The Cisco ISE must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242601	CSCO-NC-000270	SV-242601r812784_rule		Medium

Description
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. However, failure to authenticate an endpoint does not need to result in connection termination or preclude compliance assessment. This is particularly true for unmanaged systems or when the Cisco ISE is performing network discovery. Authentication methods for NAC on access switches are MAC Authentication Bypass (MAB), or 802.1x.

Description

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. However, failure to authenticate an endpoint does not need to result in connection termination or preclude compliance assessment. This is particularly true for unmanaged systems or when the Cisco ISE is performing network discovery. Authentication methods for NAC on access switches are MAC Authentication Bypass (MAB), or 802.1x.

STIG	Date
Cisco ISE NAC Security Technical Implementation Guide	2021-12-21

Details

Check Text ( C-45876r812783_chk )
If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Check Text ( C-45876r812783_chk )

If DoD is not at C2C Step 4 or higher, this is not a finding.

If not required by the NAC SSP, this is not a finding.

Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set.

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Fix Text (F-45833r803565_fix)
If required by the NAC SSP, configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these used to restrict access.

Fix Text (F-45833r803565_fix)

If required by the NAC SSP, configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set.

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these used to restrict access.