The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4.

An XCCDF Rule

Description

<VulnDiscussion>Devices, which do not meet minimum-security configuration requirements, pose a risk to the DOD network and information assets. Endpoint devices must be disconnected or given limited access as designated by the approval authority and system owner if the device fails the authentication or security assessment. The user will be presented with a limited portal, which does not include access options for sensitive resources. Required security checks must implement DOD policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-242588r1001248_rule
Severity: Medium
References: CCI-000213
Updated: 17 days ago

If required by the NAC SSP, configure the Policy Set to enforce the posture assessment.

1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Click on Actions Gear below to location the new Authorization Policy will be inserted.5. Choose "Insert new role above" or if there is an Authorization Policy made for the device type that that posture will be applied to choose "Duplicate above".
6. Click on the name of the policy and define a desirable name.
7. Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
8. Choose "New" under the editor.
9. Choose "Click to add an attribute".
10. Under Dictionary select Session in the drop-down.
11. Under Attribute select PostureStatus.
12. Ensure "Equals" is selected as the operator. 
13. Select Compliant in the drop-down.
14. Choose "New".
15. Add a condition to flag the device type that should be postured.
16. Choose "Use".
17. Name the rule accordingly.
18. Select the desired result.
19. Click on Actions Gear on the Authorization Policy just created.
20. Select Duplicate below in the drop-down menu.
21. Click on the conditions of the copy.
22. Change the PostureStatus variable form "Compliant" to "NonCompliant".
23. Choose "Use".
24. Name the rule accordingly.
25. Select a result that is used for remediation access, which should be a result that is configured for a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these that are used to restrict access.
26. Choose "Save".

Note: There are several ways this can be configured to meet the requirement. This is just an example. The main thing is to have a "Compliant" and a "NonCompliant" rule using the PostureStatus conditions.

The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4.

Description

Remediation - Manual Procedure