STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021

The Cisco ISE must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves.

DISA Rule

SV-242587r714071_rule

Vulnerability Number

V-242587

Group Title

SRG-NET-000015-NAC-000130

Rule Version

CSCO-NC-000130

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the remediation authorization policy to prevent intra-remediation VLAN communication.

1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Locate the authorization rule whose condition is "Session-PostureStatus EQUALS NonCompliant", or the rule that grants remediation access.
5. Set that rule's result (its authorization profile) to one that blocks intra-VLAN communication (private VLAN, dACL, ACL, or SGT).
6. Choose "Save".
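As an added illustration (not part of the STIG text or of Cisco's documentation), the following shows what the result chosen in step 5 looks like when a dACL is used, in Cisco IOS extended-ACL form: a common "remediation" dACL that still allows lateral traffic, beside a corrected one. The same ACE lines (without the `ip access-list` header and `remark` lines) are what is pasted into the ISE downloadable-ACL content that the NonCompliant authorization profile references. All addresses, ports beyond the ISE defaults, and ACL names are constructed assumptions.

```cisco
! Constructed addressing (assumptions, not from the STIG):
!   10.20.30.0/24  remediation VLAN assigned to NonCompliant endpoints
!   10.1.1.10      ISE Policy Service Node (posture agent TCP 8905, portal TCP 8443)
!   10.1.1.20      remediation/patch server
!   10.1.1.53      DNS resolver
!
! WEAK: reaches the posture and patch services, but the trailing
! "permit ip any any" lets a quarantined host reach every peer in its VLAN.
ip access-list extended REMEDIATION-DACL-WEAK
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.1.1.10 eq 8443
 permit tcp any host 10.1.1.10 eq 8905
 permit ip any host 10.1.1.20
 permit ip any any
!
! CORRECTED: the same service permits, then an explicit deny for the
! remediation subnet before anything broad. Entries are matched top-down,
! first match wins, so the deny must come before any wide permit.
ip access-list extended REMEDIATION-DACL
 remark DHCP and DNS are needed to obtain an address and resolve the PSN
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.1.1.53 eq domain
 remark posture assessment and client provisioning on the PSN only
 permit tcp any host 10.1.1.10 eq 8443
 permit tcp any host 10.1.1.10 eq 8905
 remark remediation content only
 permit tcp any host 10.1.1.20 eq 80
 permit tcp any host 10.1.1.20 eq 443
 remark no client-to-client traffic inside the remediation VLAN
 deny   ip any 10.20.30.0 0.0.0.255
 deny   ip any any
```

Two caveats a reviewer should keep in mind. On Catalyst switches the source `any` in a dACL is rewritten to the authenticated host's address, which requires IP device tracking on the port; without it the dACL is not applied as intended. A dACL is an IP port ACL enforced on ingress, so it does filter bridged same-VLAN IP traffic, but it does not stop ARP or other non-IP frames between hosts in the VLAN; where Layer 2 isolation is required, pair it with a private VLAN or SGT/SGACL enforcement, which the STIG lists as alternatives.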

Check Contents

Verify the authorization policy will prevent intra-remediation VLAN communication.

1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that a rule with the condition "Session-PostureStatus EQUALS NonCompliant", or an authorization rule for remediation, is present, and note the authorization profile it uses.
5. Navigate to Policy >> Policy Elements >> Results >> Authorization >> Authorization Profiles and open the authorization profile noted above.
6. Ensure the profile's result restricts lateral traffic within that VLAN by a private VLAN, dACL, ACL, SGT, or any combination of these.
7. If a private VLAN is used, review the switch configuration to confirm it is a private VLAN.

If there is not an authorization policy for NonCompliant clients or remediation, this is a finding.

If the authorization policy does not prevent intra-remediation VLAN communication, this is a finding.
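For step 7 of the check, the following is a constructed example (added here, not from the STIG or from Cisco) of what the access-switch configuration looks like when the remediation VLAN is a genuine private VLAN; VLAN IDs, interface names and addresses are assumed.

```cisco
! Primary VLAN 200 carries the gateway and remediation resources;
! isolated secondary VLAN 201 holds quarantined endpoints.
vlan 200
 name REMEDIATION-PRIMARY
 private-vlan primary
 private-vlan association 201
!
vlan 201
 name REMEDIATION-ISOLATED
 private-vlan isolated
!
! SVI on the primary VLAN, mapped to the secondary so isolated hosts reach the gateway
interface Vlan200
 ip address 10.20.30.1 255.255.255.0
 private-vlan mapping 201
!
! Remediation server on a promiscuous port: reachable by isolated hosts
interface GigabitEthernet1/0/24
 description remediation-server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Endpoint port as an isolated host: it can reach promiscuous ports only,
! never another isolated port, including for ARP and broadcast.
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
```

Confirm with `show vlan private-vlan` (VLAN 201 must appear as type isolated, associated with 200) and `show interfaces GigabitEthernet1/0/1 switchport` (operational mode private-vlan host). A VLAN that is merely named for remediation but has no `private-vlan isolated` line is an ordinary VLAN and does not satisfy this step. If the authorization profile assigns the VLAN dynamically, verify on the platform in use that the assigned VLAN is the isolated secondary and that the port operates as a private-VLAN host port; that interaction is platform-specific and not shown here.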

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5383