If DoD is not at C2C Step 1 or higher, this is not a finding.
Verify that only TLS 1.2 is enabled. From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.
If TLS 1.0 or 1.1 is enabled, this is a finding.

Configure ISE so that only TLS 1.2 is enabled. From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

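As an added verification aid that is not part of the STIG text, the Python script below pins a client handshake to each of TLS 1.0, 1.1 and 1.2 in turn against the admin portal and applies the rule above; the hostname is a placeholder, and the probe is kept separate from the decision so the rule itself can be checked without network access.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple

# The protocol versions toggled on the Security Settings page; only TLS 1.2 may stay enabled.
TLS_VERSIONS: Dict[str, ssl.TLSVersion] = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
}
LEGACY = ("TLS1.0", "TLS1.1")

def handshake_accepted(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> Optional[bool]:
    """True if the server completes a handshake pinned to exactly `version`, False if it refuses,
    None if this client build cannot even offer that version (so nothing was observed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol support is what is being probed,
    ctx.verify_mode = ssl.CERT_NONE  # not certificate validity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower the OpenSSL security level so the client will offer TLS 1.0/1.1 at all; otherwise a
        # refusal would come from the client build rather than from the server's setting.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def probe(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Try each version in turn and report which ones the portal accepted."""
    return {name: handshake_accepted(host, port, ver) for name, ver in TLS_VERSIONS.items()}

def evaluate(accepted: Dict[str, Optional[bool]]) -> Tuple[str, str]:
    """Apply the STIG rule: a finding if TLS 1.0 or TLS 1.1 is accepted."""
    legacy_on = [v for v in LEGACY if accepted.get(v)]
    if legacy_on:
        return "Open", "legacy protocol accepted: " + ", ".join(legacy_on)
    untested = [v for v in LEGACY if accepted.get(v) is None]
    if untested:
        return "Not_Reviewed", "this client could not offer " + ", ".join(untested) + "; probe from another host"
    if not accepted.get("TLS1.2"):
        return "NotAFinding", "no legacy protocols accepted, but TLS 1.2 also failed (check reachability)"
    return "NotAFinding", "only TLS 1.2 accepted"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ise-admin.example.invalid"  # placeholder host
    status, detail = evaluate(probe(target))
    print(f"{target}: {status} ({detail})")
```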
If DoD is not at C2C Step 4 or higher, this is not a finding.
Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set.
1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set.
1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
On the default authorization rule select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination used to restrict the access.

If DoD is not at C2C Step 4 or higher, this is not a finding.
Verify the profiling service is configured and enabled.
1. Choose Administration >> System >> Deployment.
2. View the Deployment Nodes. Verify the following services are enabled via the check box:
- Policy Service
- Enable Session Services
- Enable Profiling Services
If the Cisco ISE profiling service is not configured and enabled, this is a finding.

Configure the profiling service to provide a contextual inventory of all the endpoints that are using your network resources in any Cisco ISE-enabled network.
1. Choose Administration >> System >> Deployment.
2. Choose a Cisco ISE node that assumes the Policy Service persona.
3. Click "Edit" in the Deployment Nodes page.
4. On the "General Settings" tab, check the "Policy Service" check box.
5. Perform the following tasks:
- Check the "Enable Session Services" check box.
- Check the "Enable Profiling Services" check box to run the profiling service.
6. Click "Save" to save the node configuration.

If DoD is not at C2C Step 4 or higher, this is not a finding.
If a host-based firewall is not required by the NAC SSP, this is not a finding.
Verify that the posture policy will verify that a host-based firewall is running.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Review the enabled posture policies, analyzing all the conditions.
3. Review the requirements listed on policies that the posture-required clients will use.
4. Navigate to Work Centers >> Posture >> Policy Elements.
5. Review the requirements applied in the posture policy to ensure there is one with a firewall condition applied.
6. Review the firewall condition, ensuring it is configured to verify that the client firewall is enabled.
If there is not a firewall condition tied to a requirement that is applied to an applicable posture policy, this is a finding.

If required by the site's NAC SSP, configure the posture policy to verify that a host-based firewall is running.
1. Navigate to Work Centers >> Posture >> Policy Elements.
2. Create Firewall Condition.
  a. Expand "Conditions" on the left of the page.
  b. Choose "Firewall Condition".
  c. Choose "Add".
  d. Define a Name.
  e. Select the applicable Compliance Module.
  f. Select the Operating System.
  g. Select the vendor of the firewall.
  h. Check "enable".
  i. Select the desired product/products.
  j. Choose "Save".
3. Create Firewall Remediation.
  a. Expand "Remediations" on the left of the page.
  b. Choose "Firewall".
  c. Choose "Add".
  d. Define a Name.
  e. Select the Operating System.
  f. Select the applicable Compliance Module.
  g. Select the Remediation Type.
  h. Define the interval between retries.
  i. Define the Retry Count.
  j. Select the desired Vendor Name.
  k. Check "Remediation Option is to enable the Firewall".
  l. Select the Product Name.
  m. Choose "Submit".
4. Create Requirements.
  a. Choose "Requirements" on the left of the page.
  b. Choose the drop-down located next to "Edit" on the right side of the page where the requirement is to be inserted.
  c. Choose "Insert new Requirement".
  d. Define a Name.
  e. Select the Operating System.
  f. Select the applicable Compliance Module.
  g. Select the Posture Type.
  h. Select the Condition previously configured.
  i. Select the Remediation Action previously configured and type in a message to display.
  j. Choose "Done".
  k. Choose "Save".
5. Edit the Posture Policy.
  a. Navigate to Work Centers >> Posture >> Posture Policy.
  b. Find the Posture Policy that will be applied to the posture-required endpoints.
  c. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
  d. Choose "Done".
  e. Choose "Save".

If DoD is not at C2C Step 4 or higher, this is not a finding.
Verify that the posture policy will verify that anti-malware software is installed and up to date. If not required by the NAC SSP, this is not a finding.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Look over the enabled posture policies, analyzing all the conditions.
3. Review the requirements listed on policies that the posture-required clients will use.
4. Navigate to Work Centers >> Posture >> Policy Elements.
5. Review the requirements applied in the posture policy to ensure there are requirements with anti-malware conditions applied.
6. Review the anti-malware conditions, ensuring one is configured to verify that the software is installed and one is configured to make sure the software is up to date.
If this requirement is met by another system or application, this is not applicable.
If there is not an anti-malware condition tied to a requirement that is applied to an applicable posture policy, this is a finding.

If required by the NAC SSP, configure the posture policy to verify that anti-malware software is up to date.
1. Navigate to Work Centers >> Posture >> Policy Elements.
2. Create Anti-Malware Condition.
  a. Expand "Conditions" on the left of the page.
  b. Choose "Anti-Malware".
  c. Choose "Add".
  d. Define a Name.
  e. Select the Operating System.
  f. Select the vendor.
  g. Check "Definition".
  h. Check "Check against latest AV definition file version if available. Otherwise check against latest definition file date." or "Allow virus definition file to be (<1) days older than the current system date."
  i. Select the desired product/products.
  j. Choose "Submit".
3. Create Anti-Malware Remediation.
  a. Expand "Remediations" on the left of the page.
  b. Choose "Anti-Malware".
  c. Choose "Add".
  d. Define a Name.
  e. Select the Operating System.
  f. Select the Remediation Type.
  g. Define the interval between retries.
  h. Define the Retry Count.
  i. Select the desired Vendor Name.
  j. Check "Remediation Option is to enable the Firewall".
  k. Select the Product Name.
  l. Choose "Submit".
4. Edit the Posture Policy.
  a. Navigate to Work Centers >> Posture >> Posture Policy.
  b. Find the Posture Policy that will be applied to the posture-required endpoints.
  c. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
  d. Choose "Done".
  e. Choose "Save".
Note: If any other Definition option is used, the Posture Updates must be updated (navigate to Work Centers >> Posture >> Settings >> Software Updates >> Posture Updates).
Configure the posture policy to verify that anti-malware software is installed.
1. Navigate to Work Centers >> Posture >> Policy Elements.
2. Create Anti-Malware Condition.
  a. Expand "Conditions" on the left of the page.
  b. Choose "Anti-Malware".
  c. Choose "Add".
  d. Define a Name.
  e. Select the Operating System.
  f. Select the vendor.
  g. Check "Installation".
  h. Select the desired product/products.
  i. Choose "Submit".
3. Create Anti-Malware Remediation.
  a. Expand "Remediations" on the left of the page.
  b. Choose "Anti-Malware".
  c. Choose "Add".
  d. Define a Name.
  e. Select the Operating System.
  f. Select the Remediation Type.
  g. Define the interval between retries.
  h. Define the Retry Count.
  i. Select the desired Vendor Name.
  j. Check "Remediation Option is to enable the Firewall".
  k. Select the Product Name.
  l. Choose "Submit".
4. Edit the Posture Policy.
  a. Navigate to Work Centers >> Posture >> Posture Policy.
  b. Find the Posture Policy that will be applied to the posture-required endpoints.
  c. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
  d. Choose "Done".
  e. Choose "Save".

If DoD is not at C2C Step 4 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that the posture policy will verify that a host-based IPS is running.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Look over the enabled posture policies, analyzing all the conditions.
3. Review the requirements listed on policies that the posture-required clients will use.
4. Navigate to Work Centers >> Posture >> Policy Elements.
5. Review the requirements applied in the posture policy to ensure there is one with a firewall condition applied.
6. Review the firewall condition, ensuring it is configured to verify that the client firewall is enabled.
If there is not a firewall condition tied to a requirement that is applied to an applicable posture policy, this is a finding.

If required by the NAC SSP, configure the posture policy to verify that a host-based IPS is running.
1. Navigate to Work Centers >> Posture >> Policy Elements.
2. Create Host Intrusion Prevention Condition.
  a. Expand "Conditions" on the left of the page.
  b. Choose "Firewall Condition".
  c. Choose "Add".
  d. Define a Name.
  e. Select the applicable Compliance Module.
  f. Select the Operating System.
  g. Select "McAfee" for the vendor of the firewall.
  h. Check "enable".
  i. Select "McAfee Host Intrusion Prevention" in the product list.
  j. Choose "Save".
3. Create Requirements.
  a. Choose "Requirements" on the left of the page.
  b. Choose the drop-down located next to "Edit" on the right side of the page where the requirement is to be inserted.
  c. Choose "Insert new Requirement".
  d. Define a Name.
  e. Select the Operating System.
  f. Select the applicable Compliance Module.
  g. Select the Posture Type.
  h. Select the Condition previously configured.
  i. Select the Remediation Action of "Message Text Only" and type in a message to display.
  j. Choose "Done".
  k. Choose "Save".
4. Edit the Posture Policy.
  a. Navigate to Work Centers >> Posture >> Posture Policy.
  b. Find the Posture Policy that will be applied to the posture-required endpoints.
  c. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
  d. Choose "Done".
  e. Choose "Save".

If DoD is not at C2C Step 4 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that the authorization policies for "Posture NonCompliant" have a result that will assign the remediation VLAN.
1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
4. Scan for Authorization policies with the "Posture NonCompliant" condition.
5. Verify the result assigned to the authorization policy will assign the remediation VLAN.
If the result is the remediation VLAN, this is not a finding.
If posture is not mandated by the Information System Security Manager (ISSM), this is not a finding.

If required by the NAC SSP, configure the "Posture NonCompliant" authorization policy so that its result will assign the remediation VLAN.
1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
4. Create an authorization policy for "Posture NonCompliant".
5. Assign the remediation VLAN result.

If DoD is not at C2C Step 3 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that each requirement used has a message to display.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Make a note of each "Requirement" tied to an enabled Posture Policy.
3. Navigate to Work Centers >> Posture >> Policy Elements >> Requirements.
4. Verify that each requirement noted has a message in the "Message Shown to Agent User" box.
If a requirement that is used does not have a message, this is a finding.

If required by the NAC SSP, configure a message prior to remediation:
1. Navigate to Work Centers >> Posture >> Policy Elements >> Requirements.
2. On the requirements under "Remediation Actions", define a message in the "Message Shown to Agent User".
3. Choose "Done".
4. Choose "Save".

If DoD is not at C2C Step 1 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Review the posture policy to ensure mandated endpoints are being assessed and, if there are exceptions to the policy, that they are documented and approved by the ISSM.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Examine the enabled Posture Policies to determine if the endpoints that are mandated to be assessed will use the required policies.
3. If there is an endpoint type that should be assessed and there is a condition or conditions exempting a subgroup of that endpoint type, verify that the subgroup is documented and approved by the ISSM.
If the policy will not be applied to required endpoints, or if exempted endpoints are not approved and documented, this is a finding.

If required by the NAC SSP, configure the posture policy to assess mandated endpoints.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Choose the drop-down located next to "Edit" on the right side of the page where you want the new policy inserted.
3. Choose "Insert new policy".
4. Define a Name.
5. Select the applicable Identity Groups.
6. Select the applicable Operating Systems configured in the requirement previously created.
7. Select the Compliance Module configured in the requirement previously created.
8. Select the Posture Type configured in the requirement previously created.
9. Select Other Conditions if used.
10. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
11. Choose "Done".
12. Choose "Save".
Note: For exceptions, a condition can be made to "Not Equal" or "Not Contains" a pattern to exempt devices from the policy.

If DoD is not at C2C Step 2 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that an alarm will be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the "AAA Audit", "Failed Attempts", and "Posture and Client Provisioning Audit" categories have LogCollector set as a target at a minimum.
If the Posture and Client Provisioning Audit logging category is not configured to send to the LogCollector and/or another logging target, this is a finding.

If required by the NAC SSP, configure an alarm to be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "AAA Audit", "Failed Attempts", and "Posture and Client Provisioning Audit" categories so that the Targets field has LogCollector selected at a minimum. If the environment has an additional SYSLOG server, it can be selected here as well.

If DoD is not at C2C Step 4 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that blacklisted devices will be denied access or quarantined.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the "Authorization Policy – Global Exceptions".
4. Verify that a rule with the condition "Session-ANCPolicy EQUALS <Configured ANC Policy>" or "IdentityGroup-Name EQUALS Endpoint Identity Group:Blacklist" is present with a result that will deny access or quarantine the endpoint.
If the enforcement is completed in the Authorization Policy rather than the Global Exceptions, then each policy set must contain a policy for blacklisted endpoints.
If there is not an authorization policy for Blacklist endpoints, this is a finding.
If the authorization policy does not restrict or deny the access of blacklisted endpoints, this is a finding.

If required by the NAC SSP, configure an Adaptive Network Control (ANC) policy to deny blacklisted devices access, or make an authorization policy for the Blacklist endpoint identity group.
1. Navigate to Operations >> Adaptive Network Control >> Policy List.
2. Choose "Add".
3. Give the policy a name.
4. Select the desired ANC Action (QUARANTINE or RE_AUTHENTICATE are the recommended actions for this).
5. Choose "Submit".
6. Configure the authorization policy to enforce the ANC policy. Note: If the Blacklist identity group is used instead of an ANC policy, then a Change of Authorization (CoA) will need to be triggered.
7. Navigate to Work Centers >> Network Access >> Policy Sets.
8. Choose ">" on any policy set.
9. Expand "Authorization Policy – Global Exceptions".
10. Click the Actions gear on the rule below the location where the new Authorization Policy will be inserted (if there is not an existing policy, click the "+" icon and skip the next step).
11. Choose "Insert new row above".
12. Click on the name of the policy and define a desirable name.
13. Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
14. Choose "New" under the editor.
15. Choose "Click to add an attribute".
16. Under Dictionary select Session in the drop-down.
17. Under Attribute select "ANCPolicy".
18. Ensure "Equals" is selected as the operator.
19. Select the desired ANC Policy in the drop-down menu.
20. Choose "Use".
21. Name the rule accordingly.
22. Select the desired result.
23. Choose "Save".
If the Blacklist Endpoint Identity Group will be used, follow these steps:
1. Configure the authorization policy to enforce the ANC policy.
2. Navigate to Work Centers >> Network Access >> Policy Sets.
3. Choose ">" on any policy set.
4. Expand "Authorization Policy – Global Exceptions".
5. Click the Actions gear on the rule below the location where the new Authorization Policy will be inserted (if there is not an existing policy, click the "+" icon and skip the next step).
6. Choose "Insert new row above".
7. Click on the name of the policy and define a desirable name.
8. Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
9. Choose "New" under the editor.
10. Choose "Click to add an attribute".
11. Under Dictionary select "IdentityGroup" in the drop-down menu.
12. Under Attribute select "Name".
13. Ensure "Equals" is selected as the operator.
14. Select "Endpoint Identity Groups:Blacklist" in the drop-down menu.
15. Choose "Use".
16. Name the rule accordingly.
17. Select the desired result.
18. Choose "Save".
Note: If the Blacklist identity group is used instead of an ANC policy, then a Change of Authorization (CoA) will need to be triggered.

If DoD is not at C2C Step 2 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify the authorization policy will prevent intra-remediation VLAN communication.
1. Navigate to Policy >> Policy Elements >> Results.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that a rule with the condition "Session-PostureStatus EQUALS NonCompliant" or an authorization policy for remediation is present, making a note of the authorization profile.
5. Navigate to Policy >> Policy Elements >> Results >> Authorization >> Authorization Profiles >> the authorization profile noted above.
6. Ensure the result that is used restricts lateral traffic within that VLAN by a private VLAN, dACL, ACL, SGT, or any combination of these.
7. If a private VLAN is used, review the switch configuration to confirm it is a private VLAN.
If there is not an authorization policy for NonCompliant clients or remediation, this is a finding.
If the authorization policy does not prevent intra-remediation VLAN communication, this is a finding.

If required by the NAC SSP, configure the remediation authorization policy to prevent intra-remediation VLAN communication.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Locate the authorization policy with the "Session-PostureStatus EQUALS NonCompliant" condition or the authorization policy for remediation access.
5. Configure the result to block intra-VLAN communication (Private VLAN, dACL, ACL, or SGT).
6. Choose "Save".

If DoD is not at C2C Step 4 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that the Policy Set will enforce the posture assessment.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that the Attribute PostureStatus with the value NonCompliant is configured in the policy.
5. Make a note of the result/results on the NonCompliant Policy.
6. Navigate to Policy >> Policy Elements >> Results >> Authorization.
7. Expand Authorization.
8. Choose Authorization Profiles.
9. View the Standard Authorization Profile/Profiles noted above to ensure that a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these is used to restrict access.
If there is not a "NonCompliant" authorization rule or the result is not restrictive, this is a finding.

If required by the NAC SSP, configure the Policy Set to enforce the posture assessment.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Click the Actions gear on the rule below the location where the new Authorization Policy will be inserted.
5. Choose "Insert new row above", or, if there is an Authorization Policy made for the device type that posture will be applied to, choose "Duplicate above".
6. Click on the name of the policy and define a desirable name.
7. Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
8. Choose "New" under the editor.
9. Choose "Click to add an attribute".
10. Under Dictionary select Session in the drop-down.
11. Under Attribute select PostureStatus.
12. Ensure "Equals" is selected as the operator.
13. Select Compliant in the drop-down.
14. Choose "New".
15. Add a condition to flag the device type that should be postured.
16. Choose "Use".
17. Name the rule accordingly.
18. Select the desired result.
19. Click the Actions gear on the Authorization Policy just created.
20. Select "Duplicate below" in the drop-down menu.
21. Click on the conditions of the copy.
22. Change the PostureStatus value from "Compliant" to "NonCompliant".
23. Choose "Use".
24. Name the rule accordingly.
25. Select a result that is used for remediation access, which should be a result that is configured for a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these that are used to restrict access.
26. Choose "Save".
Note: There are several ways this can be configured to meet the requirement. This is just an example. The main thing is to have a "Compliant" and a "NonCompliant" rule using the PostureStatus conditions.

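The authorization-policy checks above (a restricted or deny default rule, an ANC/Blacklist rule in Global Exceptions or in every policy set, and a NonCompliant rule whose result restricts access) can be run as one offline audit over a model of the policy sets. This Python checker and its sample deployment are added here and are not part of the STIG or of Cisco ISE; the profile and rule names are constructed, and the model is a simplification of what the Policy Sets page shows.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DENY = "ACCESS_REJECT"                                  # access type of the built-in DenyAccess result
BLACKLIST_GROUP = "Endpoint Identity Groups:Blacklist"  # value matched by the blacklist condition

@dataclass
class AuthzProfile:
    # Fields mirror the restriction mechanisms the STIG accepts: deny, VLAN, dACL/ACL, SGT.
    name: str
    access_type: str = "ACCESS_ACCEPT"
    vlan: Optional[str] = None
    dacl: Optional[str] = None
    acl: Optional[str] = None
    sgt: Optional[str] = None

    def restricted(self) -> bool:
        return self.access_type == DENY or any((self.vlan, self.dacl, self.acl, self.sgt))

@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]  # attribute -> required value, e.g. {"Session-PostureStatus": "NonCompliant"}
    profile: str                # name of the AuthzProfile used as the result

@dataclass
class PolicySet:
    name: str
    rules: List[Rule]
    default_profile: str        # result of the default (last) authorization rule

@dataclass
class Deployment:
    profiles: Dict[str, AuthzProfile]
    policy_sets: List[PolicySet]
    global_exceptions: List[Rule] = field(default_factory=list)

    def restricted(self, profile_name: str) -> bool:
        prof = self.profiles.get(profile_name)
        return prof is not None and prof.restricted()

def _with(rules: List[Rule], attr: str, value: Optional[str] = None) -> List[Rule]:
    # Rules whose conditions include `attr` (optionally with a specific value).
    return [r for r in rules if attr in r.conditions and (value is None or r.conditions[attr] == value)]

def check_default_rule(dep: Deployment, ps: PolicySet) -> List[str]:
    if dep.restricted(ps.default_profile):
        return []
    return [f"{ps.name}: default rule result '{ps.default_profile}' is neither DenyAccess nor restricted"]

def check_posture_enforcement(dep: Deployment, ps: PolicySet) -> List[str]:
    nc = _with(ps.rules, "Session-PostureStatus", "NonCompliant")
    if not nc:
        return [f"{ps.name}: no rule with Session-PostureStatus EQUALS NonCompliant"]
    return [f"{ps.name}: NonCompliant rule '{r.name}' result '{r.profile}' does not restrict access"
            for r in nc if not dep.restricted(r.profile)]

def _blacklist_rules(rules: List[Rule]) -> List[Rule]:
    return _with(rules, "Session-ANCPolicy") + _with(rules, "IdentityGroup-Name", BLACKLIST_GROUP)

def check_blacklist(dep: Deployment) -> List[str]:
    # A rule in Global Exceptions covers every policy set; otherwise each set must carry its own.
    scopes = [("Global Exceptions", dep.global_exceptions)]
    if not _blacklist_rules(dep.global_exceptions):
        scopes = [(ps.name, ps.rules) for ps in dep.policy_sets]
    findings: List[str] = []
    for scope, rules in scopes:
        matched = _blacklist_rules(rules)
        if not matched:
            findings.append(f"{scope}: no authorization rule for ANC/Blacklist endpoints")
        findings += [f"{scope}: blacklist rule '{r.name}' result '{r.profile}' does not deny or quarantine"
                     for r in matched if not dep.restricted(r.profile)]
    return findings

def audit(dep: Deployment) -> List[str]:
    findings = check_blacklist(dep)
    for ps in dep.policy_sets:
        findings += check_default_rule(dep, ps) + check_posture_enforcement(dep, ps)
    return findings

def sample_deployment() -> Deployment:
    # Constructed sample: a correctly built wired policy set beside a wireless one with the usual mistakes.
    profiles = {
        "DenyAccess": AuthzProfile("DenyAccess", access_type=DENY),
        "PermitAccess": AuthzProfile("PermitAccess"),
        "Remediation_VLAN": AuthzProfile("Remediation_VLAN", vlan="REMEDIATION", dacl="REMEDIATION_ONLY"),
        "Quarantine": AuthzProfile("Quarantine", dacl="DENY_ALL"),
    }
    wired = PolicySet("Wired_Dot1X", [
        Rule("Compliant", {"Session-PostureStatus": "Compliant"}, "PermitAccess"),
        Rule("NonCompliant", {"Session-PostureStatus": "NonCompliant"}, "Remediation_VLAN"),
    ], default_profile="DenyAccess")
    wireless = PolicySet("Wireless_Dot1X", [
        Rule("Compliant", {"Session-PostureStatus": "Compliant"}, "PermitAccess"),
        Rule("NonCompliant", {"Session-PostureStatus": "NonCompliant"}, "PermitAccess"),  # no restriction
    ], default_profile="PermitAccess")                                                     # open default
    anc = Rule("ANC_Quarantine", {"Session-ANCPolicy": "Quarantine_Policy"}, "Quarantine")
    return Deployment(profiles, [wired, wireless], global_exceptions=[anc])
```

Running `audit(sample_deployment())` reports the two wireless problems (open default rule, NonCompliant result that does not restrict) and nothing for the wired set; clearing `global_exceptions` makes the blacklist check fall back to per-policy-set rules, which neither sample set has.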
If DoD is not at C2C Step 1 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that a log will be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Failed Attempts category has LogCollector set as a target at a minimum.
If the Failed Attempts logging category is not configured to send to the LogCollector and/or another logging target, this is a finding.

If required by the NAC SSP, configure a log to be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "Failed Attempts" category so that the Targets field has LogCollector selected at a minimum. This is the default setting. If the environment has an additional SYSLOG server, it can be selected here as well.

If DoD is not at C2C Step 1 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that a log will be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Posture and Client Provisioning Audit category has LogCollector set as a target at a minimum.
If the Posture and Client Provisioning Audit logging category is not configured to send to the LogCollector and/or another logging target, this is a finding.

If required by the NAC SSP, configure a log to be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "Posture and Client Provisioning Audit" category so that the Targets field has LogCollector selected at a minimum. This is the default setting. If the environment has an additional SYSLOG server, it can be selected here as well.

If DoD is not at C2C Step 3 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.
Verify that an alarm will be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Posture and Client Provisioning Audit category has LogCollector set as a target at a minimum.
If the Posture and Client Provisioning Audit logging category is not configured to send to the LogCollector and/or another logging target, this is a finding.

If required by the NAC SSP, configure an alarm to be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "Posture and Client Provisioning Audit" category so that the Targets field has LogCollector selected at a minimum. This is the default setting. If the environment has an additional SYSLOG server, it can be selected here as well.

If DoD is not at C2C Step 1 or higher, this is not a finding.
Navigate to Administration >> System >> Backup and Restore. Ensure that operational data backups are scheduled.
If operational backups are not scheduled, this is a finding.

From the Web Admin portal:
1. Navigate to Administration >> System >> Backup and Restore.
2. Select the "Schedule" option next to Operational Data Backup.
3. Configure operational data backup at a desired frequency.

If DoD is not at C2C Step 1 or higher, this is not a finding.
Verify that Cisco ISE will notify one or more individuals when there is a Log Collection Error. From the Web Admin portal:
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Verify that "Enable" is selected.
4. Select "Enter Multiple Emails Separated with Comma".
5. Verify one or more email addresses are configured.
If the "Log Collector Error" alarm type is not enabled or email addresses are not configured to receive the alert, this is a finding.

Configure Cisco ISE to notify one or more individuals when there is a Log Collection Error. From the Web Admin portal:
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Select "Enable".
4. Select "Enter Multiple Emails Separated with Comma".
5. Configure email addresses of individuals and organizational accounts to be notified.
6. Click "Submit".

If DoD is not at C2C Step 1 or higher, this is not a finding.
Review the configured Remote Logging Targets to ensure there are, at a minimum, two configured. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Targets.
2. Verify that "LogCollector" and "LogCollector2", or an additional target, are defined and enabled.
If there are not two separate logging targets defined, this is a finding.
Note: "ProfilerRadiusProbe" or any other target with a "127.0.0.1" address does not count as a "Remote" Logging Target.

Configure Remote Logging Targets. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Targets.
2. Select "Secure Syslog" or "TCP Syslog" in the Target Type drop-down.
3. Configure a desired name.
4. Configure the Host/IP address.
5. Check the box for "Buffer Messages When Server Down".
6. If "Secure Syslog" is used, select the CA certificate that determines which system certificate is used to secure this connection.
7. Choose "Submit".
Note: "LogCollector" and "LogCollector2" represent the monitoring (MnT) nodes defined in the deployment. If there is a primary and a secondary MnT node, then nothing more is needed.
Note: "ProfilerRadiusProbe" or any other target with a "127.0.0.1" address does not count as a "Remote" Logging Target.

If DoD is not at C2C Step 1 or higher, this is not a finding.
Verify that a log will be generated and sent when a Logging Target becomes unavailable. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify that Internal Operations Diagnostics has "LogCollector" and "LogCollector2" set.
If there are a minimum of two logging targets selected for Internal Operations Diagnostics, this is not a finding.

Configure a log to be generated and sent when a Logging Target becomes unavailable. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Configure the "Internal Operations Diagnostics" category Targets field to have "LogCollector" and "LogCollector2". If the environment has an additional SYSLOG server, it can be selected here as well. Note: "LogCollector" and "LogCollector2" are not configured for this category by default. These logs will be viewable at Operations >> Reports >> Reports >> Diagnostics >> System Diagnostic.
If DoD is not at C2C Step 1 or higher, this is not a finding. Verify that logging targets are configured to buffer syslog messages when the server is down. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Select each remote target and verify that the "Buffer Messages When Server Down" box is checked. Note: If "LogCollector" and "LogCollector2" are configured for UDP and the ISE Messaging Service is configured, this is not a finding. Verify that the ISE Messaging Service is enabled. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Log Settings. 2. Verify that the "Use ISE Messaging Service for UDP Syslogs delivery to MnT" box is checked. If messages are not buffered for remote syslog servers, this is a finding.
Configure the logging targets to buffer syslog messages when the server is down. Navigate to Administration >> System >> Logging >> Remote Logging Targets. 1. Select "Secure Syslog" or "TCP Syslog" in the Target Type drop-down menu. 2. Configure a desired name. 3. Configure the Host/IP address. 4. Check the box for "Buffer Messages When Server Down". 5. If "Secure Syslog" is used, select a CA certificate; this determines which system certificate is used to secure the connection. 6. Choose "Submit". And/or: Enable the ISE Messaging Service. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Log Settings. 2. Check "Use ISE Messaging Service for UDP Syslogs delivery to MnT". 3. Choose "Save". Note: The ISE Messaging Service will encrypt and buffer messages destined for the Monitoring (MnT) nodes. The logging targets "LogCollector" and "LogCollector2" are the primary and secondary MnT nodes respectively.
If DoD is not at C2C Step 1 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. Review the posture settings to ensure Continuous Monitoring Interval is enabled and a value configured. From the Web Admin portal: 1. Choose Work Centers >> Posture >> Settings >> Posture General Settings. 2. Verify that "Continuous Monitoring Interval" is enabled and an interval configured. If "Continuous Monitoring Interval" is not enabled with an interval defined, this is a finding.
If required by the NAC SSP, configure the posture settings to enable Continuous Monitoring Interval. From the Web Admin portal: 1. Choose Work Centers >> Posture >> Settings >> Posture General Settings. 2. Check "Continuous Monitoring Interval" and define an interval to enable continuous monitoring. 3. Choose "Save".
If DoD is not at C2C Step 4 or higher, this is not a finding. Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.
Configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination of these used to restrict the access.
If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.
If required by the NAC SSP, configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set. 1. Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the desired policy set. 3. Expand Authorization Policy. On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these used to restrict access.
If DoD is not at C2C Step 4 or higher, this is not a finding. Verify that the authorization policies for devices granted access via MAB will have restricted access. 1. Navigate to Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the applicable policy set. 3. Expand the Authorization Policy. 4. Make a note of the result/results on each authorization policy for MAB. 5. Navigate to Policy >> Policy Elements >> Results >> Authorization. 6. Expand "Authorization". 7. Choose "Authorization Profiles". 8. View the Standard Authorization Profile/Profiles noted above to ensure that a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these is used to restrict access. If a VLAN is the only thing being applied to the session and the VLAN has an ACL on the layer 3 interface, this is not a finding. If there is not a restriction on a MAB authorization policy, this is a finding.
Configure the authorization policies for devices granted access via MAB to have restricted access. 1. Navigate to Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the applicable policy set. 3. Expand the "Authorization Policy". 4. Add a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these that are used to restrict access under results. 5. Repeat this for each authorization policy that devices connecting via MAB will use. 6. Choose "Save".
If DoD is not at C2C Step 1 or higher, this is not a finding. Verify the NTP settings to ensure NTP is authenticated. From the CLI: 1. Type "show running-config | in ntp". 2. Verify that each defined NTP server has a key on the same line defining the server and make a note of the key number. 3. Verify that each NTP key number used is created. If there is an NTP source without an NTP key defined and it is a domain controller, this is not a finding, as Windows Server does not support NTP keys. If there are any other NTP sources that do not use a defined key, this is a finding. Note: Each ISE node must be individually checked, as NTP settings are local to each appliance. Note: There are NTP settings in the GUI; however, it is recommended to use the NTP settings solely in the CLI to prevent issues.
Configure the NTP server to be authenticated. From the CLI: 1. Type "configure terminal". 2. Define an NTP authentication key: "ntp authentication-key <KEY Number> md5 plain <NTP KEY>". 3. Define an NTP server and associate it with the configured NTP key: "ntp server <IP> key <KEY Number>". 4. Type "exit" and press "Enter". 5. Type "write memory" and press "Enter". If a domain controller is used for NTP, then a key cannot be used, as Windows servers do not support NTP keys. Note: Each ISE node must be individually configured, as NTP settings are local to each appliance. Note: There are NTP settings in the GUI; however, it is recommended to use the NTP settings solely in the CLI to prevent issues.
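The check above can be automated against saved CLI output. The script below is an added example, not part of the STIG or Cisco's tooling: it parses constructed "show running-config | in ntp" output, flags NTP servers without a key or with a key number that was never defined, and exempts hosts the auditor lists as domain controllers (an assumed input, since the config itself does not say which hosts are DCs).

```python
"""Audit NTP authentication in Cisco ISE running-config output.

Added example (not from the STIG or Cisco): every 'ntp server' line must
reference a key number, and every referenced key must be defined by an
'ntp authentication-key' line. Hosts passed in domain_controllers are
exempt, matching the rule's Windows Server exception.
"""
import re

# Constructed sample resembling ISE output; the hash value is a placeholder.
SAMPLE_CONFIG = """\
ntp authentication-key 1 md5 hash PLACEHOLDER_HASH
ntp server 10.10.1.5 key 1
ntp server 10.10.1.6 key 2
ntp server 10.10.1.7
ntp server dc1.example.mil
"""

KEY_RE = re.compile(r"^ntp authentication-key (\d+)\b")
SERVER_RE = re.compile(r"^ntp server (\S+)(?:\s+key (\d+))?")


def audit_ntp(config_text, domain_controllers=()):
    """Return a list of finding strings; an empty list means no finding."""
    defined_keys = set()
    servers = []
    for line in config_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            defined_keys.add(m.group(1))
            continue
        m = SERVER_RE.match(line)
        if m:
            servers.append((m.group(1), m.group(2)))  # key may be None

    findings = []
    for host, key in servers:
        if key is None:
            if host in domain_controllers:
                continue  # rule exception: Windows DCs cannot use NTP keys
            findings.append(f"NTP server {host} has no authentication key")
        elif key not in defined_keys:
            findings.append(f"NTP server {host} references undefined key {key}")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_CONFIG, domain_controllers={"dc1.example.mil"}):
        print("FINDING:", finding)
```

Run it once per ISE node, since NTP settings are local to each appliance.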
If DoD is not at C2C Step 1 or higher, this is not a finding. From the Web Admin portal: 1. Navigate to Administration >> System >> Settings >> Security Settings. 2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked. If TLS 1.0 or 1.1 is enabled, this is a finding.
From the Web Admin portal: 1. Navigate to Administration >> System >> Settings >> Security Settings. 2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.
If DoD is not at C2C Step 3 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. Verify the authorization policy will enforce posture assessment status for posture required clients. 1. Navigate to Work Centers >> Network Access >> Policy Sets. 2. Choose ">" on the applicable policy set. 3. Expand the Authorization Policy. 4. Verify that a rule with the condition "Session-PostureStatus EQUALS NonCompliant" is present and will apply to posture required devices by analyzing the other conditions used on the same policy. 5. Ensure the result that is used for remediation access is a restricted VLAN, ACL, SGT, or any combination of these used to restrict the access. If there is not an authorization policy for NonCompliant clients that are posture required, this is a finding. If the authorization policy does not restrict the access of NonCompliant clients that are posture required, this is a finding.
If required by the NAC SSP, configure the authorization policy to enforce posture assessment status for posture required clients. 1. Edit the Policy Set to enforce the posture assessment. 2. Navigate to Work Centers >> Network Access >> Policy Sets. 3. Choose ">" on the applicable policy set. 4. Expand the Authorization Policy. 5. Click the Actions gear below the location where the new Authorization Policy will be inserted. 6. Choose "Insert new row above", or if there is an Authorization Policy made for the device type that posture will be applied to, choose "Duplicate above". 7. Click on the name of the policy and define a desirable name. 8. Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio. 9. Choose "New" under the editor. 10. Choose "Click to add an attribute". 11. Under Dictionary, select "Session" in the drop-down menu. 12. Under Attribute, select "PostureStatus". 13. Ensure "Equals" is selected as the operator. 14. Select "Compliant" in the drop-down menu. 15. Choose "New". 16. Add a condition to flag the device type that should be postured. 17. Choose "Use". 18. Name the rule accordingly. 19. Select the desired result. 20. Click the Actions gear on the Authorization Policy just created. 21. Select "Duplicate below" in the drop-down. 22. Click on the conditions of the copy. 23. Change the PostureStatus value from "Compliant" to "NonCompliant". 24. Choose "Use". 25. Name the rule accordingly. 26. Select a result that is used for remediation access, which should be a result that is configured for a restricted VLAN, ACL, SGT, or any combination of these used to restrict the access. 27. Choose "Save".
If DoD is not at C2C Step 2 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. Verify the posture policy for posture required clients. 1. Navigate to Work Centers >> Posture >> Posture Policy. 2. Review the enabled posture policies to ensure posture required endpoints will process requirements. If there is not an enabled policy that will be applied to posture required endpoints, this is a finding.
If required by the NAC SSP, configure the posture policy for posture required clients. 1. Navigate to Work Centers >> Posture >> Posture Policy. 2. Choose the drop-down located next to "Edit" on the right side of the page where the new policy should be inserted. 3. Choose "Insert new policy". 4. Define a Name. 5. Select the applicable Identity Groups. 6. Select the applicable Operating Systems configured in the requirement previously created. 7. Select the Compliance Module configured in the requirement previously created. 8. Select the Posture Type configured in the requirement previously created. 9. Select Other Conditions if used. 10. Select the applicable Requirement or Requirements, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement. 11. Choose "Done". 12. Choose "Save". Note: The user can apply multiple requirements to a single policy, or have multiple policies each with a single requirement, as the posture policy operates in a "match-all" fashion.