Check: CSCO-NC-000320
Cisco ISE NAC STIG:
CSCO-NC-000320
(in versions v1 r4 through v1 r3)
Title
The Cisco ISE must have a posture policy for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 1. (Cat I impact)
Discussion
Posture assessments can reduce the risk that clients impose on networks. The posture policy is the function that links requirements to the clients they apply to. Multiple requirements can be associated with a single policy; conversely, multiple policies can apply to the same client. The posture policy evaluates in a match-all fashion: every applicable policy is applied, rather than only the first match in a top-down order.
Check Content
If DoD is not at C2C Step 1 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify the posture policy for posture required clients.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Review the enabled posture policies to ensure posture required endpoints will process requirements.
If there is not an enabled policy that will be applied to posture required endpoints, this is a finding.
Fix Text
If required by the NAC SSP, configure the posture policy for posture required clients.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Choose the drop-down located next to "Edit" on the right side of the page where you want the new policy inserted.
3. Choose "Insert new policy".
4. Define a Name.
5. Select the applicable Identity Groups.
6. Select the applicable Operating Systems configured in the requirement previously created.
7. Select the Compliance Module configured in the requirement previously created.
8. Select the Posture Type configured in the requirement previously created.
9. Select Other Conditions if used.
10. Select the applicable Requirement or Requirements, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
11. Choose "Done".
12. Choose "Save".
Note: The user can apply multiple requirements to a single policy, or use multiple policies each with a single requirement, because the posture policy operates in a "match-all" fashion.
Additional Identifiers
Rule ID: SV-242606r812794_rule
Vulnerability ID: V-242606
Group Title: SRG-NET-000512-NAC-002310
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings