此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。
思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。
本文档介绍在思科身份服务引擎(ISE)3.1版本中引入的状态同步的配置和使用。
Cisco 建议您了解以下主题:
假设您有状态配置来取代任何类型。
为了更好地了解下文介绍的概念,建议完成以下步骤:
本文档中的信息基于以下软件和硬件版本:
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
ISE终端安全评估流程通常不允许从ISE在客户端更新终端安全评估状态。思科安全客户端状态模块用于评估终端的安全状态,并将其保持到网络更改、定期重新评估或其他客户端触发为止。如果ISE上的终端安全评估状态因会话终止或其他原因而更改,安全客户端安全评估模块可能不知道该更改,因此终端将处于安全评估未知状态,网络访问受限,直到发生其中一个客户端触发。
本文档重点介绍一项新功能 — 终端安全评估状态同步,该功能旨在解决此类问题,并允许ISE向安全客户端终端安全评估模块提供有关终端当前终端安全评估状态的反馈。
默认情况下,当终端安全评估状态同步启用时,会在每个ISE PSN节点上引入终端安全评估状态探测端口 — TCP 8449。如果终端状态为未知(Unknown)或待处理(Pending),则从终端应该可访问,如果终端状态为兼容(Compliant),则无法访问。
状态同步功能配置包括两部分:
1.1在Cisco ISE GUI中,导航到Policy > Policy Elements > Results > Client Provisioning > Resources。
1.2选择您已使用的AnyConnect终端安全评估配置文件或新建一个配置文件。
1.3在Agent Behavior区域中,将Posture State Synchronization Interval配置为1到300秒之间的任意值,0 — 禁用状态同步
1.4您可以配置终端安全评估探测备份列表 — 安全客户端使用此列表检查选定PSN上的终端安全评估状态。如果不选择任何PSN,则连接的PSN和任意两个备份服务器将用作状态同步的备份。
2.配置可下载ACL(dACL),在客户端状态为合规或不合规时阻止对思科ISE上的状态同步端口的访问。您需要为每个PSN的访问控制拒绝条目添加安全评估状态同步端口,该PSN位于用于合规终端的ACL顶部,以限制对安全评估状态同步端口的访问(如果终端状态已知),例如:
deny tcp any host PSN1-IP-ADDRESS eq 8449
deny tcp any host PSN2-IP-ADDRESS eq 8449
permit ip any any
permit ip any any不是必需的,您可以根据需要使用任何规则集替换它。
注意:如果未在dACL中配置deny条目,则在Cisco ISE控制面板上触发状态配置检测警报,并且在终端上禁用状态同步,直到重新启动Cisco Secure Client。
状态同步端口(双向端口)可在客户端调配门户配置页面上更改。导航到管理>设备门户管理>客户端调配>选择所需的门户>门户行为和流量设置并打开门户设置。无法更改默认客户端调配门户的状态同步端口。
通过查看DART捆绑包中的思科安全客户端状态模块日志(AnyConnect_ISEPosture.txt),可从客户端验证状态同步:
1.状态评估已完成,状态为合规。
2022/11/09 12:22:47 [Information] aciseagent Function: Authenticator::sendUIStatus Thread Id: 0xC60 File: authenticator.cpp Line: 1905 Level: debug MSG_SU_STEP_STATUS, {Status:4,Compliant:2,RemStatus:2,Phase:0,StepNumber:-1,Progress:-1,Attention:1,Cancellable:0,Restartable:0,ErrorMessage:0,Description1:"Compliant.",Description2:"Network access allowed."}.
2.状态同步探测已启动。
2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 143 Level: info Session Sync Periodic Probing start.
2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 335 Level: info Session sync periodic probing thread start.
3.在终端安全评估状态同步端口(8449)上发起到ISE PSN的HTTPS连接。
2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 357 Level: debug Sending http session sync periodic probe to [ISE-PSN-FQDN].
2022/11/09 12:22:47 [Information] aciseagent Function: HttpConnection::MakeRequest Thread Id: 0x296C File: httpconnection.cpp Line: 330 Level: debug Url=https://ISE-PSN-FQDN:8449/auth/StateSynch.
4.状况状态同步探测超时。
2022/11/09 12:22:54 [Information] aciseagent Function: hs_transport_winhttp_post Thread Id: 0x296C File: hs_transport_winhttp.c Line: 5815 Level: debug unable to send request: 12002.
2022/11/09 12:22:54 [Information] aciseagent Function: hs_transport_post Thread Id: 0x296C File: hs_transport.c Line: 1425 Level: trace posting data failed.
2022/11/09 12:22:54 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 394 Level: debug HTTP Probe failed/timed-out, Retrying...
在客户端上捕获的数据包显示在没有来自ISE PSN的SYN-ACK响应的情况下,在终端安全评估状态同步端口(8449)上向ISE PSN节点发送的SYN数据包:
无法从ISE端验证正确的终端安全评估状态同步配置,因为终端安全评估状态同步端口(8449)上的连接应该失败。
1)当思科安全客户端处于“兼容”状态时,已从ISE收到状态为“未知”的会话状态信息。
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 430 Level: debug --- Http Response Headers ---.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug HTTP-Version: 1.1.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Status-Code: 200.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Connection: keep-alive.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Date: Wed, 09 Nov 2022 11:26:24 GMT.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Keep-Alive: timeout=20.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Content-Length: 0.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Server: server.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-Frame-Options: SAMEORIGIN.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Strict-Transport-Security: max-age=31536000; includeSubDomains.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-Content-Type-Options: nosniff.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.cisco.com/ data:;.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-XSS-Protection: 1; mode=block.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Platform, Sec-CH-UA.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE_STATUS: Unknown.
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 442 Level: debug --------------------.
2)思科安全客户端确认安全评估状态更改并重新启动安全评估发现:
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 379 Level: debug Different Session state on ISE = [ ISE-PSN-FQDN]. Restarting discovery.
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 387 Level: debug MSG_NS_SWIFT_RESTART_SEARCH, {manualRescan:0,stopPeriodicProbe:1}.
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1431 Level: debug Restarting Discovery.
3)思科安全客户端停止状态同步,直到执行状态评估:
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::processMessage Thread Id: 0xC60 File: swifthttprunner.cpp Line: 383 Level: debug Periodic Probes requested to be stopped.
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1436 Level: debug MSG_PN_STOP_PERIODIC_PROBE sent.
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1437 Level: debug MSG_PN_STOP_PERIODIC_PROBE, .
2022/11/09 12:26:24 [Information] aciseagent Function: hs_transport_free Thread Id: 0xC60 File: hs_transport.c Line: 606 Level: trace de-initialization done.
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 210 Level: debug MSG_PN_STOP_PERIODIC_PROBE received..
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 224 Level: debug Periodic Probing stopped.
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 411 Level: info Session sync periodic probing thread end.
如果AnyConnect_ISEPosture.txt日志文件中没有指示状态同步启动,并且客户端不会尝试与状态同步端口(8449)上的ISE PSN节点建立连接,请从DART捆绑包或直接在客户端计算机上检查状态配置文件ISEPostureCFG.xml:“%ProgramData%\Cisco\Cisco Secure Client\ISE Posture\”(对于Windows PC)。
负责状态同步的参数是“StateSyncProbeInterval”,它应设置为大于0的值:
缺少“StateSyncProbeInterval”或值为“0”意味着状态同步被禁用。
如果在ISE上的终端安全评估配置文件中设置了Posture State Synchronization Interval,但它未反映在客户端的配置文件中,则需要调查终端安全评估调配。
如果ISE上的安全评估状态同步失败并发出警报,这意味着思科安全客户端能够在安全评估状态同步端口(8449)上到达ISE,并请求会话的状态为“兼容”。
在状态同步端口(8449)上建立TCP连接:
从DART捆绑包检查AnyConnect_ISEPosture.txt:
1)在终端安全评估状态同步端口(8449)上发起到ISE PSN的HTTPS连接。
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 357 Level: debug Sending http session sync periodic probe to [ISE-PSN-FQDN].
2)已从ISE收到状态状态为“兼容”的会话状态信息。
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 430 Level: debug --- Http Response Headers ---.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug HTTP-Version: 1.1.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Status-Code: 200.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Connection: keep-alive.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Date: Wed, 09 Nov 2022 11:26:34 GMT.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Keep-Alive: timeout=20.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Content-Length: 0.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Server: server.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-Frame-Options: SAMEORIGIN.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Strict-Transport-Security: max-age=31536000; includeSubDomains.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-Content-Type-Options: nosniff.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.cisco.com/ data:;.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-XSS-Protection: 1; mode=block.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Platform, Sec-CH-UA.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE_STATUS: Compliant.
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 442 Level: debug --------------------.
3)Posture State Synchronization由于检测到不正确的配置而停止:
2022/11/09 12:26:34 [Error] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 370 Level: error Incorrect configuration detected by ISE = [ISE-PSN-FQDN], compliant status is not expected.
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 371 Level: debug MSG_PN_STOP_PERIODIC_PROBE, .
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 210 Level: debug MSG_PN_STOP_PERIODIC_PROBE received..
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 224 Level: debug Periodic Probing stopped.
无法通过重新启动状况评估或网络更改从思科安全客户端GUI重新启动状况状态同步。相反,需要重新启动Cisco安全客户端,才能再次运行状态同步。
1.验证为安全评估“兼容”授权配置文件配置了正确的dACL:
2.验证详细身份验证报告dACL作为“兼容”端点的身份验证结果是否正确发送。
3.验证dACL是否正确应用于网络接入设备:
avakhrus_3560C#sh authe sess int fa0/12 det
Interface: FastEthernet0/12
MAC Address: 0050.56a8.be02
IPv6 Address: Unknown
IPv4 Address: 192.168.255.193
User-Name: TRAINING\bob
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 92111s
Session Uptime: 1515s
Common Session ID: C0A8FF0C00000012679EAF14
Acct Session ID: 0x00000012
Handle: 0x5D000005
Current Policy: POLICY_Fa0/12
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
ACS ACL: xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac
Method status list:
Method State
mab Stopped
dot1x Authc Success
avakhrus_3560C#sh access-lists | s xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac
Extended IP access list xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac (per-user)
1 deny tcp any host PSN1-IP-ADDRESS eq 8449
2 deny tcp any host PSN2-IP-ADDRESS eq 8449
3 permit ip any any
即使在网络访问设备上应用正确的dACL到客户端终端,ISE上的状态同步也可能失败,并发出警报。如果Posture State Synchronization Probe的执行速度比dACL的应用速度更快,或者如果应用dACL时已经进行Posture State Synchronization Probe,则会发生这种情况。在Cisco Bug ID CSCwd中调查了此问题58316 .作为解决方法,您需要在Anyconnect终端安全评估配置文件(ISE终端安全评估代理配置文件设置)中将“网络过渡延迟”设置为10秒。
版本 | 发布日期 | 备注 |
---|---|---|
1.0 |
18-Oct-2024
|
初始版本 |