The Cisco ISE must enforce posture status assessment for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 3.

An XCCDF Rule

Description

<VulnDiscussion>Posture assessments can reduce the risk that clients impose on networks by restricting or preventing access of noncompliant clients. If the posture assessment is not enforced, then access of clients not complying is not restricted allowing the risk of vulnerabilities being exposed. Though the configuration is out of scope, one of the ways to allow posturing with Cisco AnyConnect Secure Mobility Client is to enable http redirect on the network switch so that AnyConnect can connect to ISE's Client Provisioning Portal (call home). Every effort must be taken to configure this function without the need to require the command 'ip http server' on the switch (see V-220534 in the Network Infrastructure STIG). If deemed operationally necessary, the site must obtain AO approval and document the variation from V-220534, risk mitigations, and the mission need that makes the service necessary. If the service is operationally necessary to meet C2C compliance for posture assessment and a vendor-provided alternative is not available, then it is, by definition, a necessary service. Thus, V-220534 is not a finding as it states that "If a particular capability is used, then it must be documented and approved."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-242605r944370_rule
Severity: High
References: CCI-000366
Updated: 17 days ago

If required by the NAC SSP, configure the authorization policy to enforce posture assessment status for posture required clients.

1. Edit the Policy Set to enforce the posture assessment.
2. Navigate to Work Centers >> Network Access >> Policy Sets.
3. Choose ">" on the applicable policy set.
4. Expand the Authorization Policy.5. Click on Actions Gear below to location where the new Authorization Policy will be inserted.
6. Choose "Insert new role above", or if there is an Authorization Policy made for the device type that posture will be applied to, choose "Duplicate above".
7. Click on the name of the policy and define a desirable name.
8 Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
9. Choose "New" under the editor.
10. Choose "Click to add an attribute".
11. Under Dictionary, select "Session" in the drop-down menu.
12. Under Attribute, select "PostureStatus".
13. Ensure "Equals" is selected as the operator. 
14. Select "Compliant" in the drop-down menu.
15. Choose "New".
16. Add a condition to flag the device type that should be postured.
17. Choose "Use".
18. Name the rule accordingly.
19. Select the desired result.
20. Click on Actions Gear on the Authorization Policy just created.
21. Select Duplicate below in the drop-down.
22. Click on the conditions of the copy.
23. Change the PostureStatus variable form "Compliant" to "NonCompliant".
24. Choose "Use".
25. Name the rule accordingly.
26. Select a result that is used for remediation access, which should be a result that is configured for a restricted VLAN, ACL, SGT, or any combination used to restrict the access.
27. Choose "Save".

The Cisco ISE must enforce posture status assessment for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 3.

Description

Remediation - Manual Procedure