STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 13 Apr 2021

The Cisco ISE must enforce approved access by employing authorization policies with specific attributes, such as resource groups, device type, certificate attributes, or any other attributes that are specific to a group of endpoints and/or mission conditions, as defined in the site's Cisco ISE System Security Plan (SSP).

DISA Rule

SV-242576r714038_rule

Vulnerability Number

V-242576

Group Title

SRG-NET-000015-NAC-000020

Rule Version

CSCO-NC-000020

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure each policy set so that its default authorization rule returns either "Deny-Access" or a restricted-access result.

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

On the default authorization rule select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination used to restrict the access.

Check Contents

Verify that the default authorization rule of each policy set returns either "Deny-Access" or a restricted-access result.

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.
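The fix and check procedures above are performed in the ISE GUI one policy set at a time. The following added audit script (not part of the STIG or of Cisco ISE) applies the same check to an exported rule list: it assumes each policy set's authorization rules are available as JSON in the shape returned by the ISE Open API (a `rule.default` flag and a `profile` list per rule), and that the site's restricted-access result profiles are known from its SSP; the profile names and the sample export are constructed for illustration.

```python
"""Audit exported Cisco ISE policy sets for CSCO-NC-000020: the default
authorization rule of every policy set must return DenyAccess or a
restricted-access result, never an unrestricted one such as PermitAccess."""

# Result profiles the site treats as restricted access (assumed names;
# in practice take the list from the site's SSP).
RESTRICTED_PROFILES = {"DenyAccess", "Quarantine_VLAN", "Restricted_dACL"}

# Constructed sample modelled on Open API authorization-rule JSON:
# rule.default marks the default rule, profile lists its result profiles.
SAMPLE_EXPORT = {
    "Wired_Dot1X": [
        {"rule": {"name": "Corp_Users", "default": False}, "profile": ["Corp_Access"]},
        {"rule": {"name": "Default", "default": True}, "profile": ["DenyAccess"]},
    ],
    "Guest_Wireless": [
        {"rule": {"name": "Default", "default": True}, "profile": ["PermitAccess"]},
    ],
    "Legacy_MAB": [
        {"rule": {"name": "Default", "default": True},
         "profile": ["Quarantine_VLAN", "Restricted_dACL"]},
    ],
    "No_Default_Rule": [
        {"rule": {"name": "Only_Rule", "default": False}, "profile": ["Corp_Access"]},
    ],
}


def default_rule(rules):
    """Return the default authorization rule of a policy set, or None."""
    for entry in rules:
        if entry.get("rule", {}).get("default"):
            return entry
    return None


def audit_policy_sets(export, restricted=RESTRICTED_PROFILES):
    """Return {policy_set: reason} for every policy set that is a finding."""
    findings = {}
    for name, rules in export.items():
        rule = default_rule(rules)
        if rule is None:
            findings[name] = "no default authorization rule found"
            continue
        profiles = set(rule.get("profile", []))
        # Every result on the default rule must be restricted; a single
        # unrestricted profile grants full access to any unmatched endpoint.
        unrestricted = sorted(profiles - restricted)
        if not profiles or unrestricted:
            findings[name] = "default rule returns " + (", ".join(unrestricted) or "no profile")
    return findings
```

Policy sets that are not returned by `audit_policy_sets` satisfy the check; each returned entry names the policy set and the unrestricted result its default rule hands out.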

Documentable

False

Check Content Reference

M

Target Key

5383

Comments