Check: CSCO-NC-000260
Cisco ISE NAC STIG:
CSCO-NC-000260
(in versions v1 r2 through v1 r1)
Title
The Cisco ISE must deny network connection for endpoints that cannot be authenticated using an approved method. (Cat II impact)
Discussion
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Identification failure does not need to result in connection termination or preclude compliance assessment. This is particularly true for unmanaged systems or when the Cisco ISE is performing network discovery.
Check Content
Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.
Fix Text
Configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination of these used to restrict the access.
Additional Identifiers
Rule ID: SV-242600r714110_rule
Vulnerability ID: V-242600
Group Title: SRG-NET-000148-NAC-000620
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000778 |
The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection. |
Controls
Number | Title |
---|---|
IA-3 |
Device Identification And Authentication |