Check: CSCO-NC-000140
Cisco ISE NAC STIG:
CSCO-NC-000140
(in versions v1 r5 through v1 r3)
Title
The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4. (Cat II impact)
Discussion
Devices that do not meet minimum security configuration requirements pose a risk to the DoD network and information assets. Endpoint devices must be disconnected or given limited access, as designated by the approval authority and system owner, if the device fails the authentication or security assessment. The user will be presented with a limited portal that does not include access options for sensitive resources. Required security checks must implement DoD policy requirements.
Check Content
If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that the Policy Set will enforce the posture assessment.

1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that the Attribute PostureStatus with the value NonCompliant is configured in the policy.
5. Make a note of the result or results on the NonCompliant policy.
6. Navigate to Policy >> Policy Elements >> Results >> Authorization.
7. Expand Authorization.
8. Choose Authorization Profiles.
9. View the Standard Authorization Profile or Profiles noted above to ensure that a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these is used to restrict access.

If there is not a "NonCompliant" authorization rule, or the result is not restrictive, this is a finding.
Fix Text
If required by the NAC SSP, configure the Policy Set to enforce the posture assessment.

1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Click the Actions gear at the location where the new Authorization Policy will be inserted.
5. Choose "Insert new row above", or, if there is already an Authorization Policy for the device type that posture will be applied to, choose "Duplicate above".
6. Click on the name of the policy and define a desirable name.
7. Either click the "+" icon or click the existing Conditions to open the Conditions Studio.
8. Choose "New" under the editor.
9. Choose "Click to add an attribute".
10. Under Dictionary, select Session in the drop-down.
11. Under Attribute, select PostureStatus.
12. Ensure "Equals" is selected as the operator.
13. Select Compliant in the drop-down.
14. Choose "New".
15. Add a condition to flag the device type that should be postured.
16. Choose "Use".
17. Name the rule accordingly.
18. Select the desired result.
19. Click the Actions gear on the Authorization Policy just created.
20. Select "Duplicate below" in the drop-down menu.
21. Click on the conditions of the copy.
22. Change the PostureStatus value from "Compliant" to "NonCompliant".
23. Choose "Use".
24. Name the rule accordingly.
25. Select a result that is used for remediation access; this should be a result configured for a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these that restricts access.
26. Choose "Save".

Note: There are several ways this can be configured to meet the requirement. This is just an example. The main thing is to have a "Compliant" and a "NonCompliant" rule using the PostureStatus conditions.
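The Check Content and Fix Text above describe the review in GUI terms; the same logic can be applied to an exported copy of the authorization policy so the check can be repeated across many policy sets. The following is an added example, not Cisco or DISA code, and it assumes a hypothetical JSON shape for the export (each rule carries a list of conditions with dictionary, attribute, operator and value, plus the names of its result profiles; each authorization profile records whether it applies a VLAN, a DACL or an SGT). The sample rules and profiles are constructed for illustration; a real ISE export or API response will need its own loader.

```python
"""Repeatable audit of CSCO-NC-000140 over an exported authorization policy.

Added example, not Cisco or DISA code. The JSON shape below is an assumption:
rules = [{"name", "conditions": [{"dictionary", "attribute", "operator", "value"}], "results": [...]}]
profiles = {profile_name: {"vlan": ..., "dacl": ..., "sgt": ...}}
"""
from __future__ import annotations

# Mechanisms the check accepts as restricting access for a NonCompliant endpoint:
# remediation VLAN, Access Control List (DACL), Scalable Group Tag.
RESTRICTIVE_KEYS = ("vlan", "dacl", "sgt")


def rules_matching_posture(rules: list[dict], status: str) -> list[dict]:
    """Return rules whose conditions include Session.PostureStatus Equals <status>."""
    matched = []
    for rule in rules:
        for cond in rule.get("conditions", []):
            if (cond.get("dictionary") == "Session"
                    and cond.get("attribute") == "PostureStatus"
                    and cond.get("operator", "Equals").lower() == "equals"
                    and cond.get("value") == status):
                matched.append(rule)
                break
    return matched


def profile_is_restrictive(profile: dict) -> bool:
    """A result profile counts as restrictive if it applies any of VLAN, DACL or SGT."""
    return any(profile.get(key) for key in RESTRICTIVE_KEYS)


def audit_posture_enforcement(rules: list[dict], profiles: dict) -> list[str]:
    """Return finding strings per the Check Content; an empty list means no finding."""
    findings = []
    noncompliant = rules_matching_posture(rules, "NonCompliant")
    if not noncompliant:
        findings.append("no authorization rule matches PostureStatus Equals NonCompliant")
    for rule in noncompliant:
        results = rule.get("results", [])
        if not results:
            findings.append(f"rule {rule['name']!r}: NonCompliant rule has no result")
        for name in results:
            profile = profiles.get(name)
            if profile is None:
                findings.append(f"rule {rule['name']!r}: result profile {name!r} not found")
            elif not profile_is_restrictive(profile):
                findings.append(
                    f"rule {rule['name']!r}: result {name!r} applies no VLAN, ACL or SGT restriction")
    # The Fix Text also expects a matching Compliant rule; report its absence as a note.
    if not rules_matching_posture(rules, "Compliant"):
        findings.append("note: no authorization rule matches PostureStatus Equals Compliant")
    return findings


def _posture(value: str) -> dict:
    return {"dictionary": "Session", "attribute": "PostureStatus", "operator": "Equals", "value": value}


# Constructed sample data (not from any real deployment).
PROFILES = {
    "PermitAccess": {"vlan": None, "dacl": None, "sgt": None},
    "Quarantine_Remediation": {"vlan": "REMEDIATION", "dacl": "REMEDIATION-ACL", "sgt": None},
}
DEVICE_COND = {"dictionary": "EndPoints", "attribute": "LogicalProfile",
               "operator": "Equals", "value": "Workstations"}
GOOD_RULES = [
    {"name": "Corp_Compliant", "conditions": [_posture("Compliant"), DEVICE_COND],
     "results": ["PermitAccess"]},
    {"name": "Corp_NonCompliant", "conditions": [_posture("NonCompliant"), DEVICE_COND],
     "results": ["Quarantine_Remediation"]},
]
# Same rules, but the NonCompliant rule hands out full access: a finding.
BAD_RULES = [GOOD_RULES[0], dict(GOOD_RULES[1], results=["PermitAccess"])]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit_posture_enforcement(rules, PROFILES) or "no finding")
```

Run it over the constructed data and the "good" policy produces no findings while the "bad" one is flagged because its NonCompliant result is the unrestricted PermitAccess profile. The Compliant-rule note is deliberately separate from the findings, since the Check Content only makes the missing or non-restrictive NonCompliant rule a finding.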
Additional Identifiers
Rule ID: SV-242588r855852_rule
Vulnerability ID: V-242588
Group Title: SRG-NET-000322-NAC-001230
CCIs
Number | Definition
---|---
CCI-002179 | The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations.
Controls
Number | Title
---|---
AC-3 (8) | Revocation Of Access Authorizations