Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Cisco ISE NAC Security Technical Implementation Guide
SRG-NET-000512-NAC-002310
SRG-NET-000512-NAC-002310
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-NET-000512-NAC-002310
1 Rule
<GroupDescription></GroupDescription>
The Cisco ISE must enforce posture status assessment for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 3.
High Severity
<VulnDiscussion>Posture assessments can reduce the risk that clients impose on networks by restricting or preventing access of noncompliant clients. If the posture assessment is not enforced, then access of clients not complying is not restricted allowing the risk of vulnerabilities being exposed. Though the configuration is out of scope, one of the ways to allow posturing with Cisco AnyConnect Secure Mobility Client is to enable http redirect on the network switch so that AnyConnect can connect to ISE's Client Provisioning Portal (call home). Every effort must be taken to configure this function without the need to require the command 'ip http server' on the switch (see V-220534 in the Network Infrastructure STIG). If deemed operationally necessary, the site must obtain AO approval and document the variation from V-220534, risk mitigations, and the mission need that makes the service necessary. If the service is operationally necessary to meet C2C compliance for posture assessment and a vendor-provided alternative is not available, then it is, by definition, a necessary service. Thus, V-220534 is not a finding as it states that "If a particular capability is used, then it must be documented and approved."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>