ISE Configuration – Anyconnect and AMP Posture
1. Download the AMP Connector from the AMP cloud for Windows
2. Go to the WLC and navigate to Security > Access Control Lists and add a new ACL
a. Name – ACL_WEBAUTH_REDIRECT
b. Permit – Source = Any – Destination = Any – Protocol = UDP – Sourceport = DNS – Destport = Any – Direc = Any
c. Permit – Source = Any – Destination = ISE – Protocol = UDP – Sourceport = Any – Destport = DNS – Direc = Any
d. Permit – Source = ISE – Destination = Any – Protocol = Any – Sourceport = Any – Destport = Any – Direc = Any
e. Permit – Source = Any – Destination = ISE– Protocol = Any – Sourceport = Any – Destport = Any – Direc = Any
3. On ISE Policy > Policy Elements > Results > Authorization > Downloadable ACLS create a new dACL
a. Name – ACL_WEBAUTH_REDIRECT
deny tcp any host 192.168.32.228 eq 443
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any any eq 8443
deny tcp any any eq 8905
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
4. Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources and click ADD - Network Admission Control (NAC) Agent or AnyConnect Posture Profile
a. Select Anyconnect for the category
b. Name it AC POSTURE PROFILE
c. From the Posture Protocol section Server Name Rules add * in order to allow the Agent to connect to all servers
d. Save
5. Click ADD – AMP Enabler Profile
a. Name it AMP PROFILE
b. For Windows Installer https:// - enter a location on the network where the AMP connector is located for download. Example – webserver.company.com/Protect_FireAMPSetup.exe
c. For MAC Installer, enter the location to the MAC AMP connector file location
d. NOTE: the HTTPS certificate must be trusted my the client in order to download the AMP Connector install file
6. Download the Anyconnect installer file manually from Cisco. Example - anyconnect-win-4.2.02075-k9.pkg
7. Click ADD - Agent Resources From Local Disk
a. Choose Cisco Provided Packages
b. Click Browse and choose the anyconnect pkg file downloaded in step 6
8. Create an XML file and name it VPNDisable_ServiceProfile.xml to be used to disable the VPN title for Anyconnect since the VPN Module will not be used for this configuration
a.
<AnyConnectProfile
xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/
AnyConnectProfile.xsd">
<ClientInitialization>
<ServiceDisable>true</ServiceDisable>
</ClientInitialization>
</AnyConnectProfile>
9. Click ADD - Agent Resources From Local Disk
a. Choose Customer Created Packages
b. Package type Anyconnect Profile
c. Name VPNDisable_ServiceProfile
d. Browse to and choose the VPNDisable_ServiceProfile.xml file created on step 8
10. Click ADD - Agent Resources from Cisco site
a. Choose AnyConnect Windows Compliance Module 4.2.488.0 and click on Save
11. Click ADD - AnyConnect Configuration
a. Name – ANYCONNECT CONFIGURATION AMP
b. For Select Anyconnect Package – choose AnyconnectDesktopWindows 4.2.6014.0
c. Compliance Module - AnyConnectComplianceModuleWindows 4.2.488.0
d. In the AnyConnect Module Selection choose AMP Enabler and Diagnostic and Reporting Tool and VPN
e. In the Profile Selection add
i. AC POSTURE PROFILE for *ISE Posture
ii. VPNDisable_ServiceProfile for VPN
iii. AMP PROFILE for AMP Enabler
12. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles and Add new
a. Name – AMP PROFILE
b. Check – Web Redirection and choose
i. Client Provisioning
ii. ACL – type ACL_WEBAUTH_REDIRECT
iii. Value – Client Provisioning Portal
13. Navigate to Policy > Policy Sets click on the existing Wired Dot1x
a. Under the Authorization Policy edit the Employee Access rule
b. Click on the Condition and choose to Add Condition from Library
c. Add the Compound Condition Network_Access_Authentication_Passed
d. Add another Condition from Library / Compound Condition Compliant_Devices
e. Click DONE
14. Click to Insert new rule below directly below the Employee Access rule
a. Name it Non Compliant Employee Access
b. Leave if <any>
c. Condition equals Existing Condition from Library
d. Choose WIRED-EMPLOYEE-DOT1X
e. Add Attribute /Value - Session:PostureStatus NOT_EQUALS Compliant
f. Then – AMP PROFILE
15. Navigate to Policy > Policy Sets click on the existing Wireless Dot1x
a. Under the Authorization Policy edit the Employee Access rule
b. Click on the Condition and choose to Add Condition from Library
c. Add the Compound Condition Network_Access_Authentication_Passed
d. Add another Condition from Library / Compound Condition Compliant_Devices
e. Click DONE
16. Click to Insert new rule below directly below the Employee Access rule
a. Name it Non Compliant Employee Access
b. Leave if <any>
c. Condition equals Existing Condition from Library
d. Choose WIRELESS-EMPLOYEE-DOT1X
e. Add Attribute /Value - Session:PostureStatus NOT_EQUALS Compliant
f. Then – AMP PROFILE
17. Navigate to Policy > Client Provisioning
18. Add a new policy at the top
a. Rule name - Windows_Posture_AMP
b. Identity group = any
c. Operating Systems – Windows all
d. Then – ANYCONNECT CONFIGURATION AMP
19. Navigate to Policy > Policy Elements > Conditions > Posture > File Condition and choose to add New. *this is so that ISE will always assume the client is not compliant initially and send the client to the client provisioning portal to verify the Anyconnect and AMP client is installed.
20. Name – File_Condition
a. Operating System = Windows all
b. File type = FileExistence
c. File type = absolute path, value can be anything, example c:\file.txt
d. File operator – exists
21. Navigate to Policy > Policy Elements > Results > Posture > Requirements
a. Add New
b. Name – File Requirements
c. Operating systems – Windows All
d. Compliance module – any
e. Met if – File_Condition
f. Then – Message Text only – insert a message of your choosing that the client will see. It’s a requirement to enter some text
22. Navigate to Policy > Posture
a. Insert a new policy
i. Name – Windows Posture
ii. Identity groups – any
iii. Operating systems – Windows All
iv. Compliance Module – Any
v. Requirements – File_Condition ( drop down the green check box next the requirement and choose Optional or Audit if you don’t want to require the client to be compliant to this policy..for Anyconnect and Amp install scenario)
