ModernCyber Blog

Cisco ISE Agentless Posture

Written by Tina Cline | Oct 22, 2024 9:55:38 PM

Cisco Identity Services Engine (ISE) Posturing is a feature which ensures that endpoints (such as laptops, desktops, mobile devices, etc.) connecting to the network comply with the organization’s security policies prior to being allowed access.

ISE Posture checks for the health and compliance status of the device set forth by the organization’s posture requirements (Firewall status, AV status, etc.) to determine that the device is within company compliance, prior to the device joining the network.

For ISE to perform a posture assessment, some form of Posture Software must exist on the client to gather data on the endpoint's security posture and communicate its status back to ISE.

Posture Software Options can be either:

  • Agent-Based:
    • Cisco Secure Client with Posture Module (Posture agent visible to the end-user)
    • Cisco Secure Client with Posture Module in Stealth-mode (Posture agent not visible to the end-user)
  • Temporal Posture Agent
  • Agentless Posture Software

After a posture scan has been initiated, the posture of the device will either be deemed:

  • Compliant and allowed onto the network
  • Non-compliant should the device fail one or more posture checks
  • Posture unknown, which can happen due to a stale session, PSN misinformation to the ISE posture module, default gateway change, or loss of connectivity between the Posture Software Module/Agent and ISE

If a device is deemed posture non-compliant, posture remediation can be initiated either automatically or manually for agent-based posturing.

Agentless Posture:

ISE Agentless Posture allows for posture assessment without requiring a client to be installed on the endpoint, thus removing end-user intervention from the posture process.

Organizations who may choose to deploy Agentless Posture are typically those featuring a diverse range of devices, such as mobile, large BYOD device population, or the desire to posture devices that may not support agent-based solutions.

Once enabled, Agentless Posture requires no intervention from the end-user or the IT Team as there isn’t an agent to maintain.

From an administrative perspective, the workflow is similar to configuring Agent-Based posture:

  • First, you would set your Posture Conditions – The set of compliance checks you would like the endpoint to undergo to deem it compliant





  • Next, you would determine Posture Requirements – The action that the endpoint will take should it fail the posture assessment 
  • Client Provisioning:
    • Download the Agentless Posture Software so it is available for use in your Client Provisioning policy in ISE
    • Configure the Client Provisioning Policy, which determines how a client is provisioned with the desired posture software.
      • This policy ensures that the client is set up with the correct agent version, compliance modules, agent customization packages and profiles

    • Authorization Profile:
      • Create the authorization profile and check the box next to “Agentless Posture” to activate the feature and allow the profile to utilize the Agentless Posture Client
        • Determine the appropriate VLAN/ACL/DACL should the device be deemed compliant
        • No URL redirect is required here as there isn’t a need for the end-user to go through a guest portal during onboarding

       
      • Configure Access Policy:
        • Create a policy that will utilize the Agentless Posture Authorization Profile
        • Create the auth policy determining the level of access an endpoint will have once it’s been deemed compliant

Based on the compliance result, ISE will enforce the appropriate access policy.

As you may recall, a device that fails one or more compliance checks will fail the posture assessment entirely.

The benefit of Agentless Posture is that it simplifies the onboarding process for users as no agent installation is required. For organizations who may be agent-averse but want to ensure devices meet compliancy requirements prior to being allowed onto the network, Agentless Posture may be a good fit.

Agentless Posture Prerequisites:

  • The client must be reachable by its IP address, and that IP address must be available in RADIUS accounting
  • Client credentials require admin privileges
  • Curl 7.34 or above required
  • Available for Windows and Mac clients
    • Windows Clients: Port 5985 must be open to access PowerShell on endpoints
      • Enable Powershell 5.1 or above
    • Mac Clients:
      • Allow Port 22/ SSH traffic to endpoints from ISE
    • Client credentials for shell login must have local admin privileges

Agentless Posture Workflow:

  • The client connects to the network
  • ISE will then detect that Agentless Posture is enabled
  • ISE will send a job request to the ISE Messaging queue
  • ISE connects to the client using SSH (Mac OS) or PowerShell (Windows)
  • If the client's trust certificate authority store doesn't already have a cert, ISE will push the cert to the client device
  • From there, ISE will run the client provisioning policy. 
  • Next, ISE pushes the agentless plug-in to the client and automatically launches it
  • Posture data is then collected, compared to the posture policy, and sends the results back to ISE
  • Lastly, ISE will determine if the device is compliant or non-compliant based on the posture data received, and will provide the appropriate authorization based on this result

Agentless Posture Limitations:

While ISE Agentless Posture offers many benefits, the solution does come with a few limitations in comparison to its Agent-based counterparts including, but not limited to:

  • Remediation of a non-compliant posture scan to bring the device into compliance
  • Grace period: Allowing a device deemed non-compliant to access the network for a set amount of time
  • Periodic Reassessment: Periodically checking a device that has already been deemed compliant to ensure it does not fall out of compliance
  • Acceptable Use-policy

Does your organization want to deploy Posturing in your environment but don’t have the staff or cycles to implement? ModernCyber can help!

Please check out our recently announced ISE Expert as a Service offering and book a consultation with us!