使用Rapid7配置ISE 2.2以威胁为中心的NAC (TC-NAC)

简介

本文档介绍如何在身份服务引擎(ISE) 2.2上使用Rapid7配置和排除以威胁为中心的NAC故障。 利用以威胁为中心的网络访问控制(TC-NAC)功能，您可以根据从威胁和漏洞适配器接收的威胁和漏洞属性创建授权策略。 

先决条件

要求

Cisco 建议您具有以下主题的基础知识：

• 思科身份服务引擎

• Nexpose漏洞扫描程序

使用的组件

本文档中的信息基于以下软件和硬件版本：

• 思科身份服务引擎版本2.2
• Cisco Catalyst 2960S交换机15.2(2a)E1
• Rapid7 Nexpose漏洞扫描程序企业版
• Windows 7 Service Pack 1
• Windows Server 2012 R2

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您使用的是真实网络，请确保您已经了解所有命令的潜在影响。

配置

高级流程图

流程如下：

1. 客户端连接到网络，授予有限访问权限，并且分配已启用Assess Vulnerabilities复选框的配置文件。
   
   
2. PSN节点向MNT节点发送系统日志消息，确认身份验证已发生，并且VA扫描是授权策略的结果。
   
   
3. MNT节点使用以下数据向TC-NAC节点（使用管理WebApp）提交扫描：
   -Mac 地址
   -IP Address
   - 扫描间隔
   - 定期扫描已启用
   - 始发PSN
   
   
4. Nexpose TC-NAC（封装在Docker容器中）与Nexpose Scanner通信以在需要时触发扫描。
   
   
5. Nexpose扫描程序扫描ISE请求的终端。
   
   
6. Nexpose扫描程序将扫描结果发送到ISE。
   
   
7. 扫描结果发送回TC-NAC：
   -Mac 地址
   - 所有CVSS评分
   - 所有漏洞（标题、CVEID）
   
   
8. TC-NAC使用步骤7中的所有数据更新PAN。
   
   
9. 如果需要，将根据配置的授权策略触发CoA。

部署和配置Nexpose Scanner

注意：本文档中的附件配置用于实验目的，请咨询Rapid7工程师以了解设计注意事项

步骤1:部署Nexpose扫描程序。

Nexpose扫描程序可从OVA文件部署，安装在Linux和Windows操作系统之上。在本文档中，安装是在Windows Server 2012 R2上完成的。从Rapid7网站下载映像并开始安装。配置类型和目标时，选择Nexpose Security Console with local Scan Engine

安装完成后，服务器将重新启动。启动后，Nexpose扫描仪应可通过3780端口访问，如图所示：

如图所示，扫描程序经历安全控制台启动过程：

之后要访问GUI，应提供许可证密钥。请注意，需要Enterprise Edition of Nexpose Scanner，如果安装了Community Edition，则不会触发扫描。

第二步：配置Nexpose扫描程序。

第一步是在Nexpose扫描仪上安装证书。本文档中的证书由与ISE的管理员证书（实验室CA）相同的CA颁发。导航到管理>全局和控制台设置。在控制台下选择管理，如图所示。

单击Manage Certificate，如图所示：

如图所示，在Create New Certificate中单击。输入公用名以及您要包含在Nexpose扫描程序的身份证书中的任何其他数据。确保ISE能够使用DNS解析Nexpose扫描程序FQDN。

将证书签名请求(CSR)导出到终端。

此时，您需要使用证书颁发机构(CA)签署CSR。

通过单击Import Certificate导入由CA颁发的证书。

配置站点。站点包含您应该能够扫描的资产，并且用于将ISE与Nexpose Scanner集成的帐户应具有管理站点和创建报告的权限。导航到创建>站点，如图所示。

如图所示，在信息和安全选项卡上输入站点的名称。Assets选项卡应包含有效资产的ip地址，即符合漏洞扫描条件的终端。

将签名ISE证书的CA证书导入到受信任的存储中。导航到管理>根证书>管理>导入证书。

配置ISE

步骤1:启用TC-NAC服务。

在ISE节点上启用TC-NAC服务。请注意以下事项：

• 以威胁防护为中心的NAC服务需要Apex许可证。
• 您需要一个单独的策略服务节点(PSN)，用于以威胁防护为中心的NAC服务。
• 在部署中只能在一个节点上启用以威胁防护为中心的NAC服务。
• 对于漏洞评估服务，每个供应商只能添加一个适配器实例。

第二步：导入下一个扫描程序证书。

将Nexpose扫描程序CA证书导入到思科ISE中的受信任证书库中(Administration > Certificates > Certificate Management > Trusted Certificates > Import)。确保在Cisco ISE受信任证书库中导入或存在适当的根证书和中间证书

第三步：配置Nexpose Scanner TC-NAC实例。

在Administration > Threat Centric NAC > Third Party Vendors处添加Rapid7实例。

添加实例后，实例将转换为Ready to Configure状态。单击此链接。配置Nexpose Host (Scanner)和Port，默认值为3780。指定有权访问特定站点的用户名和口令。

高级设置在《ISE 2.2管理员指南》中有详细介绍，该链接可在本文档的“参考”部分找到。单击下一步和完成。Nexpose实例将转换为活动状态，并开始下载知识库。

第四步：配置授权配置文件以触发VA扫描。

导航到策略>Policy元素>结果>授权>授权配置文件。添加新配置文件.在Common Tasks下，选中Vulnerability Assessment复选框。按需扫描间隔应根据您的网络设计选择。

授权配置文件包含这些av对：

cisco-av-pair = on-demand-scan-interval=48
cisco-av-pair = periodic-scan-enabled=0
cisco-av-pair = va-adapter-instance=c2175761-0e2b-4753-b2d6-9a9526d85c0c

它们被发送到Access-Accept数据包中的网络设备，尽管它们的真正目的是告知监控(MNT)节点应触发扫描。MNT指示TC-NAC节点与Nexpose扫描程序通信。

第五步：配置授权策略。

• 配置授权策略以使用步骤4中配置的新授权配置文件。导航到策略>授权>授权策略，找到Basic_Authenticated_Access规则并单击编辑。将权限从PermitAccess更改为新创建的Standard Rapid7。这会导致对所有用户进行漏洞扫描。单击Save。

• 为隔离的计算机创建授权策略。导航到策略>授权>授权策略>例外，并创建例外规则。现在导航到条件>创建新条件（高级选项）>选择属性，向下滚动并选择威胁。展开Threat属性并选择Nexpose-CVSS_Base_Score。将运算符更改为大于，然后根据您的安全策略输入值。隔离授权配置文件应提供对易受攻击计算机的有限访问权限。

验证

身份服务引擎

第一个连接触发VA扫描。扫描完成后，如果匹配，将触发CoA重新身份验证以应用新策略。

要验证检测到哪些漏洞，请导航到Context Visibility > Endpoints。使用Nexpose Scanner向其提供的分数检查每个终端的漏洞。

在操作(Operations) > TC-NAC实时日志(TC-NAC Live Logs)中，您可以查看应用的授权策略和CVSS_Base_Score的详细信息。

Nexpose扫描仪

当VA扫描由TC-NAC Nexpose扫描触发，并转换为In-Progress状态，且扫描程序开始探测终端时，如果您在终端上运行wireshark捕获，此时，您会看到终端站和扫描程序之间的数据包交换。扫描程序完成后，结果显示在Home page下。

在资产页面下，您可以看到有新的可用终端和扫描结果，已识别操作系统，且已检测到10个漏洞。

当您点击终端的IP地址时，Nexpose Scanner会将您引导至新菜单，您可以在其中看到包括主机名、Risc评分和漏洞详细列表的更多信息

单击Vulnerability本身时，图中显示完整的说明。

故障排除

ISE上的调试

要在ISE上启用调试，请导航到Administration > System > Logging > Debug Log Configuration，选择TC-NAC Node，并将Log Level va-runtime和va-service组件更改为DEBUG。

要检查的日志- varuntime.log。您可以直接从ISE CLI对其进行跟踪：

ISE21-3ek/admin# show logging application varuntime.log tail

TC-NAC Docker收到对特定终端执行扫描的指令。

2016-11-24 13:32:04,436 DEBUG [Thread-94][] va.runtime.admin.mnt.EndpointFileReader -:::::- VA: Read va runtime. [{"operationType":1,"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","ondemandScanInterval":"48","isPeriodicScanEnabled":false,"periodicScanEnabledString":"0","vendorInstance":"c2175761-0e2b-4753-b2d6-9a9526d85c0c","psnHostName":"ISE22-1ek","heartBeatTime":0,"lastScanTime":0}, {"operationType":1,"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","isPeriodicScanEnabled":false,"heartBeatTime":0,"lastScanTime":0}]
2016-11-24 13:32:04,437 DEBUG [Thread-94][] va.runtime.admin.vaservice.VaServiceRemotingHandler -:::::- VA: received data from Mnt: {"operationType":1,"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","ondemandScanInterval":"48","isPeriodicScanEnabled":false,"periodicScanEnabledString":"0","vendorInstance":"c2175761-0e2b-4753-b2d6-9a9526d85c0c","psnHostName":"ISE22-1ek","heartBeatTime":0,"lastScanTime":0}
2016-11-24 13:32:04,439 DEBUG [Thread-94][] va.runtime.admin.vaservice.VaServiceRemotingHandler -:::::- VA: received data from Mnt: {"operationType":1,"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","isPeriodicScanEnabled":false,"heartBeatTime":0,"lastScanTime":0}

收到结果后，会将所有漏洞数据存储在Context Directory中。

2016-11-24 13:45:28,378 DEBUG [Thread-94][] va.runtime.admin.vaservice.VaServiceRemotingHandler -:::::- VA: received data from Mnt: {"operationType":2,"isPeriodicScanEnabled":false,"heartBeatTime":1479991526437,"lastScanTime":0}
2016-11-24 13:45:33,642 DEBUG [pool-115-thread-19][] va.runtime.admin.vaservice.VaServiceMessageListener -:::::- Got message from VaService: [{"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","lastScanTime":1479962572758,"vulnerabilities":["{\"vulnerabilityId\":\"ssl-cve-2016-2183-sweet32\",\"cveIds\":\"CVE-2016-2183\",\"cvssBaseScore\":\"5\",\"vulnerabilityTitle\":\"TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}","{\"vulnerabilityId\":\"ssl-static-key-ciphers\",\"cveIds\":\"\",\"cvssBaseScore\":\"2.5999999\",\"vulnerabilityTitle\":\"TLS/SSL Server Supports The Use of Static Key Ciphers\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}","{\"vulnerabilityId\":\"rc4-cve-2013-2566\",\"cveIds\":\"CVE-2013-2566\",\"cvssBaseScore\":\"4.30000019\",\"vulnerabilityTitle\":\"TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}","{\"vulnerabilityId\":\"tls-dh-prime-under-2048-bits\",\"cveIds\":\"\",\"cvssBaseScore\":\"2.5999999\",\"vulnerabilityTitle\":\"Diffie-Hellman group smaller than 2048 bits\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}","{\"vulnerabilityId\":\"tls-dh-primes\",\"cveIds\":\"\",\"cvssBaseScore\":\"2.5999999\",\"vulnerabilityTitle\":\"TLS/SSL Server Is Using Commonly Used Prime Numbers\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}","{\"vulnerabilityId\":\"ssl-cve-2011-3389-beast\",\"cveIds\":\"CVE-2011-3389\",\"cvssBaseScore\":\"4.30000019\",\"vulnerabilityTitle\":\"TLS/SSL Server is enabling the BEAST attack\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}","{\"vulnerabilityId\":\"tlsv1_0-enabled\",\"cveIds\":\"\",\"cvssBaseScore\":\"4.30000019\",\"vulnerabilityTitle\":\"TLS Server Supports TLS version 1.0\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}"]}]
2016-11-24 13:45:33,643 DEBUG [pool-115-thread-19][] va.runtime.admin.vaservice.VaServiceMessageListener -:::::- VA: Save to context db, lastscantime: 1479962572758, mac: 3C:97:0E:52:3F:D9
2016-11-24 13:45:33,675 DEBUG [pool-115-thread-19][] va.runtime.admin.vaservice.VaPanRemotingHandler -:::::- VA: Saved to elastic search: {3C:97:0E:52:3F:D9=[{"vulnerabilityId":"ssl-cve-2016-2183-sweet32","cveIds":"CVE-2016-2183","cvssBaseScore":"5","vulnerabilityTitle":"TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"ssl-static-key-ciphers","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"TLS/SSL Server Supports The Use of Static Key Ciphers","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"rc4-cve-2013-2566","cveIds":"CVE-2013-2566","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"tls-dh-prime-under-2048-bits","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"Diffie-Hellman group smaller than 2048 bits","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"tls-dh-primes","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"TLS/SSL Server Is Using Commonly Used Prime Numbers","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"ssl-cve-2011-3389-beast","cveIds":"CVE-2011-3389","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS/SSL Server is enabling the BEAST attack","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"tlsv1_0-enabled","cveIds":"","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS Server Supports TLS version 1.0","vulnerabilityVendor":"Rapid7 Nexpose"}]}

要检查的日志- vaservice.log。您可以直接从ISE CLI对其进行跟踪：

ISE21-3ek/admin# show logging application vaservice.log tail

漏洞评估请求已提交至适配器。

2016-11-24 12:32:05,783 DEBUG [endpointPollerScheduler-7][] cpm.va.service.util.VaServiceUtil -:::::- VA SendSyslog systemMsg : [{"systemMsg":"91019","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA request submitted to adapter","TC-NAC.Details","VA request submitted to adapter for processing","TC-NAC.MACAddress","3C:97:0E:52:3F:D9","TC-NAC.IpAddress","10.229.20.32","TC-NAC.AdapterInstanceUuid","c2175761-0e2b-4753-b2d6-9a9526d85c0c","TC-NAC.VendorName","Rapid7 Nexpose","TC-NAC.AdapterInstanceName","Rapid7"]}]
2016-11-24 12:32:05,810 DEBUG [endpointPollerScheduler-7][] cpm.va.service.util.VaServiceUtil -:::::- VA SendSyslog systemMsg res: {"status":"SUCCESS","statusMessages":["SUCCESS"]}

AdapterMessageListener每5分钟检查一次扫描的状态，直到扫描完成。

2016-11-24 12:36:28,143 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : {"AdapterInstanceName":"Rapid7","AdapterInstanceUid":"7a2415e7-980d-4c0c-b5ed-fe4e9fadadbd","VendorName":"Rapid7 Nexpose","OperationMessageText":"Number of endpoints queued for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints for which the scan is in progress: 1"}
2016-11-24 12:36:28,880 DEBUG [endpointPollerScheduler-5][] cpm.va.service.util.VaServiceUtil -:::::- VA SendSyslog systemMsg : [{"systemMsg":"91019","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","Adapter Statistics","TC-NAC.Details","Number of endpoints queued for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints for which the scan is in progress: 1","TC-NAC.AdapterInstanceUuid","7a2415e7-980d-4c0c-b5ed-fe4e9fadadbd","TC-NAC.VendorName","Rapid7 Nexpose","TC-NAC.AdapterInstanceName","Rapid7"]}]

Adapter获得CVE以及CVSS分数。

2016-11-24 12:45:33,132 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter : {"returnedMacAddress":"","requestedMacAddress":"3C:97:0E:52:3F:D9","scanStatus":"ASSESSMENT_SUCCESS","lastScanTimeLong":1479962572758,"ipAddress":"10.229.20.32","vulnerabilities":[{"vulnerabilityId":"tlsv1_0-enabled","cveIds":"","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS Server Supports TLS version 1.0","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"rc4-cve-2013-2566","cveIds":"CVE-2013-2566","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"ssl-cve-2016-2183-sweet32","cveIds":"CVE-2016-2183","cvssBaseScore":"5","vulnerabilityTitle":"TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"ssl-static-key-ciphers","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"TLS/SSL Server Supports The Use of Static Key Ciphers","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"tls-dh-primes","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"TLS/SSL Server Is Using Commonly Used Prime Numbers","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"tls-dh-prime-under-2048-bits","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"Diffie-Hellman group smaller than 2048 bits","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"ssl-cve-2011-3389-beast","cveIds":"CVE-2011-3389","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS/SSL Server is enabling the BEAST attack","vulnerabilityVendor":"Rapid7 Nexpose"}]}
2016-11-24 12:45:33,137 INFO [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener -:::::- Endpoint Details sent to IRF is {"3C:97:0E:52:3F:D9":[{"vulnerability":{"CVSS_Base_Score":5.0,"CVSS_Temporal_Score":0.0},"time-stamp":1479962572758,"title":"Vulnerability","vendor":"Rapid7 Nexpose"}]}
2016-11-24 12:45:33,221 DEBUG [endpointPollerScheduler-7][] cpm.va.service.util.VaServiceUtil -:::::- VA SendSyslog systemMsg : [{"systemMsg":"91019","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA successfully completed","TC-NAC.Details","VA completed; number of vulnerabilities found: 7","TC-NAC.MACAddress","3C:97:0E:52:3F:D9","TC-NAC.IpAddress","10.229.20.32","TC-NAC.AdapterInstanceUuid","c2175761-0e2b-4753-b2d6-9a9526d85c0c","TC-NAC.VendorName","Rapid7 Nexpose","TC-NAC.AdapterInstanceName","Rapid7"]}]
2016-11-24 12:45:33,299 DEBUG [endpointPollerScheduler-7][] cpm.va.service.util.VaServiceUtil -:::::- VA SendSyslog systemMsg res: {"status":"SUCCESS","statusMessages":["SUCCESS"]}

相关信息

• 技术支持和文档 - Cisco Systems
• ISE 2.2版本说明
• ISE 2.2硬件安装指南
• ISE 2.2升级指南
• 《 ISE 2.2引擎管理员指南》