STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide
Version: 1, Release: 1, Benchmark Date: 13 Apr 2021

The Cisco ISE must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment.

DISA Rule

SV-242601r714113_rule

Vulnerability Number

V-242601

Group Title

SRG-NET-000343-NAC-001460

Rule Version

CSCO-NC-000270

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set.

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these used to restrict access.

Check Contents

Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set.

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Documentable

False

Severity Override Guidance

Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set.

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Check Content Reference

M

Target Key

5383
