Review the concurrent sessions to ensure the CLI and GUI have the correct number of sessions defined.

From the web Admin portal:
1. Choose Administration >> System >> Admin Access >> Settings >> Access.
2. Verify the "Maximum Concurrent Sessions" under "GUI" Sessions is set to the organization-defined number.
3. Verify the "Maximum Concurrent Sessions" under "CLI" Sessions is set to one.

If the CLI is not set to limit the maximum number of sessions to one, or the GUI is not set to limit the maximum number of sessions to the organization-defined number, this is a finding.
Configure the concurrent sessions for the CLI and GUI.

From the web Admin portal:
1. Choose Administration >> System >> Admin Access >> Settings >> Access.
2. Configure the "Maximum Concurrent Sessions" under "GUI" to be the organization-defined number.
3. Configure the "Maximum Concurrent Sessions" under "CLI" to be one.
Review the site SSP to verify there is a procedure that requires a password change when administrators leave the group.

If Cisco ISE does not change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access, this is a finding.
Generate an automatic password for users and administrators (or generate one using another encryption method).

Navigate to Administration >> System >> Admin Access >> Administrators >> Admin Users. Select the CLI and the web Admin users and select the option to generate the password. Document the generated password and secure it for emergency use as an Account of Last Resort. Do not share it with other admins unless necessary.
Verify the logging category for Administrative and Operational Audit has been configured to send auditable events to the syslog target.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit category has been set to INFO and the Targets field has been set to the syslog target.

If the Administrative and Operational Audit logging category is not configured for the INFO severity level and sent to the central syslog server, this is a finding.
Enable logging categories for Cisco ISE to send auditable events to the syslog target.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Click "Save".
View the local admin users.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >> View.
2. Verify that only two local accounts are defined. Both must be in the Super User group. These users must be the web-based Account of Last Resort and the default CLI admin user.

If the Cisco ISE has unauthorized local users defined, this is a finding.
Create a local web-based administrator. ONLY one web-based admin account should exist on the local device. The default CLI account is also local and cannot be removed.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >> Add.
2. From the drop-down, choose Create an Admin User.
3. Enter the admin name and other information.
4. Add the Super User group.
5. Click "Submit".
Verify that only administrator accounts are located in administrative groups.

From the web Admin portal:
1. Navigate to Administration >> System >> Admin Access >> Authorization >> Permissions >> Policy.
2. Verify non-administrative users are located in read-only or limited-access admin groups.

If non-administrative accounts are in administrative admin groups, this is a finding.
Configure Role Based Access Control to ensure only administrator accounts have admin or super admin rights.

From the web Admin portal:
1. Navigate to Administration >> System >> Admin Access >> Authorization >> Permissions >> Policy.
2. Take note of the admin account groups.
3. Navigate to Administration >> System >> Admin Access >> Administrators >> Admin Users.
4. Ensure only admin accounts are placed within admin groups.

Note: If Active Directory is in use for external authentication, verify from AD that only administrative users are in the security group used for ISE admins.
Verify logging categories have been configured to send auditable events to the syslog target.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit category is configured for the INFO log severity level.
3. Verify both the Administrative and Operational Audit and the AAA Audit logging categories have been set to the syslog target.

If the Administrative and Operational Audit (INFO severity) and the AAA Audit logging categories are not configured to send to the central syslog server, this is a finding.
Enable logging categories for Cisco ISE to send auditable events to the syslog target.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Repeat the above steps to enable the AAA Audit logging category. Note that this logging category has INFO as the default log severity level and it cannot be changed.
6. Click "Save".
Verify ISE will disable accounts for at least 15 minutes after a maximum of three consecutive invalid logon attempts.

From the web admin portal:
1. Choose Administration >> System >> Admin Access >> Authentication >> Lock/Suspend Settings.
2. Verify the "Take action after [ ] failed attempts" setting is set to a value of 3 or lower.
3. Verify the "Suspend account for [ ] minutes" setting is selected and set to 15 minutes or higher.

If the lockout for admin accounts is not configured to lock the account after a maximum of three incorrect passwords are attempted, this is a finding.

If the lockout for admin accounts is not configured to lock the account for a minimum of 15 minutes, this is a finding.
Configure ISE to disable accounts for at least 15 minutes after a maximum of three consecutive invalid logon attempts.

From the web admin portal:
1. Choose Administration >> System >> Admin Access >> Authentication >> Lock/Suspend Settings.
2. Configure the "Take action after [ ] failed attempts" setting to a value of 3 or lower.
3. Check the "Suspend account for [ ] minutes" setting and set it to 15 minutes or higher.
4. Click "Save".

Note: This setting will propagate to the ADE-OS, applying the settings to the CLI accounts as well.
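The concurrent-session, local-account and lockout checks above reduce to a handful of comparisons that are easy to get subtly wrong (a suspend period that is unchecked rather than too short, a third local account, a GUI limit that differs from the organization-defined value). The routine below evaluates all of them and returns one finding per failed check. It is an added example, not Cisco or DISA code: it assumes the reviewer has already read the values off the Admin portal pages named in the checks and entered them into the AdminAccessSettings fields; the field names, the org_gui_sessions parameter and the sample data are this example's own, and the group name "Super User" is taken from the check text.

```python
from __future__ import annotations
from dataclasses import dataclass, field

SUPER_GROUP = "Super User"  # group name as written in the local-accounts check


@dataclass
class AdminAccessSettings:
    """Values read off the Admin Access pages named in the checks (field names are this example's own)."""
    gui_max_sessions: int            # Settings >> Access: "Maximum Concurrent Sessions" under GUI
    cli_max_sessions: int            # Settings >> Access: "Maximum Concurrent Sessions" under CLI
    failed_attempts_threshold: int   # Lock/Suspend Settings: "Take action after [ ] failed attempts"
    suspend_enabled: bool            # Lock/Suspend Settings: "Suspend account for [ ] minutes" checked?
    suspend_minutes: int | None      # value of that field; None when the box is unchecked
    local_admins: dict[str, list[str]] = field(default_factory=dict)  # Admin Users: user -> groups


def check_admin_access(s: AdminAccessSettings, org_gui_sessions: int) -> list[str]:
    """Return one finding per failed check; an empty list means all three checks pass."""
    findings: list[str] = []

    # Concurrent sessions: CLI limited to exactly one, GUI to the organization-defined number.
    if s.cli_max_sessions != 1:
        findings.append(f"CLI Maximum Concurrent Sessions is {s.cli_max_sessions}; must be 1")
    if s.gui_max_sessions != org_gui_sessions:
        findings.append(f"GUI Maximum Concurrent Sessions is {s.gui_max_sessions}; "
                        f"organization-defined value is {org_gui_sessions}")

    # Lockout: at most three failed attempts, then suspend for at least 15 minutes.
    # An unchecked suspend box is a finding on its own, regardless of the minutes value.
    if s.failed_attempts_threshold > 3:
        findings.append(f"lockout threshold is {s.failed_attempts_threshold} failed attempts; "
                        "must be 3 or lower")
    if not s.suspend_enabled or s.suspend_minutes is None:
        findings.append('"Suspend account for [ ] minutes" is not enabled')
    elif s.suspend_minutes < 15:
        findings.append(f"suspend period is {s.suspend_minutes} minutes; must be 15 or higher")

    # Local accounts: exactly two (web Account of Last Resort plus default CLI admin), both Super User.
    if len(s.local_admins) != 2:
        findings.append(f"{len(s.local_admins)} local admin accounts defined; expected exactly 2")
    for user, groups in s.local_admins.items():
        if SUPER_GROUP not in groups:
            findings.append(f"local account {user!r} is not in the {SUPER_GROUP} group")
    return findings


# Constructed sample data (not captured from a real deployment).
COMPLIANT = AdminAccessSettings(
    gui_max_sessions=5, cli_max_sessions=1,
    failed_attempts_threshold=3, suspend_enabled=True, suspend_minutes=15,
    local_admins={"admin": [SUPER_GROUP], "alr-web": [SUPER_GROUP]},
)
NONCOMPLIANT = AdminAccessSettings(
    gui_max_sessions=10, cli_max_sessions=5,
    failed_attempts_threshold=5, suspend_enabled=False, suspend_minutes=None,
    local_admins={"admin": [SUPER_GROUP], "alr-web": [SUPER_GROUP], "helpdesk1": ["Helpdesk Admin"]},
)

if __name__ == "__main__":
    for label, settings in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        found = check_admin_access(settings, org_gui_sessions=5)
        print(f"{label}: {'no findings' if not found else ''}")
        for f in found:
            print("  FINDING:", f)
```

The GUI limit is compared for equality rather than "at most", because the check text asks for the organization-defined number, not an upper bound; pass the value from the SSP as org_gui_sessions.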
Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DTM-08-060.

In the configuration, view the "banner login" configuration.

If such a banner is not presented, this is a finding.
Configure the administrative sessions login banner to display when users access the web or CLI interface, appearing before and after an administrator logs in. By default, these login banners are disabled.
1. From the web management tool, click on Administration >> System >> Admin Access >> Settings >> Access >> Session.
2. To display the banner message before an administrator logs in, check the Pre-login banner check box and enter the message in the text box.
3. To display the banner message after an administrator logs in, check the Post-login banner check box and enter your message in the text box.
4. Click "Save".
To view remote logging targets, complete the following steps:
1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets.
2. The Remote Logging Targets page appears with a list of existing logging targets.

If a remote logging target is not configured, this is a finding.
Create a secure syslog remote logging target and direct logging to that site's central syslog or events server.

To create an external logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click "Add".
3. Configure the following fields:
- Name - Enter the name of the new target.
- Target Type - By default it is set to Syslog. The value of this field cannot be changed.
- Description - Enter a brief description of the new target.
- IP Address - Enter the IP address of the destination machine where you want to store the logs.
- Port - Enter the port number of the destination machine.
- Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
- Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
4. Click "Save". Go to the Logging Targets page and verify the creation of the new target.

To edit a remote logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click the radio button next to the logging target name that you want to edit and click "Edit".
3. Modify the following field values on the Log Collection page as needed:
- Name
- Target Type
- Description
- IP Address
- Port
- Facility Code
- Maximum Length
4. Click "Save". The updating of the selected Log Collector is completed.
Verify logging categories have been configured.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify the Administrative and Operational Audit logs are set to the INFO severity category.

If the Administrative and Operational Audit logs are not set to the INFO severity category, this is a finding.
Enable logging categories for Cisco ISE.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit".
3. Choose INFO from the Log Severity Level drop-down list.
4. In the Targets field, move the syslog target name that is being used to the Selected box.
5. Click "Save".
Examine the local log purge setting.

show logging internal

or choose Administration >> System >> Logging >> Local Log Settings >> Local Log Storage Period.

If local logs are set to purge after a locally established period, this is not a finding.
Configure syslog purge settings. Use the following process to delete local logs after a certain period of time. This is set based on the local environment and size of the implementation.
1. Choose Administration >> System >> Logging >> Local Log Settings.
2. In the Local Log Storage Period field, enter the maximum number of days to keep the log entries in the configuration source.
3. Click "Delete Logs Now" to delete the existing log files at any time before the expiration of the storage period.
4. Click "Save".

Note: The system is designed to delete logs if the size of the localStore folder reaches 97 GB, regardless of the configured Local Log Storage Period.
To view remote logging targets, complete the following steps:
1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets.
2. The Remote Logging Targets page appears with a list of existing logging targets.

If a remote logging target is not configured, this is a finding.
Create a Remote Logging Target and direct logging to that target.

To create an external logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click "Add".
3. Configure the following fields:
- Name - Enter the name of the new target.
- Target Type - By default it is set to Syslog. The value of this field cannot be changed.
- Description - Enter a brief description of the new target.
- IP Address - Enter the IP address of the destination machine where you want to store the logs.
- Port - Enter the port number of the destination machine.
- Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
- Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
4. Click "Save". Go to the Logging Targets page and verify the creation of the new target.

To edit a remote logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click the radio button next to the logging target name that you want to edit and click "Edit".
3. Modify the following field values on the Log Collection page as needed:
- Name
- Target Type
- Description
- IP Address
- Port
- Facility Code
- Maximum Length
4. Click "Save". The updating of the selected Log Collector is completed.
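The logging requirements above combine two things that are easy to confuse when reviewing the Logging Categories page: the category must be at the required severity, and the Targets field must include the remote syslog target, not only the local collector that ISE assigns by default. The checker below validates the Remote Logging Targets list against the field rules given in the fix text (Local0..Local7, 200..1024 bytes) and then confirms that the Administrative and Operational Audit (INFO) and AAA Audit categories each select at least one of those remote targets. This is an added example, not Cisco or DISA code; the dictionary layout, the sample target and category data, and the default-collector name "LogCollector" used in the sample are this example's own assumptions about what a reviewer would transcribe from the portal.

```python
from __future__ import annotations
import ipaddress

# Category -> severity the check requires (None: any, the category's default cannot be changed).
REQUIRED_CATEGORIES: dict[str, str | None] = {
    "Administrative and Operational Audit": "INFO",
    "AAA Audit": None,
}
VALID_FACILITIES = {f"Local{i}" for i in range(8)}   # Local0 through Local7, per the fix text


def check_remote_targets(targets: list[dict]) -> list[str]:
    """Validate the Remote Logging Targets list against the field rules in the fix text."""
    if not targets:
        return ["no remote logging target is configured"]
    findings: list[str] = []
    for t in targets:
        name = t.get("name", "<unnamed>")
        try:
            ipaddress.ip_address(t.get("ip_address", ""))
        except ValueError:
            findings.append(f"target {name!r}: IP address {t.get('ip_address')!r} is not a valid address")
        if not 1 <= int(t.get("port", 0)) <= 65535:
            findings.append(f"target {name!r}: port {t.get('port')!r} is out of range")
        if t.get("facility_code") not in VALID_FACILITIES:
            findings.append(f"target {name!r}: facility {t.get('facility_code')!r} is not Local0..Local7")
        if not 200 <= int(t.get("maximum_length", 0)) <= 1024:
            findings.append(f"target {name!r}: maximum length {t.get('maximum_length')!r} "
                            "is not within 200..1024 bytes")
    return findings


def check_logging_categories(categories: dict[str, dict], targets: list[dict]) -> list[str]:
    """Each required category must be at its required severity and select a remote target."""
    findings: list[str] = []
    remote_names = {t["name"] for t in targets}
    for cat, required_sev in REQUIRED_CATEGORIES.items():
        cfg = categories.get(cat)
        if cfg is None:
            findings.append(f"logging category {cat!r} not present")
            continue
        if required_sev and cfg.get("severity") != required_sev:
            findings.append(f"{cat}: severity is {cfg.get('severity')!r}; must be {required_sev}")
        selected = set(cfg.get("targets", []))
        # The local collector alone does not satisfy the check; a remote target must be selected.
        if not selected & remote_names:
            findings.append(f"{cat}: no remote syslog target selected (targets: {sorted(selected)})")
    return findings


# Constructed sample data (not captured from a real deployment).
TARGETS_OK = [{"name": "site-syslog", "ip_address": "192.0.2.50", "port": 6514,
               "facility_code": "Local6", "maximum_length": 1024}]
TARGETS_BAD = [{"name": "typo", "ip_address": "not-an-ip", "port": 70000,
                "facility_code": "Local9", "maximum_length": 100}]
CATEGORIES_OK = {
    "Administrative and Operational Audit": {"severity": "INFO", "targets": ["LogCollector", "site-syslog"]},
    "AAA Audit": {"severity": "INFO", "targets": ["LogCollector", "site-syslog"]},
}
CATEGORIES_BAD = {
    "Administrative and Operational Audit": {"severity": "WARN", "targets": ["LogCollector"]},
    "AAA Audit": {"severity": "INFO", "targets": ["LogCollector"]},
}

if __name__ == "__main__":
    for f in check_remote_targets(TARGETS_BAD) + check_logging_categories(CATEGORIES_BAD, TARGETS_BAD):
        print("FINDING:", f)
```

Running the sample prints four target-field findings and three category findings; with TARGETS_OK and CATEGORIES_OK both functions return empty lists.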
Verify the Cisco ISE notifies one or more individuals when the monitoring collector process is unable to persist the audit logs generated from the policy service nodes.
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Verify that "Enable" is selected.
4. Select "Enter Multiple Emails Separated with Comma".
5. Verify one or more email addresses are configured.

If the "Log Collector Error" alarm type is not enabled or email addresses are not configured to receive the alert, this is a finding.
Configure Cisco ISE to notify one or more individuals when the monitoring collector process is unable to persist the audit logs generated from the policy service nodes.
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Select "Enable".
4. Select "Enter Multiple Emails Separated with Comma".
5. Configure the email addresses of the individuals to be notified.
6. Click "Submit".
1. View the status of the Network Time Protocol (NTP) associations.

show ntp

2. Verify a primary and a secondary NTP server address are configured.

If the Cisco ISE is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.
1. Choose Administration >> System >> Settings >> System Time.
2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers.
3. Check the "Only allow authenticated NTP servers" check box to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time. DOD requires NTP authentication where available, so configure the NTP server using private keys. Click the NTP Authentication Keys tab and specify one or more authentication keys if any of the servers specified requires authentication via an authentication key, as follows:
4. Click "Add".
5. Enter the necessary Key ID and Key Value. Specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click "OK". The Key ID field supports numeric values between 1 and 65535 and the Key Value field supports up to 15 alphanumeric characters.
6. Return to the NTP Server Configuration tab after entering the NTP Server Authentication Keys.
7. Click "Save".
1. View the clock setting.

show clock

2. Verify the clock is set to use UTC.

If the Cisco ISE does not use UTC, this is a finding.
Change the clock to UTC using the CLI.

clock timezone UTC
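The two CLI checks above (redundant NTP sources from "show ntp", UTC from "show clock") can be evaluated from captured command output rather than by eye, which is useful when reviewing many nodes. The parser below relies only on the labelled "Primary NTP"/"Secondary NTP" lines and on the time-zone token in the clock line. This is an added example, not Cisco or DISA code: the sample outputs are constructed in the general shape of those commands, the exact layout varies by ISE release, and the optional "Tertiary NTP" label and the synchronisation-status check are this example's own assumptions beyond the check text.

```python
import re

# Constructed sample output in the shape of the ISE CLI commands named above (not real captures).
SHOW_NTP_SAMPLE = """\
Primary NTP    : 192.0.2.10
Secondary NTP  : 192.0.2.11
synchronised to NTP server (192.0.2.10) at stratum 2
   time correct to within 28 ms
   polling server every 1024 s
"""
SHOW_NTP_SINGLE = """\
Primary NTP    : 192.0.2.10
unsynchronised
   polling server every 64 s
"""
SHOW_CLOCK_UTC = "Tue Mar  5 14:02:11 UTC 2024\n"
SHOW_CLOCK_LOCAL = "Tue Mar  5 09:02:11 EST 2024\n"

# Only the labelled server lines are parsed; "Tertiary" is an assumed label for a third server.
NTP_SERVER_RE = re.compile(r"^\s*(Primary|Secondary|Tertiary)\s+NTP\s*:\s*(\S+)", re.MULTILINE)


def ntp_servers(show_ntp: str) -> list[str]:
    """Return the configured NTP server addresses in the order the CLI lists them."""
    return [m.group(2) for m in NTP_SERVER_RE.finditer(show_ntp)]


def clock_timezone(show_clock: str) -> str:
    """Return the time-zone token from a 'show clock' line such as 'Tue Mar  5 14:02:11 UTC 2024'."""
    parts = show_clock.split()
    return parts[-2] if len(parts) >= 2 else ""


def check_time_sources(show_ntp: str, show_clock: str) -> list[str]:
    """Return one finding per failed check; empty list means both CLI checks pass."""
    findings: list[str] = []

    # Redundant authoritative sources: at least two distinct server addresses.
    servers = ntp_servers(show_ntp)
    distinct = set(servers)
    if len(distinct) < 2:
        findings.append(f"only {len(distinct)} distinct NTP server(s) configured {servers}; "
                        "a primary and a secondary are required")

    # Sanity check beyond the STIG wording: the node should actually be synchronised.
    status = show_ntp.lower()
    if "unsynchronised" in status or "synchronised" not in status:
        findings.append("clock is not synchronised to any NTP server")

    # Clock must be set to UTC.
    tz = clock_timezone(show_clock)
    if tz != "UTC":
        findings.append(f"clock time zone is {tz!r}; must be UTC")
    return findings


if __name__ == "__main__":
    for label, ntp, clk in (("compliant", SHOW_NTP_SAMPLE, SHOW_CLOCK_UTC),
                            ("noncompliant", SHOW_NTP_SINGLE, SHOW_CLOCK_LOCAL)):
        found = check_time_sources(ntp, clk)
        print(f"{label}: {'no findings' if not found else ''}")
        for f in found:
            print("  FINDING:", f)
```

Two servers that resolve to the same address are counted once, so a primary and secondary pointing at the same host will still be reported as a single source.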
Determine if groups with access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin (at a minimum) are assigned unauthorized users.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Review the users for the groups with edit access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin at a minimum.

If the Cisco ISE does not enforce access restrictions associated with changes to the firmware, OS, and hardware components, this is a finding.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Review the users for the groups with edit access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin at a minimum.
3. To delete users from the admin group, check the check box corresponding to the user that you want to delete, and click "Remove".
4. Click "Submit".
Verify an external authentication identity source is configured.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. View the External Group configuration.

If the Cisco ISE is not configured to use an external authentication server to authenticate administrators prior to granting administrative access, this is a finding.
Configure external authentication to a central AAA identity source.

Configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.
1. Choose Administration >> System >> Admin Access >> Authentication.
2. On the Authentication Method tab, select Password Based and choose one of the external identity sources that was previously configured (for example, the Active Directory instance that was created).
3. Configure any other specific password policy settings for administrators who authenticate using an external identity store.
4. Click "Save".

Create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that was entered upon login. Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. Specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Click "Add".
3. Enter a name and optional description.
4. Choose the "External" radio button.
5. From the External Groups drop-down list box, choose the Active Directory group to map for this external administrator group. Click the "+" sign to map additional Active Directory groups to this external administrator group.
6. Click "Save".

Configure menu access and data access permissions that can be assigned to the external administrator group.
1. Choose Administration >> System >> Admin Access >> Permissions.
2. Click one of the following:
- Menu Access - All administrators who belong to the external administrator group can be granted permission at the menu or submenu level. The menu access permission determines the menus or submenus that they can access.
- Data Access - All administrators who belong to the external administrator group can be granted permission at the data level. The data access permission determines the data that they can access.
3. Specify menu access or data access permissions for the external administrator group.
4. Click "Save".

In order to configure Cisco ISE to authenticate the administrator using an external identity store and to specify custom menu and data access permissions at the same time, configure a new RBAC policy. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.
1. Choose Administration >> System >> Admin Access >> Authorization >> Policy.
2. Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure the administrator in question is associated with the correct external administrator group.
3. Click "Save".
To display information about the software version, type the following at the CLI:

show version

View details about the installed version of the Cisco ADE-OS software running in the Cisco ISE server and also the Cisco ISE version.

If the Cisco ISE is not running an operating system release that is currently supported by the vendor, this is a finding.
Install the latest approved update of the Cisco ADE-OS software.
1. Click the "Upgrade" tab in the Admin portal.
2. Click "Proceed". The Review Checklist window appears. Read the instructions carefully.
3. Check the "I have reviewed the checklist" check box, and click "Continue".
View the SSP syslog requirements. View the logging categories for Cisco ISE to verify the logging categories that pertain to the corresponding locally developed list of auditable events are enabled, configured, and being sent to the remote syslog target.
1. Log in to the Admin portal.
2. Choose Administration >> System >> Logging >> Logging Categories.
3. Click the radio button next to the desired logging category that pertains to the local list of auditable events and then click "Edit".
4. Choose the severity from the Log Severity Level drop-down list.
5. In the Targets field, move the secure syslog remote logging target to the Selected box.
6. Click "Save".
7. Repeat this procedure to enable all logging categories that pertain to the local list of auditable events.

If the Cisco ISE does not generate log records for a locally developed list of auditable events, this is a finding.
Enable logging categories for Cisco ISE to send auditable events to the remote syslog target.
1. Log in to the Admin portal.
2. Choose Administration >> System >> Logging >> Logging Categories.
3. Click the radio button next to the desired logging category that pertains to the local list of auditable events and then click "Edit".
4. Choose the severity from the Log Severity Level drop-down list.
5. In the Targets field, move the syslog remote logging target to the Selected box.
6. Click "Save".
7. Repeat this procedure to enable all logging categories that pertain to the local list of auditable events.
Navigate to Administration >> System >> Backup and Restore. Ensure that configuration data backups are scheduled at weekly intervals or in accordance with the site's SSP. If backups of the configuration data are not made when changes occur or in accordance with the site's SSP, this is a finding.
Navigate to Administration >> System >> Backup and Restore. 1. Select the "Schedule" option next to configuration Data Backup. 2. Ensure a weekly scheduled backup is configured (or in accordance with the site's SSP).
1. Review the SSP for the site's network device backup policy. Check the Cisco ISE backup log to verify that regular backups are being performed: show backup history 2. Determine whether there is a recent history of backups. Verify that the backup history shows either weekly backups or periodic backups in accordance with the SSP, and that the most recent configuration backup succeeded rather than failed. If the Cisco ISE is not configured to conduct backups of system-level information contained in the information system when changes occur, this is a finding.
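A reviewer checking this requirement across many nodes will want to evaluate the `show backup history` output mechanically rather than by eye. The following is an added example, not part of the STIG or of Cisco's tooling: it parses a constructed history listing, ignores operational (ise-operational) backups and failed attempts, and reports whether the newest successful configuration backup falls within the weekly window. The line format in SAMPLE_HISTORY and LINE_RE is an assumption about how ISE prints history entries; compare it against a real `show backup history` before using it.

```python
"""Check `show backup history` output for a recent successful configuration backup.

Added example, not part of the STIG or of Cisco's own tooling. The sample output
below is constructed and its line format is an assumption; adjust LINE_RE to the
exact format your ISE release prints (run `show backup history` and compare).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, not captured from a real node: two good weekly config
# backups, one failed config backup, and an operational backup that must not count.
SAMPLE_HISTORY = """\
Tue Mar 05 02:00:11 UTC 2024: backup ise-config-CFG10-240305-0200.tar.gpg to repository dodrepo: success
Tue Mar 12 02:00:09 UTC 2024: backup ise-config-CFG10-240312-0200.tar.gpg to repository dodrepo: success
Tue Mar 19 02:00:14 UTC 2024: backup ise-config-CFG10-240319-0200.tar.gpg to repository dodrepo: backup failed: repository unreachable
Wed Mar 20 03:15:41 UTC 2024: backup ise-operational-OPS10-240320-0315.tar.gpg to repository dodrepo: success
"""

# Assumed line shape: "<timestamp>: backup <file> to repository <repo>: <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} UTC \d{4}): backup "
    r"(?P<name>\S+) to repository (?P<repo>\S+): (?P<status>.+)$"
)


def parse_history(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S UTC %Y")
        records.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "name": m["name"],
            "repo": m["repo"],
            "status": m["status"].strip(),
            # Only ise-config bundles satisfy the configuration-backup requirement.
            "is_config": m["name"].startswith("ise-config"),
            "ok": m["status"].strip().lower() == "success",
        })
    return records


def latest_good_config_backup(records):
    """Most recent successful configuration backup, or None."""
    good = [r for r in records if r["is_config"] and r["ok"]]
    return max(good, key=lambda r: r["ts"]) if good else None


def check_backup_policy(text, now, max_age_days=7):
    """Return (compliant, message). max_age_days=7 is the weekly interval in the
    check above; substitute the SSP's interval where it differs."""
    latest = latest_good_config_backup(parse_history(text))
    if latest is None:
        return False, "no successful configuration backup in history"
    age = now - latest["ts"]
    if age > timedelta(days=max_age_days):
        return False, (f"last good config backup {latest['name']} is {age.days} days old "
                       f"(limit {max_age_days})")
    return True, f"last good config backup {latest['name']} at {latest['ts'].isoformat()}"


if __name__ == "__main__":
    ok, msg = check_backup_policy(SAMPLE_HISTORY, datetime(2024, 3, 20, 12, 0, tzinfo=timezone.utc))
    print("compliant" if ok else "FINDING", "-", msg)
```

Run against the sample with "now" set to 20 March, the failed 19 March backup is correctly not counted, so the last good configuration backup is eight days old and the node is reported as a finding even though the history is full of recent entries.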
Save the Cisco ISE configuration data and place the backup in a repository by using the backup command in EXEC mode on the CLI: backup <backup-name> repository <repository-name> ise-config encryption-key {hash | plain} <encryption-key>
Choose Administration >> System >> Certificates >> System Certificates. 1. The System Certificates page appears and provides information for the local certificates. 2. Select a certificate and choose "View" to display the certificate details. If the Cisco ISE does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Replace the self-signed certificate with a CA-signed certificate for greater security. To obtain a CA-signed certificate: A. Generate a certificate signing request (CSR) to obtain a CA-signed certificate for the nodes in your deployment. 1. Choose Administration >> System >> Certificates >> Certificate Signing Requests. 2. Enter the values for generating a CSR. Examples: RSA: Request security pki generate-key-pair certificate-id <cert_name> type rsa size <512 | 1024 | 2048 | 4096> (choose 2048 or larger; RSA keys shorter than 2048 bits are not approved for DoD use). ECDSA: Request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384> 3. Click "Generate" to generate the CSR. 4. Click "Export" to open the CSR in Notepad. 5. Copy all the text from "-----BEGIN CERTIFICATE REQUEST-----" through "-----END CERTIFICATE REQUEST-----". 6. Paste the contents of the CSR into the certificate request submitted to a DoD-approved certificate issuer. Sites must consult the PKI/PKE pages on the https://cyber.mil/ website for procedures for NIPRNet and SIPRNet. 7. Download the signed certificate. B. Import the Root Certificates to the Trusted Certificate Store: Administration >> System >> Certificates >> Trusted Certificates C. Bind the CA-Signed Certificate to the CSR. 1. Choose Administration >> System >> Certificates >> Certificate Signing Requests. Check the check box next to the node for which you are binding the CSR with the CA-signed certificate. 2. Click "Bind". 3. Click "Browse" to choose the CA-signed certificate. 4. Specify a Friendly Name for the certificate. 5. Check the "Validate Certificate Extensions" check box if you want Cisco ISE to validate certificate extensions. 6. Check the service for which this certificate will be used in the Usage area. This information is auto-populated if you enabled the Usage option while generating the CSR. If you do not want to specify the usage at the time of binding the certificate, uncheck the Usage option. You can edit the certificate later and specify the usage. 7. Click "Submit". If you have chosen to use this certificate for Cisco ISE internode communication, the application server on the Cisco ISE node is restarted.
1. Use the command line interface to view the current SNMP configuration: show startup-config (also check show running-config, since the running configuration is what is in effect and may differ). 2. Search for the keyword SNMP. If an SNMP stanza does not exist, this is not a finding. If versions earlier than SNMPv3 are enabled, this is a finding. If SNMPv3 is not configured to meet DoD requirements, this is a finding.
If SNMP is used by the organization, SNMP is configured at the command line interface. To disable SNMPv1 and SNMPv2c if they are enabled, remove the v1/v2c group with the following command: no snmp-server group <community> v1 (a v1/v2c community string is removed with no snmp-server community <community>). To enable the SNMPv3 server on Cisco ISE, use the snmp-server enable command in global configuration mode: 1. snmp-server enable 2. snmp-server user <username> v3 hash <auth-password> <priv-password> 3. snmp-server host {ip-address | hostname} trap version 3 username engine_ID hash <auth-password> <priv-password>
If wireless setup is not available in this version of the product, this is not applicable. Verify that Wi-Fi setup has been disabled after initial setup, once the device has been placed on the production network: show application status Wi-Fi setup If wireless setup is not disabled, this is a finding.
Use the application configure command in EXEC mode to disable wireless setup. application configure disable Wi-Fi setup
Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but password authentication is configured to use a FIPS 140-2/3 validated replay-resistant authentication mechanism for network access to privileged accounts, this can be lowered to a CAT 3 finding.
Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to configure individual protocols.
Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured so that SNMP messages are authenticated using a FIPS 140-2/3 validated HMAC, this can be lowered to a CAT 3 finding.
Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to configure SNMP messages to authenticate using a FIPS-140-2/3 validated HMAC.
1. View the status of the Network Time Protocol (NTP) associations: show ntp 2. Verify that a primary and a secondary NTP server address are configured. If the Cisco ISE is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.
1. Choose Administration >> System >> Settings >> System Time. 2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers. 3. Check the "Only allow authenticated NTP servers" check box to restrict Cisco ISE to using only authenticated NTP servers to keep system and network time. DoD requires NTP authentication where available, so configure each NTP server with a shared authentication key and keep the key values confidential. Click the "NTP Authentication Keys" tab and specify one or more authentication keys if any of the servers you specify requires authentication via an authentication key, as follows: 4. Click "Add". 5. Enter the necessary Key ID and Key Value. Specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click "OK". The Key ID field supports numeric values between 1 and 65535, and the Key Value field supports up to 15 alphanumeric characters. 6. Return to the NTP Server Configuration tab when finished entering the NTP Server Authentication Keys. 7. Click "Save".
Verify the min-password length is set to 15. Show password policy If the Cisco ISE password policy is not configured to require a minimum 15-character password length, this is a finding.
Configure the password policy. password-policy min-password-length 15
Verify that at least one uppercase letter is required. Show password policy If the Cisco ISE password policy is not configured to require at least one uppercase character, this is a finding.
Configure the password policy. password-policy upper-case required 1
Verify that at least one lowercase letter is required. Show password policy If the Cisco ISE password policy is not configured to require at least one lowercase character, this is a finding.
Configure the password policy. password-policy lower-case required 1
Verify that at least one digit is required. Show password policy If the Cisco ISE password policy is not configured to require at least one digit, this is a finding.
Configure the password policy. password-policy digit-required 1
Verify that at least one special character is required. Show password policy If the Cisco ISE password policy is not configured to require at least one special character, this is a finding.
Configure the password policy. password-policy special-required 1
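The SNMP check above and the five password-policy checks are all answered by the same artefact, the node's running configuration, so they are best audited together. The following is an added example, not from the STIG or from Cisco: it scans constructed ADE-OS-style configuration text, flags any SNMPv1/v2c community string or v1/v2c trap host, and reports which of the password-policy requirements (15-character minimum, uppercase, lowercase, digit, special character) are not met. The sample configurations and the exact sub-command spellings are assumptions; the normaliser treats "upper-case-required" and "upper-case required 1" identically so that either form of the fix text is recognised, but confirm against `show running-config` on your own node.

```python
"""Audit Cisco ISE (ADE-OS) running-configuration text for the SNMP and
password-policy requirements above.

Added example; not from the STIG or from Cisco. The sample configurations are
constructed and their sub-command spellings approximate ADE-OS output. Lines are
normalised so that "upper-case-required" and "upper-case required 1" both count
as satisfying the uppercase requirement; confirm the exact spelling against
`show running-config` on your own node before relying on the result.
"""
import re

# Constructed sample: a v2c community and trap host that must be flagged, and a
# password policy missing the 15-character minimum and the special-character rule.
SAMPLE_RUNNING_CONFIG = """\
!
hostname ise-pan1
!
snmp-server community publicRO ro
snmp-server host 10.1.1.50 version 2c publicRO
snmp-server user iseaudit v3 hash 2f8a0c41e9 91c3b7d2aa
!
password-policy
  lower-case-required
  upper-case-required
  digit-required
  no-username
  min-password-length 8
!
"""

# Constructed sample written in the single-line form used by the fix text above.
COMPLIANT_RUNNING_CONFIG = """\
snmp-server host 10.1.1.50 version 3 iseaudit
password-policy min-password-length 15
password-policy upper-case required 1
password-policy lower-case required 1
password-policy digit-required 1
password-policy special-required 1
"""


def normalise(line):
    """Lowercase, drop '!' comments and indentation, and treat '-' as a word break."""
    line = line.split("!", 1)[0].strip().lower()
    return re.sub(r"[\s-]+", " ", line)


def audit_snmp(config):
    """Return a finding string for every SNMPv1/v2c artefact (community strings
    and v1/v2c trap hosts). An empty list means only SNMPv3, or no SNMP at all."""
    findings = []
    for line in map(normalise, config.splitlines()):
        if line.startswith("snmp server community "):
            findings.append(f"SNMPv1/v2c community string configured: {line}")
        m = re.match(r"snmp server host \S+ version (1|2c)\b", line)
        if m:
            findings.append(f"SNMPv{m.group(1)} trap host configured: {line}")
    return findings


def password_policy_lines(config):
    """Collect the normalised sub-commands of the password-policy stanza, whether
    written as an indented block or as single 'password-policy <option>' lines."""
    lines, inside = [], False
    for raw in config.splitlines():
        n = normalise(raw)
        if not n:                       # blank or '!' separator ends the stanza
            inside = False
            continue
        if n == "password policy":
            inside = True
            continue
        if n.startswith("password policy "):
            lines.append(n[len("password policy "):])
            continue
        if inside and raw[:1].isspace():
            lines.append(n)
        else:
            inside = False
    return lines


def _has(prefix):
    """Predicate: some policy line starts with prefix (so 'no ...' does not match)."""
    return lambda lines: any(l.startswith(prefix) for l in lines)


def _min_length(lines, minimum=15):
    for l in lines:
        m = re.match(r"min password length (\d+)$", l)
        if m:
            return int(m.group(1)) >= minimum
    return False


PASSWORD_REQUIREMENTS = [
    ("minimum length 15", _min_length),
    ("uppercase required", _has("upper case required")),
    ("lowercase required", _has("lower case required")),
    ("digit required", _has("digit required")),
    ("special character required", _has("special required")),
]


def audit_password_policy(config):
    """Return the descriptions of password-policy requirements that are not met."""
    lines = password_policy_lines(config)
    return [desc for desc, check in PASSWORD_REQUIREMENTS if not check(lines)]


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_RUNNING_CONFIG) + audit_password_policy(SAMPLE_RUNNING_CONFIG):
        print("FINDING:", f)
```

On the first sample the v3 user line is left alone, the community string and the version 2c trap host each produce a finding, and the password policy is reported as failing only the minimum-length and special-character requirements; the second sample, written in the fix's own command form, produces no findings.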
Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to configure the password authentication process to use a FIPS 140-2/140-3 validated SHA-2 (or greater), this can be lowered to a CAT 2 finding.
Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/140-3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. Note: Configuring FIPS mode is the required DOD configuration. However, this requirement can be lowered to a CAT 2 if the alternative manual configuration is used to configure the password authentication process to use a FIPS 140-2/140-3 validated SHA-2 (or greater).
View the SSP for the required value. Navigate to Administration >> System >> Admin Access >> Authentication >> Password Policy. Verify the SSP required value matches the "Password cached for" field. If the Cisco ISE does not prohibit the use of cached authenticators after an organization-defined time period, this is a finding.
Navigate to Administration >> System >> Admin Access >> Authentication >> Password Policy. Set the "Password cached for" field to the organization-defined value available in the SSP.
Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to configure SHA-2 (or greater) to protect the integrity of HMAC, KDFs, Random Bit Generation, and hash-only applications, this can be lowered to a CAT 2 finding.
Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 2 if the alternative manual configuration is used to configure SHA-2 or higher hash function to protect the integrity of HMAC, KDFs, Random Bit Generation, and hash-only applications.
Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to use a FIPS 140-2/3 validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this can be lowered to a CAT 3 finding.
Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to configure a FIPS 140-2/3 validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.
Verify that the SSP requires a process for verifying the checksum of software downloads and install ISO files. If a local documented process does not require that the checksum value of any software download be verified, this is a finding.
Go to the DoD repository or the Cisco download page. Hover over the download link and a small window pops up with information about that particular download, including the MD5 and SHA512 checksum values of the file. From the Cisco ISE command line interface (CLI), enter the application upgrade prepare command. This command copies the upgrade bundle to the local "upgrade" repository and lists the checksums of the copied bundle. Compare the SHA-512 value rather than relying on MD5 alone (MD5 is collision-prone). If the checksum matches the value published at the source, proceed with the update.
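Where the published digest is compared on a workstation rather than by the appliance, the comparison should stream the multi-gigabyte ISO, tolerate the way digests are usually pasted (a "SHA512:" label, upper case, a trailing filename), and refuse a truncated value instead of "matching" a prefix. The following is an added example, not from the STIG or from Cisco; the bundle bytes are constructed and SAMPLE_EXPECTED is computed locally as a stand-in for the value copied from the Cisco download page or DoD repository.

```python
"""Verify a downloaded Cisco ISE bundle against the vendor-published SHA-512.

Added example; not from the STIG or from Cisco. The sample bundle bytes are
constructed and SAMPLE_EXPECTED is computed here purely as a stand-in for the
value you would copy from the Cisco download page or the DoD repository.
"""
import hashlib
import tempfile

HEX_DIGITS = set("0123456789abcdef")
SHA512_HEX_LEN = 128


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise_digest(value):
    """Accept the digest as usually pasted: optional 'SHA512:' label, any case,
    and an optional trailing filename as in sha512sum output."""
    value = value.strip()
    if ":" in value:
        value = value.split(":", 1)[1].strip()
    return value.split()[0].lower() if value else ""


def verify_download(path, expected):
    """Return (ok, actual_hex). A malformed or truncated expected digest is a
    failure, not a match: comparing against a partial value proves nothing."""
    expected = normalise_digest(expected)
    actual = sha512_of_file(path)
    if len(expected) != SHA512_HEX_LEN or not set(expected) <= HEX_DIGITS:
        return False, actual
    return actual == expected, actual


def make_sample_bundle(content):
    """Write constructed bytes to a temp file standing in for the downloaded ISO."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".iso") as f:
        f.write(content)
        return f.name


SAMPLE_CONTENT = b"constructed stand-in for an ISE upgrade bundle\n"
SAMPLE_EXPECTED = hashlib.sha512(SAMPLE_CONTENT).hexdigest()  # stands in for the published value


if __name__ == "__main__":
    path = make_sample_bundle(SAMPLE_CONTENT)
    ok, actual = verify_download(path, "SHA512: " + SAMPLE_EXPECTED.upper())
    print("checksum OK, proceed with upgrade" if ok else f"MISMATCH: {actual}")
```

A single appended byte in the bundle, or a digest copied only halfway, both come back as a failure; the actual digest is returned alongside the verdict so it can be recorded in the change ticket.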
Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to use a FIPS 140-2/3 validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this can be lowered to a CAT 2 finding.
Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 2 if the alternative manual configuration is used to configure a FIPS 140-2/3 validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.
From the CLI EXEC mode, type show terminal. From the GUI, navigate to Administration >> System >> Admin Access >> Settings >> Session. View the session timeout setting. If either the CLI terminal session timeout or the administration portal session timeout is not set to six minutes or less, this is a finding.
Configure the session timeout for administrators. Web portal: 1. Choose Administration >> System >> Admin Access >> Settings >> Session >> Session Timeout. 2. Type "6". 3. Click "Save". CLI: from EXEC mode, type terminal session-timeout 6 so the CLI matches the six-minute limit checked with show terminal.
Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to use a FIPS 140-2 approved Random Number Generator (RNG) based on a DRBG to generate unique session identifiers, this can be lowered to a CAT 3 finding.
Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) based on a DRBG.
View the local admin users. 1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >> View. 2. Verify that only two local accounts are defined. Both must be in the Super Admin group. These users must be the web-based Account of Last Resort and the default CLI admin user. If the Cisco ISE has unauthorized local users defined, this is a finding.
Create a local web-based administrator. ONLY one web-based admin account should exist on the local device. The default CLI account is also local and cannot be removed. 1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >> Add. 2. From the drop-down, choose "Create an Admin User". 3. Enter the admin name and other information. 4. Add the Super Admin group. 5. Click "Submit".
Verify that the system and system-options are configured to protect against DoS attacks. If the system options that limit the effects of common types of DoS attacks are not configured in compliance with DoD requirements, this is a finding.
Configure the system and system-options to protect against DoS attacks. These are examples of settings that should be adjusted to limit DoS attacks; the exact values will vary with site traffic. Use the synflood-limit command to configure a TCP SYN packet rate limit. To limit TCP/UDP/ICMP packets from a single source IP address, use the rate-limit command in configuration mode.
To view remote logging targets, complete the following steps: 1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets. 2. The Remote Logging Targets page appears with a list of existing logging targets. If at least two remote logging targets are not configured, this is a finding.
Create at least two Remote Logging Targets and direct logging to those targets. To create an external logging target, complete the following steps: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Click "Add". 3. Configure the following fields: - Name - Enter the name of the new target - Target Type - By default it is set to Syslog. The value of this field cannot be changed. - Description - Enter a brief description of the new target. - IP Address - Enter the IP address of the destination machine where you want to store the logs. - Port - Enter the port number of the destination machine. - Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7. - Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes. 4. Click "Save". Go to the Logging Targets page and verify the creation of the new target. To edit a remote logging target, complete the following steps: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Click the radio button next to the logging target name that you want to edit and click "Edit". 3. Modify the following field values on the Log Collection page as needed. - Name - Target Type - Description - IP Address - Port - Facility Code - Maximum Length 4. Click "Save". The updating of the selected Log Collector is completed.
Verify that logging is initiated upon system startup. Since a production node usually cannot be restarted just to observe this, review the logging categories setup instead. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit category is configured for the INFO log severity level. 3. Verify that logging categories have been configured and have been set to the syslog target. If logging categories are not configured to send to the central syslog server, this is a finding.
Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat the above steps to enable the AAA Audit logging category and any other logging categories desired. Note that for some logging categories the default log severity level cannot be changed. 6. Click "Save".
Verify that the logging categories required by the SSP, based on mission requirements for Cisco ISE, are configured. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button for each logging category and verify its settings. Verify that all categories required by the SSP are set and that the appropriate severity level is selected (usually WARNING). If a logging category required by the SSP is not configured and sent to the central syslog server target, this is a finding.
Enable the logging categories required by the SSP, based on mission requirements for Cisco ISE, to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat steps 2 through 4 for the other categories required by the organizational mission and SSP. 6. Click "Save".