Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-242576 | CSCO-NC-000020 | SV-242576r714038_rule | High |
Description |
---|
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the unauthorized network access. Configuration policy sets with specific authorization policies. Policies consist of rules, where each rule consists of conditions to be met that allow differential access based on grouping of device types by common attributes. ISE requires each authorization policy to have at a minimum one condition. The default authorization policy is the only policy in which there is not a requirement for a condition, nor is it possible to assign a condition to the default authorization policy. |
STIG | Date |
---|---|
Cisco ISE NAC Security Technical Implementation Guide | 2021-04-14 |
Check Text ( C-45851r714036_chk ) |
---|
Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding. |
Fix Text (F-45808r714037_fix) |
---|
Configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. On the default authorization rule select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination used to restrict the access. |