For endpoints that require automated remediation, the Cisco ISE must be configured to redirect endpoints to a logically separate VLAN for remediation services. This is required for compliance with C2C Step 4.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242581	CSCO-NC-000070	SV-242581r812744_rule		Medium

Description
Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users. This isolation prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized. Unauthenticated devices must not be allowed to connect to remediation services.

Description

Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users. This isolation prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized. Unauthenticated devices must not be allowed to connect to remediation services.

STIG	Date
Cisco ISE NAC Security Technical Implementation Guide	2021-12-21

Details

Check Text ( C-45856r812743_chk )
If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. Verify that the authorization policies for "Posture NonCompliant" have a result that will assign the remediation VLAN. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. 4. Scan for Authorization policies with "Posture NonCompliant" condition. 5. Verify the result assigned to the authorization policy will assign the remediation VLAN. If the result is the remediation VLAN, this is not a finding. If posture is not mandated by the Information System Security Manager (ISSM), this is not a finding.

Check Text ( C-45856r812743_chk )

If DoD is not at C2C Step 4 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.

Verify that the authorization policies for "Posture NonCompliant" have a result that will assign the remediation VLAN.

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
4. Scan for Authorization policies with "Posture NonCompliant" condition.
5. Verify the result assigned to the authorization policy will assign the remediation VLAN.

If the result is the remediation VLAN, this is not a finding.

If posture is not mandated by the Information System Security Manager (ISSM), this is not a finding.

Fix Text (F-45813r803529_fix)
If required by the NAC SSP, configure the "Posture NonCompliant" authorization policy so that the result that will assign the remediation VLAN. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. 4. Create an authorization policy for "Posture NonCompliant". 5. Assign the remediation VLAN result.