
The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4.


Overview

Finding ID: V-242588
Version: CSCO-NC-000140
Rule ID: SV-242588r812758_rule
IA Controls: (none listed)
Severity: Medium
Description
Devices that do not meet minimum security configuration requirements pose a risk to the DoD network and information assets. If a device fails authentication or the security assessment, it must be disconnected or given only the limited access designated by the approval authority and system owner. The user is presented with a limited portal that offers no access to sensitive resources. The required security checks must implement DoD policy requirements.
STIG: Cisco ISE NAC Security Technical Implementation Guide
Date: 2021-12-21

Details

Check Text (C-45863r812757_chk)
If DoD is not at C2C Step 4 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.

Verify that the Policy Set will enforce the posture assessment.

1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that the Attribute of PostureStatus of NonCompliant is configured in the policy.
5. Make a note of the result/results on the NonCompliant Policy.
6. Navigate to Policy >> Policy Elements >> Results >> Authorization.
7. Expand Authorization.
8. Choose Authorization Profiles.
9. View the Standard Authorization Profile/Profiles noted above to ensure that a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these are used to restrict access.

If there is not a "NonCompliant" authorization rule or the result is not restrictive, this is a finding.
Fix Text (F-45820r803550_fix)
If required by the NAC SSP, configure the Policy Set to enforce the posture assessment.

1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Click the Actions gear at the location where the new Authorization Policy will be inserted.
5. Choose "Insert new row above", or, if an Authorization Policy already exists for the device type that posture will be applied to, choose "Duplicate above".
6. Click on the name of the policy and define a desirable name.
7. Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
8. Choose "New" under the editor.
9. Choose "Click to add an attribute".
10. Under Dictionary select Session in the drop-down.
11. Under Attribute select PostureStatus.
12. Ensure "Equals" is selected as the operator.
13. Select Compliant in the drop-down.
14. Choose "New".
15. Add a condition to flag the device type that should be postured.
16. Choose "Use".
17. Name the rule accordingly.
18. Select the desired result.
19. Click on Actions Gear on the Authorization Policy just created.
20. Select Duplicate below in the drop-down menu.
21. Click on the conditions of the copy.
22. Change the PostureStatus value from "Compliant" to "NonCompliant".
23. Choose "Use".
24. Name the rule accordingly.
25. Select a result used for remediation access; this should be a result configured with a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these, so that access is restricted.
26. Choose "Save".

Note: There are several ways this can be configured to meet the requirement. This is just an example. The main thing is to have a "Compliant" and a "NonCompliant" rule using the PostureStatus conditions.
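The check text above is a manual GUI walk-through, so the following is an added audit example (not from the STIG or from Cisco) that encodes the same decision logic: applicability (C2C Step 4 or higher, required by the NAC SSP), presence of both a "Compliant" and a "NonCompliant" rule keyed on Session.PostureStatus, and a NonCompliant result that actually restricts access via a remediation VLAN, an ACL, an SGT, or a combination. The dataclasses are an assumed, simplified model of an ISE policy set, not the ISE ERS/OpenAPI schema, and all profile, rule and attribute names in the sample data are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NOTE: AuthzProfile and AuthzRule are an assumed, simplified model of what
# an ISE Standard Authorization Profile and Authorization Policy rule carry.
# They are not Cisco's API schema.

@dataclass(frozen=True)
class AuthzProfile:
    """Standard Authorization Profile: the result a rule hands out."""
    name: str
    vlan: Optional[str] = None   # remediation VLAN name/ID
    dacl: Optional[str] = None   # downloadable ACL name
    sgt: Optional[str] = None    # Scalable Group Tag

    def is_restrictive(self) -> bool:
        # The STIG accepts a VLAN, an ACL, an SGT, or any combination of these.
        return any((self.vlan, self.dacl, self.sgt))

@dataclass(frozen=True)
class AuthzRule:
    """One Authorization Policy rule; conditions are (attribute, operator, value)."""
    name: str
    conditions: Tuple[Tuple[str, str, str], ...]
    results: Tuple[str, ...]     # names of authorization profiles

def posture_status(rule: AuthzRule) -> Optional[str]:
    """Return the value the rule matches Session.PostureStatus against, if any."""
    for attribute, operator, value in rule.conditions:
        if attribute == "Session.PostureStatus" and operator == "Equals":
            return value
    return None

def audit_posture_enforcement(rules, profiles: Dict[str, AuthzProfile], *,
                              c2c_step: int = 4, required_by_ssp: bool = True) -> List[str]:
    """Return finding strings; an empty list means the check passes."""
    # Applicability conditions taken from the check text.
    if c2c_step < 4 or not required_by_ssp:
        return []
    findings: List[str] = []
    compliant = [r for r in rules if posture_status(r) == "Compliant"]
    noncompliant = [r for r in rules if posture_status(r) == "NonCompliant"]
    if not compliant:
        findings.append('no "Compliant" authorization rule on Session.PostureStatus')
    if not noncompliant:
        findings.append('no "NonCompliant" authorization rule on Session.PostureStatus')
    # Every result attached to a NonCompliant rule must restrict access.
    for rule in noncompliant:
        for profile_name in rule.results:
            profile = profiles.get(profile_name)
            if profile is None:
                findings.append(f'rule "{rule.name}": result "{profile_name}" is not a known profile')
            elif not profile.is_restrictive():
                findings.append(f'rule "{rule.name}": result "{profile_name}" '
                                'does not restrict access (no VLAN, ACL, or SGT)')
    return findings

# Constructed sample data; names are illustrative, not from any real deployment.
PROFILES = {
    "PermitAccess": AuthzProfile("PermitAccess"),
    "Corp_Workstation_Access": AuthzProfile("Corp_Workstation_Access", dacl="PERMIT_ALL_IPV4_TRAFFIC"),
    "Posture_Remediation": AuthzProfile("Posture_Remediation", vlan="Remediation", dacl="POSTURE_REMEDIATION"),
}
WORKSTATION_COND = ("EndPoints.LogicalProfile", "Equals", "Corp_Workstations")

GOOD_RULES = (
    AuthzRule("Workstation_Compliant",
              (WORKSTATION_COND, ("Session.PostureStatus", "Equals", "Compliant")),
              ("Corp_Workstation_Access",)),
    AuthzRule("Workstation_NonCompliant",
              (WORKSTATION_COND, ("Session.PostureStatus", "Equals", "NonCompliant")),
              ("Posture_Remediation",)),
)
# Same policy, but the NonCompliant rule hands out full access: a finding.
BAD_RULES = (
    GOOD_RULES[0],
    AuthzRule("Workstation_NonCompliant", GOOD_RULES[1].conditions, ("PermitAccess",)),
)

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit_posture_enforcement(rules, PROFILES) or "no findings")
```

The audit treats a NonCompliant rule whose result carries no VLAN, ACL, or SGT as a finding, which mirrors step 9 of the check; a rule that points at an unknown profile is flagged too, since a missing result cannot be restrictive. To use it against a real deployment you would populate the two structures from your own export of the policy set and authorization profiles.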