configure ise 2.2 threat-centric nac (tc-nac) with rapid7...components used the information in this...

Configure ISE 2.2 Threat-Centric NAC (TC-NAC) with Rapid7 Contents

IntroductionPrerequisitesRequirementsComponents UsedConfigureHigh Level Flow DiagramDeploy and Configure Nexpose ScannerStep 1. Deploy Nexpose Scanner.Step 2. Configure Nexpose Scanner.Configure ISEStep 1. Enable TC-NAC Services.Step 2. Import Nexpose Scanner Certificate.Step 3. Configure Nexpose Scanner TC-NAC instance.Step 4. Configure Authorization Profile to trigger VA Scan.Step 5. Configure Authorization Policies.VerifyIdentity Services EngineNexpose ScannerTroubleshootDebugs on ISERelated Information

Introduction

This document describes how to configure and troubleshoot Threat-Centric NAC with Rapid7 onIdentity Service Engine (ISE) 2.2. Threat Centric Network Access Control (TC-NAC) featureenables you to create authorization policies based on the threat and vulnerability attributesreceived from the threat and vulnerability adapters.

Prerequisites

Requirements

Cisco recommends that you have basic knowledge of these topics:

Cisco Identity Service Engine●

Nexpose Vulnerability Scanner●

Components Used

The information in this document is based on these software and hardware versions:

Cisco Identity Service Engine version 2.2●

Cisco Catalyst 2960S switch 15.2(2a)E1●

Rapid7 Nexpose Vulnerability Scanner Enterprise Edition●

Windows 7 Service Pack 1●

Windows Server 2012 R2●

The information in this document was created from the devices in a specific lab environment. All ofthe devices used in this document started with a cleared (default) configuration. If your network islive, make sure that you understand the potential impact of any command.

Configure

High Level Flow Diagram

This is the flow:

The client connects to the network, limited access is given and profile with AssessVulnerabilities checkbox enabled is assigned.

1.

PSN node sends Syslog message to MNT node confirming authentication took place and VAScan was the result of Authorization Policy.

2.

MNT node submits SCAN to TC-NAC node (using Admin WebApp) using this data:3.

- MAC Address- IP Address- Scan Interval- Periodic Scan Enabled- Originating PSN

Nexpose TC-NAC (encapsulated in Docker Container) communicates with Nexpose Scannerto trigger scan if needed.

4.

Nexpose Scanner scans the endpoint requested by ISE.5.

Nexpose Scanner sends the results of the scan to ISE.6.

Results of the scan are sent back to TC-NAC:- MAC Address- All CVSS Scores- All Vulnerabilities (title, CVEIDs)

7.

TC-NAC updates PAN with all the data from the step 7.8.

CoA is triggered if needed according to Authorization Policy configured.9.

Deploy and Configure Nexpose Scanner

Caution: Nexpose configuration in this document is done for the lab purposes, pleaseconsult with Rapid7 engineers for design considerations

Step 1. Deploy Nexpose Scanner.

Nexpose scanner can be deployed from OVA file, installed on top of Linux and Windows OS. Inthis document, installation is done on Windows Server 2012 R2. Download the image from Rapid7website and start the installation. When you configure Type and destination select NexposeSecurity Console with local Scan Engine

Once the installation is complete, server reboots. After launching, Nexpose scanner should beaccessible via 3780 port, as shown in the image:

As shown in the image, scanner goes through the Security Console Startup Process:

Afterward to get access to GUI the license key should be provided. Please note Enterprise Editionof Nexpose Scanner is required, scans are not triggered if Community Edition is installed.

Step 2. Configure Nexpose Scanner.

The first step is to the install certificate on Nexpose Scanner. Certificate in this document is issued

by the same CA as admin certificate for ISE (LAB CA). Navigate to Administration > Global andConsole Settings. Select Administer under Console, as shown in the image.

Click Manage Certificate, as shown in the image:

As shown in the image, click in Create New Certificate. Enter Common Name and any otherdata you would like to have in the identity certificate of Nexpose Scanner. Ensure that ISE is ableto resolve Nexpose Scanner FQDN with DNS.

Export Certificate Signing Request (CSR) to the terminal.

At this point, you need to sign the CSR with Certificate Authority (CA).

Import the certificate issued by CA by clicking on Import Certificate.

Configure a Site. The site contains Assets you should be able to Scan and the account which isused to integrate ISE with Nexpose Scanner should have privileges to Manage Sites and CreateReports. Navigate to Create > Site, as shown in the image.

As shown in the image, enter the Name of the Site on Info & Security tab. Assets tab shouldcontain ip addresses of the valid assets, endpoints which are eligible for the vulnerability scanning.

Import CA certificate which signed ISE certificate into the trusted store. Navigate toAdministration > Root Certificates > Manage > Import Certificates.

Configure ISE

Step 1. Enable TC-NAC Services.

Enable TC-NAC Services on ISE node. Note these:

The Threat Centric NAC service requires an Apex license.●

You need a separate Policy Service Node (PSN) for Threat Centric NAC service.●

Threat Centric NAC service can be enabled on only one node in a deployment.●

You can add only one instance of an adapter per vendor for Vulnerability Assessment service.●

Step 2. Import Nexpose Scanner Certificate.

Import the Nexpose Scanner CA certificate into the Trusted Certificates store in Cisco ISE(Administration > Certificates > Certificate Management > Trusted Certificates > Import).Ensure that the appropriate root and intermediate certificates are imported (or present) in theCisco ISE Trusted Certificates store

Step 3. Configure Nexpose Scanner TC-NAC instance.

Add Rapid7 Instance at Administration > Threat Centric NAC > Third Party Vendors.

Once added, instance transitions to Ready to Configure state. Click on this link. ConfigureNexpose Host (Scanner) and Port, by default it is 3780. Specify Username and Password withaccess to right Site.

Advanced settings are well documented in ISE 2.2 Admin Guide, the link can be found in theReferences section of this document. Click in Next and Finish. Nexpose Instance transitions toActive state and knowledge base download starts.

Step 4. Configure Authorization Profile to trigger VA Scan.

Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Addnew profile. Under Common Tasks select Vulnerability Assessment checkbox. On-Demandscan interval should be selected according to your network design.

Authorization Profile contains those av-pairs:

cisco-av-pair = on-demand-scan-interval=48

cisco-av-pair = periodic-scan-enabled=0

cisco-av-pair = va-adapter-instance=c2175761-0e2b-4753-b2d6-9a9526d85c0c

They are sent to network devices within Access-Accept packet, although the real purpose of themis to tell Monitoring (MNT) Node that Scan should be triggered. MNT instructs TC-NAC node tocommunicate with Nexpose Scanner.

Step 5. Configure Authorization Policies.

Configure Authorization Policy to use the new Authorization Profile configured in step 4.Navigate to Policy > Authorization > Authorization Policy, locateBasic_Authenticated_Access rule and click on Edit. Change the Permissions fromPermitAccess to the newly created Standard Rapid7. This causes a Vulnerability Scan forall users. Click in Save.

●

Create Authorization Policy for Quarantined machines. Navigate to Policy > Authorization >Authorization Policy > Exceptions and create an Exception Rule. Now navigate toConditions > Create New Condition (Advanced Option) > Select Attribute, scroll downand select Threat. Expand the Threat attribute and select Nexpose-CVSS_Base_Score.Change the operator to Greater Than and enter a value according to your Security Policy.Quarantine authorization profile should give limited access to the vulnerable machine.

●

Verify

Identity Services Engine

The first connection triggers VA Scan. When the scan is finished, CoA Reauthentication istriggered to apply new policy if it is matched.

In order to verify which vulnerabilities were detected, navigate to Context Visibility > Endpoints.Check per endpoints Vulnerabilities with the Scores given to it by Nexpose Scanner.

In Operations > TC-NAC Live Logs, you can see authorization policies applied and details onCVSS_Base_Score.

Nexpose Scanner

When the VA Scan is triggered by TC-NAC Nexpose Scan transitions to In-Progress state, andscanner starts probing the endpoint, if you run the wireshark capture on the endpoint, you will seepacket exchange between the endstation and Scanner at this point. Once Scanner is finished,results are available under Home page.

Under Assets page, you can see that there is new endpoint available with the results of the Scan,Operating System is identified and 10 Vulnerabilities are detected.

When you click in the endpoint's IP address Nexpose Scanner takes you to the new menu,where you can see more information including hostname, Risc Score and detailed list ofVulnerabilities

When you click in the Vulnerability itself, full description is shown in the image.

Troubleshoot

Debugs on ISE

In order to enable debugs on ISE, navigate to Administration > System > Logging > DebugLog Configuration, select TC-NAC Node and change the Log Level va-runtime and va-servicecomponent to DEBUG.

Logs to be checked - varuntime.log. You can tail it directly from ISE CLI:

ISE21-3ek/admin# show logging application varuntime.log tail

TC-NAC Docker received instruction to perform Scan for a particular endpoint.

2016-11-24 13:32:04,436 DEBUG [Thread-94][] va.runtime.admin.mnt.EndpointFileReader -:::::- VA:

Read va runtime.

[{"operationType":1,"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","ondemandScanInt

erval":"48","isPeriodicScanEnabled":false,"periodicScanEnabledString":"0","vendorInstance":"c217

5761-0e2b-4753-b2d6-9a9526d85c0c","psnHostName":"ISE22-1ek","heartBeatTime":0,"lastScanTime":0},

{"operationType":1,"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","isPeriodicScanEn

abled":false,"heartBeatTime":0,"lastScanTime":0}]

2016-11-24 13:32:04,437 DEBUG [Thread-94][] va.runtime.admin.vaservice.VaServiceRemotingHandler

-:::::- VA: received data from Mnt:

{"operationType":1,"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","ondemandScanInte

rval":"48","isPeriodicScanEnabled":false,"periodicScanEnabledString":"0","vendorInstance":"c2175

761-0e2b-4753-b2d6-9a9526d85c0c","psnHostName":"ISE22-1ek","heartBeatTime":0,"lastScanTime":0}



{"operationType":1,"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","isPeriodicScanEn

abled":false,"heartBeatTime":0,"lastScanTime":0}

Once the result is received it stores all Vulnerability data in the Context Directory.



{"operationType":2,"isPeriodicScanEnabled":false,"heartBeatTime":1479991526437,"lastScanTime":0}

2016-11-24 13:45:33,642 DEBUG [pool-115-thread-19][]

va.runtime.admin.vaservice.VaServiceMessageListener -:::::- Got message from VaService:

[{"macAddress":"3C:97:0E:52:3F:D9","ipAddress":"10.229.20.32","lastScanTime":1479962572758,"vuln

erabilities":["{\"vulnerabilityId\":\"ssl-cve-2016-2183-sweet32\",\"cveIds\":\"CVE-2016-

2183\",\"cvssBaseScore\":\"5\",\"vulnerabilityTitle\":\"TLS/SSL Birthday attacks on 64-bit block

ciphers (SWEET32)\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}","{\"vulnerabilityId\":\"ssl-

static-key-

ciphers\",\"cveIds\":\"\",\"cvssBaseScore\":\"2.5999999\",\"vulnerabilityTitle\":\"TLS/SSL

Server Supports The Use of Static Key Ciphers\",\"vulnerabilityVendor\":\"Rapid7

Nexpose\"}","{\"vulnerabilityId\":\"rc4-cve-2013-2566\",\"cveIds\":\"CVE-2013-

2566\",\"cvssBaseScore\":\"4.30000019\",\"vulnerabilityTitle\":\"TLS/SSL Server Supports RC4

Cipher Algorithms (CVE-2013-2566)\",\"vulnerabilityVendor\":\"Rapid7

Nexpose\"}","{\"vulnerabilityId\":\"tls-dh-prime-under-2048-

bits\",\"cveIds\":\"\",\"cvssBaseScore\":\"2.5999999\",\"vulnerabilityTitle\":\"Diffie-Hellman

group smaller than 2048 bits\",\"vulnerabilityVendor\":\"Rapid7

Nexpose\"}","{\"vulnerabilityId\":\"tls-dh-

primes\",\"cveIds\":\"\",\"cvssBaseScore\":\"2.5999999\",\"vulnerabilityTitle\":\"TLS/SSL Server

Is Using Commonly Used Prime Numbers\",\"vulnerabilityVendor\":\"Rapid7

Nexpose\"}","{\"vulnerabilityId\":\"ssl-cve-2011-3389-beast\",\"cveIds\":\"CVE-2011-

3389\",\"cvssBaseScore\":\"4.30000019\",\"vulnerabilityTitle\":\"TLS/SSL Server is enabling the

BEAST attack\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}","{\"vulnerabilityId\":\"tlsv1_0-

enabled\",\"cveIds\":\"\",\"cvssBaseScore\":\"4.30000019\",\"vulnerabilityTitle\":\"TLS Server

Supports TLS version 1.0\",\"vulnerabilityVendor\":\"Rapid7 Nexpose\"}"]}]


va.runtime.admin.vaservice.VaServiceMessageListener -:::::- VA: Save to context db,

lastscantime: 1479962572758, mac: 3C:97:0E:52:3F:D9


va.runtime.admin.vaservice.VaPanRemotingHandler -:::::- VA: Saved to elastic search:

{3C:97:0E:52:3F:D9=[{"vulnerabilityId":"ssl-cve-2016-2183-sweet32","cveIds":"CVE-2016-

2183","cvssBaseScore":"5","vulnerabilityTitle":"TLS/SSL Birthday attacks on 64-bit block ciphers

(SWEET32)","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"ssl-static-key-

ciphers","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"TLS/SSL Server Supports

The Use of Static Key Ciphers","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"rc4-

cve-2013-2566","cveIds":"CVE-2013-

2566","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS/SSL Server Supports RC4 Cipher

Algorithms (CVE-2013-2566)","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"tls-dh-

prime-under-2048-bits","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"Diffie-

Hellman group smaller than 2048 bits","vulnerabilityVendor":"Rapid7 Nexpose"},

{"vulnerabilityId":"tls-dh-

primes","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"TLS/SSL Server Is Using

Commonly Used Prime Numbers","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"ssl-

cve-2011-3389-beast","cveIds":"CVE-2011-

3389","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS/SSL Server is enabling the BEAST

attack","vulnerabilityVendor":"Rapid7 Nexpose"}, {"vulnerabilityId":"tlsv1_0-

enabled","cveIds":"","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS Server Supports TLS

version 1.0","vulnerabilityVendor":"Rapid7 Nexpose"}]}

Logs to be checked - vaservice.log. You can tail it directly from ISE CLI:

ISE21-3ek/admin# show logging application vaservice.log tail

Vulnerability Assessment Request Submitted to Adapter.

2016-11-24 12:32:05,783 DEBUG [endpointPollerScheduler-7][] cpm.va.service.util.VaServiceUtil -

:::::- VA SendSyslog systemMsg :

[{"systemMsg":"91019","isAutoInsertSelfAcsInstance":true,"attributes":["TC-

NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA request submitted to

adapter","TC-NAC.Details","VA request submitted to adapter for processing","TC-

NAC.MACAddress","3C:97:0E:52:3F:D9","TC-NAC.IpAddress","10.229.20.32","TC-

NAC.AdapterInstanceUuid","c2175761-0e2b-4753-b2d6-9a9526d85c0c","TC-NAC.VendorName","Rapid7

Nexpose","TC-NAC.AdapterInstanceName","Rapid7"]}]


:::::- VA SendSyslog systemMsg res: {"status":"SUCCESS","statusMessages":["SUCCESS"]}

AdapterMessageListener checks each 5 minutes the status of the scan until it is finished.

2016-11-24 12:36:28,143 DEBUG [SimpleAsyncTaskExecutor-2][]

cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter :

{"AdapterInstanceName":"Rapid7","AdapterInstanceUid":"7a2415e7-980d-4c0c-b5ed-

fe4e9fadadbd","VendorName":"Rapid7 Nexpose","OperationMessageText":"Number of endpoints queued

for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints for

which the scan is in progress: 1"}




NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","Adapter Statistics","TC-

NAC.Details","Number of endpoints queued for checking scan results: 0, Number of endpoints

queued for scan: 0, Number of endpoints for which the scan is in progress: 1","TC-

NAC.AdapterInstanceUuid","7a2415e7-980d-4c0c-b5ed-fe4e9fadadbd","TC-NAC.VendorName","Rapid7


Adapter gets CVE's along with the CVSS Scores.

2016-11-24 12:45:33,132 DEBUG [SimpleAsyncTaskExecutor-2][]

cpm.va.service.processor.AdapterMessageListener -:::::- Message from adapter :

{"returnedMacAddress":"","requestedMacAddress":"3C:97:0E:52:3F:D9","scanStatus":"ASSESSMENT_SUCC

ESS","lastScanTimeLong":1479962572758,"ipAddress":"10.229.20.32","vulnerabilities":[{"vulnerabil

ityId":"tlsv1_0-enabled","cveIds":"","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS

Server Supports TLS version 1.0","vulnerabilityVendor":"Rapid7

Nexpose"},{"vulnerabilityId":"rc4-cve-2013-2566","cveIds":"CVE-2013-

2566","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS/SSL Server Supports RC4 Cipher

Algorithms (CVE-2013-2566)","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"ssl-cve-

2016-2183-sweet32","cveIds":"CVE-2016-2183","cvssBaseScore":"5","vulnerabilityTitle":"TLS/SSL

Birthday attacks on 64-bit block ciphers (SWEET32)","vulnerabilityVendor":"Rapid7

Nexpose"},{"vulnerabilityId":"ssl-static-key-

ciphers","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"TLS/SSL Server Supports

The Use of Static Key Ciphers","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"tls-

dh-primes","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"TLS/SSL Server Is Using

Commonly Used Prime Numbers","vulnerabilityVendor":"Rapid7 Nexpose"},{"vulnerabilityId":"tls-dh-

prime-under-2048-bits","cveIds":"","cvssBaseScore":"2.5999999","vulnerabilityTitle":"Diffie-

Hellman group smaller than 2048 bits","vulnerabilityVendor":"Rapid7

Nexpose"},{"vulnerabilityId":"ssl-cve-2011-3389-beast","cveIds":"CVE-2011-

3389","cvssBaseScore":"4.30000019","vulnerabilityTitle":"TLS/SSL Server is enabling the BEAST

attack","vulnerabilityVendor":"Rapid7 Nexpose"}]}

2016-11-24 12:45:33,137 INFO [SimpleAsyncTaskExecutor-2][]

cpm.va.service.processor.AdapterMessageListener -:::::- Endpoint Details sent to IRF is

{"3C:97:0E:52:3F:D9":[{"vulnerability":{"CVSS_Base_Score":5.0,"CVSS_Temporal_Score":0.0},"time-

stamp":1479962572758,"title":"Vulnerability","vendor":"Rapid7 Nexpose"}]}




NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA successfully

completed","TC-NAC.Details","VA completed; number of vulnerabilities found: 7","TC-

NAC.MACAddress","3C:97:0E:52:3F:D9","TC-NAC.IpAddress","10.229.20.32","TC-

NAC.AdapterInstanceUuid","c2175761-0e2b-4753-b2d6-9a9526d85c0c","TC-NAC.VendorName","Rapid7



:::::- VA SendSyslog systemMsg res: {"status":"SUCCESS","statusMessages":["SUCCESS"]}

Related Information

Technical Support & Documentation - Cisco Systems●ISE 2.2 Release Notes●ISE 2.2 Hardware Installation Guide●ISE 2.2 Upgrade Guide●ISE 2.2 Engine Administrator Guide●

http://www.cisco.com/cisco/web/support/index.html?referring_site=bodynavhttp://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.htmlhttp://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20.htmlhttp://www.cisco.com/c/en/us/td/docs/security/ise/2-0/upgrade_guide/b_ise_upgrade_guide_20.htmlhttp://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.html

Configure ISE 2.2 Threat-Centric NAC (TC-NAC) with Rapid7ContentsIntroductionPrerequisitesRequirements

Components Used

ConfigureHigh Level Flow DiagramDeploy and Configure Nexpose ScannerStep 1. Deploy Nexpose Scanner.Step 2. Configure Nexpose Scanner.

Configure ISEStep 1. Enable TC-NAC Services.Step 2. Import Nexpose Scanner Certificate.Step 3. Configure Nexpose Scanner TC-NAC instance.Step 4. Configure Authorization Profile to trigger VA Scan.Step 5. Configure Authorization Policies.

VerifyIdentity Services EngineNexpose Scanner

TroubleshootDebugs on ISE

Related Information

configure ise 2.2 threat-centric nac (tc-nac) with rapid7...components used the information in this...

Documents