Title

For endpoints that require automated remediation, the Cisco ISE must be configured to redirect endpoints to a logically separate VLAN for remediation services. This is required for compliance with C2C Step 4. (Cat II impact)

Discussion

Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users. This isolation prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized. Unauthenticated devices must not be allowed to connect to remediation services.

Check Content

If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. Verify that the authorization policies for "Posture NonCompliant" have a result that will assign the remediation VLAN. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. 4. Scan for Authorization policies with "Posture NonCompliant" condition. 5. Verify the result assigned to the authorization policy will assign the remediation VLAN. If the result is the remediation VLAN, this is not a finding. If posture is not mandated by the Information System Security Manager (ISSM), this is not a finding.

Fix Text

If required by the NAC SSP, configure the "Posture NonCompliant" authorization policy so that the result that will assign the remediation VLAN. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. 4. Create an authorization policy for "Posture NonCompliant". 5. Assign the remediation VLAN result.

Additional Identifiers

Rule ID: SV-242581r812744_rule

Vulnerability ID: V-242581

Group Title: SRG-NET-000015-NAC-000040

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.