, based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network.
- If you intend to use a TLS device protocol for remote device registration, be sure you set up at least one Simple Certificate Enrollment Protocol (SCEP) profile, as described in Simple Certificate Enrollment Protocol Profiles.
- Be sure to open up TCP port 8909 and UDP port 8909 to enable Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation. For more information on port usage, see the “Cisco ISE Appliance Ports Reference” appendix in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 .
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources .
Step 2 Choose Add > Native Supplicant Profile .
Step 3 Specify a Name for the agent profile.
Step 4 Enter an optional Description for the Native Supplicant Profile.
Step 5 Select an Operating System for this profile.
Step 6 Enable the appropriate options for Wired or Wireless Connection Type (or both) for this profile. If you enable the Wireless connection option, be sure to also specify the device SSID and the wireless Security type (either WPA2 Enterprise or WPA Enterprise).
Step 7 Choose the Allowed Protocol for the device profile.
Step 8 Enable or disable other Optional Settings as appropriate for this profile.
Enable self-provisioning capabilities that allow employees to directly connect their personal devices to the network, as described in the Support for multiple Guest Portals section.
Allowed Protocol Settings
Use the TLS protocol to provide the highest level of device registration security. When you specify the TLS method, Cisco ISE generates a Certificate Signing Request for the device certificate and forwards an SCEP request to the applicable certificate registration authority. For more information on configuring a connection to an SCEP certificate authority, see Simple Certificate Enrollment Protocol Profiles.
In general, PEAP allows users to enter their access credentials when logging into the network, and accepts standard registration certificates in return.
Use EAP-FAST to connect Apple iOS and Mac OS X devices. Connection typically takes place independent of certificate type and presence.
Note Due to Apple iOS default behavior on iPhones and iPads, Cisco ISE does not support using the EAP-FAST protocol in the native supplicant profile when connecting via a single Service Set Identifier (SSID). When logging into the Cisco ISE network, iOS-based devices automatically negotiate using the PEAP-MSCHAPv2 protocol by default, even if the supplicant provisioning profile that is installed on the device specifies the EAP-FAST protocol. In a dual SSID environment, iOS-based devices should not face this restriction.
Configuring Personal Device Registration Behavior
Use this function to specify how Cisco ISE should handle user login sessions via personal devices on which Cisco ISE cannot install a native supplicant provisioning wizard (like Research In Motion Blackberry devices).
Step 1 Choose Administration > System > Settings > Client Provisioning .
Step 2 From the Native Supplicant Provisioning Policy Unavailable drop-down list, choose one of the following two options:
- Allow Network Access —Users are allowed to register their device on the network without having to install and launch the native supplicant wizard.
- Apply Defined Authorization Policy —Users must try to access the Cisco ISE network via standard authentication and authorization policy application (outside of the native supplicant provisioning process). If you enable this option, the user device goes through standard registration according to any client-provisioning policy applied to the user’s ID. If the user’s device requires a certificate to access the Cisco ISE network, you must also provide detailed instructions to the user describing how to obtain and apply a valid certificate using the customizable user-facing text fields, as described in the “Adding a Custom Language Template” section in the Chapter 15, Setting up and Customizing End_User Web Portals.
Enable self-provisioning capabilities that allow employees to directly connect their personal devices to the network, as described in the Support for multiple Guest Portals section.
Provisioning Client Machines with the Cisco NAC Agent MSI Installer
You can place the MSI installer in a directory or a zip version of the same installer on the client machine along with an Agent configuration XML file (named NACAgentCFG.xml ) containing the appropriate Agent profile information required to coincide with your network.
Step 1 Download the nacagentsetup-win.msi or nacagentsetup-win.zip installer file from the Cisco Software Download site at http://software.cisco.com/download/navigator.html .
Step 2 Place the nacagentsetup-win.msi file in a specific directory on the client machine (for example, C:\temp\nacagentsetup-win.msi):
- If you are copying the MSI installer directly over to the client, place the nacagentsetup-win.msi file into a directory on the client machine from which you plan to install the Cisco NAC Agent.
- If you are using the nacagentsetup-win.zip installer, extract the contents of the zip file into the directory on the client machine from which you plan to install the Cisco NAC Agent.
Step 3 Place an Agent configuration XML file in the same directory as the Cisco NAC Agent MSI package.
If you are not connected to Cisco ISE, you can copy the NACAgentCFG.xml file from a client that has already been successfully provisioned. The file is located at C:\Program Files\Cisco\Cisco NAC Agent\NACAgentCFG.xml.
As long as the Agent configuration XML file exists in the same directory as the MSI installer package, the installation process automatically places the Agent configuration XML file in the appropriate Cisco NAC Agent application directory so that the agent can point to the correct Layer 3 network location when it is first launched.
Step 4 Open a Command prompt on the client machine and enter the following to execute the installation:
(The
/qn
qualifier installs the Cisco NAC Agent completely silently. The/l*v
logs the installation session in verbose mode.)To uninstall the NAC Agent, you can execute the following command:
Note Installing a new version of the Agent using MSI will uninstall the old version and install the new version using the above commands.
Step 5 If you are using Altiris/SMS to distribute the MSI installer, place the Agent customization files in a sub-directory named “brand” in the directory “%TEMP%/CCAA”. When the Cisco NAC Agent is installed in the client, the customization is applied to the Agent. To remove the customization, send a plain MSI without the customization files.
Configuring Client Provisioning Resource Policies
Client-provisioning resource policies determine which users receive which version (or versions) of resources (agents, agent compliance modules, and/or agent customization packages/profiles) from Cisco ISE upon login and user session initiation.
When you download the agent compliance module, it always overwrites the existing one, if any, available in the system.
Before you can create effective client-provisioning resource policies, ensure that you have set up system-wide client-provisioning functions according to the following topics:
- Specifying Proxy Settings in Cisco ISE.
- Adding Client Provisioning Resources from Remote Sources
- Adding Client Provisioning Resources from a Local Machine
- Downloading Client Provisioning Resources Automatically
Step 1 Choose Policy > Client Provisioning .
Step 2 Choose Enable , Disable , or Monitor from the behavior drop-down list:
- Enable —Ensures Cisco ISE uses this policy to help fulfill client-provisioning functions when users log in to the network and conform to the client-provisioning policy guidelines.
- Disable —Cisco ISE does not use the specified resource policy to fulfill client-provisioning functions.
- Monitor —Disables the policy and “watches” the client-provisioning session requests to see how many times Cisco ISE tries to invoke based on the “Monitored” policy.
Step 3 Enter a name for the new resource policy in the Rule Name text box.
Step 4 Specify one or more Identity Groups to which a user who logs into Cisco ISE might belong.
You can choose to specify the Any identity group type, or choose one or more groups from a list of existing Identity Groups that you have configured.
Step 5 Use the Operating Systems field to specify one or more operating systems that might be running on the client machine or device through which the user is logging into Cisco ISE.
You can choose to specify a single operating system like “Android,” “Mac iOS,” and “Mac OS X,” or an umbrella operating system designation that addresses a number of client machine operating systems like “Windows XP (All)” or “Windows 7 (All).”
Step 6 In the Other Conditions field, specify a new expression that you want to create for this particular resource policy.
Step 7 For client machines, specify which agent type, compliance module, agent customization package, and/or profile to make available and provision on the client machine based on the categorization defined in the preceding topic.
a. Choose an available agent from the Agent drop-down list and specify whether the agent upgrade (download) defined here is mandatory for the client machine by enabling or disabling the Is Upgrade Mandatory option, as appropriate.
Note The Is Upgrade Mandatory setting only applies to agent downloads. Agent profile, compliance module, and Agent customization package updates are always mandatory.
b. Choose an existing agent profile from the Profile drop-down list.
c. Choose an available compliance module to download to the client machine using the Compliance Module drop-down list.
Note You can also use the policy configuration process to download agent resources “on the fly” for these three resource types by clicking the Action icon and choosing Download Resource or Upload Resource from the drop-down list. This opens the Downloaded Remote Resources or Manual Resource Upload dialog box, where you can download one or more resources to Cisco ISE, as described in the “Adding Client_Provisioning Resources from Remote Sources” and “Adding Client_Provisioning Resources from a Local Machine” sections.
d. Choose an available agent customization package for the client machine from the Agent Customization Package drop-down list.
Starting from Cisco ISE Release 1.2, it is mandatory to include the client provisioning URL in authorization policy, to enable the NAC Agent to popup in the client machines. This prevents request from any random clients and ensures that only clients with proper redirect URL can request for posture assessment.
Step 8 For personal devices, specify which N ative Supplicant Configuration to make available and provision on the registered personal device based on the categorization defined above:
a. Choose the specific Configuration Wizard to distribute to these personal devices.
b. Specify the applicable Wizard Profile for the given personal device type.
Once you have successfully configured one or more client-provisioning resource policies, you can start to configure Cisco ISE to perform posture assessment on client machines during login.
Viewing Client Provisioning Reports
You can access the Cisco ISE monitoring and troubleshooting functions to check on overall trends for successful or unsuccessful user login sessions, gather statistics about the number and types of client machines logging into the network during a specified time period, or check on any recent configuration changes in client-provisioning resources.
Viewing Client Provisioning Requests
The Operations > Reports > ISE Reports > Endpoints and Users > Client Provisioning page displays statistics about successful and unsuccessful client-provisioning requests. When you choose Run and specify one of the preset time periods, Cisco ISE combs the database and displays the resulting client-provisioning data.
Viewing Client Provisioning Event Logs
You can search event log entries to help diagnose a possible problem with client login behavior. For example, you may need to determine the source of an issue where client machines on your network are not able to get client-provisioning resource updates upon login. You can compile and view logging entries for Client Provisioning and Posture audit messages as well as diagnostics.
Collecting Cisco NAC Agent Logs
In Cisco NAC Agent for Windows, right-click the Agent Tray Icon and then click Log Packager to run the support package and collect the logs.
In Cisco NAC Agent for Mac OS X, in the Tools menu, right-click the Agent icon and click the Collect Support Logs option to collect the Agent logs and support information. The collected information is available as a zip file. The user can save the file by choosing the file location and filename. By default the file is saved on the desktop with the filename as CiscoSupportReport.zip .
If the Agent crashes or hangs, you can run the CCAAgentLogPackager.app to collect the logs. This file is available at /Applications/CCAAgent.app . You can right-click CCAAgent.app , select Show Package Contents and double-click CCAAgentLogPackager to collect the support information.“