STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021: STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:SV-242605r714125_rule
V-242605
SRG-NET-000512-NAC-002310
CSCO-NC-000310
CAT I
10
Configure the authorization policy to enforce posture assessment status for posture required clients.
1. Edit the Policy Set to enforce the posture assessment.
2. Navigate to Work Centers >> Network Access >> Policy Sets.
3. Choose ">" on the applicable policy set.
4. Expand the Authorization Policy.
5. Click on Actions Gear below to location where the new Authorization Policy will be inserted.
6. Choose "Insert new role above", or if there is an Authorization Policy made for the device type that posture will be applied to, choose "Duplicate above".
7. Click on the name of the policy and define a desirable name.
8 Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
9. Choose "New" under the editor.
10. Choose "Click to add an attribute".
11. Under Dictionary, select "Session" in the drop-down menu.
12. Under Attribute, select "PostureStatus".
13. Ensure "Equals" is selected as the operator.
14. Select "Compliant" in the drop-down menu.
15. Choose "New".
16. Add a condition to flag the device type that should be postured.
17. Choose "Use".
18. Name the rule accordingly.
19. Select the desired result.
20. Click on Actions Gear on the Authorization Policy just created.
21. Select Duplicate below in the drop-down.
22. Click on the conditions of the copy.
23. Change the PostureStatus variable form "Compliant" to "NonCompliant".
24. Choose "Use".
25. Name the rule accordingly.
26. Select a result that is used for remediation access, which should be a result that is configured for a restricted VLAN, ACL, SGT, or any combination used to restrict the access.
27. Choose "Save".
Verify the authorization policy will enforce posture assessment status for posture required clients.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that a rule with the condition "Session-PostureStatus EQUALS NonCompliant" is present and will apply to posture required devices by analyzing other conditions used on the same policy.
5. Ensure the result that is used for remediation access is a restricted VLAN, ACL, SGT, or any combination used to restrict the access.
If there is not an authorization policy for NonCompliant clients that are posture required, this is a finding.
If the authorization policy does not restrict the access of NonCompliant clients that are posture required, this is a finding.
V-242605
False
CSCO-NC-000310
Verify the authorization policy will enforce posture assessment status for posture required clients.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that a rule with the condition "Session-PostureStatus EQUALS NonCompliant" is present and will apply to posture required devices by analyzing other conditions used on the same policy.
5. Ensure the result that is used for remediation access is a restricted VLAN, ACL, SGT, or any combination used to restrict the access.
If there is not an authorization policy for NonCompliant clients that are posture required, this is a finding.
If the authorization policy does not restrict the access of NonCompliant clients that are posture required, this is a finding.
M
5383