Cisco Identity Services Engine User Guide, Release 1.1
Configuring Client Posture Policies
Downloads: This chapterpdf (PDF - 1.39MB) The complete bookPDF (PDF - 24.52MB) | Feedback

Table of Contents

Configuring Client Posture Policies

Posture Service

Understanding the Posture Service

Posture and Client Provisioning Services

Posture and Client Provisioning Policies Flow

Licenses for the Posture Service

Deploying the Posture Service

Configuring the Posture Service in Cisco ISE

Posture Compliance Dashlet

Viewing Posture Reports

Posture Administration Settings in Cisco ISE

Posture General Settings

Posture Reassessments

Initiating and Requesting a PRA

PRA Failure Actions

User Identity Group (Role) Assignment

PRA Report Tracking and Enforcement

PRA Enforcement During Distributed System Failure

Configuring Client Posture Periodic Reassessments

Posture Updates

Dynamic Posture Updates

Offline Posture Updates

Posture Acceptable Use Policy

Configuring Acceptable Use Policies

Client Posture Assessments in Cisco ISE

Client Posture Assessment Policies

Simplified Posture Policy Configuration

Creating, Duplicating, and Deleting Client Posture Policies

Creating a New Posture Policy

Duplicating a Posture Policy

Deleting a Posture Policy

Posture Assessment and Remediation Options in Cisco ISE

Custom Conditions for Posture

File Conditions

Configuring File Conditions

Viewing File Conditions

Creating, Duplicating, Editing, and Deleting a File Condition of FileExistence Type

Creating, Duplicating, Editing, and Deleting a File Condition of FileDate Type

Creating, Duplicating, Editing, and Deleting a File Condition of FileVersion Type

Filtering File Conditions

Registry Conditions

Configuring Registry Conditions

Viewing Registry Conditions

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryKey Type

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValue Type

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValueDefault Type

Filtering Registry Conditions

Application Conditions

Configuring Application Conditions

Viewing Application Conditions

Creating, Duplicating, Editing, and Deleting an Application Condition

Filtering Application Conditions

Service Conditions

Configuring Service Conditions

Viewing Service Conditions

Creating, Duplicating, Editing, and Deleting a Service Condition

Filtering Service Conditions

Compound Conditions

Configuring Compound Conditions

Viewing Compound Conditions

Creating, Duplicating, Editing, and Deleting a Compound Condition

Filtering Compound Conditions

Antivirus and Antispyware Compound Conditions

Antivirus Compound Conditions

Configuring Antivirus Compound Conditions

Creating, Duplicating, Editing, and Deleting an Antivirus Compound Condition

Filtering Antivirus Compound Conditions

Antispyware Compound Conditions

Configuring Antispyware Compound Conditions

Creating, Duplicating, Editing, and Deleting an Antispyware Compound Condition

Filtering Antispyware Compound Conditions

Dictionary Simple Conditions

Configuring Dictionary Simple Conditions

Creating, Duplicating, Editing, and Deleting a Dictionary Simple Condition

Filtering Dictionary Simple Conditions

Dictionary Compound Conditions

Configuring Dictionary Compound Conditions

Creating, Duplicating, Editing, and Deleting a Dictionary Compound Condition

Filtering Dictionary Compound Conditions

Posture Results

Custom Posture Remediation Actions

Configuring Custom Posture Remediation Actions

File Remediation

Viewing, Adding, and Deleting a File Remediation

Filtering File Remediations

Link Remediation

Adding, Duplicating, Editing, and Deleting a Link Remediation

Filtering Link Remediations

Antivirus Remediation

Adding, Duplicating, Editing, and Deleting an Antivirus Remediation

Filtering Antivirus Remediations

Antispyware Remediation

Adding, Duplicating, Editing, and Deleting an Antispyware Remediation

Filtering Antispyware Remediations

Launch Program Remediation

Adding, Duplicating, Editing, and Deleting a Launch Program Remediation

Filtering Launch Program Remediations

Windows Update Remediation

Adding, Duplicating, Editing, and Deleting a Windows Update Remediation

Filtering Windows Update Remediations

Windows Server Update Services Remediation

Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation

Filtering Windows Server Update Services Remediations

Client Posture Assessment Requirements

Creating, Duplicating, and Deleting Client Posture Requirements

Creating a New Posture Requirement

Duplicating a Posture Requirement

Deleting a Posture Requirement

Custom Authorization Policies for Posture

Standard Authorization Policies for a Posture

Creating, Duplicating, and Deleting a Standard Authorization Policy for a Posture

Custom Permissions for Posture

Configuring Client Posture Policies

This chapter describes the posture service in the Cisco Identity Services Engine (Cisco ISE) appliance that allows you to check the state (posture) for all the endpoints that are connecting to your Cisco ISE enabled network with your corporate security policies for compliance before clients access protected areas of your network.

This chapter guides you through the features of the Cisco ISE posture service in detail.

Understanding the Posture Service

Posture Compliance Dashlet

Viewing Posture Reports

Posture General Settings

Posture Reassessments

Posture Updates

Posture Acceptable Use Policy

Client Posture Assessment Policies

Simplified Posture Policy Configuration

Custom Posture Remediation Actions

Client Posture Assessment Requirements

Posture Service

The Network Admission Control (NAC) Agents that are installed on the clients interact with the posture service to enforce security policies on all the endpoints that attempt to gain access to your protected network. At the same time, the NAC Agents enforce security policies on noncompliant endpoints by blocking network access to your protected network. They assist you in evaluating clients against posture policies, and as well as enforce clients to meet requirements that are required for compliance with your organization’s security policies.

The posture service checks the state (posture) of the clients for compliance with your corporate security policies before the client gains the privileged network access. The Client Provisioning service ensures that the clients are setup with appropriate Agents that provide posture assessment and remediation for the clients.

The NAC Agent for ISE does not support Windows Fast User Switching when using the Native Supplicant. This is because there is no clear disconnect of the older user. When a new user is sent, the Agent is hung on the old user process and session ID, and hence a new posture cannot take place. As per the Microsoft Security policies, it is recommended to disable Fast User Switching.

For information on the posture service in detail, see the “Understanding the Posture Service” section.

For information on Posture Compliance dashlet, see the “Posture Compliance Dashlet” section.

For information on posture reports, see the “Viewing Posture Reports” section.

SWISS Protocol

The SWISS protocol is a stateless request response protocol that allows NAC Agents which are running on managed clients to discover the Cisco ISE server, and retrieve configuration and operational information. The NAC Agent connects to the Cisco ISE server by sending SWISS unicast discovery packets out on User Datagram Protocol (UDP) port 8905 until a Cisco ISE node that assumes the Policy Service persona sends a response to the client. The SWISS protocol uses TCP transport for all the messages and UDP transport for periodical requests. The NAC Agent tunnels all the SWISS requests over HTTPS and pings the Cisco ISE SWISS UDP server for changes to its authentication and posture state.

The SWISS request message that comes from the client machine includes information pertaining to resource types for the following items:

  • Agent profiles
  • Agent compliance modules
  • Agent customization package

In addition to answering the above request items, the SWISS response from the Cisco ISE server can also contain prompts to update the current Agent and URL or URLs that are required to perform posture assessment and remediation on the client machine.

For descriptions of the various types of agents available in Cisco ISE, see Cisco ISE Agents.

Understanding the Posture Service

Cisco ISE posture service primarily includes the posture administration services and the posture run-time services. If you do not have the advanced license package installed on your Cisco ISE deployment, then the posture administration services user interface will not be available for you to use in Cisco ISE.

Posture Administration Services

The administration services provide the back-end support for posture specific custom conditions, and remediation actions that are associated to the requirements and authorization policies that are configured for posture service on your Cisco ISE deployment.

Posture Run-time Services

The posture run-time services encapsulates the SWISS protocol services, and all the interactions that happen between the NAC Agents and the Cisco ISE server for posture assessment and remediation of clients.

Validating a Posture Requirement Request

Once the client (an endpoint) is authenticated on the network, the client can be granted limited access on the network. For example, the client can access remediation-only resources on the network. The NAC Agent that is installed on the client validates the requirements for an endpoint and the endpoint is moved to a compliant state upon successful validation of the requirements. If the endpoint satisfies the requirement, a compliance report will be sent to the Cisco ISE node that assumes the Policy Service persona and the run-time services triggers a Change of Authorization (CoA) for the posture compliant status. If the endpoint fails to satisfy the requirement, a noncompliance report will be sent to the Cisco ISE node that assumes the Policy Service persona and the run-time services triggers a CoA for the posture noncompliant status.

Now, the Agent gets its session ID from the redirect URL and sends it along with its MAC address and IP address in a SWISS request. The posture run-time services looks up in the session cache using the session ID first, MAC address, and then the IP address, if required. If the posture run-time services finds the same session using the session ID in the session cache, then it queries the posture policies in Cisco ISE and tries to match the posture policies. Once matched, it generates the specified XML format that contains the matched requirements and sends to the NAC Agents. The NAC Agents send the posture report to the posture run-time services.

Generating a Posture Requirement

The run-time services requests for the posture requirement for the endpoint by looking up at the role to which the user belongs to and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies through one or more requirements associated with the policies and for each requirement through one or more conditions. Once the posture policy is retrieved for the endpoint, the posture run-time services communicate the requirement to the NAC Agent in a specified XML format.

Processing the Posture Report from the Cisco NAC Agent

The NAC Agent validates the endpoint for compliance based on the requirements that are sent from the Cisco ISE server and determines the posture of the endpoint. If the endpoint is not compliant with the requirement, then the NAC Agent prompts to remediate the endpoint for compliance. Any failures during posture evaluation results in the noncompliance of the endpoint. The NAC Agent sends the appropriate compliance report to the Cisco ISE server once postured compliant or noncompliant.

Issuing a CoA Based on the Posture Report Evaluation

Upon evaluating the posture report received from the NAC Agent, an endpoint may be identified as compliant or noncompliant. If the endpoint is compliant or noncompliant, then the posture run-time services triggers a CoA for that endpoint session. Based on the profile configured for compliant or noncompliant, the end user gets the appropriate level of access privileges to the network.

Logging

Upon processing the posture request and report, the run-time services sends audit log messages to the Cisco ISE node that assumes the Monitoring persona.

For information on how posture and client provisioning session services work in Cisco ISE, see the “Posture and Client Provisioning Services” section.

For information on licenses for the posture service, see the “Licenses for the Posture Service” section.

For information on how to deploy the posture service in detail, see the “Deploying the Posture Service” section.

Posture and Client Provisioning Services

Prerequisites:

Before you begin, you should have an understanding of the available client provisioning resources in Cisco ISE that you can configure for the clients.

For information on how to configure client provisioning resource policies, see the “Configuring Client Provisioning Resource Policies” section.

Before you begin, you should have an understanding of the Client Provisioning session service in Cisco ISE. Cisco ISE manage client provisioning resources for your clients and uses the client provisioning resource policies to ensure that the client systems are set up with an appropriate Agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles.

For information on the Client Provisioning session service, see Chapter19, “Configuring Client Provisioning Policies”

For information on the NAC Agent that is installed on the client and the client operating system compatibility, see Cisco Identity Services Engine Network Component Compatibility, Release 1.1 .

Posture and Client Provisioning Policies Flow

Figure 20-1 shows the flow of posture and client provisioning policies in Cisco ISE posture service.

Figure 20-1 Posture and Client Provisioning Policies Workflow in CIsco ISE

 

Licenses for the Posture Service

Prerequisites:

Before you begin, you should have an understanding on how licenses restrict the usage of Cisco ISE posture service with both the base and advanced license packages.

For more information on Cisco ISE license packages, refer to the Performing Post Installation Tasks chapter in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1 .

Cisco ISE allows you to configure the posture service to run on multiple Cisco ISE nodes in a distributed deployment. You can also configure the posture service on a single node in a standalone Cisco ISE deployment.

Cisco ISE deployment provides you with two main types of licenses, namely the base license and advanced license. You also have an evaluation license which, if further use is desired, needs to be upgraded to the appropriate base or advanced license once the evaluation license period is over.

In addition, if you do not have the advanced license installed on your primary administration node, then the SWISS server does not get initialized during run time. If the SWISS server does not initialize, then the posture requests will not be served in Cisco ISE. If the advanced license is not installed in Cisco ISE, then the posture service menus on the Cisco ISE administration user interface will be removed except the default posture status configuration for unsupported operating system on the Administration > System > Settings > Posture > General Settings configuration page. The posture run-time services takes appropriate action when you add or remove any advanced license file to your Cisco ISE deployment. During run time, the SWISS server initializes when you add the advanced license, and it stops when you remove the advanced license, or when the advanced license expires.

Deploying the Posture Service

Prerequisites:

Before you begin, you should have an understanding of the centralized configuration and management of Cisco ISE nodes in the distributed deployment.

For information on Cisco ISE distributed deployment, Chapter 9, “Setting Up Cisco ISE in a Distributed Environment”

You can deploy Cisco ISE either in a standalone environment (on a single node), or in a distributed environment (on multiple nodes). Depending on the type of your deployment and the license you have installed, the posture service of Cisco ISE can run on a single node or on multiple nodes. You need to install either the base license to take advantage of the basic services or the advanced license to take advantage of all the services of Cisco ISE.

In a standalone Cisco ISE deployment, you can configure a single node for all the administration services, the monitoring and trouble shooting services, and the policy run-time services. You cannot configure a node as an node in a standalone deployment.

In a distributed Cisco ISE deployment, you can configure each node as a Cisco ISE node for administration services, monitoring and troubleshooting services, and policy run-time services, or as an inline posture node as needed. A node that runs the administration services is the primary node in that Cisco ISE deployment. The other nodes that run other services are the secondary nodes which can be configured for backup services for one another.

Configuring the Posture Service in Cisco ISE

From the Administration menu, you can choose Deployment to manage the ISE deployment on a single node or multiple nodes. You can use the Deployment Nodes page to configure the posture service for your Cisco ISE deployment.

To manage the Cisco ISE deployment, complete the following steps:


Step 1 Choose Administration > System > Deployment .

The Deployment menu window appears on the left pane of the user interface. You can use the Table view button or the List view button to display the nodes in your Cisco ISE deployment.

Step 2 Click the Table view button.

Step 3 Click the Quick Picker (right arrow) icon to view the nodes that are registered in your deployment.

The Table view displays all the nodes that are registered in a row format on the right pane of the user interface.


Note To view the nodes in your deployment in a tree, click the List view button. An arrow appears in front of the Deployment menu. Click the arrow in front of the Deployment menu to view the nodes that are registered in your deployment in a tree view. The List view displays all the nodes in the Deployment menu window in a tree.


From the Deployment menu, you can run the posture service on any Cisco ISE node that assumes the Policy Service persona in a distributed deployment.


 

To deploy the posture session service, complete the following steps :


Step 1 Choose Administration > System > Deployment > Deployment (menu window).

The Deployment menu window appears. You can use the Table view or the List view button to display the nodes on your deployment.

Step 2 Click the Table view button.

Step 3 Click the Quick Picker (right arrow) icon to view the nodes that are registered in your deployment.

The Table view displays all the nodes that are registered in a row format on the Deployment Nodes page of the user interface. The Deployment Nodes page displays the Cisco ISE nodes that you have registered, along with their names, personas, roles, and the replication status for the secondary nodes in your deployment.

Step 4 Choose a Cisco ISE node from the Deployment Nodes page.


Note If you have more than one node that are registered in a distributed deployment, all the nodes that you have registered appear in the Deployment Nodes page, apart from the primary node. You have the option to configure each node as a Cisco ISE node (administration, policy service, and monitoring personas) or an Inline Posture node.


Step 5 Click the Edit button.

The Edit Node page appears. This page contains the General settings tab that is used to configure the Cisco ISE deployment. This page also features the Profiling Configuration tab, which is used to configure the probes on each node. If you have the Policy Service persona disabled, or if enabled but the Enable Profiler services option is not selected, then the Cisco ISE administrator user interface does not display the Profiling Configuration tab. If you have the Policy Service disabled on any node, ISE displays only the General settings tab and does not display the Profiling Configuration tab that prevents you from configuring the probes on the node.

Step 6 From the General settings tab, check the Policy Service check box, if it is already active.

If you have the Policy Service check box unchecked, both the session services and the Profiler service check boxes are disabled.

Step 7 For the Policy Service persona to run the Network Access, Posture, Guest, and Client Provisioning session services, check the Enable Session Services check box, if it is not already active. To stop the session services, uncheck the Enable Session Services check box.


Note The posture service only runs on Cisco ISE nodes that assume the Policy Service persona and does not run on Cisco ISE nodes that assume the administration and monitoring personas in a distributed deployment.


Step 8 Click Save to save the node configuration.


 

Posture Compliance Dashlet

The Posture Compliance dashlet summarizes the posture compliance in percentage, and Mean Time To Remediate (MTTR) data for the last 24 hour period, as well as 60 minutes from the current system time. It refreshes data every minute and displays it on the dashlet. You can invoke the Posture Detail Assessment report from the tool tips that are displayed on the 24 hour and 60 minutes spark lines for a specific period. The stack bars display the posture noncompliance distribution of endpoints by operating systems and the reason for failures of the requirements.

The MAC address is used as a key to calculate MTTR.

The dashlet provides you the following distribution details for the last 24 hour period, as well as 60 minutes from the current system time.

Table 20-1 describes the details, which are shown in the Posture Compliance dashlet on Cisco ISE.

 

Table 20-1 Posture Compliance Dashlet

Name
Description

Passed in percentage

Displays the percentage (passed percentage) of posture compliance of endpoints by using posture compliance and noncompliance of endpoints.

Mean Time to Remediate (MTTR)

Displays the mean time difference between endpoints moving from the noncompliant state to the complaint state based on the unique MAC address.

Operating System

Displays the noncompliance distribution by operating system that is running on the client.

Reason

Displays the noncompliance distribution by failures of posture conditions.

Viewing Posture Reports

Cisco ISE provides you with various reports on posture, and troubleshooting tools that you can use to efficiently manage your network. You can generate reports for historical as well as current data. You may be able to drill down on a part of the report to look into more details. You can also schedule reports (specially for large reports) and download it in various formats.

For more information on how to generate reports and work with the interactive viewer, see Chapter24, “Reporting”

For more information on posture reports see the “Standard Reports” section.

Standard Reports

For your convenience, the standard reports present a common set of predefined report definitions. You can click on the Report Name link to run the report for today. You can query the output by using various parameters, which are predefined in the system. You can enter specific values for these parameters.

You can use the Run button to run the report for a specific period, and as well as use the Query and Run option. The Query and Run option allows you to query the output by using various parameters. The Add to Favorite button allows you to add your reports that you use frequently to the Operations > Reports > Favorites location. The Reset Reports button allows you to reset your reports in this catalog to factory defaults.

You can run the reports on posture from the following location:

Operations > Reports > Catalog > Posture .

The following are the standard reports for posture:

  • Posture Detail Assessment—a report to view the posture authentication summary information for a particular user for a selected time period
  • Posture Trend—a report to view the count of passed/failed and status information for a particular policy along with the graphical representation for a selected time period

Posture Administration Settings in Cisco ISE

After you deploy Cisco ISE on your network, you can globally configure Cisco ISE to download updates automatically through web to the Cisco ISE server, or updates that can be done offline later.

For information on posture updates, see the “Posture Updates” section.

In addition, the NAC Agents and Web Agents, which are installed on the clients provide posture assessment, and remediation services to clients. The NAC Agents and Web Agents periodically update the compliance status of clients to Cisco ISE. After login and successful requirement assessment for posture, the NAC Agents and Web Agents on Windows display a dialog with a link that requires end users to comply with terms and conditions of network usage. You can use this link to define network usage information for your enterprise network that end users accept before they can gain access to your network.

For information on posture periodic assessment of clients for compliance that NAC Agents and Web Agents do, see the “Posture Reassessments” section.

For information on accepting network usage policies for your network, see the “Posture Acceptable Use Policy” section.

This section describes the configuration settings that you define for clients to remediate on Cisco ISE, periodic reassessments of clients for compliance that NAC and Web Agents check periodically and report to Cisco ISE. It describes the configuration settings that you define for Cisco ISE updates with Cisco rules, checks, antivirus and antispyware charts, and operating system support. It also provides information on the configuration settings that end users must comply with network usage policies for using your network resources.

This section provides procedures that describe the following topics:

Configuring Client Posture Periodic Reassessments

Filtering Client Posture Periodic Reassessments

Dynamic Posture Updates

Offline Posture Updates

Posture General Settings

The posture general settings for agents on Windows clients and Macintosh clients can be configured in client provisioning resources. Here, you can configure agent profiles in client provisioning by setting the timers used for remediation and transition of clients posture state on your network, and also setting the timer to close the login success screens automatically on agents without end users intervention.

You can configure all these timers for agents on Windows clients and Macintosh clients in client provisioning resources in the following location:

Policy > Policy Elements > Results > Client Provisioning > Resources > Add > New Profile .

For more information on creating agent profiles and setting agent profile parameters, see the “Agent Profile Parameters and Applicable Values” section.

Cisco recommends configuring agent profiles with remediation timers, network transition delay timers and the timer used to control the login success screen on client machines so that these settings are policy based. However, when there are no agent profiles configured match the client provisioning policies, you can use the settings in the Administration > System > Settings > Posture > General Settings configuration page to accomplish the same goal.

Remediation Timer

Here, you can configure the timer for clients to remediate themselves within the time specified in the timer after failing to meet all the requirements defined in the posture policies for compliance. When clients fail to satisfy configured posture policies during an initial assessment, the NAC Agents wait for the clients to remediate within the time configured in the remediation timer. If the client fails to remediate within this specified time, then the NAC Agents and Web Agents send a report to the posture run-time services after which the clients are moved to the noncompliance state. The remediation timer default value is four minutes.

Network Transition Delay Timer

Here, you can configure the timer for clients to transit from one state to the other state within a specified time as specified in the network transition delay timer, which is required for Change of Authorization (CoA) to complete for clients to move from one state to the other state. This timer is used for clients in both successful and failure of posture. It may require a longer delay time when clients need time to get a new VLAN IP address during successful and failure of posture. Upon successfully postured, Cisco ISE allows clients to transit from unknown to compliant mode within the time specified in the network transition delay timer. Upon failure of posture, Cisco ISE allows clients to transit from unknown to noncompliant mode within the time specified in the timer.

Default Posture Status

Here, you can configure the posture status of endpoints to compliant, or noncompliant for endpoints that run on Linux, iDevices like Ipad, Ipod (non-agent devices). The same settings also apply to endpoints that run on Windows and Macintosh operating systems when there is no client provisioning policy matching found during posture run-time.

iDevices and Android Smart Phones

When an Android device and Apple iDevices such as iPod, iPhone, and iPad connect to your Cisco ISE enabled network via WLC (that supports CoA), CoA Session Termination is issued.

If these devices connect to your Cisco ISE enabled network via VPN/iPEP, then CoA Re-Auth is issued and the posture status of those devices will take the Default Posture Status settings in Cisco ISE.

Successful Login Screen

After login and successful posture assessment, the NAC Agents and Web Agents display a temporary network access screen. Here, the agents display a network usage term and conditions link for end users to accept the network usage policies that you define for your network. If end users reject network usage policies from the temporary network access screen, then they are denied to access your network. If they accept the network usage policies, then the agents display the login success screen and permit network access.

This section describes the following posture general settings that you configure for clients in posture:

  • Remediation Timer—specifies time in minutes required for any type of remediation within which clients need to remediate from the noncompliance state to the compliance state
  • Network Transition Delay—specifies time in seconds for network transition for both successful and failure of posture of clients on your network
  • Default Posture Status—specifies the posture status for clients that do not run supported operating systems in Cisco ISE
  • Successful Login Screen—specifies the timeout in seconds that closes the login success screen without end users intervention.

You can use the posture General Settings page to configure the timers for remediation, network transition, and closing the login success screen on Windows clients.


Step 1 Choose Administration > System > Settings (menu window).

The Settings menu window appears.

Step 2 From the Settings menu window, choose Posture .

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose General Settings .

The Posture General Settings page appears.


Tip The information icon provides you details on the posture General Settings page with the following message: “These settings will be used if there is no profile under client provisioning policy.”


Step 5 Enter a time value in the Remediation Timer field in minutes.

The default value is 4 minutes. You can configure the remediation timer, which the information icon displays the valid range between 1-300 minutes.

Step 6 Enter a time value in the Network Transition Delay field in seconds.

The minimum default value is 3 seconds. You can configure the network transition delay timer, which the information icon displays the valid range between 2-30 seconds.

Step 7 From the Default Posture Status field, choose the option from the drop-down list.

Here, you can configure the posture status of endpoints to compliant, or noncompliant where the information icon displays with the following message: “Provides posture status for non-agent devices (i.e. Linux based operating systems), and endpoints for which no agent installation policy applies.”

The following are the options:

    • Compliant (default)
    • NonCompliant

Step 8 Click to check the Automatically close login success screen after check box.

Step 9 Enter a time value for the Automatically close login success screen after check box.

Once checked the check box, and configured the time in seconds, the NAC Agents and Web Agents display the login success screen till the time out occurs. This setting allows clients to login into your network failing which the login success screen is closed automatically. You can configure the timer to close the login screen automatically between 0-300 seconds. If the time is set to zero seconds, then the NAC Agents and Web Agents do not display the login success screen.


Tip The information icon provides you details on Automatically close login success screen after check box with the following message: “Setting the time to zero seconds will not display the login success screen. Valid range: 0-300 seconds.


Step 10 Click Save to save the current input data.


 

To reset the posture general settings, complete the following steps:


Step 1 Click the Remediation Timer field.

Enter a time value (current input data) in the Remediation Timer field in minutes.

or

Step 2 Click the Network Transition Delay field.

Enter a time value (current input data) in the Network Transition Delay field in seconds.

or

Step 3 From the Default Posture Status field, choose the option from the drop-down list.

The following options appear: Compliant (default), NonCompliant

or

Step 4 Check to enable, or uncheck to disable the Automatically close login success screen after check box.

Step 5 Click Save to save the current input data.


 

Posture Reassessments

This section describes the periodic reassessment (PRA) configurations for clients that are successfully postured already for compliance on your network. PRA cannot occur if clients are not compliant on your network.

For more information on initiating and requesting a PRA, see the Initiating and Requesting a PRA.

For more information on PRA failure action configuration, see the PRA Failure Actions.

For more information on PRA and a user identity group (role) assignment, see the User Identity Group (Role) Assignment.

For more information on PRA report tracking and enforcement, see the PRA Report Tracking and Enforcement

For more information on PRA enforcements when Cisco ISE distributed deployment failures, see the PRA Enforcement During Distributed System Failure

Initiating and Requesting a PRA

The NAC Agent sends a compliance report to the policy service node once the client is postured successfully compliant on your network. A PRA is valid and applicable only if endpoints are in compliant state. Then the policy service node checks the relevant policies, and compiles the requirements depending on the client role that is defined in the configuration to enforce a PRA. If PRA configuration match is found, the policy service node responds to the NAC Agent with the PRA attributes that are defined in the PRA configuration for the client before issuing a change of authorization request. The NAC Agent periodically sends the PRA requests based on the interval specified in the configuration. Here, the client remains in the compliant state, if the PRA succeeds, or the action configured in the PRA configuration is to continue. If the client fails to meet PRA, then the client is moved from the compliant state to the noncompliant state.


Note The PostureStatus attribute shows the current posture status as compliant in a PRA request instead of unknown even though it is a posture reassessment request. The same is updated in the Monitoring reports as well. The PostureStatus attribute of any client before reassessment of new requirements and posture policies retrieved from the server in a PRA request should represent the posture status as unknown in a PRA request assuming that the client is being postured after successful authentication.


PRA Failure Actions

If the client is not compliant, the policy service node activates a PRA failure action. The PRA failure action that will be taken either to continue so that the client continues to access your network, or to log off from your network, or to remediate itself.

If you associate an user to different roles and each associated role is configured with different PRA failure actions (logoff, remediate, and continue) then the logoff action is applied on the endpoint.

The following enforcement types apply to PRA failure actions:

    • Continue
    • Logoff
    • Remediate

PRA Failure Action to Continue

In this scenario, the client is not compliant, and the configured PRA failure action is to continue. This failure action to continue does not allow the user to remediate the client and the NAC Agent does not show the user the need to remediate the client for compliance. Instead, the user continues to have the privileged access without any user intervention to remediate the client irrespective of the posture requirement, which is set to mandatory or optional.

PRA Failure Action to Logoff

In this scenario, the client is not compliant, and the configured PRA failure action is to force the client to log off from your network. The Agent sends a logoff request to the policy service node, and the client logs off. The client logs in again, and its compliance status is unknown for the current session.

PRA Failure Action to Remediate

In this scenario, the client is not compliant, and the configured PRA failure action is to remediate. The agent waits for a specified time for the remediation to occur. After the client has remediated, the agent sends the PRA report to the policy service node. If the remediation is ignored on the client, then the Agent sends a logoff request to the policy service node to force the client to log off from your network and log in again to remediate for compliance.

If the posture requirement is set to mandatory, then the RADIUS session will be cleared as a result of the PRA failure action and a new RADIUS session has to start for the client to be postured again.

If the posture requirement is set to optional, then the NAC Agent allows the user to click the continue option from the Agent. The user can continue to stay in the current network without any restriction.

User Identity Group (Role) Assignment

You can configure each PRA to a user identity group (a role) that is defined in the system. If you configure a PRA with a role Any then only the configuration with the role Any exists, and no other configurations can exist in the system.

The following section summarizes the PRA configuration to a user identity group:

1. Ensure that each PRA configuration has a unique group or a unique combination of user identity groups assigned to the configuration.


Note You can assign a role_test_1 and a role_test_2, the two unique roles to a PRA configuration. You can combine these two roles with a logical operator and assign the PRA configuration as a unique combination of two roles. For example, role_test_1 or role_test_2.


2. Ensure that two PRA configurations cannot have a user identity group in common.

3. If a PRA configuration already exists with a user identity group “ Any” , you cannot create other PRA configurations unless you perform the following:

a. You update the existing PRA configuration with a user identity group “ Any” to reflect a user identity group (or user identity groups) other than Any .

or

b. You delete the existing PRA configuration with a user identity group “ Any” .


Note If you must create a PRA configuration with a user identity group “Any”, ensure that you delete all other PRA configurations from the Reassessment configurations.


PRA Report Tracking and Enforcement

You can keep track of the PRA reports from the NAC Agent and enforce PRA on the clients that are already successfully postured on your network.

Upon successful compliance for posture, the NAC Agent validates the client for compliance and sends the compliance reports to the policy service node. The NAC Agent periodically sends the PRA requests for reassessment based on the interval that is specified in the configuration.

If the policy service node does not receive the PRA report within the maximum wait interval period, then the policy service node assigns the client to the unknown status and the client needs to be checked again for posture compliance. The maximum wait interval is an interval between two consecutive compliance (PRA) reports from the NAC Agent sent to the policy service node before the execution of a PRA failure action for noncompliance and the end of the client session.


Note The maximum wait interval is the sum of the PRA interval and twice the grace time that is configured in the PRA configuration as maximum wait interval = PRA interval + (grace time * 2).


PRA Enforcement During Distributed System Failure

The PRA is not supported in cases where policy service nodes fail in the distributed environment.

You cannot enforce a PRA on your clients, and the clients stay connected on your network regardless of their compliance in case there is a failure in the distributed environment. The Agents stop sending the PRA requests to the policy service nodes.

Configuring Client Posture Periodic Reassessments

Upon successful compliance for posture, the NAC Agents validate the compliance of clients, and periodically send the compliance reports to the Cisco ISE policy service node. The Cisco ISE policy service nodes check the relevant policies and compiles requirements depending on the client roles that are defined in the configuration to enforce a periodic reassessment. The Cisco ISE policy service nodes then respond to the NAC Agents with PRA attributes defined in the PRA configurations. As you associate a user to more than one user identity group (user identity groups), the PRA configurations are applied according to the most restricted attributes on the relevant role’s related configurations.

The following are the most restricted configuration definitions for the PRA attributes:

  • Use reassessment enforcement—requires at least one configuration and has its reassessment required flag on the PRA configuration
  • Interval—the least interval of all the relevant PRA configurations
  • Grace time—the least interval of all the relevant PRA configurations
  • Enforce type—the most restricted enforcement type is logoff; after log off, the client needs to remediate and then continue.

You can use the Reassessment configurations page to display and manage the periodic reassessments for a posture.

This section provides the procedures to configure the periodic reassessment configurations:

Creating, Duplicating, Editing, and Deleting a Client Posture Periodic Reassessment

This section describes the periodic reassessment configuration that you can create in Cisco ISE for your clients after they are successfully postured.

The Reassessment configurations page displays existing configurations that are configured to groups along with their names, description, and the action enforced on the clients in case the clients fail posture assessment. You can create, duplicate, edit, delete, or filter a PRA from the Reassessment configurations page. Once created and saved a PRA, you can see existing PRA configurations, and the groups to which the PRA configurations apply on the configurations list page.

To create a periodic reassessment, complete the following steps:


Step 1 Choose Administration > System > Settings > Settings (menu window).

Step 2 From the Settings menu window, choose Posture .

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Reassessments .

The Reassessment configurations page appears, which lists all the PRAs that you have already created.

Step 5 Click Add .

Step 6 Modify the values on the New Reassessment Configuration page, as shown in Table 20-2.

Here, you can create to add a new PRA on the Reassessment configurations page.

Step 7 Click Submit to create a PRA configuration.

Click Cancel to return to the Reassessment configurations page from the New Reassessment Configuration page when you do not want to add a new PRA on this page.


 

To duplicate a PRA, complete the following steps:


Step 1 From the Settings menu window, choose Posture .

Step 2 Click the arrow to view the settings used for posture.

Step 3 Choose Reassessments .

The Reassessment configurations page appears, which lists all the PRAs that you have already created. PRA configurations display the user identity groups to which existing PRAs are configured on the configurations list.

Step 4 Choose a PRA that you want to duplicate.

Step 5 From the Reassessment configurations page, choose Duplicate .

Here, you can create a copy of a PRA.

Step 6 Click Submit to create a copy of a PRA.

Click Cancel to return to the Reassessment configurations page from the edit page when you do not want to create a copy of a PRA on the edit page.


 

To edit a PRA, complete the following steps:


Step 1 From the Settings menu window, choose Posture .

Step 2 Click the arrow to view the settings used for posture.

Step 3 Choose Reassessments .

The Reassessment configurations page appears, which lists all the PRAs that you have already created.

Step 4 Choose the PRA that you want to edit.

Step 5 From the Reassessment configurations page, choose Edit .

Here, you can edit a PRA.

Step 6 Click Save to save the changes made to the PRA.

The PRA will appear on the Reassessment configurations page after editing on the edit page, as well as appear on the PRA configurations that displays the groups to which existing PRAs are configured on the configurations list.

Step 7 Click the Reassessment Configurations List link from the edit page to return to the Reassessment configurations page.


 

To delete a PRA, complete the following steps:


Step 1 From the Settings menu window, choose Posture .

Step 2 Click the arrow to view the settings used for posture.

Step 3 Choose Reassessments .

The Reassessment configurations page appears, which lists all the PRAs that you have already created.

Step 4 Choose the PRA that you want to delete.

Step 5 From the Reassessment configurations page, choose Delete .

A confirmation dialog appears with the following message: “Are you sure you want to delete?”.

Step 6 Click OK to delete a PRA.

Here, you can delete a PRA. Click Cancel to return to the Reassessment configurations page without deleting a PRA.


 

Table 20-2 describes the fields on the New Reassessment Configuration page that allow you to create a PRA, duplicate a PRA, and edit a PRA on its edit page:

 

Table 20-2 PRA Configurations

Field Name
Field Description

Configuration Name

From the Configuration Name field, enter the name of the PRA configuration that you want to create.

Configuration Description

From the Configuration Description field, enter the description of the PRA configuration.

Use Reassessment Enforcement?

When the Use Reassessment Enforcement check box is checked, the PRA configurations configured for the user identity groups are applied. If unchecked, the PRA configurations configured for the user identity groups are not applied.

Enforcement Type

If clients fail to meet the posture requirement, then one of the following actions is enforced on the client. Click the drop-down arrow to view the predefined settings:

  • Continue
  • Logoff
  • Remediate

Choose one from the list.

Interval

From the Interval field, enter a time interval specified in minutes to initiate PRA on the clients thereafter first successful log in.

The information icon next to the Interval field provides you the minimum and maximum interval that you can set for PRAs. The minimum interval can be 60 minutes (one hour), and the maximum interval can be 1440 minutes (24 hours) for PRAs. The default interval time is specified as 240 minutes (4 hours).

Grace time

From the Grace Time field, enter a time interval specified in minutes to allow the client to complete remediation. The grace time cannot be zero, and greater than the PRA interval. It can range between the default minimum interval (5 minutes) and the minimum PRA interval.

The information icon next to the Grace time field provides you the minimum and maximum interval that you can set for PRAs. The minimum grace time can be 5 minutes and the maximum grace time can be 60 minutes.

Note The grace time is enabled only when the enforcement type is set to remediate action after the client fails the posture reassessment.

Select User Identity Groups

From the Select User Identity Groups field, choose a unique group, or a unique combination of groups for your PRA configuration.

Note the following while creating a PRA configuration:

  • Each configuration must have a unique user identity group, or a unique combination of user identity groups.
  • No two configurations can have any user identity group in common.
  • If you want to create a PRA configuration with a user identity group “Any”, delete all other PRA configurations first.
  • If you create a PRA configuration with a user identity group “Any”, then you cannot create other PRA configurations with a unique user identity group, or user identity groups. To create a PRA configuration with a user identity group other than “Any”, either delete an existing PRA configuration with an user identity group “Any” first, or update an existing PRA configuration with a user identity group “Any” with a unique user identity group, or user identity groups.

PRA configurations—configurations list

An area that lists existing PRA configurations and user identity groups associated to PRA configurations.

Filtering Client Posture Periodic Reassessments

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Reassessment configurations page. A quick filter is a simple and quick filter that can be used to filter periodic reassessments on the Reassessment configurations page. It filters periodic reassessments based on field description such as the name of the periodic reassessments, description, action enforced on the clients when clients fail posture assessment, user identity groups to which periodic reassessments are configured, and periodic reassessments that are enabled or disabled on the Reassessment configurations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Reassessment configurations page. It filters periodic reassessments based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the filtered results on the Reassessment configurations page. You can also edit preset filters and remove them from the preset filters list.

To filter periodic reassessments, complete the following steps:


Step 1 Choose Administration > System > Settings (menu window).

Step 2 From the Settings menu window, choose Posture .

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Reassessments .

The Reassessment configurations page appears, which lists all the PRAs that you have already created.

Step 5 From the Reassessment configurations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-3 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Reassessment configurations page, choose All from the Show drop-down to display all the periodic reassessments without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters periodic reassessments based on each field description on the Reassessment configurations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Reassessment configurations page. If you clear the field, it displays the list of all the periodic reassessments on the Reassessment configurations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter periodic reassessments by using variables that are more complex. It contains one or more filters, which filter periodic reassessments based on the values that match the field description. A filter on a single row filters periodic reassessments based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter periodic reassessments by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add the filtered lists, or click the Remove Row button (minus [-] sign) to remove the filtered lists.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-3 describes the fields that allow you to filter the PRAs:

Table 20-3 Filtering Reassessment Configurations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter periodic reassessments by the name of the periodic reassessment.

Description

This field enables you to filter periodic reassessments by the description of the periodic reassessment.

Type

This field enables you to filter periodic reassessments by actions enforced on the client.

User Identity Groups

This field enables you to filter periodic reassessments by user identity groups configured for periodic reassessments.

Enable

This field enables you to filter periodic reassessments by those reassessments that are enabled.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Type
  • User Identity Groups
  • Enable

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter periodic assessments.

Value

From the Value field, choose the value for the field description that you selected against which to filter periodic assessments.

Posture Updates

Prerequisite

If the default Update Feed URL is not reachable, you must configure the proxy settings in the Administration > System > Settings > Proxy .

For more information on proxy settings, see Specifying Proxy Settings in Cisco ISE.

Updates for posture includes a set of predefined checks, rules, antivirus and antispyware support charts for both Windows and Macintosh operating systems, and operating systems information that are supported by Cisco. You can download posture updates from Cisco to your Cisco ISE deployment through the web dynamically, and as well as configure updates to occur automatically after allowing a time delay within a maximum of 24 hours in hh:mm:ss format. Thereafter, Cisco ISE checks and downloads updates at specified intervals from the initial updates automatically. You can also update Cisco ISE offline from a file on your local system, which contains the latest archives of updates.

When you deploy Cisco ISE on your network for the first time, you can download initially posture updates from the web that usually takes around 20 minutes of time. Thereafter, you can configure to check and download incremental updates to occur automatically on Cisco ISE without your intervention. Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.


Note Cisco ISE creates default posture policies, requirements, and remediations only once during an initial posture updates. If you delete them, Cisco ISE does not create them again during subsequent updates that you perform either manually or using scheduled posture updates.


This section provides procedures that describe dynamic, and offline update configurations for posture:

Related Topics

Custom Conditions for Posture

Dynamic Posture Updates

You can use the Posture Update page to download updates dynamically from the web, and configure updates to occur automatically after allowing a time delay from the initial updates. Thereafter you can check and download updates at regular intervals without your intervention.

To download updates dynamically from the web, complete the following steps:


Step 1 Choose Administration > System > Settings (menu window).

Step 2 From the Settings menu window, choose Posture .

Step 3 Click the arrow to view the settings for posture.

Step 4 Choose Updates .

The Posture Updates page appears.

Step 5 From the Posture Updates page, choose the Web option to download updates dynamically.

Step 6 Click the Set to Default button to set the Cisco default value for the Update Feed URL field.

For example, the default Update Feed URL is https://www.cisco.com/web/secure/pmbu/posture-update.xml .


Note If this default Update Feed URL is not reachable, then you can configure the proxy settings alternatively on the Posture Updates page. For more information on proxy settings, see Specifying Proxy Settings in Cisco ISE.


Step 7 Modify the values on the Posture Updates page, as shown in Table 20-4 .

Step 8 Click the Update Now button to download updates from Cisco.

Cisco ISE displays an information dialog with the following message:

“The update might take up to 20 minutes to finish. Navigating to other pages will not stop the updating and you can check the result on this page later.”

Step 9 Click OK to continue with other tasks on Cisco ISE.

Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.


Note Downloading updates dynamically from the web may take a few minutes for the first time to update the Cisco ISE server. When updates is in progress, you can leave the updates page to continue with other tasks on Cisco ISE. If an update is in progress, then you will see a waning dialog displayed on the updates page when you return to the Posture Updates page. When an update is in progress, Cisco ISE displays a warning dialog with the following warning message: “There is already an update running. Please try later.”



 

After an initial update, you can configure to check for updates and download updates to your Cisco ISE deployment automatically on the Posture Updates page. Cisco ISE downloads updates at specified intervals from the web automatically after an allowed initial delay from the first time updates.

To continue to check for updates automatically and download at a specified interval from the initial updates, complete the following steps:


Step 1 Check the Automatically check for updates starting from initial delay check box.

Step 2 Enter the initial delay time in hh:mm:ss format.

Cisco ISE starts checking for updates after the initial delay time is over.

Step 3 Enter the time interval in hours.

Cisco ISE downloads updates to your deployment thereafter at specified intervals from the initial delay time.

Step 4 Click Yes to continue.

Step 5 Click Save to download updates at regular intervals from the initial time delay.


 


Note When you configure Cisco ISE to check for the updates automatically, the latest AV/AS Support charts get populated accordingly. Anyway, you need to download the latest Compliance Module and add it to the Client Provisioning policy manually. If the latest Support charts do not synchronize with the existing Compliance Module, ensure that you are downloading the latest Compliance Module and adding it to the Client Provisioning policy.


Table 20-4 describes the fields that allow you to download updates dynamically from the web, or offline.

 

Table 20-4 Update Configurations

Field
Field Description

Posture Updates options

The following options are available for Posture updates on Cisco ISE: Web, and Offline.

Update Feed URL

A valid URL to update from the web.

For example:

https://www.cisco.com/web/secure/pmbu/posture-update.xml

Set to Default

Click to set the Cisco default URL for Update Feed URL.

Proxy Address

The IP address of the configured proxy server.

Proxy Port

The port of the configured proxy server.

Automatically check for updates starting from initial delay check box

Allows Cisco ISE automatically to check for updates after the delay time is over, and thereafter download updates at regular intervals.

Click to check the check box.

An initial delay time specified in hh:mm:ss format, after which Cisco ISE checks for updates

Cisco ISE starts checking for updates after an initial delay time is over.

Here, click the drop-down arrow to choose the initial delay time in hh:mm:ss format after which Cisco ISE should start to check for updates.

An interval specified in hours, at which Cisco ISE downloads updates automatically from the initial delay time.

Here, enter the interval hours of time at which Cisco ISE should download updates automatically from the initial delay time.

Offline Posture Updates

For details on performing offline posture package updates in Cisco ISE, see the “Cisco ISE Offline Updates” section of the Release Notes for the Cisco Identity Services Engine, Release 1.1 .

Posture Acceptable Use Policy

After login and successful posture assessment of clients, the NAC Agents and Web Agents display a temporary network access screen. Here, the agents display a link on the temporary network access screen for end users to click on the link. This link redirects end users to a page, where you can define your network usage terms and conditions that end users must read, and accept the network usage policies here.

Each AUP configuration must have a unique user identity group, or a unique combination of user identity groups. Even though a user can be associated to multiple user identity groups in Cisco ISE, and there are different AUP configurations for a unique user identity group, or a unique combination of user identity groups, Cisco ISE looks for the user identity groups and the associated AUP configuration for the user identity groups. Cisco ISE finds the AUP for the first matched user identity group, and then it communicates to the NAC Agent and Web Agent to display the AUP of the first matched user identity group. The user can click the link to accept the network usage policies here after which the user gets access privileges to your network.

Authorization Profile Configuration Guidance for Posture Clients Quarantine State

This section guides you through the configuration details when clients are moved into quarantine state due to end users deny to comply with your network usage policies, or when clients fail to meet the mandatory requirements.

Without accepting the network usage terms and conditions even though clients meet all the mandatory requirements that are defined in the posture assessment policies, they are denied network access to your network, and moved into a quarantine state forever. If clients are moved into the quarantine state, they will not be to reauthenticate again in order to be postured successfully for compliance again. If clients need to come out of the quarantine state in order to become compliant, then the network access devices must be configured to restart a new RADIUS session after the session times out so that clients can reauthenticate again depending on your configuration, and then agree to the network usage policies of your network.

You can choose an authorization profile and configure it using the Policy > Policy Elements > Results > Authorization > Authorization Profiles page.

For more information on authorization policies and profiles, see Chapter17, “Managing Authorization Policies and Profiles”

Here, you can choose the Access-Accept option from the Access Type field, and configure information for re-authentication under Common Tasks, or under Advanced Attributes Settings for an authorization profile.

For example, you can configure the value of RADIUS: Termination-Action attribute to Default, and the RADIUS: Session-Timeout attribute to a time value under Common Tasks > Re-authentication, or under Advanced Attributes Settings. If the value of RADIUS: Termination-Action attribute is set to RADIUS-Request, the NAS sends a new Access-Request to the RADIUS server, including the state attribute, if any upon termination of the specified service. This configuration allows you to set a timeout value for a quarantine state. After the time out, a new RADIUS session can be started and the client can reauthenticate again and check for posture.

  • RADIUS: Termination-Action—An action, which should be taken by the NAS when the specified service is completed. It is only used in Access-Accept message.
  • RADIUS: Session-Timeout—A timeout value specified in maximum number of seconds of service to be provided to the user before termination of the RADIUS session, where the client remains connected by the NAS. It is an attribute to be sent by the RADIUS server to the client in an Access-Accept, or Access-Challenge messages.

In addition to the above, you have to enter the following additional commands for your network device:

    • authentication periodic—use this interface configuration command to enable, or disable re-authentication on a port. Enter the no form of this command to disable re-authentication.

This CLI command shows how to enable periodic re-authentication on a port.

Switch(config-if)# authentication periodic
    • authentication timer reauthenticate server—use this interface configuration command to configure the time out and re-authentication parameters for an 802.1x-enabled port.

This CLI command shows how to set the re-authentication timer where reauthenticate specifies time in seconds after which an automatic re-authentication attempt should start, and server specifies an interval in seconds after which an attempt can be made to authenticate an unauthorized port.

authentication timer—interface configuration command

reauthenticate—specifies time in seconds after which an automatic re-authentication attempt starts. It is set to one hour.

server—specifies interval in seconds after which an attempt is made to authenticate an unauthorized port

Switch(config-if)# authentication timer reauthenticate server

Configuring Acceptable Use Policies

You can view, create, delete, or filter acceptable use policies (AUPs) on the Acceptable Use Policy Configurations page. It displays all the AUPs with their names, description, type, the name of the zipped file, or the URL that contains the network usage policies depending on the type of the AUPs, and the user identity groups to which they are configured.

This section covers the following procedures:

Viewing, Adding, and Deleting an Acceptable Use Policy

You can use the Acceptable Use Policy Configurations page to view, create, or delete acceptable use policies, which allow network access to your network to clients on acceptance of the network usage policies.

To view an acceptable use policy, complete the following steps:


Step 1 Choose Administration > System > Settings > Settings (menu window).

Step 2 From the Settings menu window, choose Posture .

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Acceptable Use Policy .

The Acceptable Use Policy Configurations page appears, which lists all the AUPs that you have already created.

Step 5 Choose an acceptable use policy from the list.

Step 6 Click View .

Here, you can view the acceptable use policy.

Step 7 Click the Acceptable Use Policy Configuration list link to return to the Acceptable Use Policy Configuration list page.

Click Cancel to return to the Acceptable use policy configuration list page. A confirmation dialog appears with the following message: “Are you sure you want to cancel?. You will lose all the changes you have made.” Click Yes to return to the Acceptable use policy configuration list page. If you click No , you are retained on the same view page.


 

To create an acceptable use policy, complete the following steps:


Step 1 Choose Administration > System > Settings > Settings (menu window).

Step 2 From the Settings menu window, choose Posture .

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Acceptable Use Policy .

The Acceptable Use Policy Configurations page appears, which lists all the AUPs that you have already created.

Step 5 Click Add .

Step 6 Modify the values on the New Acceptable Use Policy Configuration page, as shown in Table 20-5 .

Here, you can configure a new AUP for a user identity group on the Acceptable Use Policy Configurations page.

Step 7 Click Submit to create an AUP configuration.

Step 8 Click Cancel to return to the Acceptable Use Policy Configurations page from the Acceptable Use Policy Configuration page when you do not want to add a new AUP from this page.


 

To delete an acceptable use policy, complete the following steps:


Step 1 From the Settings menu window, choose Posture .

Step 2 Click the arrow to view the settings used for posture.

Step 3 Choose Acceptable Use Policy .

The Acceptable Use Policy Configurations page appears, which lists all the AUPs that you have already created.

Step 4 Choose an acceptable use policy that you want to delete.

Step 5 From the Acceptable Use Policy Configurations page, choose Delete .

A confirmation dialog appears with the following message: “Are you sure you want to delete?”.

Step 6 Click OK to delete an AUP.

Here, you can delete an AUP.

Step 7 Click Cancel to return to the Acceptable Use Policy Configurations page without deleting the AUP that you selected.


 

Table 20-5 describes the fields that allow to create an AUP configuration on the Acceptable use policy configurations page.

 

Table 20-5 AUP Configurations

Field
Field Description

Configuration Name

From the Configuration Name field, enter the name of the AUP configuration that you want to create.

Configuration Description

From the Configuration Description field, enter the description of the AUP configuration that you want to create.

Show AUP to Agent users (for NAC Agent and Web Agent on Windows only)

If checked, the Show AUP to Agent users check box displays end users (for NAC Agents, and Web Agents on Windows only) the link to network usage terms and conditions for your network, and then click it to view the AUP upon successful authentication and posture assessment.

Use URL for AUP message radio button

When selected, you must enter the URL to the AUP message in the AUP URL field, which clients must access upon successful authentication and posture assessment.

Use file for AUP message radio button

When selected, you must browse to the location and upload a file in a zipped format in the AUP File field, which contains the index.html at the top level.

The zip file can include other files and sub directories in addition to the index.html file. These files can reference each other using HTML tags.

AUP URL

From the AUP URL field, enter the URL to the AUP, which clients must access upon successful authentication and posture assessment.

AUP File

From the AUP File field, browse to the file and upload it to the Cisco ISE server. It should be a zipped file and the zipped file should contain the index.html at the top level.

Select User Identity Groups

From the Select User Identity Groups field, choose a unique user identity group, or a unique combination of user identity groups, for your AUP configuration.

Note the following while creating an AUP configuration:

  • Posture AUP is not applicable for a guest flow
  • Each configuration must have a unique user identity group, or a unique combination of user identity groups
  • No two configurations have any user identity group in common
  • If you want to create a AUP configuration with a user identity group “Any”, then delete all other AUP configurations first
  • If you create a AUP configuration with a user identity group “Any”, then you cannot create other AUP configurations with a unique user identity group, or user identity groups. To create an AUP configuration with a user identity group other than Any, either delete an existing AUP configuration with a user identity group “Any” first, or update an existing AUP configuration with a user identity group “Any” with a unique user identity group, or user identity groups.

Acceptable use policy configurations—Configurations list

An area that lists existing AUP configurations and end user identity groups associated to AUP configurations.

Filtering Acceptable Use Policies

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Acceptable Use Policy Configurations page. A quick filter is a simple and quick filter that can be used to filter acceptable use policies on the Acceptable Use Policy Configurations page. It filters acceptable use policies based on the field description such as the name of the acceptable use policies, description, URL of the acceptable use policy, user identity groups to which acceptable use policies are configured, acceptable use policies that are enabled, or disabled on the Acceptable Use Policy Configurations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Acceptable Use Policy Configurations page. It filters acceptable use policies based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the filtered results on the Acceptable Use Policy Configurations page. You can also edit preset filters and remove them from the preset filters list.

To filter acceptable use policies, complete the following steps:


Step 1 Choose Administration > System > Settings > Settings (menu window).

Step 2 From the Settings menu window, choose Posture .

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Acceptable Use Policy .

The Acceptable Use Policy Configurations page appears, which lists all the AUPs that you have already created.

Step 5 From the Acceptable Use Policy Configurations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-6 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Acceptable Use Policy Configurations page, choose All from the Show drop-down to display all the acceptable use policies without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters acceptable use policies based on each field description on the Acceptable Use Policy Configurations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Acceptable Use Policy Configurations page. If you clear the field, it displays the list of all the acceptable use policies on the Acceptable Use Policy Configurations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter acceptable use policies by using variables that are more complex. It contains one or more filters, which filter acceptable use policies based on the values that match the field description. A filter on a single row filters acceptable use policies based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter acceptable use policies by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add the filtered lists, or click the Remove Row button (minus [-] sign) to remove the filtered lists.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

Step 8 The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-6 describes the fields that allow you to filter the AVPs:

Table 20-6 Filtering Acceptable Use Policy Configurations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter acceptable use policies by the name of the acceptable use policy.

Description

This field enables you to filter acceptable use policies by the description of the acceptable use policy.

Type

This field enables you to filter acceptable use policies by the type that a file is used, or the remote location of the acceptable use policy.

File Name/URL

This field enables you to filter acceptable use policies by the file name that is used or the remote location of the acceptable use policy.

User Identity Groups

This field enables you to filter acceptable use policies by the user identity groups configured for acceptable use policies.

Enabled

This field enables you to filter acceptable use policies by AUPs that are configured to display, or not to Agent users (for NAC Agent and Web Agent on Windows only).

  • True—display AUP to Agent users
  • False—does not display AUP to Agent users

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Type
  • File Name/ URL
  • User Identity Groups
  • Enabled

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter acceptable use policies.

Value

From the Value field, choose the value for the field description that you selected against which to filter acceptable use policies.

Client Posture Assessments in Cisco ISE

The posture service assists in determining the compliance of endpoints that are accessing your Cisco ISE-enabled network by using posture policies based on posture requirements, which are associated to posture policies. It evaluates the configured posture policies for all the endpoints that are connecting to your network, which are associated to one or more identity groups to which the users belong, and the operating systems that are installed on the clients. The NAC Agents that are installed on your clients interact with the Cisco ISE posture service, and evaluate the posture policies which are configured for your clients.

In addition, you should have an understanding on how Cisco ISE provides support for operating systems that are installed on the clients for posture.

Support for Hierarchical Operating Systems

Cisco ISE provides support to all the Windows and Macintosh operating systems, which are structured in a hierarchical group. You can also select an individual operating system from the hierarchy. A parent group includes the operating system versions for the group, and each version of the group includes the underlying operating system versions. When you select a parent group of an operating system from the hierarchy, you implicitly select all the underlying operating systems of the parent group. The posture conditions apply to all the underlying versions of the operating systems when you select the parent group or the group.

For example, when you choose Windows All from the Operating Systems field while creating a posture policy for posture in Cisco ISE, a condition that you define in the posture policy applies to all Microsoft Windows operating systems and their underlying operating systems, which includes Microsoft Windows 7 (All), Microsoft Windows Vista (All), Microsoft Windows XP (All), and their underlying operating systems for Windows All.

Filtering by Operating System

The selection of an operating system within the hierarchy implements the filtering of conditions, compound conditions and requirements that overrides a parent operating system Group associated to a simple condition. This implementation filters conditions, compound conditions and requirements by using the operating system that is associated with the compound condition. If you have a simple condition that is associated with a parent operating system group and a compound condition that is associated with the underlying version from the parent operating system group, then the filtering is based only on the underlying version of the operating system that is associated in the compound condition.

For example, you might have a simple condition that is associated with the Windows Vista parent operating system group. And you might also have a compound condition that is associated with the underlying version of Windows Vista from the operating system group. However, the filtering is done using only the underlying version of the operating system that is associated in the compound condition.

Dynamic Support for Operating System Version

You can configure the posture policies for an endpoint that is associated with the role to which you belong, as well as the operating system on the client. The posture configurations that you save apply only at the group level of an operating system that is not at the operating system level. This level of application allows you to map multiple versions of an operating system that is structured in the hierarchical groups.

For example, when you choose the Windows All option from the operating system group, you are choosing the hierarchical structure of all of the Windows 7, Windows Vista, and Windows XP groups that contain each of their underlying versions.

Cisco ISE dynamically supports new versions of client operating systems and Agents, including both the Windows and Macintosh NAC agents and NAC Web agent. Located on the ISE server, the osgroups.xml file is automatically updated by Cisco to reflect the latest version support information. If an Agent sends the Cisco ISE server an operating system version that is not listed in the osgroups.xml file, then you cannot continue to work with the posture service through the Agents.

Related Topics

Troubleshooting Topics

Client Posture Assessment Policies

A posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. The Dictionary Attributes are optional conditions in conjunction with the identity groups, and the operating systems that allow you to define different policies for the clients.

Here, posture requirements are associated to the posture policies and also optional dictionary attributes where you can use dictionary simple and compound conditions from the library or create new dictionary simple and compound conditions.

Prerequisite:

You must have an understanding of acceptable use policy (AUP) and posture reassessments (PRA) as you create posture policies with respect to posture compliance.

For more information on AUP, see Posture Acceptable Use Policy and on PRA, see Posture Reassessments.

In addition, see the following:

You can use the Posture Policies page to insert (create) a new policy, or duplicate an existing policy, or delete an existing policy.

Table 20-7 describes the fields on the Posture Policies page that allow you to insert a new posture policy, or duplicate an existing policy. or delete an existing posture policy.

 

Table 20-7 Posture Policy

Field
Field Description

Status

From the Status field, click the drop-down arrow to choose an option. It can be used to enforce, or not to enforce a posture assessment policy for evaluation.

Rule Name

From the Rule Name field, enter the name of the posture policy that you want to create. Once created and saved, the name of the posture policy in not editable.

Identity Groups

From the Identity Groups field, choose an identity group. The selection of an identity group applies to the role of the user to which the user belongs in conjunction with the operating system that is installed on the client.

Operating Systems

From the Operating Systems field, choose an operating system. It allows you to select specific Windows, or Macintosh operating systems to which the posture requirement is applied.

Other Conditions

From the Other Conditions field, choose a dictionary simple condition, or a dictionary compound condition to which the posture requirement should apply. If more than one condition is selected, then all the conditions must be met to form a compound condition. The system uses "&" (a logical AND) as the AND operator.

Requirements

From the Requirements field, choose a posture requirement. The selection of a posture requirement that is associated to the matching posture policy determines the compliance of an endpoint during a posture policy evaluation.

Actions

It allows you to insert a new posture policy, duplicate an existing policy or delete an existing policy.

For information on how to manage posture policies, see the “Creating, Duplicating, and Deleting Client Posture Policies” section.

For more information on simplified posture policy configuration, see the “Simplified Posture Policy Configuration” section.

Simplified Posture Policy Configuration

This section describes the process to configure a posture policy in three steps on the Posture Policy page itself without navigating away to other configuration pages.

Once a posture policy is created on the Posture Policy page, posture conditions and remediation actions that you create on the Add Requirement widget are associated to the posture requirement, and posture requirements that you create on the Add Requirement widget are associated to the posture policy.

This section describes the process to configure a posture policy in three steps.

Simplified Posture Policy involves the following three steps:

Choose Policy > Posture . The Posture Policy page appears.


Step 1 From the Requirements field on the Posture Policy page, click the plus [+] sign to expand the Requirements anchored overlay. Click the minus [-] sign, or click outside the anchored overlay to close it.

Here, you can invoke the Requirements widget and create a new posture requirement from the Add Requirement widget. For more information, see the “Creating a New Posture Policy” section.

Step 2 From the Add Requirement widget, click the plus [+] sign to expand the Conditions anchored overlay. Click the minus [-] sign, or click outside the anchored overlay to close it.

Here, you can invoke the Conditions widget that lists user defined conditions and Cisco defined conditions separately.

You can create new conditions such as simple file, registry, application, service conditions, regular compound conditions, antivirus compound conditions, and antispyware compound conditions, and associate them to the requirement. You can also associate existing user defined simple and compound conditions that appear in the Conditions widget.

You can also choose Cisco defined conditions of file, registry, application, service conditions, regular compound conditions, antivirus compound conditions, and antispyware compound conditions, and associate them to the requirement.

For more information, see the “Creating a New Posture Requirement” section.

Step 3 From the Add Requirement widget, click the plus [+] sign to expand the Remediation Actions anchored overlay. Click the minus [-] sign, or click outside the anchored overlay to close it.

Here, you can invoke the Remediations widget that lists all the remediations that you have already created.

You can create new remediations such as file remediations, link remediations, launch program remediations, antivirus remediations, antispyware remediations, Windows Server Update Services remediations, and Windows Update remediations, and associate them to the requirement.

You can also choose existing remediations that appear on the Remediations widget.

For more information, see the “Creating a New Posture Requirement” section.

Once the posture conditions and posture remediations configuration is complete on the Add Requirement widget, the requirement is associated to the posture policy.


 

Creating, Duplicating, and Deleting Client Posture Policies

This section describes the following procedures on how to insert (create) a new policy, or duplicate an existing policy, or delete an existing policy on the Posture Policies page.

Creating a New Posture Policy

You can create a new posture policy on the Posture Policies page.

To create a new posture policy, complete the following steps:


Step 1 Choose Policy > Posture .

The Posture Policy page appears.

Step 2 Choose the Status type.

You can enforce a posture policy to be one of the following types:

    • Enabled—this option allows you to enforce a posture policy for evaluation
    • Disabled—this option allows you not to enforce a posture policy for evaluation

Step 3 From the Rule Name field, enter the policy name.

Step 4 From the Identity Groups field, choose Select Role .

The identity group anchored overlay appears.

To choose a role, complete the following steps:

a. From the Select Role field, click the plus [+] sign to expand the identity group anchored overlay.

The identity group anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Role Quick Picker (down arrow) icon.

The Roles widget appears. The Table view button shows the roles that lists Any and the User Identity Groups in a row format in the right pane of the widget. The Tree view button shows Any and the User Identity Groups in a tree format.

c. From the Roles widget, choose the role.

d. Click the Add (plus [+] sign) button to associate more than one role to the policy.

e. Click the Remove (minus [-] sign) button to remove the role from the policy.

Step 5 From the Operating Systems field, choose Select Operating Systems .

The operating system anchored overlay appears.

To choose an operating system, complete the following steps:

a. From the Select Operating System field, click the plus [+] sign to expand the operating system anchored overlay.

The operating system anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Operating System Quick Picker (down arrow) icon.

The Operating System Groups widget appears. The Table view button shows MAC OSX and Windows All operating system groups and their underlying versions in a row format in the right pane of the widget. The Tree view button shows MAC OSX and Windows All operating system groups and their underlying versions in a tree format.

Here, you cannot choose both the operating system types.

c. From the Operating System Groups widget, choose either MAC OSX or Windows All .

Here, click the Quick Picker (right arrow) icon to view the operating system groups.

Mac OS X (Macintosh) has three underlying versions.

  • From the Mac OS X (Macintosh) group, choose the underlying Macintosh operating system.

Or

Windows has Windows 7 (All), Windows Vista (All), and Windows XP (All) groups and each group contains underlying versions.

  • From the Windows All group, choose the underlying Windows group and the Windows version. Each Windows group contains its own underlying versions.

d. Click the Add (plus [+] sign) button to associate more than one operating system to the policy.

e. Click the Remove (minus [-] sign) button to remove the operating system from the policy.

Step 6 From the Other Conditions field, choose (Optional) Dictionary Attributes .

The conditions anchored overlay appears, which allows you an option to add new one or more dictionary attributes, and save them as simple, and compound conditions to a dictionary (a library). You can use an AND, or OR operator to form a dictionary compound condition, and then save them to the dictionaries. From the Other Conditions field, you can choose dictionary simple, and compound conditions from the library for validation during posture policies evaluation.


Note Dictionary simple conditions and dictionary compound conditions that you create on the Posture Policy page, Policy > Policy Elements > Conditions > Dictionary Simple Conditions page and Policy > Policy Elements > Conditions > Dictionary Compound Conditions page are not visible while configuring an authorization policy.


To choose a condition, complete the following steps:

a. From the (Optional) Dictionary Attributes field, click the plus [+] sign to expand the conditions anchored overlay. Click the minus [-] sign, or click outside the anchored overlay to close it.

A widget displays Select Existing Condition from Library and Create New Condition (Advance Option).

Select Existing Condition from Library—You can define an expression by selecting predefined conditions from the policy elements library. You can add ad-hoc attribute/value pairs to your expression in the subsequent steps.

Create New Condition (Advance Option)—You can define an expression by selecting attributes from various system or user-defined dictionaries. You can add pre-defined conditions from the policy elements library in the subsequent steps.

b. Choose Select Existing Condition from Library .

c. Click the Select Conditions Quick Picker (down arrow) icon.

The Dictionaries widget appears, which lists the dictionary simple conditions and dictionary compound conditions.

d. Choose the condition.

e. Choose an AND operator or an OR operator from the drop-down list.

f. Click the Action Icon button to add a new dictionary attribute and its value, add a condition from the library, or delete the existing conditions or dictionary attributes.

Here, you can do the following:

Add Attribute/Value

Add Condition from Library

Delete

g. Click the Save icon to add all the conditions below to the library from the conditions overlay.

To choose a dictionary attribute (optional), complete the following steps:

a. From the (Optional) Dictionary Attributes field, click the plus [+] sign to expand the conditions anchored overlay. Click the minus [-] sign, or click outside the anchored overlay to close it.

A widget displays Select Existing Condition from Library and Create New Condition (Advance Option)

b. Choose Create New Condition (Advance Option) .

The conditions anchored overlay appears. It allows you to create a new dictionary simple condition or dictionary compound condition (an expression).

c. From the Expression field, click the Select Attribute Quick Picker (down arrow) icon.

The Dictionaries widget appears that lists the following dictionaries:

AD1

DEVICE

Network Access

Radius

Session

d. From the Dictionaries widget, choose an existing dictionary.

e. Click the navigation arrow (right arrow) to view the dictionary attributes.

The dictionary attributes appear for the dictionary.

f. Choose a dictionary attribute.

g. Choose an operator, and a value to create a dictionary simple condition.

h. Click the Action Icon button to add a dictionary simple condition to a library.

Enter a name for that dictionary simple condition to be saved to the library.

i. Click the Action Icon button to add a new dictionary attribute and its value, add a condition from the library, duplicate a condition, add a condition to the library, or delete the existing conditions or dictionary attributes.

Here, you can do the following:

Add Attribute/Value

Add Condition from Library

Duplicate

Add Condition to Library

Delete

j. Choose an AND operator or an OR operator from the drop-down list to create a dictionary compound condition.

k. Click the Save icon to add all the conditions from the conditions anchored overlay to the library.

Here, you can define an expression by selecting attributes from various system, or user-defined dictionaries. You can create a new dictionary simple condition (an expression) by adding a new dictionary attribute and associating a value, which can be saved to the policy elements library. You can also add pre-defined conditions from the policy elements library in the subsequent steps.

Session Agent-Request-Type

The Session dictionary that you choose from the Dictionaries widget has the following attributes and values.

Agent-Request-Type—Initial and Periodic Reassessment are the values.

OS-Architecture—32-bit and 64-bit are the values.

URL-Redirected—Specify the value.

By default, all the matching posture requirements are validated upon initial posture assessment and then periodically according to the periodic reassessments that are defined for posture assessment of clients. The Session attribute Agent-Request-Type can be used in the posture policy to selectively apply posture requirements either during initial posture assessment or during periodic reassessments of clients.

To apply a matching posture requirement during initial posture assessment only, set the Session Agent-Request-Type attribute EQUAL to Initial.

To apply a matching posture requirement during periodic reassessment only, set the Session Agent-Request-Type attribute EQUAL to Periodic Reassessment.

To apply a matching posture requirement to both the initial posture assessment and periodic reassessments, then do not set the Session Agent-Request-Type attribute in the posture policy.

Step 7 From the Requirements field, choose Select Requirement .

To choose a requirement, complete the following steps:

a. From the Select Requirement field, click the plus [+] sign to expand the requirements anchored overlay.

The requirements anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

You can enforce a posture requirement to be one of the following items types:

Mandatory—This option enforces the client to meet the posture requirement. The user cannot proceed or have access to the network unless the client meets the posture requirement.

Optional—This option does not enforce the client to meet the posture requirement. The client can bypass the requirement, if required. The client does not require to meet the requirement for the user to proceed or have network access.

Audit—This option checks the client for the posture requirement without notifying the user. It does not affect user network access.

b. Click the Select Requirement Quick Picker (down arrow) icon.

The Requirements widget appears.

c. Choose a requirement.

d. Click the Add (plus [+] sign) button to associate more than one requirement to the posture policy.

e. Click the Remove (minus [-] sign) button to remove the requirement from the posture policy.

To create a requirement, complete the following steps:

a. From the Requirements field, choose Select Requirement .

b. From the Select Requirement field, click the plus [+] sign to expand the requirements anchored overlay.

The requirements anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

You can enforce a posture requirement to be one of the following items types:

Mandatory—This option enforces the client to meet the posture requirement. The user cannot proceed or have access to the network unless the client meets the posture requirement.

Optional—This option does not enforce the client to meet the posture requirement. The client can bypass the requirement, if required. The client does not require to meet the requirement for the user to proceed or have network access.

Audit—This option checks the client for the posture requirement without notifying the user. It does not affect user network access.

c. Click the Select Requirement Quick Picker (down arrow) icon.

The Requirements widget appears.

d. Click the Quick Picker (down arrow) on the Action button.

e. Choose Create Requirement .

The Add Requirement widget appears. Here, you can configure the posture requirement from the Posture Policy page where you can associate posture conditions and posture remediation actions for that requirement.

Step 8 Click Save to save the posture policy. Click Cancel to revert to the Posture Policy page without creating a new policy on the Posture Policy page.


 

Troubleshooting Topics

Duplicating a Posture Policy

You can create a copy of the posture policy that you want to duplicate on the Posture Policies page.

To duplicate a policy, complete the following steps:


Step 1 Click the Action Icon button.

Step 2 Choose Duplicate .

Here, you can create a copy of the policy that you want to duplicate on the Posture Policies page.


 

Troubleshooting Topics

Deleting a Posture Policy

You can also delete a posture policy from the Posture Policies page.

To delete a policy, complete the following steps:


Step 1 Click the Action Icon button.

Step 2 Choose Delete .

A confirmation dialog appears with the following message: “Are you sure you want to delete Policy(s)?”.

Step 3 Click OK to delete a policy.

Here, you can delete a posture policy from the Posture Policies page.

Step 4 Click Cancel to return to the Posture Policies page without deleting the posture policy.


 

Posture Assessment and Remediation Options in Cisco ISE

The NAC Agent and the Web Agent for Windows provide the posture assessment and remediation for Windows clients, and the NAC Agent for Macintosh provide the posture assessment and remediation for Macintosh clients. Before you begin to configure custom conditions and remediation actions in Cisco ISE, you must understand the posture assessment and remediation types that are supported by the NAC Agents for Windows and Macintosh, and the Web Agent for Windows.

Table 20-8 provides the list of posture assessment (checks) and remediation options that are supported by the NAC Agents for Windows and Macintosh, and the Web Agent for Windows.

 

Table 20-8 Posture Assessment and Remediation Options

NAC Agent for
Windows
Web Agent for
Windows
NAC Agent for
Macintosh OS X
Posture Assessments

Operating System/Service Packs/Hotfixes

*

*

Not Applicable

Process Check

*

*

Not Applicable

Registry Check

*

*

Not Applicable

File Check

*

*

Not Applicable

Application Check

*

*

Not Applicable

Antivirus Installation

*

*

*

Antivirus Version/ Antivirus Definition Date

*

*

*

Antispyware Installation

*

*

*

Antispyware Version/ Antispyware Definition Date

*

*

*

Windows Update Running

*

*

Not Applicable

Windows Update Configuration

*

*

Not Applicable

WSUS Compliance Settings

*

*

Not Applicable

Posture Remediations

Message Text (Local Check)

*

*

*

URL Link (Link Distribution)

*

*

*

File Distribution

*

*

Not Applicable

Launch Program

*

Not Applicable

Not Applicable

Antivirus Definition Update

*

Not Applicable

Antivirus Live Update

Antispyware Definition Update

*

Not Applicable

Antispyware Live Update

Windows Update

*

Not Applicable

Not Applicable

WSUS

*

Not Applicable

Not Applicable

Custom Conditions for Posture

A posture condition can be any one of the following simple conditions: a file, a registry, an application, a service, or a dictionary condition. One or more conditions from these simple conditions form a compound condition, which can be associated to a posture requirement.

User Defined Conditions and Cisco Defined Conditions

Cisco ISE redefines posture conditions into either user defined conditions that you create on their respective conditions list pages or Cisco defined conditions.

After an initial posture update, Cisco ISE creates the following user defined AV compound conditions and AS compound conditions:

  • ANY_av_mac_def—Any AV definition check on MAC
  • ANY_av_mac_inst—Any AV installation check on MAC
  • ANY_av_win_def—Any AV definition check on Windows
  • ANY_av_mac_inst—Any AV installation check on Windows
  • ANY_as_mac_def—Any AS definition check on MAC
  • ANY_as_mac_inst—Any AS installation check on MAC
  • ANY_as_win_def—Any AS definition check on Windows
  • ANY_as_mac_inst—Any AS installation check on Windows

After an initial posture update, Cisco ISE also creates Cisco defined simple and compound conditions. Cisco defined simple file, registry, application, and service conditions have pc_ as their prefixes, and compound conditions have pr_ as their prefixes.


Note The conditions that appear in the Policy > Policy Elements > Conditions > Posture > AV Compound Conditions or AS Compound Conditions page may vary as follows:

  • If you have performed a new installation of Cisco ISE, Release 1.1 and have not performed a compliance module update, this display will be empty.
  • If you have performed a new installation of Cisco ISE, Release 1.1 and perform a compliance module update, Cisco ISE displays the appropriate antivirus or antispyware subset of the list above.
  • If you have updated from an earlier release of Cisco ISE to release 1.1 and perform a compliance module update, Cisco ISE displays the appropriate antivirus or antispyware subset of the list above in addition to many other vendor specific conditions carried over from the earlier release database.


 

A user defined condition or a Cisco defined condition includes both simple conditions such as a file condition, a registry condition, an application condition, and a service condition, as well as compound conditions such as a regular compound condition, an antivirus compound condition, and an antispyware compound condition.

You can use the Posture menu to manage the following posture simple conditions:

  • File Conditions—A simple condition that checks the existence of a file, the date of a file, and the versions of a file on the client
  • Registry Conditions—A simple condition that checks for the existence of a registry key or the value of the registry key on the client
  • Application Conditions—A simple condition that checks if an application (process) is running or not running on the client
  • Service Conditions—A simple condition that checks if a service is running or not running on the client
  • Dictionary Simple Conditions—A simple condition that checks an attribute associated to an operator and the operator to a value

Note A simple condition cannot be deleted due to Referential Integrity errors in Cisco ISE when it is associated to one or more compound conditions. As simple conditions can be associated to a compound condition, you cannot delete the following simple conditions: a file, a registry, an application, a service, and a dictionary simple condition. If you attempt to delete a simple condition, Cisco ISE throws an error message stating that the compound conditions need to be updated, or deleted first to which simple conditions are associated.



Note You cannot delete, or edit Cisco defined posture simple conditions.


You can use the Posture menu to manage the following posture compound conditions:


Note A compound condition cannot be deleted due to Referential Integrity errors in Cisco ISE. As compound conditions can be associated to a posture requirement, you cannot delete the following compound conditions: a compound condition, an antivirus, an antispyware, and a dictionary compound condition. If you attempt to delete a compound condition, Cisco ISE throws an error message stating that the posture requirements need to be updated, or deleted first to which compound conditions are associated.



Note You cannot delete, or edit Cisco defined posture compound conditions.


File Conditions

A file condition is a simple (single) condition that checks for a file by its existence on the client, or its date when created, or modified on the client, or its version that exists on the client. You can create FileExistence, FileDate, and FileVersion types of file conditions to check the compliance of the file on the client. The FileExistence type checks the existence of a file on the client. The FileDate type checks the file based on its file-created date, or file-modified date on the client. The FileVersion type checks for the specific version of the file that you define in the file condition. When you create a file condition on the File condition list page, you can see the fields change to provide details according to your input.

The File Conditions page displays file conditions along with their names and description. It also displays the names of the files to be checked for each of the file condition type.


Note Cisco defined file conditions that are listed on the File Conditions page are not editable.


This section provides the procedures that you can use to configure file conditions.

Configuring File Conditions

You can create any one of the following types of a file condition on the File Conditions page: FileExistence, FileDate, and FileVersion. You can also duplicate, edit, delete, or filter file conditions from the File Conditions page.

This section covers the following procedures:

Viewing File Conditions

You can use the File Conditions page to view file conditions.

To view file conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you create.

Step 5 Choose a file condition from the file conditions list.

Step 6 Click View .

Here, you can choose a file condition to view the details.


 

Creating, Duplicating, Editing, and Deleting a File Condition of FileExistence Type

You can use the File Conditions page to create, duplicate, edit, or delete a file condition of FileExistence type, which allows you to check that a file exists on the client, or does not exist on the client.

To create a file condition of FileExistence type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the file condition is not editable.

Step 6 Modify the values on the New File Condition page, as shown in Table 20-9 .

Here, you can create to add a file condition of FileExistence type, which appears on the File Conditions page.

Step 7 Click Submit to create a file condition of FileExistence type.


 

To duplicate a file condition of FileExistence type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to duplicate.

Step 3 From the File Conditions page, choose Duplicate .

Here, you can create a copy of the file condition of FileExistence type.

Step 4 Click Submit to create a copy of the file condition of FileExistence type.


 

To edit a file condition of FileExistence type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to edit.

Step 3 From the File Conditions page, choose Edit .

Here, you can edit a file condition of FileExistence type.

Step 4 Click Save to save the changes to the file condition of FileExistence type.

The file condition of FileExistence type will be available on the File Conditions page after editing on the edit page.

Step 5 Click the File Conditions List link from the edit page to return to the File Conditions page.


 

To delete a file condition of FileExistence type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to delete.

Step 3 From the File Conditions page, choose Delete .

Here, you can delete a file condition of FileExistence type.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-9 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileExistence type condition.

 

Table 20-9 File Condition of FileExistence Type

Field Name
Field Description

Name

From the Name field, enter the name of a file condition that you want to create.

Description

From the Description field, enter a description of the file condition that you want to create.

File Path

From the File Path field, this option allows you to check the existence of a file in the location you specify. Click the drop-down arrow to view the following predefined settings:

  • ABSOLUTE_PATH—checks the file in the fully qualified path of the file. For example, C:\<directory>\file name. For other settings, enter only the file name.
  • SYSTEM_32—checks the file in the C:\WINDOWS\system32 directory. Enter the file name.
  • SYSTEM_DRIVE—checks the file in the C:\ drive. Enter the file name.
  • SYSTEM_PROGRAMS—checks the file in the C:\Program Files. Enter the file name.
  • SYSTEM_ROOT—checks the file in the root path for Windows system. Enter the file name.

File Type

From the File Type field, selecting a File Type allows you to check a file for the existence of a file on the client, file-created or file-modified date of the file, and its version. Click the drop-down arrow to view the following predefined settings:

  • FileExistence—checks whether a file exists on the system.
  • FileDate—checks whether a file with a particular file-created or file-modified date exists on the system.
  • FileVersion—checks whether a particular version of a file exists on the system.

File Operator

From the File Operator field, selecting an operator allows you to check the existence of a file in the specified location. Click the drop-down arrow to view the following predefined settings.

  • Exists
  • DoesNotExist

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.

Creating, Duplicating, Editing, and Deleting a File Condition of FileDate Type

You can use the File Conditions page to create, duplicate, edit, or delete a file condition of FileDate type by using file-created, or file-modified date.

To create a File Condition of FileDate type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the file condition is not editable.

Step 6 Modify the values on the New File Condition page , as shown in Table 20-10 .

Here, you can create a file condition of FileDate type with file-created date or file-modified date.

Step 7 Click Submit to create a file condition of FileDate type.


 

To duplicate a file condition of FileDate type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to duplicate.

Step 3 From the File Conditions page, choose Duplicate .

Here, you can create a copy of the file condition of FileDate type.

Step 4 Click Submit to create a copy of the file condition of FileDate type.


 

To edit a file condition of FileDate type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to edit.

Step 3 From the File Conditions page, choose Edit .

Here, you can edit a file condition of FileDate type.

Step 4 Click Save to save the changes to the file condition of FileDate type.

The file condition of FileDate type will be available on the File Conditions page after editing on the edit page.

Step 5 Click the File Conditions List link from the edit page to return to the File Conditions page.


 

To delete a file condition of FileDate type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to delete.

Step 3 From the File Conditions page, choose Delete .

Here, you can delete a file condition of FileDate type.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-10 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileDate type condition.

 

Table 20-10 File Condition of FileDate Type

Field Name
Field Description

Name

From the Name field, enter the name of a file condition that you want to create.

Description

From the Description field, enter the description of a file condition that you want to create

File Path

From the File Path field, this option allows you to check the existence of a file in the location you specify. Click the drop-down arrow to view the following predefined settings:

  • ABSOLUTE_PATH—checks the file in the fully qualified path of the file. For example, C:\<directory>\file name. For other settings, enter only the file name.
  • SYSTEM_32—checks the file in the C:\WINDOWS\system32 directory. Enter the file name.
  • SYSTEM_DRIVE—checks the file in the C:\ drive. Enter the file name.
  • SYSTEM_PROGRAMS—checks the file in the C:\Program Files. Enter the file name.
  • SYSTEM_ROOT—checks the file in the root path for Windows system. Enter the file name.

File Type

From the File Type field, selecting a File Type allows you to check a file for the existence of the file on the client, file-created or file-modified date of the file, and its version. Click the drop-down arrow to view the following predefined settings:

  • FileExistence—checks whether a file exists on the system.
  • FileDate—checks whether a file with a particular file-created or file-modified date exists on the system.
  • FileVersion—checks whether a particular version of a file exists on the system.

File Date Type

From the File Date Type field, selecting the date type allows you to check the existence of a file with a particular file-created or file-modified date. Click the drop-down arrow to view the following predefined settings:

  • Creation Date
  • Modification Date

Operator

From the Operator field, selecting an operator allows you to check the existence of a file with a particular date or version. Click the drop-down arrow to view the following predefined settings:

  • EarlierThan
  • LaterThan
  • EqualTo

Date and Time

From the Date and Time fields, entering date and time of the client system, which is expressed in mm/dd/yyyy [hh:mm:ss] format allows you to check the existence of a file with date and time of the client system.

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.

Creating, Duplicating, Editing, and Deleting a File Condition of FileVersion Type

You can use the File Conditions page to create, duplicate, edit, or delete a file condition of FileVersion type that has more than one version.

To create a file condition of FileVersion type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the file condition is not editable.

Step 6 Modify the values on the New File Condition page , as shown in Table 20-11 .

Here, you can create a file condition of FileVersion type, where the file has more than one version.

Step 7 Click Submit to create a file condition of FileVersion type.


 

To duplicate a file condition of FileVersion type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to duplicate.

Step 3 From the File Conditions page, choose Duplicate .

Here, you can create a copy of the file condition of FileVersion type.

Step 4 Click Submit to create a copy of the file condition of FileVersion type.


 

To edit a file condition of FileVersion type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to edit.

Step 3 From the File Conditions page, choose Edit .

Here, you can edit a file condition of FileVersion type.

Step 4 Click Save to save the changes to the file condition of FileVersion type.

A file condition of FileVersion type will be available on the File Conditions page after editing on the edit page.

Step 5 Click the File Conditions List link from the edit page to return to the File Conditions page.


 

To delete a file condition of FileVersion type, complete the following steps:


Step 1 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to delete.

Step 3 From the File Conditions page, choose Delete .

Here, you can delete a file condition of FileVersion type.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-11 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileVersion type condition.

 

Table 20-11 File Condition of FileVersion Type

Field Name
Field Description

Name

From the Name field, enter the name of a file condition that you want to create.

Description

From the Description field, enter the description of a file condition that you want to create

File Path

From the File Path field, this option allows you to check the existence of a file in the location you specify. Click the drop-down arrow to view the following predefined settings:

  • ABSOLUTE_PATH—checks the file in the fully qualified path of the file. For example, C:\<directory>\file name. For other settings, enter only the file name.
  • SYSTEM_32—checks the file in the C:\WINDOWS\system32 directory. Enter the file name.
  • SYSTEM_DRIVE—checks the file in the C:\ drive. Enter the file name.
  • SYSTEM_PROGRAMS—checks the file in the C:\Program Files. Enter the file name.
  • SYSTEM_ROOT—checks the file in the root path for Windows system. Enter the file name.

File Type

From the File Type field, selecting a File Type allows you to check a file for the existence of the file on the client, file-created or file-modified date of the file, and its version. Click the drop-down arrow to view the following predefined settings:

  • FileExistence—checks whether a file exists on the system.
  • FileDate—checks whether a file with a particular file-created or file-modified date exists on the system.
  • FileVersion—checks whether a particular version of a file exists on the system.

Operator

From the Operator field, selecting an operator allows you to check the existence of a file with a particular date or version. Click the drop-down arrow to view the following predefined settings:

  • EarlierThan
  • LaterThan
  • EqualTo

File Version

From the File Version field, enter the version of the file that allows you to check the existence of a file with a particular version of the file.

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.

Filtering File Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the File Conditions page. A quick filter is a simple and quick filter that can be used to filter file conditions on the File Conditions page. It filters file conditions based on the field description such as the name of the file conditions, description, and the file to be checked on the File Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the File Conditions page. It filters file conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the File Conditions page. You can also edit preset filters and remove them from the preset filters list.

To filter file conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition .

The File Conditions page appears, which lists all the file conditions that you have already created.

Step 5 From the File Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-12 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the File Conditions page, choose All from the Show drop-down to display all the file conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters file conditions based on each field description on the File Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the File Conditions page. If you clear the field, it displays the list of all the file conditions on the File Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter file conditions by using variables that are more complex. It contains one or more filters, which filter file conditions based on the values that match the field description. A filter on a single row filters file conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter file conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove a filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-12 describes the fields that allow you to filter file conditions on the File Conditions page.

Table 20-12 Filtering File Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter file conditions by the condition name.

Description

This field enables you to filter file conditions by the condition description.

Field Name

This field enables you to filter file conditions by the filename.

Condition Type

This field enables you to filter file conditions by Cisco predefined and not Cisco predefined conditions.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • File Name
  • Condition Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter file conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter file conditions.

Registry Conditions

A registry condition is a simple (single) condition that checks a registry key or the value of the registry on the client. You can create RegistryKey, RegistryKeyValue, and RegistryValueDefault types of registry conditions to check the compliance of the client on a registry. The RegistryKey type checks the existence of a registry on the client, and the RegistryKeyValue type checks the data of the registry key on the client. The RegistryValueDefault is the same as the RegistryKeyValue except that the former checks for the default value. When you create a registry condition on the Registry Conditions page, you can see the fields change to provide details according to your input.

The Registry Conditions page displays registry conditions along with their names, description, and the type of registry conditions.


Note Cisco predefined registry conditions that are listed on the Registry Conditions page are not editable.


This section provides the procedure that you can use to configure registry conditions.

Configuring Registry Conditions

You can create any one of the following types of a registry condition on the Registry Conditions page: RegistryKey, RegistryKeyValue, and RegistryValueDefault types. You can also duplicate, edit, delete, or filter the registry conditions from the Registry Conditions page.

This section covers the following procedures:

Viewing Registry Conditions

You can use the Registry Conditions page to view registry conditions.

To view registry conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists predefined Cisco registry conditions and all the registry conditions that you create.

Step 5 Choose a registry condition from the registry conditions list.

Step 6 Click View .

Here, you can choose a registry condition to view the details.

Step 7 Click the Registry Conditions List link to return to the Registry Conditions page.


 

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryKey Type

You can use the Registry Conditions page to create, duplicate, edit, or delete a registry condition of RegistryKey type, which allows you to check the existence of a registry on the client.

To create a registry condition of RegistryKey type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists predefined Cisco registry conditions and all the registry conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the registry condition is not editable.

Step 6 Modify the values on the New Registry Condition page, as shown in Table 20-13 .

Here, you can create to add a registry condition of RegistryKey type, which appears on the Registry Conditions page.

Step 7 Click Submit to create a registry condition of RegistryKey type.


 

To duplicate a registry condition of RegistryKey type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to duplicate.

Step 3 From the Registry Conditions page, choose Duplicate .

Here, you can create a copy of the registry condition of RegistryKey type.

Step 4 Click Submit to create a copy of the registry condition of RegistryKey type.


 

To edit a registry condition of RegistryKey type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to edit.

Step 3 From the Registry Conditions page, choose Edit .

Here, you can edit a registry condition of RegistryKey type.

Step 4 Click Save to save the changes to the registry condition of RegistryKey type.

A registry condition of RegistryKey type will appear on the Registry Conditions page after editing on the edit page.

Step 5 Click the Registry Conditions List link from the edit page to return to the Registry Conditions page.


 

To delete a registry condition of RegistryKey type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to delete.

Step 3 From the Registry Conditions page, choose Delete .

Here, you can delete a registry condition of RegistryKey type.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-13 describes the fields on the New Registry Condition page that allow you to create, duplicate, or edit a registry condition on its edit page of RegistryKey type condition.

 

Table 20-13 Registry Condition for RegistryKey

Field Name
Field Description

Name

From the Name field, enter the name of the registry condition that you want to create.

Description

From the Description field, enter the description of the registry condition that you want to create.

Registry Type

From the Registry Type field, selecting a Registry Type allows you to check the existence of the registry key in the client registry, or the value of the registry key. Click the drop-down arrow to view the following predefined settings:

  • RegistryKey—Checks whether a specific registry key exists in the registry.
  • RegistryValue—Checks whether a named registry key exists or has a particular value, version, or modification date.
  • RegistryValueDefault—Checks whether an unnamed (default) registry key exists or has a particular value, version, or modification date.

Registry Root Key

From the Registry Root Key field, selecting a Registry Root Key allows you to check the registry key, or the value of the registry key in the client registry from the root. Click the drop-down arrow to view the following Registry Root Key locations:

  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CURRENT_CONFIG (HKCC)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_USERS (HKU)
  • HKEY_CLASSES_ROOT (HKCR)

Sub Key

From the Sub Key field, selecting a sub key without the leading backslash (“\”) allows you to check the registry key and the registry key value in the path specified in the sub key.

For example, SOFTWARE\Symantec\Norton AntiVirus\version from HKLM\SOFTWARE\Symantec\Norton AntiVirus\version

Value Operator

From the Value Operator field, selecting an operator allows you to check the existence or nonexistence of the registry key and the registry key value.

Click the drop-down arrow to view the following settings:

  • Exists
  • DoesNotExist

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValue Type

You can use the Registry Conditions page to create, duplicate, edit, or delete a registry condition of RegistryValue type.

To create a registry condition of RegistryValue type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the registry condition is not editable.

Step 6 Modify the values on the New Registry Condition page, as shown in Table 20-14 .

Here, you can create to add a Registry Condition of RegistryValue type, which appears on the Registry Conditions page.

Step 7 Click Submit to create a registry condition of RegistryValue type


 

To duplicate a registry condition of RegistryValue type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to duplicate.

Step 3 From the Registry Conditions page, choose Duplicate .

Here, you can create a copy of the registry condition of RegistryValue type.

Step 4 Click Submit to create a copy of the registry condition of RegistryValue type.


 

To edit a registry condition of RegistryValue type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to edit.

Step 3 From the Registry Conditions page, choose Edit .

Here, you can edit a registry condition of RegistryValue type.

Step 4 Click Save to save the changes to the registry condition of RegistryValue type.

A registry condition of RegistryValue type appears on the Registry Conditions page after editing on the edit page.

Step 5 Click the Registry Conditions List link from the edit page to return to the Registry Conditions page.


 

To delete a registry condition of RegistryValue type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to delete.

Step 3 From the Registry Conditions page, choose Delete .

Here, you can delete a registry condition of RegistryValue type.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-14 describes the fields on the New Registry Condition page that allow you to create, duplicate, or edit a registry condition on its edit page of RegistryValue type condition.

 

Table 20-14 Registry Condition for RegistryValue

Field Name
Field Description

Name

From the Name field, enter the name of the registry condition that you want to create.

Description

From the Description field, enter the description of the registry condition that you want to create.

Registry Type

From the Registry Type field, selecting a Registry Type allows you to check the existence of the registry key in the client registry, or the value of the registry key. Click the drop-down arrow to view the following predefined settings:

  • RegistryKey—Checks whether a specific registry key exists in the registry.
  • RegistryValue—Checks whether a named registry key exists or has a particular value, version, or modification date.
  • RegistryValueDefault—Checks whether an unnamed (default) registry key exists or has a particular value, version, or modification date.

Registry Root Key

From the Registry Root Key field, selecting a Registry Root Key allows you to check the registry key, or the value of the registry key in the client registry from the root. Click the drop-down arrow to view the following Registry Root Key locations:

  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CURRENT_CONFIG (HKCC)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_USERS (HKU)
  • HKEY_CLASSES_ROOT (HKCR)

Sub Key

From the Sub Key field, selecting a sub key without the leading backslash (“\”) allows you to check the registry key and the registry key value in the path specified in the sub key.

For example, SOFTWARE\Symantec\Norton AntiVirus\version from HKLM\SOFTWARE\Symantec\Norton AntiVirus\version

Value Name

From the Value Name field, enter the name of the registry key value against which you want to check in the client registry.

Value Data Type

From the Value Data Type field, selecting the data type allows you to check the registry key value data type, and its value using an operator. Click the drop-down arrow to view the predefined settings:

  • Unspecified—choose one of the operators in the drop-down list to check the existence of the registry key value
  • Number—choose one of the operators in the drop-down list to check the registry key value using a number in the registry key value
  • String—choose one of the operators in the drop-down list to check the registry key value using a string in the registry key value
  • Version—choose one of the operators in the drop-down list to check the registry key value using its version

Value Operator

From the Value Operator field, selecting an operator allows you to check the existence or nonexistence of data type of the registry key value using an operator.

Click the drop-down arrow to view the following settings:

  • Exists
  • DoesNotExist

Value Data

From the Value Data field, enter the value of the registry key for the data type of the registry that you select.

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValueDefault Type

You can use the Registry Conditions page to create, duplicate, edit, or delete a registry condition of RegistryValueDefault type.

To create a registry condition of RegistryValueDefault type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the registry condition is not editable.

Step 6 Modify the values on the New Registry Condition page, as shown in Table 20-15 .

Here, you can create to add a Registry Condition of RegistryValueDefault type, which appears on the Registry Conditions page.

Step 7 Click Submit to create a registry condition of RegistryValueDefault type.


 

To duplicate a registry condition of RegistryValueDefault type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to duplicate.

Step 3 From the Registry Conditions page, choose Duplicate .

Here, you can create a copy of the registry condition of RegistryValueDefault type.

Step 4 Click Submit to create a copy of the registry condition of RegistryValueDefault type.


 

To edit a registry condition of RegistryValueDefault type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to edit.

Step 3 From the Registry Conditions page, choose Edit .

Here, you can edit a registry condition of RegistryValueDefault type.

Step 4 Click Save to save the changes to the registry condition of RegistryValueDefault type.

A registry condition of RegistryValueDefault type appears on the Registry Conditions page after editing on the edit page.

Step 5 Click the Registry Conditions List link from the edit page to return to the Registry Conditions page.


 

To delete a registry condition of RegistryValueDefault type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to delete.

Step 3 From the Registry Conditions page, choose Delete .

Here, you can delete a registry condition of RegistryValueDefault type.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-15 describes the fields on the New Registry Condition page that allow you to create, or edit a registry condition on its edit page of RegistryValueDefault type condition.

 

Table 20-15 Registry Condition for RegistryValueDefault

Field Name
Field Description

Name

From the Name field, enter the name of the registry condition that you want to create.

Description

From the Description field, enter the description of the registry condition that you want to create.

Registry Type

From the Registry Type field, selecting a Registry Type allows you to check the existence of the registry key in the client registry, or the value of the registry key. Click the drop-down arrow to view the following predefined settings:

  • RegistryKey—Checks whether a specific registry key exists in the registry.
  • RegistryValue—Checks whether a named registry key exists or has a particular value, version, or modification date.
  • RegistryValueDefault—Checks whether an unnamed (default) registry key exists or has a particular value, version, or modification date.

Registry Root Key

From the Registry Root Key field, selecting a Registry Root Key allows you to check the registry key, or the value of the registry key in the client registry from the root. Click the drop-down arrow to view the following Registry Root Key locations:

  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CURRENT_CONFIG (HKCC)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_USERS (HKU)
  • HKEY_CLASSES_ROOT (HKCR)

Sub Key

From the Sub Key field, selecting a sub key without the leading backslash (“\”) allows you to check the registry key and the registry key value in the path specified in the sub key.

For example, SOFTWARE\Symantec\Norton AntiVirus\version from HKLM\SOFTWARE\Symantec\Norton AntiVirus\version

Value Name

(Default)

Value Data Type

From the Value Data Type field, selecting the data type allows you to check the registry key value data type, and its value using an operator. Click the drop-down arrow to view the predefined settings:

  • Number—choose one of the operators in the drop-down list to check the registry key value using a number in the registry key value
  • String—choose one of the operators in the drop-down list to check the registry key value using a string in the registry key value
  • Version—choose one of the operators in the drop-down list to check the registry key value using its version

Value Operator

From the Value Operator field, selecting an operator allows you to check the existence or nonexistence of data type of the registry key value using an operator.

Click the drop-down arrow to view the following settings:

  • Exists
  • DoesNotExist

Value Data

From the Value Data field, enter the value of the registry key for the data type of the registry that you select.

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.

Filtering Registry Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Registry Conditions page. A quick filter is a simple and quick filter that can be used to filter registry conditions on the Registry Conditions page. It filters registry conditions based on the field description such as the name of the registry conditions, description, and the type of registry conditions on the Registry Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Registry Conditions page. It filters registry conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Registry Conditions page. You can also edit preset filters and remove them from the preset filters list.

To filter registry conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition .

The Registry Conditions page appears, which lists all the registry conditions that you have created.

Step 5 From the Registry Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-16 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Registry Conditions page, choose All from the Show drop-down to display all the registry conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters registry conditions based on each field description on the Registry Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Registry Conditions page. If you clear the field, it displays the list of all the registry conditions on the Registry Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter registry conditions by using variables that are more complex. It contains one or more filters, which filter registry conditions based on the values that match the field description. A filter on a single row filters registry conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter registry conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-16 describes the fields that allow you to filter registry conditions on the Registry Conditions page.

Table 20-16 Filtering Registry Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter registry conditions by the condition name.

Description

This field enables you to filter registry conditions by the condition description.

Registry Type

This field enables you to filter registry conditions by the registry type.

Condition Type

This field enables you to filter registry conditions by Cisco predefined and not Cisco predefined conditions

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Registry Type
  • Condition type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter registry conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter registry conditions.

Application Conditions

An application condition is a simple (single) condition, which checks applications that are running, and are not running on the client. The application condition can check for various application processes that are typically viewable under Windows Task Manager.

The Application Conditions page displays application conditions along with their names, description, as well as applications that are running and are not running on the client. It also shows the status of applications whether they are running, or are not running on the client.


Note Cisco predefined application conditions that are listed on the Application Conditions page are not editable.


This section provides the procedure that you can use to configure application conditions.

Configuring Application Conditions

Configuring Application Conditions

You can create an application condition to check that an application is running, or not running on the client. You can also duplicate, edit, delete, or filter application conditions from the Application Conditions page.

This section covers the following procedures:

Viewing Application Conditions

You can use the Application Conditions page to view application conditions.

To view application conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Application Condition .

The Application Conditions page appears, which lists predefined Cisco application conditions and all the application conditions that you create.

Step 5 Choose an application condition from the application conditions list.

Step 6 Click View .

Here, you can choose an application condition to view the details.

Step 7 Click the Application Conditions List link to return to the Application Conditions page.


 

Creating, Duplicating, Editing, and Deleting an Application Condition

You can use the Application Conditions page to create, duplicate, edit, or delete an application condition, which allows you to check various application processes that are running, or are not running on the client.

To create an application condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Application Condition .

The Application Conditions page appears, which lists predefined Cisco application conditions and all the application conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the application condition is not editable.

Step 6 Modify the values on the New Application Condition page, as shown in Table 20-17 .

Here, you can create to add an application condition, which appears on the Application Conditions page.

Step 7 Click Submit to create an application condition.


 

To duplicate an application condition, complete the following steps:


Step 1 From the Posture menu, choose Application Condition .

The Applications conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.

Step 2 Choose the application condition that you want to duplicate.

Step 3 From the Application Conditions page, choose Duplicate .

Here, you can create a copy of the application condition.

Step 4 Click Submit to create a copy of the application condition.


 

To edit an application condition, complete the following steps:


Step 1 From the Posture menu, choose Application Condition .

The Application Conditions page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.

Step 2 Choose the application condition that you want to edit.

Step 3 From the Application Conditions page, choose Edit .

Here, you can edit an application condition.

Step 4 Click Save to save the changes to the application condition.

The application condition will appear on the Application Conditions page after editing on the edit page.

Step 5 Click the Application Conditions List link from the edit page to return to the Application Conditions page.


 

To delete an application condition, complete the following steps:


Step 1 From the Posture menu, choose Application Condition .

The Application Conditions page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.

Step 2 Choose the application condition that you want to delete.

Step 3 From the Application Conditions page, choose Delete .

Here, you can delete an application condition.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-17 describes the fields on the New Application Condition list page that allow you to create, duplicate, or edit an application condition on its edit page.

 

Table 20-17 Application Condition

Field Name
Field Description

Name

From the Name field, enter the name of the application condition that you want to create.

Description

From the Description field, enter the description of the application condition that you want to create.

Process Name

From the Process Name field, enter the name of the application that you want to check whether it is running, or not running on the client.

Application Operator

From the Application Operator field, selecting the status of an application allows you to check whether that application is running, or not running on the client. Click the drop-down arrow to view the following predefined settings:

  • Running
  • NotRunning

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.

Filtering Application Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Applications Conditions page. A quick filter is a simple and quick filter that can be used to filter application conditions on the Application Conditions page. It filters application conditions based on the field description such as the name of the application conditions, description, and that shows the status whether applications are running, or not running on the client on the Application Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Application Conditions page. It filters application conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Application Conditions page.You can also edit preset filters and remove them from the preset filters list.

To filter application conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Application Condition .

The Application Conditions page appears, which lists all the application conditions that you have created.

Step 5 From the Application Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-18 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Application Conditions page, choose All from the Show drop-down to display all the application conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters application conditions based on each field description on the Application Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Application Conditions page. If you clear the field, it displays the list of all the application conditions on the Application Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter application conditions by using variables that are more complex. It contains one or more filters, which filter application conditions based on the values that match the field description. A filter on a single row filters application conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter application conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-18 describes the fields that allow you to filter application conditions on the Application Conditions page.

Table 20-18 Filtering Application Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter application conditions by the condition name.

Description

This field enables you to filter application conditions by the condition description.

Status

This field enables you to filter application conditions by checking the status of applications whether they are running or not running.

Condition Type

This field enables you to filter application conditions by Cisco defined and user defined conditions.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Status
  • Condition Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter application conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter application conditions.

Service Conditions

A service condition is a simple (single) condition, which checks services that are running, and are not running on the client. The service condition can check for various services such as security, or application agents that are typically viewable from the Windows Services console.

The Service Conditions page displays service conditions along with their names and description of the service conditions. It also shows the status whether the services are, or are not running on the client.

Cisco Predefined Checks

The Service Conditions page displays predefined Cisco checks as well as service conditions that you create on the Service Condition page. The predefined Cisco checks are downloaded on your Cisco ISE deployment as a result of dynamic posture updates. The pc_AutoUpdateCheck is one of the predefined Cisco checks, which is downloaded to the service conditions list (simple conditions).

For information on downloading Posture updates through the web, see the “Dynamic Posture Updates” section.

pc_AutoUpdateCheck

The pc_AutoUpdateCheck is a single (simple) condition, which can be used in a compound condition. The pr_AutoUpdateCheck_Rule is a compound condition that uses the pc_AutoUpdateCheck simple condition.

For information on how the pr_AutoUpdateCheck_Rule is used in a Windows update remediation, see the “pr_AutoUpdateCheck_Rule” section.


Note Cisco predefined service conditions that are listed on the Service Conditions page are not editable.


This section provides the procedure that you can use to configure service conditions.

Configuring Service Conditions

Configuring Service Conditions

You can create a service condition to check that a service is running, or not running on the client. You can also duplicate, edit, delete, or filter service conditions from the Services conditions list page.

This section covers the following procedures:

Viewing Service Conditions

You can use the Service Conditions page to view service conditions.

To view service conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Service Condition .

The Service Conditions page appears, which lists predefined Cisco service conditions and all the service conditions that you create.

Step 5 Choose a service condition from the service conditions list.

Step 6 Click View .

Here, you can choose a service condition to view the details.

Step 7 Click the Service Conditions List link to return to the Service Conditions page.


 

Creating, Duplicating, Editing, and Deleting a Service Condition

You can use the Service Conditions page to create, duplicate, edit, or delete a service condition, which allows you to check various services that are running or not running on the client.

To create a service condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Service Condition .

The Service Conditions page appears, which lists predefined Cisco service conditions and all the service conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the service condition is not editable.

Step 6 Modify the values on the New Service Condition page, as shown in Table 20-19 .

Here, you can create to add a service condition, which appears on the Service Conditions page.

Step 7 Click Submit to create a Service condition.


 

To duplicate a service condition, complete the following steps:


Step 1 From the Posture menu, choose Service Condition .

The Service Conditions page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.

Step 2 Choose the service condition that you want to duplicate.

Step 3 From the Service Conditions page, choose Duplicate .

Here, you can create a copy of the service condition.

Step 4 Click Submit to create a copy of the service condition.


 

To edit a service condition, complete the following steps:


Step 1 From the Posture menu, choose Service Condition .

The Service Conditions page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.

Step 2 Choose the service condition that you want to edit.

Step 3 From the Service Conditions page, choose Edit .

Here, you can edit a service condition.

Step 4 Click Save to save the changes to the service condition.

The service condition will appear on the Service Conditions page after editing on the edit page.

Step 5 Click the Service Conditions List link from the edit page to return to the Service Conditions page.


 

To delete a service condition, complete the following steps:


Step 1 From the Posture menu, choose Service Condition .

The Service Conditions page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.

Step 2 Choose the service condition that you want to delete.

Step 3 From the Service Conditions page, choose Delete .

Here, you can delete a service condition.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-19 describes the fields on the New Service Condition page that allow you to create, duplicate, or edit a service condition on its edit page.

 

Table 20-19 Service Condition

Field Name
Field Description

Name

From the Name field, enter the name of the service condition that you want to create.

Description

From the Description field, enter the description of the service condition that you want to create.

Service Name

From the Service Name field, enter the name of the service that you want to check whether it is running, or not running on the client.

Service Operator

From the Service Operator field, selecting the status of a service allows you to check whether that service is running, or not running on the client. Click the drop-down arrow to view the following predefined settings.

  • Running
  • NotRunning

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.

Filtering Service Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Service Conditions page. A quick filter is a simple and quick filter that can be used to filter service conditions on the Service Conditions page. It filters service conditions based on the field description such as the name of the service condition, description, and that checks for services that are running, or not running on the client on the Service Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Service Conditions page. It filters service conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Service Conditions page.You can also edit preset filters and remove them from the preset filters list.

To filter service conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Service Condition .

The Service Conditions page appears, which lists all the service conditions that you have created.

Step 5 From the Service Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-20 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.

Step 6 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Service Conditions page.


Note To return to the Service Conditions page, choose All from the Show drop-down to display all the service conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters service conditions based on each field description on the Service Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Service Conditions page. If you clear the field, it displays the list of all the service conditions on the Service Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter service conditions by using variables that are more complex. It contains one or more filters, which filter service conditions based on the values that match the field description. A filter on a single row filters service conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter service conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-20 describes the fields that allow you to filter service conditions on the Service Conditions page.

 

Table 20-20 Filtering Service Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter service conditions by the condition name.

Description

This field enables you to filter service conditions by the condition description.

Check for

This field enables you to filter service conditions by checking the status of applications whether it is running or not.

Condition Type

This field enables you to filter service conditions by Cisco predefined and not Cisco predefined conditions.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Check for
  • Condition Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter service conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter service conditions.

Compound Conditions

A compound condition includes one or more simple conditions, or compound conditions of the type file, registry, application, service, or dictionary conditions. You can combine one or more conditions using an AND (ampersand [ & ]), an OR (horizontal bar [ | ]), or a NOT (exclamation point [ ! ]) operator to create a compound condition.

Cisco Predefined Rules

The Compound Conditions page displays predefined Cisco rules, as well as compound conditions that you create on the Compound Conditions page. The predefined Cisco rules are downloaded on your Cisco ISE deployment as a result of dynamic posture updates through the web.

For information on downloading Posture updates through the web, see the “Dynamic Posture Updates” section.

pr_AutoUpdateCheck_Rule

The pr_AutoUpdateCheck_Rule is a predefined Cisco Rule, which is downloaded to the Compound Conditions page. It contains only the pc_AutoUpdateCheck, a single (simple) condition.

When used in a posture requirement, the pr_AutoUpdateCheck_Rule compound condition allows you to check whether Windows clients are enabled with the automatic updates feature. If the Windows clients fail to meet the requirement, then the NAC Agents enforce Windows clients to be enabled (remediate) with the automatic updates feature, and upon which the clients are postured compliant. The Windows update remediation that you associate in the posture requirement overrides the Windows administrator setting, if the automatic updates feature is not enabled on Windows clients.

The Compound Conditions page displays compound conditions along with their names and description according to their operating systems. The Compound Conditions page allows you to filter the conditions based on the operating systems, as every condition is associated with one or more operating systems. The filtering options allow you to quickly pick the right set of conditions for a specific operating system.


Note Cisco predefined compound conditions that are listed on the Compound Conditions page are not editable.


This section provides the procedure that you can use to configure compound conditions.

Configuring Compound Conditions

Configuring Compound Conditions

You can create, duplicate, edit, delete, or filter compound conditions from the Compound Conditions page.

This section covers the following procedures:

Viewing Compound Conditions

You can use the Compound Conditions page to view compound conditions.

To view compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Compound Condition .

The Compound Conditions page appears, which lists predefined Cisco compound conditions and all the service conditions that you create.

Step 5 Choose a compound condition from the compound conditions list.

Step 6 Click View .

Here, you can choose a compound condition to view the details.

Step 7 Click the Compound Conditions List link to return to the Compound Conditions page.


 

Creating, Duplicating, Editing, and Deleting a Compound Condition

You can use the Compound Conditions page to create, duplicate, edit, or delete a compound condition.

To add a compound condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Compound Condition .

The Compound Conditions page appears, which lists predefined Cisco compound conditions and compound conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the compound condition is not editable. The operating system is also not editable on the compound condition after you have associated the newly created compound condition to a requirement. In order to edit the operating system on the compound condition, you need to remove the compound condition association from the posture requirement.

Step 6 Modify the values on the New Compound Condition page, as shown in Table 20-21 .

Here, you can create an expression by using logical operators to form a compound condition by combining simple conditions. You can use the Simple Conditions (an object selector) widget to choose one or more simple conditions.

a. Choose Select a condition to insert below and click the down arrow.

The Simple Conditions widget appears that displays simple file, registry, application and service conditions.

b. Choose a simple condition from any one of the file, registry, application, and service condition types from the conditions list or click the Quick Picker (down arrow) on the Action button to create a simple condition that allows you to save it to the existing list of respective simple conditions

c. Choose one of the following simple conditions:

Create File Condition

Add File Condition widget appears. Here, you can create a file (simple) condition.

Create Registry Condition

Add Registry Condition widget appears. Here, you can create a registry (simple) condition.

Create Application Condition

Add Application Condition widget appears. Here, you can create an application (simple) condition.

Create Service Condition

Add Service Condition widget appears. Here, you can create a service (simple) condition.

d. Choose an AND (ampersand [ & ]), an OR (horizontal bar [ | ]), or a NOT (exclamation point [ ! ]) operator to combine simple conditions. Use the parentheses [ ( ) ], and the logical operators to create a compound condition.

e. Choose a simple condition from any one of file, registry, application, and service condition types from the conditions list to the previously chosen simple conditions to create a compound condition.

Step 7 Click the Validate Expression button to validate the compound condition.

Step 8 Click Submit to create a compound condition.


 

To duplicate a compound condition, complete the following steps:


Step 1 From the Posture menu, choose Compound Condition .

The Compound Conditions page appears, which lists predefined Cisco ISE compound conditions and compound conditions that you have already created.

Step 2 Choose the compound condition that you want to duplicate.

Step 3 From the Compound Conditions page, choose Duplicate .

Here, you can create a copy of the compound condition.

Step 4 Click Submit to create a copy of the compound condition


 

To edit a compound condition, complete the following steps:


Step 1 From the Posture menu, choose Compound Condition .

The Compound Conditions page appears, which lists predefined Cisco compound conditions and compound conditions that you have already created.

Step 2 Choose the compound condition that you want to edit.

Step 3 From the Compound Conditions page, choose Edit .

Here, you can edit a compound condition, which you have already created, and saved on the Compound Conditions page. The predefined Cisco rules are not editable.

Step 4 Click Save to save the changes to the compound condition.

The compound condition will appear on the Compound Conditions page after editing on the edit page.

Step 5 Click the Compound Conditions List link to return to the Compound Conditions page.


 

To delete a compound condition, complete the following steps:


Step 1 From the Posture menu, choose Compound Condition .

The Compound Conditions page appears, which lists predefined Cisco compound conditions and compound conditions that you have already created.

Step 2 Choose the compound condition that you want to delete.

Step 3 From the Compound Conditions page, choose Delete .

Here, you can delete a compound condition.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-21 describes the fields on the New Compound Condition page that allow you to create, duplicate, or edit a compound condition on its edit page.

 

Table 20-21 Compound Condition

Field Name
Field Description

Name

From the Name field, enter the name of the compound condition that you want to create.

Description

From the Description field, enter the description of the compound condition that you want to create.

Operating System

From the Operating System field, selecting one or more Windows operating systems allow you to associate Windows operating systems to which the condition is applied.

Select a condition to insert below

From the Select a condition to insert below button, click the down arrow to display the Simple Conditions widget.

Expression

An area in the New Compound Condition page where you can create compound conditions using logical operators.

Parentheses ( )

Within the parentheses, you can combine two simple conditions from the following simple condition types: file, registry, application, and service conditions.

( & )—AND operator (use “&” for an AND operator, without the quotes)

You can use the AND operator (ampersand [ & ]) in a compound condition. For example, enter Condition1 & Condition2 .

( | )—OR operator (use “|” for an OR operator, without the quotes)

You can use the OR operator (horizontal bar [ | ]) in a compound condition. For example, enter Condition1 | Condition2 .

( ! )—NOT operator (use “!” for a NOT operator, without the quotes)

You can use the NOT operator (exclamation point [ ! ]) in a compound conditions. For example, enter Condition1 & (!Condition2) .

Simple Conditions

The Simple Conditions widget provides you with the list of simple conditions of the following types: file, registry, application, and service. You can also create simple conditions of file, registry, application and service conditions from here.

Click the Quick Picker (down arrow) on the Action button to create simple conditions of file, registry, application, and service conditions.

Filtering Compound Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Compound Conditions page. A quick filter is a simple and quick filter that can be used to filter compound conditions on the Compound Conditions page. It filters compound conditions based on the field description such as the name and description of the compound condition on the Compound Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Compound Conditions page. It filters compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Compound Conditions page. You can also edit preset filters and remove them from the preset filters list.

To filter compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Compound Condition .

The Compound Conditions page appears which lists all the compound conditions that you have created.

Step 5 From the Compound Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-22 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Compound Conditions page, choose All from the Show drop-down to display all the compound conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters compound conditions based on each field description on the Compound Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Compound Conditions page. If you clear the field, it displays the list of all the compound conditions on the Compound Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter compound conditions by using variables that are more complex. It contains one or more filters, which filter compound conditions based on the values that match the field description. A filter on a single row filters compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-22 describes the fields that allow you to filter compound conditions on the Compound Conditions page.

 

Table 20-22 Filtering Compound Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter compound conditions by the condition name.

Description

This field enables you to filter compound conditions by the condition description.

Condition Type

This filed enables you to filter compound conditions by Cisco defined and not Cisco defined conditions.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Condition Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter compound conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter compound conditions.

Antivirus and Antispyware Compound Conditions

Prerequisites:

Before you begin, you should read and understand the following antivirus and antispyware topics:

An Antivirus Compound Condition

Cisco ISE loads preconfigured antivirus compound conditions on the AV Compound Conditions page, which are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems. These antivirus compound conditions can check for antivirus products for their existence on all the clients. You can also create new antivirus compound conditions on the New Anti-virus Compound Condition page.

The New Anti-virus Compound Condition page displays the Products for Selected Vendor table, which provides information on antivirus products for a selected vendor.

An Antispyware Compound Condition

Cisco ISE loads preconfigured antispyware compound conditions on the AS Compound Conditions page, which are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems. These antispyware compound conditions can check for antispyware products for their existence on all the clients. You can also create new antispyware compound conditions on the New Anti-spyware Compound Condition page.

The New Anti-spyware Compound Condition page displays the Products for Selected Vendor table, which provides information on antivirus products for a selected vendor.

Antivirus and Antispyware Support Charts

Cisco ISE uses an antivirus and antispyware support chart, which provides the latest version and date on the definition files for each vendor product. Users need to frequently poll antivirus and antispyware support charts for updates. The antivirus and antispyware vendors frequently update antivirus and antispyware definition files, and the antivirus and antispyware chart provides them the latest version and date on the definition files for each vendor product.

Each time the antivirus and antispyware support chart is updated to reflect support for new antivirus and antispyware vendors, products, and their releases, the NAC Agents receive a new antivirus and antispyware library. It helps NAC Agents to support newer additions. Once the NAC Agents retrieve this support information, they check the latest definition information from the periodically updated se-checks.xml file (which is published along with the se-rules.xml file in the se-templates.tar.gz archive), and determine whether clients are compliant with the posture policies. Depending upon what is supported by the antivirus and antispyware library for a particular antivirus, or antispyware product, the appropriate requirements will be sent to the NAC Agents for validating their existence, and the status of particular antivirus and antispyware products on the clients during posture validation.

Antivirus and Antispyware Definition Updates

The New Anti-virus Compound Condition and New Anti-spyware Compound Condition configuration pages allow you to use the information from the av-chart archive files, which display the list of vendors, supported products, and their releases to configure client remediations on the AV Remediations and AS Remediations page.

On the New Anti-virus Compound Condition and New Anti-spyware Compound Condition configuration pages, you have an option to check for antivirus and antispyware definition file date, or version on all the clients for the following: a particular vendor product, or any product from a vendor, or for any vendor any product. In addition, you also have an option to specify that the definition files can be older than a specified certain number of days. It gives users a certain amount of time to enforce security policies with respect to how old the definition files can be on their system.

Antivirus and antispyware compound conditions allow you to verify that the virus definition files for a specified vendor are up-to-date on your clients. You can optionally configure antivirus and antispyware definition files of antivirus and antispyware compound conditions to be older by a number of days than the definition files, which are updated in the Cisco ISE servers. Even if the definition files have not been updated by the vendor, this option allows you to configure antivirus and antispyware compound conditions so that clients are validated for compliance with older versions by a few days.

For antivirus definition file updates, you can specify the number of days either from the latest antivirus definition file updates for a specified vendor, or from the current system date on Cisco ISE. For antispyware definition file updates, you must specify the number of days from the current system date. You do not have the option to specify the number of days from the latest antispyware definition file updates. The default number of days is zero (0), indicating that the antivirus and antispyware file definition date cannot predate the latest file or current system date.

You can also associate antivirus and antispyware compound conditions to the AV remediations and AS remediation actions. If your clients fail to meet antivirus and antispyware compound conditions, then the NAC Agents that are installed on your clients communicate directly with the installed antivirus and antispyware software on the clients. The NAC Agents display a dialog with an update, or remediate button on it for end users to use them to remediate clients automatically with the latest antivirus and antispyware definition files.

Related Topics

Antivirus Compound Conditions

Antispyware Compound Conditions

Antivirus Compound Conditions

An antivirus compound condition contains one or more antivirus conditions (simple conditions), or antivirus compound conditions. An antivirus compound condition checks an antivirus installation, or checks for an antivirus signature definition version/date on a client. You can create an antivirus compound condition to check for an antivirus installation, or definition updates on the client for any vendor.

This section provides the procedure that you can use to configure antivirus compound conditions.

Configuring Antivirus Compound Conditions

Configuring Antivirus Compound Conditions

The AV Compound Conditions page displays antivirus compound conditions along with their names and description.

You can create an antivirus compound condition to check that an antivirus installation exists on your clients, or check that the latest antivirus signature definition version/date on the client for a selected vendor. You can duplicate, edit, delete, or filter antivirus compound conditions from the AV Compound Conditions page.

This section covers the following procedures:

Creating, Duplicating, Editing, and Deleting an Antivirus Compound Condition

You can use the AV Compound Conditions page to create, duplicate, edit, or delete an antivirus compound condition.

To create an antivirus compound condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose AV Compound Condition .

The AV Compound Conditions page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you create on the New Anti-virus Compound Condition page.

Step 5 Click Add .

Warning Once created and saved, the name of the antivirus compound condition is not editable.

Step 6 Modify the values on the New Anti-virus Compound Conditions page, as shown in Table 20-23 .

Here, you can create an antivirus compound condition to check the installation of an antivirus program, or check that an antivirus definition file is up-to-date.


Note Choose a product from the Products for Selected Vendor table.


Step 7 Click Submit to create an antivirus compound condition.


 

To duplicate an antivirus compound condition, complete the following steps:


Step 1 From the Posture menu, choose AV Compound Condition .

The AV Compound Conditions page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you have already created.

Step 2 Choose the antivirus compound condition that you want to duplicate.

Step 3 From the AV Compound Conditions page, choose Duplicate .

Here, you can create a copy of the antivirus compound condition.

Step 4 Click Submit to create a copy of the antivirus compound condition.


 

To edit an antivirus compound condition, complete the following steps:


Step 1 From the Posture menu, choose AV Compound Condition .

The AV Compound Conditions page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you have already created.

Step 2 Choose an antivirus compound condition that you want to edit.

Step 3 From the AV Compound Conditions page, choose Edit .

Here, you can edit an antivirus compound condition, which you have already created and saved on the AV Compound Conditions page. The predefined Cisco rules are not editable.

Step 4 Click Save to save the changes to an antivirus compound condition.

The antivirus compound condition will appear on the AV Compound Conditions page after editing on the edit page.

Step 5 Click the Anti-virus Compound Conditions List link to return to the AV Compound Conditions page.


 

To delete an antivirus compound condition, complete the following steps:


Step 1 From the Posture menu, choose AV Compound Condition .

The AV Compound Conditions page appears, which lists all the Cisco predefined rules, and also AV compound conditions that you have already created.

Step 2 Choose an antivirus compound condition that you want to delete.

Step 3 From the AV Compound Conditions page, choose Delete .

Here, you can delete an antivirus compound condition.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-23 describes the fields on the AV Compound Conditions page that allow you to create, duplicate, or edit an antivirus compound condition.

 

Table 20-23 AV Compound Condition

Field Name
Field Description

Name

The name of the antivirus compound condition that you want to create.

Description

The description of the antivirus compound condition that you want to create.

Operating System

The field selection of Operating System allows you to check the installation of an antivirus programs on your client, or check the latest antivirus definition file updates to which the condition is applied.

Vendor

Choose a vendor from the drop-down list. The selection of Vendor retrieves their antivirus products and versions, which are displayed in a table (Products for Selected Vendor) on the New Anti-virus Compound Condition page.

Check Type

The field selection of Check Type allows you to choose whether to check an installation or check the latest definition file update on the client.

Installation radio button

The field selection of Installation radio button allows you to check only the installation of an antivirus program on the client.

Definition radio button

The field selection of Definition radio button allows you to check only the latest definition file update of an antivirus product on the client.

When enabled, Cisco ISE provides you the following two options to check clients against latest antivirus definition file version or latest antivirus definition file date:

  • Check against latest AV definition file version if available. Otherwise check against latest definition file date
  • Allow virus definition file to be a specific number of days days older than latest file date or current system date

Check against latest AV definition file version, if available. (Otherwise check against latest definition file date).

The field selection allows you to check the antivirus definition file version on the client against the latest antivirus definition file version, if available as a result of posture updates in Cisco ISE. Otherwise, it allows you to check the definition file date on the client against the latest definition file date in Cisco ISE.

Allow virus definition file to be check box (Enabled)

The Allow virus definition file to be check box is enabled only when you choose creating antivirus definition check types, and disabled when creating antivirus installation check types.

If checked, the selection allows you to check the antivirus definition file version and the latest antivirus definition file date on the client. The latest definition file date cannot be older than that you define in the next field (days older than field) from the latest antivirus definition file date of the product or the current system date.

If unchecked, Cisco ISE allows you to check only the version of the antivirus definition file using the Check against latest AV definition file version, if available option.

days older than

The field defines the number of days that the latest antivirus definition file date on the client can be older from the latest antivirus definition file date of the product or the current system date. The default value is zero (0).

The latest file date radio button

When selected, the latest file date option checks that the antivirus definition file date on the client, which can be older by the number of days that you define in the next field (days older than field).

If you set the number of days to the default value (0), then the antivirus definition file date on the client should not be older than the latest antivirus definition file date of the product.

The current system date radio button

When selected, the current system date option checks that the antivirus definition file date on the client, which can be older by the number of days that you define in the next field (days older than field).

If you set the number of days to the default value (0), then the antivirus definition file date on the client should not be older than the current system date.

Products for Selected Vendor table

Choose an antivirus product from the table. Based on the vendor that you select in the New Anti-virus Compound Condition page, the table retrieves information on their antivirus products and their version, remediation support that they provide, latest definition file date and its version.

The selection of a product from the table allows you to check for the installation of an antivirus program, or check for the latest antivirus definition file date, and its latest version.

Filtering Antivirus Compound Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the AV Compound Conditions page. A quick filter is a simple and quick filter that can be used to filter antivirus compound conditions on the AV Compound Conditions page. It filters antivirus compound conditions based on the field description such as the name and description of the antivirus compound condition on the AV Compound Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AV Compound Conditions page. It filters antivirus compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the AV Compound Conditions page.You can also edit preset filters and remove them from the preset filters list.

To filter antivirus compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose AV Compound Condition .

The AV Compound Conditions page appears which lists all the antivirus compound conditions.

Step 5 From the AV Compound Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-24 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the AV Compound Conditions page, choose All from the Show drop-down to display all the antivirus compound conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters antivirus compound conditions based on each field description on the AV Compound Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the AV Compound Conditions page. If you clear the field, it displays the list of all the antivirus compound conditions on the AV Compound Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter antivirus compound conditions by using variables that are more complex. It contains one or more filters, which filter antivirus compound conditions based on the values that match the field description. A filter on a single row filters antivirus compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antivirus compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-24 describes the fields that allow you to filter antivirus compound conditions on the AV Compound Conditions page.

 

Table 20-24 Filtering Antivirus Compound Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter antivirus compound conditions by the condition name.

Description

This field enables you to filter antivirus compound conditions by the condition description.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description

Click the drop-down arrow to choose the field description.

Operator

Click the drop-down arrow to choose a value that can be used to filter in the Operator field.

Value

Enter the value for the field description that you selected against to filter the conditions.

Antispyware Compound Conditions

An antispyware compound condition contains one or more antispyware conditions (simple conditions), or antispyware compound conditions. An antispyware compound condition checks an antispyware installation, or checks for an antispyware signature definition version/date on a client against the current system date. You can create an antispyware compound condition to check for an antivirus installation, or definition updates on the client for any vendor.

When you create an antispyware definition file update condition, the antispyware definition file date can be older than the current system date by the number of days that you specify for checking the definition file date on the client. The default value is zero (0) days.

Here, you must enable (check) the Allow virus definition file to be check box to check that the latest antispyware definition file date on the client. It can be older than the current system date by the number of days, which you define in the days older than field.

This section provides the procedure that you can use to configure antispyware compound conditions.

Configuring Antispyware Compound Conditions

Configuring Antispyware Compound Conditions

The AS Compound Conditions page displays antispyware compound conditions along with their names and description.

You can create an antispyware compound condition to check that an antispyware installation exists on your clients, or check that the latest antispyware signature definition version/date on the client for a selected vendor. You can duplicate, edit, delete, or filter antispyware compound conditions from the AS Compound Conditions page.

This section covers the following procedures:

Creating, Duplicating, Editing, and Deleting an Antispyware Compound Condition

You can use the AS Compound Conditions page to create, duplicate, edit, or delete an antispyware compound condition.

To create an antispyware compound condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose AS Compound Condition .

The AS Compound Conditions page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you create on the New Anti-spyware Compound Condition page.

Step 5 Click Add .

Warning Once created and saved, the name of the antispyware compound condition is not editable.

Step 6 Modify the values on the New Anti-spyware Compound Condition page, as shown in Table 20-25 .

Here, you can create an antispyware compound condition to check the installation of an antispyware program, or check that an antispyware definition file is up-to-date.


Note Choose a product from the Products for Selected Vendor table.


Step 7 Click Submit to create an antispyware compound condition.


 

To duplicate an antispyware compound condition, complete the following steps:


Step 1 From the Posture menu, choose AS Compound Condition .

The AS Compound Conditions page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you have already created.

Step 2 Choose the antispyware compound condition that you want to duplicate.

Step 3 From the AS Compound Conditions page, choose Duplicate .

Here, you can create a copy of the antispyware compound condition.

Step 4 Click Submit to create a copy of the antispyware compound condition.


 

To edit an antispyware compound condition, complete the following steps:


Step 1 From the Posture menu, choose AS Compound Condition .

The AS Compound Conditions page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you have already created.

Step 2 Choose an antispyware compound condition that you want to edit.

Step 3 From the AS Compound Conditions page, choose Edit .

Here, you can edit an antispyware compound condition, which you have already created and saved on the AS Compound Conditions page. The predefined Cisco rules are not editable.

Step 4 Click Save to save the changes to an antispyware compound condition.

The antispyware compound condition will appear on the AS Compound Conditions page after editing on the edit page.

Step 5 Click the AS Compound Conditions List link to return to the AS Compound Conditions page.


 

To delete an antispyware compound condition, complete the following steps:


Step 1 From the Posture menu, choose AS Compound Condition .

The AS Compound Conditions page appears, which lists all the Cisco predefined rules, and also AS compound conditions that you have already created.

Step 2 Choose an antispyware compound condition that you want to delete.

Step 3 From the AS Compound Conditions page, choose Delete .

Here, you can delete an antispyware compound condition.

Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.


 

Table 20-25 describes the fields on the AS Compound Conditions page that allow you to create, duplicate, or edit an antispyware compound condition.

 

Table 20-25 Antispyware Compound Condition

Field Name
Field Description

Name

The name of the antispyware compound condition that you want to create.

Description

The description of the antispyware compound condition that you want to create.

Operating System

The field selection of Operating System allows you to check the installation of an antispyware programs on your client, or check the latest antispyware definition file updates to which the condition is applied.

Vendor

Choose a vendor from the drop-down list. The selection of Vendor retrieves their antispyware products and versions, which are displayed in a table (Products for Selected Vendor) on the New Anti-spyware Compound Condition page.

Check Type

The field selection of Check Type allows you to choose a type whether to check an installation, or check the latest definition file update on the client.

Installation radio button

The field selection of Installation radio button allows you to check only the installation of an antispyware program on the client.

Definition radio button

The field selection of Definition radio button allows you to check only the latest definition file update of an antispyware product on the client.

Allow virus definition file to be check box (Enabled)

The Allow virus definition file to be check box is enabled only when creating antispyware definition check types, and disabled when creating antispyware installation check types.

If checked, the selection allows you to check antispyware definition file version and the latest antispyware definition file date on the client. The latest definition file date cannot be older than that you define in the next field (days older than field) from the current system date.

If unchecked, the selection allows you to check only the version of the antispyware definition file as the Allow virus definition file to be check box is not checked.

days older than

The field defines the number of days that the latest antispyware definition file date on the client can be older from the current system date. The default value is zero (0).

The current system date radio button

When selected, the current system date option checks that the antispyware definition file date on the client, which can be older by the number of days that you define in the next field (days older than field).

If you set the number of days to the default value (0), then the antispyware definition file date on the client should not be older than the current system date.

Products for Selected Vendor table

Choose an antispyware product from the table. Based on the vendor that you select in the New Anti-spyware Compound Condition page, the table retrieves information on their antispyware products and their version, remediation support that they provide, latest definition file date and its version.

The selection of a product from the table allows you to check for the installation of an antispyware program, or check for the latest antispyware definition file date, and its latest version.

Filtering Antispyware Compound Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the AS Compound Conditions page. A quick filter is a simple and quick filter that can be used to filter antispyware compound conditions on the AS Compound Conditions page. It filters antispyware compound conditions based on the field description such as the name and description of the antispyware compound condition on the AS Compound Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AS Compound Conditions page. It filters antispyware compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the AS Compound Conditions page.You can also edit preset filters and

remove them from the preset filters list.

To filter antispyware compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose AS Compound Condition .

The AS Compound Conditions page appears, which lists all the antispyware compound conditions.

Step 5 From the AS Compound Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-26 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the AS Compound Conditions page, choose All from the Show drop-down to display all the antispyware compound conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters antispyware compound conditions based on each field description on the AS Compound Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Compound conditions list page. If you clear the field, it displays the list of all the antispyware compound conditions on the AS Compound Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter antispyware compound conditions by using variables that are more complex. It contains one or more filters, which filter antispyware compound conditions based on the values that match the field description. A filter on a single row filters antispyware compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antispyware compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-26 describes the fields that allow you to filter antispyware compound conditions on the AS Compound Conditions page.

 

Table 20-26 Filtering Antispyware Compound Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter conditions by the condition name.

Description

This field enables you to filter conditions by the condition description.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description

Click the drop-down arrow to choose the field description.

Operator

Click the drop-down arrow to choose a value that can be used to filter in the Operator field.

Value

Enter the value for the field description that you selected against to filter the conditions.

Dictionary Simple Conditions

A dictionary simple condition is a simple (single) condition, where you can associate a value to a dictionary attribute. Once created and saved, the dictionary simple conditions are added to a library. You can use these dictionary simple conditions to form a dictionary compound condition on the Dictionary Compound Conditions page.

This section provides the procedure that you can use to configure dictionary simple conditions.

Configuring Dictionary Simple Conditions

Configuring Dictionary Simple Conditions

You can create a dictionary simple condition to check the value of an attribute that you associate to the dictionary attribute in the dictionary simple condition. You can also duplicate, edit, delete, or filter dictionary simple conditions from the Dictionary Simple Conditions page.

The Dictionary Simple Conditions page displays dictionary simple conditions along with their names and description, as well as the conditions in detail that you define in the dictionary simple conditions.

This section covers the following procedures:

Creating, Duplicating, Editing, and Deleting a Dictionary Simple Condition

You can use the Dictionary Simple Conditions page to create, duplicate, edit, or delete a dictionary simple condition.

To create a dictionary simple condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Dictionary Simple Condition.

The Dictionary Simple Conditions page appears, which lists all the dictionary simple conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the dictionary simple condition is not editable.

Step 6 Modify the values on the New Dictionary Condition page, as shown in Table 20-27 .

Here, you can create a dictionary simple condition where you can associate a value to a dictionary attribute.

Step 7 Click Submit to create a dictionary simple condition.


 

To duplicate a dictionary simple condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Simple Condition.

The Dictionary Simple Conditions page appears, which lists all the dictionary simple conditions that you have already created.

Step 2 Choose a dictionary simple condition that you want to duplicate.

Step 3 From the Dictionary Simple Conditions page, choose Duplicate .

Here, you can create a copy of a dictionary simple condition.

Step 4 Click Submit to create a copy of a dictionary simple condition.


 

To edit a dictionary simple condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Simple Condition.

The Dictionary Simple Conditions page appears, which lists all the dictionary simple conditions that you have already created.

Step 2 Choose a dictionary simple condition that you want to edit.

Step 3 From the Dictionary Simple Conditions page, choose Edit .

Here, you can edit a dictionary simple condition.

Step 4 Click Save to save the changes to a dictionary simple condition.

The dictionary simple condition will appear on the Dictionary Simple Conditions page after editing on the edit page.

Step 5 Click the Dictionary Conditions List link to return to the Dictionary Simple Conditions page.


 

You cannot delete a dictionary simple condition, which is associated to a dictionary compound condition. To delete, you must first remove the association from the dictionary compound condition, and then delete it.

To delete a dictionary simple condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Simple Condition .

The Dictionary Simple Conditions page appears, which lists all the dictionary simple conditions that you have already created.

Step 2 Choose a dictionary simple condition that you want to delete.

Step 3 From the Dictionary Simple Conditions page, choose Delete .

Here, you can delete a dictionary simple condition.


 

Table 20-27 describes the fields on the Dictionary Simple Conditions page that allow you to create, duplicate a dictionary simple condition, or edit a dictionary simple condition on its edit page.

 

Table 20-27 Dictionary Simple Condition

Field Name
Field Description

Name

From the Name field, enter the name of the dictionary simple condition that you want to create.

Description

From the Description field, enter the description of the dictionary simple condition that you want to create.

Attribute

From the Attribute field, you can choose an attribute from a dictionary in the dictionaries widget.

Operator

From the Operator field, you can choose an operator to associate a value to an attribute that you have selected.

Click the drop-down arrow to choose an operator from the predefined settings for each of the dictionary attribute that you have selected.

Value

From the Value field, enter a value that you want to associate to the dictionary attribute, or choose a predefined value from the drop-down list.

Filtering Dictionary Simple Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Dictionary Simple Conditions page. A quick filter is a simple and quick filter that can be used to filter dictionary simple conditions on the Dictionary Simple Conditions page. It filters dictionary simple conditions based on the field description such as the name of the dictionary simple condition, condition that you define in the dictionary simple condition, and description on the Dictionary Simple Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Dictionary Simple Conditions page. It filters dictionary simple conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Dictionary Simple Conditions page. You can also edit preset filters and remove them from the preset filters list.

To filter dictionary simple conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Dictionary Simple Condition .

The Dictionary Simple Conditions page appears which displays all the dictionary simple conditions that you create.

Step 5 From the Dictionary Simple Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-28 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Dictionary Simple Conditions page, choose All from the Show drop-down to display all the dictionary simple conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters dictionary simple conditions based on each field description on the Dictionary Simple Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Dictionary Simple Conditions page. If you clear the field, it displays the list of all the dictionary simple conditions on the Dictionary Simple Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter dictionary simple conditions by using variables that are more complex. It contains one or more filters, which filter dictionary simple conditions based on the values that match the field description. A filter on a single row filters dictionary simple conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-28 describes the fields on the Dictionary Simple Conditions page that allow you to filter dictionary simple conditions.

 

Table 20-28 Filtering Dictionary Simple Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter dictionary simple conditions by the condition name.

Condition

This field enables you to filter dictionary simple conditions by the condition that you define in the dictionary simple condition.

Description

This field enables you to filter dictionary simple conditions by the condition description.

Advanced Filter

Choose the field description from the following:

  • Name
  • Condition
  • Description

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter dictionary simple conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter dictionary simple conditions.

Dictionary Compound Conditions

A dictionary compound condition is a logical combination of more than one dictionary simple condition (a dictionary attribute that is associated with a value). It is a set of dictionary simple conditions (dictionary attributes that are associated with values) that are logically combined with an AND, or an OR operator. You can save a dictionary compound condition, only when you define more than one dictionary simple condition, and then combine them on the Dictionary Compound Conditions page. One or more dictionary simple conditions that you create on the Dictionary Compound Conditions page must be saved to a library first, which can be added later from the library to form a dictionary compound condition.

This section provides the procedure that you can use to configure dictionary compound conditions.

Configuring Dictionary Compound Conditions

Configuring Dictionary Compound Conditions

The Dictionary Compound Conditions page displays the list of dictionary compound conditions along with their names and description, as well as dictionary simple conditions that are logically combined.

This section covers the following procedure:

Creating, Duplicating, Editing, and Deleting a Dictionary Compound Condition

You can create, duplicate, edit, or delete a dictionary compound condition from the Dictionary Compound Conditions page.

To create a dictionary compound condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Dictionary Compound Condition .

The Dictionary Compound Conditions page appears, which lists all the dictionary compound conditions that you create.

Step 5 Click Add .

Warning Once created and saved, the name of the dictionary compound condition is not editable.

Step 6 Modify the values on the New Dictionary Compound Condition page, as shown in Table 20-29 .

Here, you can create a dictionary compound condition where you can logically combine more than one dictionary simple conditions.

Step 7 Click Submit to create a dictionary compound condition.


 

To duplicate a dictionary compound condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Compound Condition.

The Dictionary Compound Conditions page appears, which lists all the dictionary compound conditions that you have already created.

Step 2 Choose a dictionary compound condition that you want to duplicate.

Step 3 From the Dictionary Compound Conditions page, choose Duplicate .

Here, you can create a copy of a dictionary compound condition.

Step 4 Click Submit to create a copy of a dictionary compound condition.


 

To edit a dictionary compound condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Compound Condition.

The Dictionary Compound Conditions page appears, which lists all the dictionary compound conditions that you have already created.

Step 2 Choose the dictionary compound condition that you want to edit.

Step 3 From the Dictionary Compound Conditions page, choose Edit .

Here, you can edit a dictionary compound condition.

Step 4 Click Save to save the changes to a dictionary compound condition.

The dictionary compound condition will appear on the Dictionary Compound Conditions page after editing on the edit page.

Step 5 Click the Dictionary Compound Conditions List link to return to the Dictionary Compound Conditions page.


 

To delete a dictionary compound condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Compound Condition .

The Dictionary Compound Conditions page appears, which lists all the dictionary compound conditions that you have already created.

Step 2 Choose the dictionary compound condition that you want to delete.

Step 3 From the Dictionary Compound Conditions page, choose Delete .

Here, you can delete a dictionary compound condition.


 

Table 20-29 describes the fields on the Dictionary Compound Conditions page that allow you to create, duplicate a dictionary compound condition, or edit a dictionary compound condition on its edit page.

 

Table 20-29 Dictionary Compound Condition

Field Name
Field Description

Name

From the Name field, enter the name of the dictionary compound condition that you want to create.

Description

From the Description field, enter the description of the dictionary compound condition that you want to create.

Select Existing Condition from Library

You can define an expression by selecting pre-defined conditions from the policy elements library.

Click the Action Icon button to do the following:

  • Add Attribute/Value
  • Add Condition from Library
  • Delete

You can add ad-hoc attribute/value pairs to your expression in the subsequent steps.

Click the Action Icon button to do the following:

  • Add Attribute/Value—allows you to create a dictionary simple condition
  • Add Condition from Library—allows you to choose a dictionary simple, or dictionary compound condition from the library that are already created and saved
  • Duplicate—allows to duplicate a condition that you create or choose on this page.
  • Add Condition to Library—allows you to save new dictionary simple, and dictionary compound conditions that you create here to the library for use later
  • Delete—allows to remove the association of a dictionary simple or dictionary compound condition from the dictionary compound condition.

Condition Name

From the Condition Name field, you can choose dictionary simple conditions that you have already created from the policy elements library.

Expression

The Expression field is updated based on your selection from the Condition Name field.

AND or OR operator

Either an AND operator, or an OR operator allows you to logically combine dictionary simple conditions, which can be added from the library.

Click the Action Icon button to do the following:

  • Add Attribute/Value
  • Add Condition from Library
  • Delete

Create New Condition (Advance Option)

You can define an expression by selecting attributes from various system or user-defined dictionaries.

Click the Action Icon button to do the following:

  • Add Attribute/Value
  • Add Condition from Library
  • Duplicate
  • Add Condition to Library
  • Delete

You can add pre-defined conditions from the policy elements library in the subsequent steps.

Condition Name

From the Condition Name field, you can create a new dictionary simple condition and then save it to the library, or choose dictionary simple conditions that you have already created from the library.

Expression

From the Expression field, you can create a dictionary simple condition by choosing an attribute from a dictionary in the dictionaries widget to which you can associate a value.

Operator

From the Operator field, you can choose an operator to associate a value to an attribute.

Click the drop-down arrow to choose an operator from the predefined settings for each of the dictionary attribute that you select.

Value

From the Value field, enter a value that you want to associate to the dictionary attribute, or choose a value from the drop-down list.

AND or OR operator

Either an AND operator, or an OR operator allows you to logically combine dictionary simple conditions, which can be added from the library.

Filtering Dictionary Compound Conditions

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Dictionary Compound Conditions page. A quick filter is a simple and quick filter that can be used to filter dictionary compound conditions on the Dictionary Compound Conditions page. It filters dictionary compound conditions based on the field description such as the name of the dictionary compound condition, conditions that you define in the dictionary compound condition, and description on the Dictionary Compound Conditions page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Dictionary Compound Conditions page. It filters dictionary compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Dictionary Compound Conditions page. You can also edit preset filters and remove them from the preset filters list.

To filter compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture .

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Dictionary Compound Condition .

The Dictionary Compound Conditions page appears which lists all the dictionary compound conditions that you create.

Step 5 From the Dictionary Compound Conditions page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-30 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Dictionary Compound Conditions page, choose All from the Show drop-down to display all the dictionary compound conditions without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters dictionary compound conditions based on each field description on the Dictionary Compound Conditions page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Dictionary Compound Conditions page. If you clear the field, it displays the list of all the compound conditions on the Dictionary Compound Conditions page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter dictionary compound conditions by using variables that are more complex. It contains one or more filters, which filter dictionary compound conditions based on the values that match the field description. A filter on a single row filters dictionary compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-30 describes the fields on the Dictionary Compound Conditions page that allow you to filter dictionary compound conditions.

 

Table 20-30 Filtering Dictionary Compound Conditions

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter compound conditions by the condition name.

Condition

This field enables you to filter dictionary compound conditions by the condition that you define in the dictionary compound condition.

Description

This field enables you to filter compound conditions by the condition description.

Advanced Filter

Choose the field description from the following:

  • Name
  • Condition
  • Description

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter dictionary compound conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter dictionary compound conditions.

Posture Results

Posture results are associated mandatory requirements to posture policies that all clients must meet their requirements during posture evaluation, and associated remediation actions to requirements that are required by clients to remediate themselves to meet failed requirements in order to become compliant on your network.

Posture results in posture requirements which all clients must meet for compliance with your organization security policies during policy evaluation of endpoints The posture requirements can be set to mandatory, optional, or audit types in posture policies during posture evaluation of endpoints.

Mandatory Requirements

If clients fail to meet mandatory requirements as defined in posture policies, then they are provided with remediation options in order for clients to meet them during policy evaluation. When clients fail to meet mandatory requirements during policy evaluation, it results in remediation actions that are associated to requirements, and end users are given remediation time within minutes specified in the remediation timer settings to remediate failed requirements.

If a client machine is unable to remediate a mandatory requirement, the session posture status changes to “non-compliant” and the agent session is quarantined. The only way to get the client machine past this “non-compliant” state is by initiating a new RADIUS or posture session where the agent starts posture assessment on the client machine again.

You can restart posture assessment on the client machine by doing one of the following:

  • For wired and wireless CoA in an 802.1X environment—You can configure the Reauthentication Timer for the specific authorization policy in the Policy > Policy Elements > Results > Authorization > Authorization Profiles page. When you have the authorization policy page open, enable the Reauthentication function under Common Tasks and set the Maintain Connectivity During Reauthentication option to “Default.” The result is that the timer expires and a brand new session launches, thus restarting posture assessment. For more details, see Modifying an Existing Authorization Profile. (This method is not supported in Inline Posture deployments.)

Alternatively, wired users can get out of the quarantine state once they disconnect and reconnect to the network. In a wireless environment, the user must disconnect from the WLC and wait until the user idle timeout period has expired before attempting to reconnect to the network.

  • In a VPN environment—The only option is to disconnect and reconnect the VPN tunnel.

Optional Requirements

If client machines fail to meet optional requirements during policy evaluation, then the agents prompt end users with an option to continue further so that end users can skip optional requirements even though they fail during policy evaluation.

Audit Requirements

Audit requirements are not shown to end users even though they pass, or fail during policy evaluation.

Related Topics

Troubleshooting Topics

Custom Posture Remediation Actions

A custom posture remediation action can take the form of a file, a link, an antivirus or antispyware definition updates, launching programs, Windows updates, or Windows Server Update Services (WSUS) types.

Here, you also have a text box for all the remediation types that can be used to communicate to the Agent users. In addition to remediation actions, you can also communicate to Agent users of non compliance of clients only with messages. Here, the NAC Agent does not trigger any remediation action.

Message Text Only

The Message Text Only option informs Agent users about noncompliance of clients. It also provides optional instructions to the user to contact the Help desk for more information, or to remediate the client manually.

When you create a posture requirement on the Requirements page, you can associate any one of a file, a link, an antivirus or antispyware definition updates, launching programs, Windows updates, or Windows Server Update Services (WSUS) types to the requirement.

You can use the Posture Remediation Actions menu to manage the following remediations for a posture in Cisco ISE:

  • A file remediation—downloads the required file version on your client for compliance
  • A link remediation—provides a URL link for the client to click for access to a remediation page or resource
  • An antivirus remediation—updates antivirus signature definitions on the client for compliance
  • An antispyware remediation—updates antispyware signature definitions on the client for compliance
  • Launch programs remediation—launches one or more programs on the client for compliance
  • Windows update remediation—changes the Windows Automatic Update configuration (System Properties) on the client per customer security policy, and helps to ensure Windows Update remediates the client for compliance
  • Windows Server Update Services (WSUS) remediation—remediates the Windows client from a locally managed WSUS server, or Microsoft-managed WSUS server with the latest WSUS updates for compliance

To manage the posture remediation actions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to view the posture results.

The following results appear:

    • Remediation Actions—associated to requirements, which are required by clients to remediate themselves to meet failed requirements during policy evaluation
    • Requirements—associated to posture policies that all clients must meet during policy evaluation

Step 4 Choose Remediation Actions .

The following remediation types appear:

Step 5 Choose a remediation type to view the remediations list.


 

Configuring Custom Posture Remediation Actions

This section describes the custom remediation types that you can define in Cisco ISE.

Table 20-31 shows remediation types that are supported by NAC web agent, NAC agents for Windows and Macintosh clients.

 

Table 20-31 Remediation Types Supported by Agents

Remediation Action Type
Web Agent
NAC Agent for Windows
NAC Agent for Macintosh

File Remediation

Supported

Supported

Not applicable

Link remediation (manual)

Supported

Supported

Supported

Link remediation (automatic)

Not supported

Supported

Not supported

Antivirus remediation (manual)

Not supported

Supported

Supported

Antivirus remediation (automatic)

Not supported

Supported

Not supported

Antispyware remediation (manual)

Not supported

Supported

Not supported

Antispyware remediation (automatic)

Not supported

Supported

Not supported

Launch Program remediation (manual)

Not supported

Supported

Not applicable

Launch Program remediation (automatic)

Not supported

Supported

Not applicable

Windows Update remediation (manual)

Not supported

Supported

Not applicable

Windows Update remediation (automatic)

Not supported

Supported

Not applicable

Windows Server Update Services remediation (manual)

Not supported

Supported

Not applicable

Windows Server Update Services remediation (automatic)

Not supported

Supported

Not applicable

This section covers the following procedures for managing remediation actions for a posture:

Filtering File Remediations

Filtering Link Remediations

Filtering Antivirus Remediations

Filtering Antispyware Remediations

Filtering Launch Program Remediations

Filtering Windows Update Remediations

Filtering Windows Server Update Services Remediations

Troubleshooting Topics

File Remediation

A file remediation allows clients to download the required file version for compliance. You are only allowed to create a file remediation, where the NAC Agent and Web Agent can remediate an endpoint with a file that is required by the client for compliance.

You can filter, view, or delete file remediations on the File Remediations page, but you cannot edit file remediations as you are allowed to edit other remediation types. The File Remediations page displays all the file remediations along with their names, description, and the files that are required for remediation.

This section describes the following procedures to configure and filter file remediations.

Viewing, Adding, and Deleting a File Remediation

This section describes the procedures to view, add, or delete file remediations from the File Remediations page.

To view a file remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose File Remediation .

The File Remediations page appears, which lists all the file remediations on the File Remediations page.

Step 7 Click the check box to choose a file remediation from the File Remediations page.

Step 8 From the File Remediations page, choose View .

Here, you can view a file remediation.

Step 9 Click the File Remediations List link to return back to the File Remediations page.


 

To add a file remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose File Remediation .

The File Remediations page appears, which lists all the file remediations on the File Remediations page.

Step 7 From the File Remediations page, choose Add .

The New File Remediation page appears. Here, you can create to add a new file remediation.

Warning Once created and saved, the name of the file remediation is not editable.

Step 8 Modify the values on the New File Remediation page, as shown in Table 20-32 .

Step 9 Click Submit to save the file remediation.

The new file remediation appears on the File Remediations page.


 

To delete a file remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose File Remediation .

The File Remediations page appears, which lists all the file remediations on the File Remediations page.

Step 7 Click the check box to choose a file remediation from the File Remediations page.

Step 8 From the File Remediations page, choose Delete .

Here, you can delete a file remediation from the File Remediations page.


 

Table 20-32 describes the fields that allow you to create a file remediation on the New File Remediation page.

Table 20-32 File Remediation

Field Name
Field Description

File Remediation Name

From the File Remediation Name field, enter the name of the file remediation that you want to create.

File Remediation Description

from the File Remediation Description field, enter the description of the file remediation.

Version

From the Version field, add the version of the file.

File to upload

From the File to upload field, browse to the name of the file to be uploaded to the Cisco ISE server. This is in turn the file that is downloaded to the client, if file remediation action is triggered.

Filtering File Remediations

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the File Remediations page. A quick filter is a simple and quick filter that can be used to filter file remediations on the File Remediations page. It filters file remediations based on the field description such as the name of the file remediations, description, and the file to be uploaded that is required for remediation on the File Remediations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the File Remediations page. It filters file remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the File Remediations page. You can also edit preset filters and remove them from the preset filters list.

To filter file remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose File Remediation .

Step 7 From the File Remediations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-32 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the File Remediations page, choose All from the Show drop-down to display all the file remediations without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters file remediations based on each field description on the File Remediations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the File Remediations page. If you clear the field, it displays the list of all the file remediations on the File Remediations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter file remediations by using variables that are more complex. It contains one or more filters, which filter file remediations based on the values that match the field description. A filter on a single row filters file remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter file remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-33 describes the fields that allow you to filter file remediations.

Table 20-33 Filtering File Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter file remediations by the name of the file remediation.

Description

This field enables you to filter file remediations by the description of the file remediation.

File Name

This field enables you to filter file remediations by the file name.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • File Name

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter file remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter file remediations.

Link Remediation

A link remediation allows clients to click a URL link for access to a remediation page, or resource. You can create a link remediation, where the NAC Agents and Web Agents open a browser with a link for clients to access a remediation page or resource, and remediate themselves for compliance.

You can filter, duplicate, edit, or delete link remediations on the Link Remediations page. The Link Remediations page displays all the link remediations along with their names, description, and their modes of remediation.

This section describes the procedures to configure and filter link remediations.

Adding, Duplicating, Editing, and Deleting a Link Remediation

This section describes the procedures to add, duplicate, edit, or delete link remediations from the Link Remediations page.

To add a link remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation .

The Link Remediations page appears, which lists all the link remediations on the Link Remediations page.

Step 7 From the Link Remediations page, choose Add .

The New Link Remediation page appears. Here, you can create to add a new link remediation.

Warning Once created and saved, the name of the link remediation is not editable.

Step 8 Modify the values on the New Link Remediation page, as shown in Table 20-34 .

Step 9 Click Submit to save the link remediation.

The new link remediation appears on the Link Remediations page.


 

To duplicate a link remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation .

The Link Remediations page appears, which lists all the link remediations on the Link Remediations page.

Step 7 Click the check box to choose a link remediation from the Link Remediations page.

Step 8 From the Link Remediations page, choose Duplicate .

Here, you can duplicate a link remediation on the Link Remediations page. You cannot duplicate a link remediation with the same name.

Step 9 Click Submit to duplicate a link remediation.

A copy of a link remediation appears on the Link Remediations page.


 

To edit a link remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation .

The Link Remediations page appears, which lists all the link remediations on the Link Remediations page.

Step 7 Click the check box to choose a link remediation from the Link Remediations page.

Step 8 From the Link Remediations page, choose Edit .

Here, you can edit a link remediation on the edit page.

Step 9 Click Save to save the link remediation.

The link remediation will be available on the Link Remediations after editing on the edit page.

Step 10 Click the Link Remediations List link from the edit page to return to the Link Remediations page.


 

To delete a link remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation .

The Link Remediations page appears, which lists all the link remediations on the Link Remediations page.

Step 7 Click the check box to choose a link remediation from the Link Remediations page.

Step 8 From the Link Remediations page, choose Delete .

Here, you can delete a link remediation from the Link Remediations page.


 

Table 20-34 describes the fields that allow you to create a link remediation on the New Link Remediation page.

Table 20-34 Link Remediation

Field Name
Field Description

Link Remediation Name

From the Link Remediation Name field, enter the name of the link remediation that you want to create.

Link Remediation Description

From the Link Remediation Description field, enter the description of the link remediation that you want to create.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for a link remediation:

  • Automatic
  • Manual—when selected, Retry Count and Interval fields are not editable

Retry Count

From the Retry Count field, enter the number of attempts that clients can try to remediate from the link.

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate from the link after previous attempts.

URL

A valid URL that clients can access a remediation page or resource to remediate.

Filtering Link Remediations

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Link remediations page. A quick filter is a simple and quick filter that can be used to filter link remediations on the Link Remediations page. It filters link remediations based on the field description such as the name of the link remediation, description, and the mode of remediation on the Link Remediations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Link Remediations page. It filters link remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Link Remediations page. You can also edit preset filters and remove them from the preset filters list.

To filter link remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation .

Step 7 From the Link Remediations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-35 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Link Remediations page, choose All from the Show drop-down to display all the link remediations without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters link remediations based on each field description on the Link Remediations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Link Remediations page. If you clear the field, it displays the list of all the link remediations on the Link Remediations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter link remediations by using variables that are more complex. It contains one or more filters, which filter link remediations based on the values that match the field description. A filter on a single row filters link remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter link remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-35 describes the fields that allow you to filter link remediations.

Table 20-35 Filtering Link Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter link remediations by the name of the link remediation.

Description

This field enables you to filter link remediations by the description of the link remediation.

Type

This field enables you to filter link remediations by the mode of remediation.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter link remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter link remediations.

Antivirus Remediation

An antivirus remediation updates clients with antivirus signature definitions for compliance. You can create an antivirus remediation, which updates clients with up-to-date file definitions for compliance after remediation.

You can filter, duplicate, edit, or delete antivirus remediations on the AV Remediations page. The AV Remediations page displays all the antivirus remediations along with their names, description, and their modes of remediation.

This section describes the following procedures to configure and filter antivirus remediations.

Adding, Duplicating, Editing, and Deleting an Antivirus Remediation

This section describes the procedures to add, duplicate, edit, or delete antivirus remediations from the AV Remediations page.

To add an antivirus remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AV Remediation .

The AV Remediations page appears, which lists all the antivirus remediations on the AV Remediations page.

Step 7 From the AV Remediations page, choose Add .

The New AV Remediation page appears. Here, you can create to add a new antivirus remediation.

Warning Once created and saved, the name of the antivirus remediation is not editable.

Step 8 Modify the values on the New AV Remediation page, as shown in Table 20-36 .

Step 9 Click Submit to save an antivirus remediation.

The new antivirus remediation appears on the AV Remediations page.


 

To duplicate an antivirus remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AV Remediation .

The AV Remediations page appears, which lists all the antivirus remediations on the AV Remediations page.

Step 7 Click the check box to choose an antivirus remediation from the AV Remediations page.

Step 8 From the AV Remediations page, choose Duplicate .

Here, you can duplicate an antivirus remediation on the AV Remediations page. You cannot duplicate an antivirus remediation with the same name.

Step 9 Click Submit to duplicate an antivirus remediation.

A copy of an antivirus remediation appears on the AV Remediations page.


 

To edit an antivirus or antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AV Remediation .

The AV Remediations page appears, which lists all the antivirus remediations on the AV Remediations page.

Step 7 Click the check box to choose an antivirus remediation from the AV Remediations page.

Step 8 From the AV Remediations page, choose Edit .

Here, you can edit an antivirus remediation on the edit page.

Step 9 Click Save to save the antivirus remediation.

The antivirus remediation will be available on the AV Remediations after editing on the edit page.

Step 10 Click the AV Remediations List link from the edit page to return to the AV Remediations page.


 

To delete an antivirus or antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AV Remediation .

The AV Remediations page appears, which lists all the antivirus remediations on the AV Remediations page.

Step 7 Click the check box to choose an antivirus remediation from the AV Remediations page.

Step 8 From the AV Remediations page, choose Delete .

Here, you can delete an antivirus remediation from the AV Remediations page.


 

Table 20-36 describes the fields that allow you to create an antivirus remediation.

Table 20-36 Antivirus Remediation

Field Name
Field Description

Name

From the Name field, enter the name of an antivirus remediation that you want to create.

Description

From the Description field, enter the description of an antivirus remediation.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for an antivirus remediation:

  • Automatic
  • Manual—when selected, Interval and Retry Count fields are not editable

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count

From the Retry Count field, enter the number of attempts that clients can try to update an antivirus definition.

Operating System

From the Operating System field, choose one of the following options:

  • Windows
  • Macintosh—when selected, Remediation Type, Interval, and Retry Count fields are not editable

This option specifies the operating system to which AV remediations apply.

AV Vendor Name

Click the drop-down arrow to view the predefined values for antivirus vendors.

Filtering Antivirus Remediations

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the AV Remediations page. A quick filter is a simple and quick filter that can be used to filter antivirus remediations on the AV Remediations page. It filters antivirus remediations based on the field description such as the name of the antivirus remediation, description, and as well as the mode of remediation on the AV Remediations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AV Remediations page. It filters antivirus remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to

manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the AV Remediations page. You can also edit preset filters and remove them from the preset filters list.

To filter antivirus remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AV Remediation .

Step 7 From the AV Remediations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-37 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.

Step 8 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the AV Remediations page.


Note To return to the AV Remediations page, choose All from the Show drop-down to display all the antivirus remediations without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters antivirus remediations based on each field description on the AV Remediations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the AV Remediations page. If you clear the field, it displays the list of all the antivirus remediations on the AV Remediations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter antivirus remediations by using variables that are more complex. It contains one or more filters, which filter antivirus remediations based on the values that match the field description. A filter on a single row filters antivirus remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antivirus remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-37 describes the fields that allow you to filter antivirus remediations.

Table 20-37 Filtering AV Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter antivirus remediations by the name of an antivirus remediation.

Description

This field enables you to filter antivirus remediations by the description of an antivirus remediation.

Type

This field enables you to filter antivirus remediations by the mode of remediation.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter antivirus remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter antivirus remediations.

Antispyware Remediation

An antispyware remediation updates clients with antispyware signature definitions for compliance. You can create an antispyware remediation, which updates clients with up-to-date file definitions for compliance after remediation.

You can filter, duplicate, edit, or delete antispyware remediations on the AS Remediations page. The AS Remediations page displays all the antivirus remediations along with their names, description, and their modes of remediation.

This section describes the following procedures to configure and filter antispyware remediations.

Adding, Duplicating, Editing, and Deleting an Antispyware Remediation

This section describes the procedures to add, duplicate, edit, or delete antispyware remediations from the AS Remediations page.

To add an antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AS Remediation .

The AS Remediations page appears, which lists all the antispyware remediations on the AS Remediations page.

Step 7 From the AS Remediations page, choose Add .

The New AS Remediation page appears. Here, you can create to add a new antispyware remediation.

Warning Once created and saved, the name of the antispyware remediation is not editable.

Step 8 Modify the values on the New AS Remediations page, as shown in Table 20-38 .

Step 9 Click Submit to save an antispyware remediation.

The new antispyware remediation appears on the AS Remediations page.


 

To duplicate an antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AS Remediation .

The AS Remediations page appears, which lists all the antispyware remediations on the AS Remediations page.

Step 7 Click the check box to choose an antispyware remediation from the AS Remediations page.

Step 8 From the AS Remediations page, choose Duplicate .

Here, you can duplicate an antispyware remediation on the AS Remediations page. You cannot duplicate an antispyware remediation with the same name.

Step 9 Click Submit to duplicate an antispyware remediation.

A copy of an antispyware remediation appears on the AS Remediations page.


 

To edit an antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AS Remediation .

The AS Remediations page appears, which lists all the antispyware remediations on the AS Remediations page.

Step 7 Click the check box to choose an antispyware remediation from the AS Remediations page.

Step 8 From the AS Remediations page, choose Edit .

Here, you can edit an antispyware remediation on the edit page.

Step 9 Click Save to save the antispyware remediation.

The antispyware remediation will be available on the AS Remediations after editing on the edit page.

Step 10 Click the AS Remediations List link from the edit page to return to the AS Remediations page.


 

To delete an antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AS Remediation .

The AS Remediations page appears, which lists all the antispyware remediations on the AS Remediations page.

Step 7 Click the check box to choose an antispyware remediation from the AS Remediations page.

Step 8 From the AS Remediations page, choose Delete .

Here, you can delete an antispyware remediation from the AS Remediations page.


 

Table 20-38 describes the fields that allow you to create an antispyware remediation:

Table 20-38 Antispyware Remediation

Field Name
Field Description

Name

From the Name field, enter the name of an antispyware remediation that you want to create.

Description

From the Description field, enter the description of an antispyware remediation.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for an antispyware remediation:

  • Automatic
  • Manual—when selected, Interval and Retry Count fields are not editable

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count

From the Retry Count field, enter the number of attempts that clients can try to update an antispyware definition.

Operating System

From the Operating System field, choose one of the following options:

  • Windows
  • Macintosh—when selected, Remediation Type, Interval, and Retry Count fields are not editable

This option specifies the operating system to which AS remediations apply.

AS Vendor Name

Click the drop-down arrow to view the predefined values for antispyware vendors.

Filtering Antispyware Remediations

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the AS remediations page. A quick filter is a simple and quick filter that can be used to filter antispyware remediations on the AS Remediations page. It filters antispyware remediations based on the field description such as the name of the antispyware remediation, description, and as well as the mode of remediation on the AS Remediations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AS Remediations page. It filters antispyware remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the AS Remediations page. You can also edit preset filters and remove them from the preset filters list.

To filter antispyware remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AS Remediation .

Step 7 From the AS Remediations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-39 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the AS Remediations page, choose All from the Show drop-down to display all the antispyware remediations without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters antispyware remediations based on each field description on the AS Remediations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the AS Remediations page. If you clear the field, it displays the list of all the antispyware remediations on the AS Remediations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter antispyware remediations by using variables that are more complex. It contains one or more filters, which filter antispyware remediations based on the values that match the field description. A filter on a single row filters antispyware remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antispyware remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-39 describes the fields that allow you to filter antispyware remediations.

Table 20-39 Filtering AS Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter antispyware remediations by the name of an antispyware remediation.

Description

This field enables you to filter antispyware remediations by the description of an antispyware remediation.

Type

This field enables you to filter antispyware remediations by the mode of remediation.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter antispyware remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter antispyware remediations.

Launch Program Remediation

A launch program remediation launches one, or more programs on clients for compliance. You can create a launch program remediation, where the NAC Agents and Web Agents remediate clients by launching one, or more applications on clients for compliance.

You can filter, duplicate, edit, or delete launch program remediations on the Launch Program Remediations page. The Launch Program Remediations page displays all the launch program remediations along with their names, description, and their modes of remediation.

This section describes the following procedures to configure and filter launch program remediations.

Adding, Duplicating, Editing, and Deleting a Launch Program Remediation

This section describes the procedures to add, duplicate, edit, delete launch program remediations from the Launch Program Remediations page.

To add a launch program remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation .

The Launch Program Remediations page appears, which lists all the launch program remediations on the Launch Program Remediations page.

Step 7 From the Launch Program Remediations page, choose Add .

The New Launch Program Remediation page appears. Here, you can create to add a new launch program remediation.

Warning Once created and saved, the name of the launch program remediation is not editable.

Step 8 Modify the values on the New Launch Program Remediation page, as shown in Table 20-40 .

Step 9 Click Submit to save the launch program remediation.

The new launch program remediation appears on the Launch Program Remediations page.


 

To duplicate a launch program remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation .

The Launch Program Remediations page appears, which lists all the launch program remediations on the Launch Program Remediations page.

Step 7 Click the check box to choose a launch program remediation from the Launch Program Remediations page.

Step 8 From the Launch Program Remediations page, choose Duplicate .

Here, you can duplicate a launch program remediation on the Launch Program Remediations page. You cannot duplicate a launch program remediation with the same name.

Step 9 Click Submit to duplicate a launch program remediation.

A copy of a launch program remediation appears on the Launch Program Remediations page.


 

To edit a launch program remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation .

The Launch Program Remediations page appears, which lists all the launch program remediations on the Launch Program Remediations page.

Step 7 Click the check box to choose a launch program remediation from the Launch Program Remediations page.

Step 8 From the Launch Program Remediations page, choose Edit .

Here, you can edit a launch program remediation on the edit page.

Step 9 Click Save to save the launch program remediation.

The launch program remediation will be available on the Launch Program Remediations after editing on the edit page.

Step 10 Click the Launch Program Remediations List link from the edit page to return to the Launch Program Remediations page.


 

To delete a launch program remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation .

The Launch Program Remediations page appears, which lists all the launch program remediations on the Launch Program Remediations page.

Step 7 Click the check box to choose a launch program remediation from the Launch Program Remediations page.

Step 8 From the Launch Program Remediations page, choose Delete .

Here, you can delete a launch program remediation from the Launch Program Remediations page.


 

Table 20-40 describes the fields that allow you to create a launch program remediation.

Table 20-40 Launch Program Remediation

Field Name
Field Description

Name

From the Name field, enter the name of the launch program remediation that you want to create.

Description

From the Description field, enter the description of the launch program remediation that you want to create.

Remediation Type

From the Remediation Type field, choose the mode that are predefined to launch programs:

  • Automatic
  • Manual

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count

From the Retry Count field, enter the number of attempts that clients can try to launch required programs.

Program Installation Path

From the Program Installation Path field, choose the path in which a remediation program has to be installed.

Click the drop-down arrow to view the following predefined paths to installing programs:

  • ABSOLUTE_PATH—remediation program is installed in the fully qualified path of the file. For example, C:\<directory>\
  • SYSTEM_32—remediation program is installed in the C:\WINDOWS\system32 directory
  • SYSTEM_DRIVE—remediation program is installed in the C:\ drive
  • SYSTEM_PROGRAMS—remediation program is installed in the C:\Program Files
  • SYSTEM_ROOT—remediation program is installed in the root path for Windows system

Program Executable

From the Program Executable field, enter the name of the remediation program executable, or an installation file.

Program Parameters

From the Program Parameters field, enter (optional) required parameters for the remediation programs.

Existing Programs

An area to display the installation paths of existing remediation programs, the name of the remediation programs installed, and parameters if any.

Add—to add remediation programs to the list after entering program executable, or an installation file.

Delete—to delete remediation programs from the list.

Filtering Launch Program Remediations

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Launch Program Remediations page. A quick filter is a simple and quick filter that can be used to filter launch program remediations on the Launch Program Remediations page. It filters launch program remediations based on the field description such as the name of the launch program remediations, description, and as well as the mode of remediation on the Launch Program Remediations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Launch Program Remediations page. It filters launch program remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Launch Program Remediations page. You can also edit preset filters and remove them from the preset filters list.

To filter launch program remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation .

Step 7 From the Launch Programs Remediations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-41 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Launch Program Remediations page, choose All from the Show drop-down to display all the launch program remediations without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters launch program remediations based on each field description on the Launch Program Remediations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Launch Program Remediations page. If you clear the field, it displays the list of all the launch program remediations on the Launch Program Remediations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter launch program remediations by using variables that are more complex. It contains one or more filters, which filter launch program remediations based on the values that match the field description. A filter on a single row filters launch program remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter launch program remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-41 describes the fields that allow you to filter launch program remediations.

Table 20-41 Filtering Launch Program Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter launch program remediations by the name of the program remediation.

Description

This field enables you to filter launch program remediations by the description of the program remediation.

Type

This field enables you to filter launch program remediations by type.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter launch program remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter launch program remediations.

Windows Update Remediation

A Windows update remediation ensures that Automatic Updates configuration is turned on Windows clients per your security policy, and helps you to ensure that Automatic Updates remediates Windows clients to result in successful posture assessments for compliance.

You can filter, duplicate, edit, or delete Windows update remediations from the Windows Update Remediations page. The Windows Update Remediations page displays all the Windows update remediations along with their names, description, and as well as their modes of remediation.

This section describes the following procedures to configure and filter Windows update remediations.

Windows Automatic Updates

The Windows administrators have an option to turn on or turn off Automatic Updates on Windows clients. The Microsoft Windows uses this feature to regularly check for important updates and install them on your clients. If the Automatic Updates feature is turned on, then the Windows automatically updates Windows-recommended updates before any other updates.

Windows XP provides the following settings for configuring Automatic Updates:

  • Automatic (recommended)—Windows allows clients automatically download recommended Windows updates for their computers and install them
  • Download updates for me, but let me choose when to install them—Windows downloads updates for clients, and allows clients to choose when to install them
  • Notify me but don’t automatically download or install them—Windows only notifies clients, but does not automatically download, or install them
  • Turn off Automatic Updates—Windows allows clients to turn off Windows Automatic Updates feature. Here, clients are vulnerable unless clients install updates regularly. They can install updates from the Windows Update Web site link.

Note The Windows Automatic Updates setting will differ for different Windows operating systems.


You can create a Windows update remediation to check for the Windows updates service (wuaserv) whether the service is started or stopped in any Windows client by using the pr_AutoUpdateCheck_Rule . It is a predefined Cisco rule, which can be used to create a posture requirement. If the posture requirement fails, the remediation action (Windows update remediation) that you associate to the requirement enforces the Windows client to remediate by using one of the automatic updates options.

Override User’s Windows Update Setting With Administrator’s Option in Windows Update Remediations

You can enable the “Override User’s Windows Update setting with administrator’s” option to override the user’s with remediation settings, or else you can disable the option.


Note The users setting are not restored back here to their original setting even after they exit from NAC Agents, or when they reboot their Windows clients, or when they restart the Windows Automatic Updates service on their Windows clients.


If “Override User's Windows update setting with administrator's” option is disabled, Windows update remediations will not be enforced except for “Turn Off Automatic Updates” settings on Windows clients.

Windows update remediations will fail when you want to change the Windows Automatic Updates setting:

    • From Automatic (recommended) to Download updates for me, but let me choose when to install them and vice versa.
    • From Automatic (recommended) to Notify me but don’t automatically download or install them and vice versa.
  • From Notify me but don’t automatically download or install them to Download updates for me, but let me choose when to install them and vice versa.

Adding, Duplicating, Editing, and Deleting a Windows Update Remediation

This section describes the procedures to add, duplicate, edit, or delete Windows update remediations from the Windows Update Remediations page.

To add a Windows update remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Update Remediation .

The Windows Update Remediations page appears, which lists all the Windows update remediations on the Windows Update Remediations page.

Step 7 From the Windows Update Remediations page, choose Add .

The New Windows Update Remediation page appears. Here, you can create to add a new Windows update remediation.

Warning Once created and saved, the name of the Windows update remediation is not editable.

Step 8 Modify the values on the New Windows Update Remediation page, as shown in Table 20-42 .

Step 9 Click Submit to save the Windows update remediation.

The new Windows update remediation appears on the Windows update remediations page.


 

To duplicate a Windows update remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Update Remediation .

The Windows Update Remediations page appears, which lists all the Windows update remediations on the Windows Update Remediations page.

Step 7 Click the check box to choose a Windows update remediation from the Windows Update Remediations page.

Step 8 From the Windows Update Remediations page, choose Duplicate .

Here, you can duplicate a Windows update remediation on the Windows Update Remediations page. You cannot duplicate a Windows update remediation with the same name.

Step 9 Click Submit to duplicate a Windows update remediation.

A copy of a Windows update remediation appears on the Windows Update Remediations page.


 

To edit a Windows update remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Update Remediation .

The Windows Update Remediations page appears, which lists all the Windows update remediations on the Windows Update Remediations page.

Step 7 Click the check box to choose a Windows update remediation from the Windows Update Remediations page.

Step 8 From the Windows Update Remediations page, choose Edit .

Here, you can edit a Windows update remediation on the edit page.

Step 9 Click Save to save the Windows update remediation.

The Windows update remediation will be available on the Windows Update Remediations after editing on the edit page.

Step 10 Click the Windows Update Remediations List link from the edit page to return to the Windows Update Remediations page.


 

To delete a Windows update remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Update Remediation .

The Windows Update Remediations page appears, which lists all the Windows update remediations on the Windows Update Remediations page.

Step 7 Click the check box to choose a Windows update remediation from the Windows Update Remediations page.

Step 8 From the Windows Update Remediations page, choose Delete .

Here, you can delete a Windows update remediation from the Windows Update Remediations page.


 

Table 20-42 describes the fields that allow you to create a Windows update remediation:

Table 20-42 Windows Update Remediation

Field Name
Field Description

Name

From the Name field, enter the name of the Windows update remediation that you want to create.

Description

From the Description field, enter the description of the Windows update remediation.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for Windows updates:

  • Automatic
  • Manual—when selected, Interval and Retry Count fields are not editable

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count

From the Retry Count field, enter the number of attempts that Windows clients can try for Windows updates.

Windows Update Setting

Cisco ISE provides the following four options for Windows update remediations:

a. Do not change setting—If selected, the Windows Automatic Updates client configuration does not change during, or after Windows update remediation.

b. Notify to download and install—Windows only notifies clients, but does not automatically download, or install them. If selected, Windows only notifies clients to download, or install Windows updates.

c. Automatically download and notify to install—Windows downloads updates for clients, and allows them to choose when to install them. If selected, Windows automatically downloads, and notifies clients to install Windows updates.

d. Automatically download and install—Windows allows clients automatically download recommended Windows updates for their computers and install them. If selected, Windows automatically downloads, and installs Windows updates. This is the highly recommended setting from Windows for Windows clients.

Click the drop-down arrow to choose an option for Automatic Updates setting on Windows clients.

Override User’s Windows Update setting with administrator’s check box.

A check box, which allows Cisco ISE administrators to override Automatic Updates configuration of Windows clients.

If checked, the setting enforces the Cisco ISE administrator-specified setting for Windows Automatic Updates on all the client machines during, and after Windows update remediation.

If unchecked, the setting enforces the following:

  • The Cisco ISE administrator-specified setting only when Automatic Updates are disabled on Windows clients.
  • The Windows clients-specified setting only when Windows Automatic Updates are enabled on the client.

Filtering Windows Update Remediations

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Windows Update Remediations page. A quick filter is a simple and quick filter that can be used to filter Windows update remediations on the Windows Update Remediations page. It filters Windows update remediations based on the field description such as the name of the Windows update remediations, description, and as well as the mode of remediation on the Windows Update Remediations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Windows Update Remediations page. It filters Windows update remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Windows Update Remediations page. You can also edit preset filters and remove them from the preset filters list.

To filter Windows update remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Step 6 Choose Windows Update Remediation .

Step 7 From the Windows Update Remediations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option which allows you to manage preset filters for filtering. See Table 20-43 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Windows Update Remediations page, choose All from the Show drop-down to display all the Windows update remediations without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters Windows update remediations based on each field description on the Windows Update Remediations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Windows Update Remediations page. If you clear the field, it displays the list of all the Windows update remediations on the Windows Update Remediations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter Windows update remediations by using variables that are more complex. It contains one or more filters, which filter Windows update remediations based on the values that match the field description. A filter on a single row filters Windows update remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter Windows update remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-43 describes the fields that allow you to filter Windows update remediations:

Table 20-43 Filtering Windows Update Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter Windows update remediations by the name of the Windows update remediation.

Description

This field enables you to filter Windows update remediations by the description of the Windows update remediation.

Type

This field enables you to filter Windows update remediations by type.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter Windows update remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter Windows update remediations.

Windows Server Update Services Remediation

A Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or a Microsoft-managed WSUS server with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance.

You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can filter, duplicate, edit or delete WSUS remediations from the remediations list. You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or locally administered WSUS server for compliance.The Windows Server Update Services (WSUS) Remediations page displays all the WSUS remediations along with their names, description, and as well as their modes of remediation.


Note When you associate a WSUS remediation action to a posture requirement to validate Windows updates by using the severity level option, you must choose the pr_WSUSRule (a dummy compound condition) compound condition in the posture requirement. When the posture requirement fails, the NAC Agent enforces the remediation action (Windows updates) based on the severity level that you define in the WSUS remediation.


This section describes the following procedures to configure and filter WSUS remediations.

Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation

This section describes the procedures to add, duplicate, edit, or delete WSUS remediations from the Windows Server Update Services Remediations page.

To add a Windows server update services remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Server Update Services Remediation .

The Windows Server Update Services Remediations page appears, which lists all the WSUS remediations on the Windows Server Update Services Remediations page.

Step 7 From the Windows Server Update Services Remediations page, choose Add .

The New Windows Server Update Services Remediation page appears. Here, you can create to add a new WSUS remediation.

Warning Once created and saved, the name of the Windows server update services remediation is not editable.

Step 8 Modify the values on the New Windows Server Update Services Remediation page, as shown in Table 20-44 .

Step 9 Click Submit to save the WSUS remediation.

The new WSUS remediation appears on the Windows Server Update Services Remediations page.


 

To duplicate a Windows server update services remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Server Update Services Remediation .

The Windows Server Update Services Remediations page appears, which lists all the WSUS remediations on the Windows Server Update Services Remediations page.

Step 7 Click the check box to choose a WSUS remediation from the Windows Server Update Services Remediations page.

Step 8 From the Windows Server Update Services Remediations page, choose Duplicate .

Here, you can duplicate a WSUS remediation on the Windows Server Update Services Remediations page. You cannot duplicate a WSUS remediation with the same name.

Step 9 Click Submit to duplicate a WSUS remediation.

A copy of a WSUS remediation appears on the Windows Server Update Services Remediations page.


 

To edit a Windows server update services remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Server Update Services Remediation .

The Windows Server Update Services Remediations page appears, which lists all the WSUS remediations on the Windows Server Update Services Remediations page.

Step 7 Click the check box to choose a WSUS remediation from the Windows Server Update Services Remediations page.

Step 8 From the Windows Server Update Services Remediations page, choose Edit .

Here, you can edit a WSUS remediation on the edit page.

Step 9 Click Save to save the WSUS remediation.

The WSUS remediation will be available on the Windows Server Update Services Remediations after editing on the edit page.

Step 10 Click the Windows Server Update Services Remediations List link to return back to the WSUS remediation list page.


 

To delete a Windows server update services remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Server Update Services Remediation .

The Windows Server Update Services Remediations page appears, which lists all the WSUS remediations on the Windows Server Update Services Remediations page.

Step 7 Click the check box to choose a WSUS remediation from the Windows Server Update Services Remediations page.

Step 8 From the Windows Server Update Services Remediations page, choose Delete .

Here, you can delete a WSUS remediation from the Windows Server Update Services Remediations page.


 

Table 20-44 describes the fields that allow you to create a WSUS remediation.

 

Table 20-44 WSUS Remediation

Field Name
Field Description

Name

From the Name field, enter the name of the WSUS remediation that you want to create.

Description

From the Description field, enter the description of the WSUS remediation that you want to create.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for WSUS remediations.

The following options are available:

  • Automatic—The NAC Agents automatically updates Windows clients with the latest WSUS updates.
  • Manual—When it is selected, Interval and Retry Count fields are nor editable. The user manually updates the Windows client with the latest WSUS updates from a Microsoft-managed WSUS server, or from the locally administered WSUS server for compliance.

Interval (in seconds)

From the Interval field, you can specify the interval in seconds (the default interval is 0) to delay WSUS updates before the NAC Agents and Web Agents attempt to retry after the previous attempt.

Retry Count

From the Retry Count field, you can set a limit on the number of attempts that the NAC Agents and web Agents retry to update Windows clients with WSUS updates.

Validate Windows updates using

The validation method that you use to check the Windows operating system that is installed on the client for Windows updates.

The available options are:

  • Cisco Rules
  • Severity Level

Cisco Rules radio button

The validation method that you will use to check the client Windows operating system to meet minimum security standards as a result of dynamic posture updates downloaded to the Cisco ISE server.

Click the Cisco Rules radio button to validate WSUS updates using Cisco Rules. If selected, custom or pre-configured rules must be selected as conditions in the posture requirement.

Severity Level radio button

The validation method that you will use to check the client Windows operating system to meet minimum security standards by using a Microsoft-managed WSUS server, or locally administered WSUS server.

Click the Security Level radio button to validate WSUS updates based on the Security Level set on the WSUS server. If selected, custom or pre-configured rules can be selected as conditions in the posture requirement, but they are not used. For this purpose, the pr_WSUSRule can be used as a placeholder condition (a dummy condition) in the posture requirement that specifies a WSUS remediation.

Windows Updates Severity Level

The severity level of Windows updates that you select to install on Windows clients.

The following are the severity levels of WSUS updates that you can install on Windows clients:

  • Critical—Installs only critical Windows updates
  • Express—Installs important and critical Windows updates
  • Medium—Installs all critical, important and moderate Windows updates
  • All—Installs all critical, important, moderate and low Windows updates

Update to latest OS Service Pack check box

If checked, then the WSUS remediation installs the latest service pack available for the client's operating system automatically.

Note The operating system service packs are updated automatically irrespective of the Medium and All severity level options selected in WSUS remediation.

Windows Updates Installation Source

This selection specifies the source from where you install WSUS updates on Windows clients:

  • Microsoft server—Microsoft-managed WSUS server
  • Managed server—Locally administered WSUS server

Installation Wizard Interface Setting

An option to display the installation wizard on the client during WSUS updates:

  • Show UI—an option to display the Windows Update Installation Wizard progress on Windows clients. (Users must have Administrator privileges on client machines in order to see the installation wizard user interface during WSUS updates.)
  • No UI—an option to hide the Windows Update Installation Wizard progress on Windows clients.

Filtering Windows Server Update Services Remediations

You can use the Show drop-down list, or click the filter icon to invoke a quick filter and close it as well on the Windows Server Update Services Remediations page. A quick filter is a simple and quick filter that can be used to filter WSUS remediations on the Windows Server Update Services Remediations page. It filters WSUS remediations based on the field description such as the name of the WSUS remediations, description, and the mode of remediation on the Windows Server Update Services Remediations page.

You can use the Show drop-down list to invoke an advanced filter. An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Windows Server Update Services Remediations page. It filters WSUS remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter.

You can use the Manage Preset Filters option which lists all the preset filters. This option allows you to manage preset filters. Once created and saved a preset filter, you can choose a preset filter from the list which displays the results on the Windows Server Update Services Remediations page. You can also edit preset filters and remove them from the preset filters list.

To filter WSUS remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results .

Step 2 From the Results menu window, choose Posture .

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions .

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Step 6 Choose WSUS Server Update Services Remediation .

Step 7 From the Windows Server Update Services Remediations page, click the drop-down arrow of Show to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or Manage Preset Filters option

which allows you to manage preset filters for filtering. See Table 20-45 .

For more information, see the “To filter by using the Quick Filter option, complete the following steps:” section and “To filter by using the Advanced Filter option, complete the following steps:” section.


Note To return to the Windows Server Update Services Remediations page, choose All from the Show drop-down to display all the WSUS remediations without filtering.



 

To filter by using the Quick Filter option, complete the following steps:

A quick filter filters WSUS remediations based on each field description on the Windows Server Update Services Remediations page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Windows Server Update Services Remediations page. If you clear the field, it displays the list of all the WSUS remediations on the Windows Server Update Services Remediations page.


Step 1 To filter, click the Go button within each field.

Step 2 To clear the field, click the Clear button within each field.


 

To filter by using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter WSUS remediations by using variables that are more complex. It contains one or more filters, which filter WSUS remediations based on the values that match the field description. A filter on a single row filters WSUS remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter WSUS remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter and click Save , or Cancel to clear the filter.


 

Table 20-45 describes the fields that allow you to filter WSUS remediations.

Table 20-45 Filtering Windows Server Update Services Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter WSUS remediations by the name of the WSUS remediation.

Description

This field enables you to filter WSUS remediations by the description of the WSUS remediation.

Type

This field enables you to filter WSUS remediations by type.

Advanced Filter

Choose the field description from the following:

  • Name
  • Description
  • Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter WSUS remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter WSUS remediations.

Client Posture Assessment Requirements

Prerequisite

You must have an understanding of Acceptable Use Policy (AUP) for a posture as you create posture requirements. Refer to the following location on AUP with respect to posture compliance:

Administration > System > Settings > Posture > Acceptable Use policy .

For more information on AUP, see Posture Acceptable Use Policy.

A posture requirement is a set of compound conditions with an associated remediation action that can be linked with a role in conjunction with an operating system. All the clients that are connecting to your network must meet mandatory requirements during posture policies evaluation, which are associated to posture policies in order to become compliant on your network. If requirements are optional and clients fail these requirements, then the clients have an option to continue further so that end users can skip optional requirements even though they fail during policy evaluation.

If clients fail to meet mandatory requirements during posture policies evaluation, then they are denied network access to your network, and they are moved into a quarantine state forever. If clients are moved into the quarantine state, they will not be to reauthenticate again in order to be postured successfully for compliance again. If clients need to come out of the quarantine state in order to become compliant, then the network access devices must be configured to restart a new RADIUS session after the session times out so that clients can reauthenticate again in order to meet mandatory requirements for compliance.

For information on configuration guidance of posture clients quarantine state, see “Authorization Profile Configuration Guidance for Posture Clients Quarantine State” section.

pr_WSUSRule

The pr_WSUSRule is a dummy compound condition, which is used in a posture requirement with a Windows Server Update Services (WSUS) remediation associated to it. The associated WSUS remediation action must be configured to validate Windows updates by using the severity level option. When this requirement fails, the NAC Agent that is installed on the Windows client enforces the WSUS remediation action based on the severity level that you define in the WSUS remediation.


Note The pr_WSUSRule cannot be viewed in the Compound conditions list page. You can only select the pr_WSUSRule from the Conditions widget.


You can use the Posture Requirements page to insert (create) a new requirement, or duplicate an existing requirement, or delete an existing requirement.

Creating User Defined Conditions and Remediation Actions

Cisco ISE allows you to create and associate user defined conditions, associate Cisco defined conditions, and create and associate remediation actions on the Requirements page itself that simplifies requirement configuration without navigating to their respective pages. Once created and saved on the Requirements page, these user defined conditions and remediation actions can be viewed from their respective lists.

Table 20-46 describes the fields on the Posture Requirements page that allow you to insert a new posture requirement, or duplicate an existing requirement or delete an existing posture requirement.

 

Table 20-46 Posture Requirement

Field
Field Description

Name

From the Name field, enter the name of the requirement that you want to create.

Operating Systems

From the Operating Systems field, choose an operating system. It allows you to select all, or specific Windows, or Macintosh operating systems to which the posture requirement is applied.

Conditions

From the Conditions field, choose one or more dictionary simple conditions, and dictionary compound conditions to which the posture requirement should apply.

If more than one condition is selected, then all the conditions must be met (a logical AND operation) to form a compound condition. The system uses “&” as the AND operator.

The conditions are defined in the following location:

Policy > Policy Elements > Conditions > Posture.

For more information on the posture conditions, see the Custom Conditions for Posture.

Remediation Actions

The remediation action defines the action to be taken when the posture requirement fails on the client.

The remediation actions are defined in the following location:

Policy > Policy Elements > Results > Posture > Remediation Actions .

For information on the posture remediation actions, see the Custom Posture Remediation Actions.

For more information on how to manage posture requirements, see the “Creating, Duplicating, and Deleting Client Posture Requirements” section

Related Topics

Client Posture Assessment Policies

Custom Posture Remediation Actions

Creating, Duplicating, and Deleting Client Posture Requirements

This section describes the following procedures on how to insert (create) a new requirement, or duplicate an existing requirement, or delete an existing requirement on the Posture Requirements page.

Creating a New Posture Requirement

You can create a new posture requirement on the Requirements page.

To insert a new requirement, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results > Posture > Requirements .

Step 2 Choose Requirements .

The Posture Requirements page appears.

Step 3 Enter the requirement name.

Warning The operating system is also not editable on the posture requirement after you have associated the newly created requirement to a posture policy. In order to edit the operating system on the requirement, you need to remove the posture requirement association from the posture policy.

 

Step 4 From the Operating Systems field, choose Select Operating Systems .

To choose an operating system, complete the following steps:

a. From the Select Operating System field, click the plus [+] sign to expand the operating system anchored overlay.

The operating system anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Operating System Quick Picker (down arrow) icon.

The Operating System Groups widget appears.

c. From the Operating System Groups widget, choose All .

Here, click the Quick Picker (right arrow) icon to view the operating system groups.

d. From the All widget, choose the operating system group.

The parent groups for the operating system appears.

e. Choose the parent operating system group.

  • For Mac OS X (Macintosh), the group has three underlying versions.
  • For Windows All, the group has the Windows 7 (All), Windows Vista (All), and Windows XP (All) groups that contain underlying versions for each of the groups.

f. From the Mac OS X (Macintosh) group, choose the underlying Macintosh operating system.

g. From the Windows All group, choose the underlying Windows group and the Windows version.

Each Windows group contains its own underlying versions.

h. Click the Add (plus [+] sign) button to associate more than one operating system to the policy.

i. Click the Remove (minus [-] sign) button to remove the operating system from the policy.

Step 5 From the Conditions field, choose Select Conditions .

To choose a condition, complete the following steps:

a. From the Conditions field, click the plus [+] sign to expand the conditions anchored overlay.

The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Conditions Quick Picker (down arrow) icon.

The Conditions widget appears. The Conditions widget lists User Defined Conditions and Cisco Defined Conditions. Here, you can create a user defined condition that can be saved to the respective user defined conditions list.

c. From the Conditions widget, choose User Defined Conditions .

The Table view button shows the list of user defined conditions in a row format in the right pane of the widget. The Tree view button shows the list of user defined conditions in a tree format under the user defined conditions.

To choose a user defined condition, complete the following steps:

d. Click the Quick Picker (right arrow) to view the list of user defined conditions.

Here, you can choose one of the following user defined conditions:

File Conditions

Registry Conditions

Service Conditions

Application Conditions

Regular Compound Condition

AV Compound Condition

AS Compound Condition

e. Click the Quick Picker (right arrow) to view the list of each user defined condition.

Here, you can choose a user defined condition from the list.

To create a user defined condition from the Conditions widget, complete the following steps:

You cannot edit the associated parent operating system while creating user defined conditions on the Requirements page.

a. Click the Select Conditions Quick Picker (down arrow) icon.

The Conditions widget appears. The Condition widget lists User Defined Conditions and Cisco Defined Conditions.

b. Click the Quick Picker (down arrow) on the Action button.

Here, you can create any user defined condition that allows you to save it to the existing list of respective user defined conditions, as well as associate it from the Requirements page.

c. Choose one of the user defined conditions from the following conditions:

Create File Condition

The Add File Condition widget appears. Here, you can create a file (simple) condition.

Create Registry Condition

The Add Registry Condition widget appears. Here, you can create a registry (simple) condition.

Create Application Condition

The Add Application Condition widget appears. Here, you can create an application (simple) condition.

Create Service Condition

The Add Service Condition widget appears. Here, you can create a service (simple) condition.

Create Compound Condition

The Add Compound Condition widget appears. Here, you can create a regular compound condition where you can add simple file conditions, registry conditions, application conditions and service conditions and form a compound condition by using AND. OR, NOT logical operators.

Create AV Compound Condition

The Add AV Compound Condition widget appears. Here, you can create an AV compound condition.

Create AS Compound Condition

The Add AS Compound Condition widget appears. Here, you can create an AS compound condition.

d. Click Save and Select .

Once created, the user defined condition can be saved to the existing list of respective user defined conditions, as well as associated to the requirements from the Requirements page.

To choose a Cisco defined condition, complete the following steps:

a. From the Conditions widget, choose Cisco Defined Conditions .

The Table view button shows the list of Cisco defined conditions in a row format in the right pane of the widget. The Tree view button shows the list of Cisco defined conditions in a tree format under the compound conditions.

b. Click the Quick Picker (right arrow) to view to view the list of each Cisco defined conditions.

Here, you can choose one of the following Cisco defined conditions:

File Conditions

Registry Conditions

Service Conditions

Application Conditions

Regular Compound Condition

pr_WSUSRule is a dummy compound condition. For more information, see the pr_WSUSRule.

AV Compound Condition

AS Compound Condition

c. Choose a Cisco defined condition.

To associate one or more conditions to the requirement, complete the following steps:

a. Click the Add (plus [+] sign) button to associate more than one condition to the requirement.

b. Click the Remove (minus [-] sign) button to remove the condition from the requirement.

To validate associated conditions in a requirement, complete the following step:

a. Choose one of the following options:

All selected conditions succeed

Any selected condition succeeds

No selected condition succeeds

Step 6 From the Remediations Actions field, choose Select Remediations .

To choose a remediation action, complete the following steps:

a. From the Remediation Actions field, click the plus [+] sign to expand the remediation anchored overlay.

The Remediations anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Remediations Quick Picker (down arrow) icon.

The Remediations widget appears.

c. Choose the remediation action.

For Message Text only action, enter appropriate information in text so that the NAC Agent displays it on the client. For more information, see the Message Text Only.

To create a remediation action, complete the following steps:

a. Click the Select Remediation Quick Picker (down arrow) icon.

The Remediation widget appears, which lists all the remediation actions.

b. Click the Quick Picker (down arrow) on the Action button.

Here, you can create a remediation action that allows you to save it to the existing list of respective remediation actions, as well as associate it from the Requirements page.

c. Choose one of the remediation actions from the following:

Create AV Remediation

The Add AV Remediation widget appears. Here, you can create an AV remediation.

Create AS Remediation

The Add AS Remediation widget appears. Here, you can create an AS remediation.

Create File Remediation

The Add File Remediation widget appears. Here, you can create a file remediation.

Create Launch Program Remediation

The Add Launch Program Remediation widget appears. Here, you can create a launch program remediation.

Create Link Remediation

The Add Link Remediation widget appears. Here, you can create a link remediation.

Create Windows Server Update Services Remediation

The Add Windows Server Update Services Remediation widget appears. Here, you can create a WSUS remediation.

Create Windows Update Remediation

The Add Windows Update Remediation widget appears. Here, you can create a Windows update remediation.

d. Click Save and Select .

Once created, the remediation actions can be saved to the existing list of respective remediation actions list, as well as associated to the requirements from the Requirements page.

Step 7 Click Save to save the posture requirement.


 

Duplicating a Posture Requirement

You can create a copy of a posture requirement that you want to duplicate on the Requirements page.

To duplicate a requirement, complete the following steps:


Step 1 Click the Action Icon button.

Step 2 Choose Duplicate .

Here, you can create a copy of the requirement that you want to duplicate on the Requirements page.


 

Deleting a Posture Requirement

You can also delete a posture requirement from the Requirements page.

To delete a requirement, complete the following steps:


Step 1 Click the Action Icon button.

Step 2 Choose Delete .

Here, you can delete a requirement from the Requirements page.


 

Custom Authorization Policies for Posture

This section describes the standard authorization policies that you define for posture in the Cisco ISE appliance.

You can define two types of authorization policies on the Authorization Policy page, the standard authorization policies and the exceptions authorization policies. The standard authorization policies that are specific to posture on the Authorization Policy page are used to make policy decisions (enforce policies) based on the compliance status of endpoints such as unknown, compliant, and noncompliant. The standard authorization profiles (permissions) that you define on the Authorization Profiles page set access privileges based on the matching compliance status.

You can create posture-specific authorization policies for all wired, wireless, and guest deployments by specifying the Session:PostureStatus attribute in the authorization policies. This attribute has three values, unknown, compliant, and noncompliant, which you can use n the authorization policies.

First Matched Rule Applies

With this option selected, one or more authorization profiles (permissions) that are defined in the authorization policy set the access privileges (authorization) for an end user based on the first matching authorization policy during evaluation.

The selection of First Matched Rule Applies option allows you to configure authorization profiles for an end user by applying the first matching authorization policy from the standard authorization policies that are enabled on the Authorization Policy page. Cisco ISE evaluates the standard authorization policies that are enabled on the Authorization Policy page and then determines the authorization profile, or authorization profiles that are associated in the standard authorization policies. Once the first matching authorization policy is found, Cisco ISE stops evaluating the rest of the standard authorization policies on the Authorization Policy page.

Multiple Matched Rule Applies

With this option selected, one or more authorization profiles that are defined in the authorization policies determine the access privileges for an end user based on multiple matching authorization policies during evaluation.

The selection of Multiple Matched Rule Applies option allows you to configure authorization profiles for an end user by applying multiple matching authorization policies from the standard authorization policies that are enabled on the Authorization Policy page. Cisco ISE evaluates all the standard authorization policies that are enabled on the Authorization Policy page and finds all the matching authorization policies on the Authorization Policy page. When multiple matching authorization policies are found, Cisco ISE determines the authorization profile or profiles for the end user.

Prerequisites:

Before you begin, you should have an understanding of authorization policies in Cisco ISE.

For information on the authorization policies, see Chapter17, “Managing Authorization Policies and Profiles”

This section covers the following procedures:

Standard Authorization Policies for a Posture

This section describes the basic operations that allow you to manage the standard authorization policies that are specific to posture service.

The Authorization Policy page displays the list of exceptions authorization policies and the standard authorization policies. The Authorization Policy page allows you to configure the standard authorization policies that can be applied to the first matching rule (authorization policy) or multiple matching rules (authorization policies) on the Authorization Policy page.

When they are created and saved, you can also prioritize the standard authorization policies by moving the standard authorization policy widgets up and down on the Authorization Policy page. If the policies are set to be enabled within the standard authorization policy widget, then the standard authorization policies enforce policies based on the compliance status of the endpoints. If they are set to be disabled, then the standard authorization policies do not enforce policies on the endpoints. You can also configure the standard authorization policies that can be set to monitor policies based on the compliance status.

To create a standard authorization policy, complete the following steps:


Step 1 Choose Policy > Authorization .

The Authorization Policy page appears. This page displays the list of authorization policies for standard and exceptions types.

Step 2 Click the drop-down arrow to view the matching rule option.

Step 3 Choose the First Matched Rule Applies option, or choose the Multiple Matched Rule Applies option.

The first matched rule applies option sets access privileges (standard authorization profiles) with a single authorization policy that is first matched during evaluation from the list of standard authorization policies.

The multiple matched rule applies option sets access privileges (standard authorization profiles) with multiple authorization policies that are matched during evaluation from the list of all the standard authorization policies.

Step 4 Click the Action Icon button to insert a new authorization policy, duplicate an existing authorization policy, or delete an existing authorization policy.

Here, you can do the following:

Insert New Rule Above

Insert New Rule Below

Duplicate Above

Duplicate Below

Delete

Step 5 Click Save to create a new standard authorization policy.

The standard authorization policy appears on the Authorization Policy page.

Step 6 Click Reset without saving the current input data.

A confirmation dialog appears with the following message:

“Are you sure you want to reset? You will lose all the changes you have made.”

Step 7 Click Yes to discard the current input data, or click No to continue.


 

Creating, Duplicating, and Deleting a Standard Authorization Policy for a Posture

You can create a new authorization policy, duplicate an existing authorization policy, or delete an existing authorization policy on the Authorization Policy page. Exceptions and Standard items on the Authorization Policy page display the authorization policy widgets.

To create (insert) a standard authorization policy for posture, complete the following steps:


Step 1 Choose Policy > Authorization .

Here, you can find the list of authorization policies displayed for standard and exceptions types on the Authorization Policy page. The Exceptions page displays the list of exceptions authorization policies, and the Standard page displays the list of standard authorization policies.

Step 2 From the Authorization Policy page, click Standard to display the Standard page.

The standard authorization policy widget appears on the Authorization Policy page. Click Standard to close the Standard page.

Step 3 From the standard authorization policy widget, click the drop-down arrow to view the predefined settings to enforce policies.

Here, you can choose one of the following options to enforce the policies based on the compliance status. The following are the options available:

Enabled—The standard authorization policies enforce policies based on the compliance status of the endpoints

Disabled—The standard authorization policies do not enforce policies

Monitor—The standard authorization policies monitor enforced policies on endpoints

Step 4 Choose Enabled , or Disabled , or Monitor .

Step 5 Enter the rule (standard authorization policy) name.

To choose an identity group, complete the following steps:

Step 6 From the Identity Groups field, click the plus [+] sign to expand the anchored overlay.

The identity groups anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

a. From the identity groups anchored overlay, click the Quick Picker (down arrow) icon.

The Identity Groups widget appears.

b. From the Identity Groups widget, choose an identity group.

c. Click the plus [+] sign to associate more than one identity group.

To choose a condition, complete the following steps:

Step 7 From the Conditions field, click the plus [+] sign to expand the anchored overlay.

The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

a. Click the Select Conditions Quick Picker (down arrow) icon.

The Dictionaries widget appears that lists the time and date conditions, dictionary simple conditions, and dictionary compound conditions.

b. Choose the condition.

c. Choose an AND operator or an OR operator from the drop-down list.

d. Click the Action Icon button to add a dictionary attribute and its value, add a condition from the library, or delete the existing conditions or dictionary attributes.

Here, you can do the following:

Add Attribute/Value

Add Condition from Library

Delete

To choose an attribute, complete the following steps:

Step 8 From the Conditions field, click the plus [+] sign to expand the conditions anchored overlay.

The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

Step 9 Choose Select Existing Condition from Library or Create new Condition (Advance Option) .

For information on selecting an existing condition, see the “To select an existing condition from the library, choose Select Existing Condition from Library:” section.

For information on creating a new condition, see the “To create a new condition, choose Create New Condition (Advance Option).” section.

To choose a permission (standard authorization profile), complete the following steps:

Step 10 From the Permissions field, click the plus [+] sign to expand the authzprofile(s) anchored overlay.

The authzprofile(s) anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

a. From the authzprofile(s) field, click the Quick Picker (down arrow) icon.

The Profiles widget appears. From the Profiles widget, click the navigation arrow to view the authorization profiles in each category. The Profiles widget displays the following authorization profile categories:

Inline Posture Node

Security Group

Standard

b. Choose Standard .

c. Click the navigation arrow to view the authorization profiles in the standard authorization profile category.

d. Choose an authorization profile from the standard category.

e. Click the plus [+] sign to associate more than one authorization profile from the standard category

Step 11 Click Save to create a new standard authorization policy.

The standard authorization policy appears on the Authorization Policy page.


 

To select an existing condition from the library, choose Select Existing Condition from Library:

Here, you can choose a condition from the library that is already saved.


Step 1 From the Conditions field, click the Select Condition Quick Picker (down arrow) icon.

The Dictionaries widget appears that lists the available dictionaries.

Step 2 From the Dictionaries widget, click the navigation arrow to view the available dictionary conditions.

The following options appear:

    • Simple Conditions
    • Compound Conditions
    • Time and Date Conditions

Step 3 Choose a condition.

Step 4 Choose an AND operator, or an OR operator from the drop-down list.

Step 5 Click the Action Icon button to add a dictionary attribute and its value, add a condition from the library, or delete existing conditions or dictionary attributes.


 

To create a new condition, choose Create New Condition (Advance Option) .

Here, you can create new conditions. You can use the Save icon to add all the new conditions to the library.


Step 1 From the Attribute field, click the Select Attribute Quick Picker (down arrow) icon.

The Dictionaries widget appears that lists the available dictionaries.

Step 2 From the Dictionaries widget, click the navigation arrow to view the available dictionary attributes.

The dictionary attributes appear for the dictionary.

Step 3 Choose the dictionary attribute, an operator and a value for the attribute.

For the posture status, you can use the Session:PostureStatus attribute, an operator, and the values such as Unknown, Compliant, and Noncompliant.

Step 4 Choose an AND operator, or an OR operator from the drop-down list.

Step 5 Click the Action Icon button to add a dictionary attribute and its value, add a condition from the library, duplicate a condition, add a condition to the library, or delete existing conditions or dictionary attributes.

Here, you can do the following:

    • Add Attribute/Value
    • Add Condition from Library
    • Duplicate
    • Add Condition to Library

Here, you can save new conditions that you create. You can choose a condition that is already saved by using the Add Condition from Library option.

    • Delete


 

You can create a copy of a standard authorization policy on the Authorization Policy page above or below the current policy selection.

To duplicate a standard authorization policy, complete the following steps:


Step 1 Click the Action Icon button to create a copy (duplicate) of a standard authorization policy.

Step 2 Choose Duplicate Above to duplicate a standard authorization policy above the current policy, or choose Duplicate Below to duplicate a standard authorization policy below the current policy.

Step 3 Click Save to create a copy of the standard authorization policy.


 

You can also delete a standard authorization policy on the Authorization Policy page.

To delete a standard authorization policy, complete the following steps:


Step 1 Click the Action Icon button to delete a standard authorization policy.

Step 2 Choose Delete .


 

Custom Permissions for Posture

A custom permission is an authorization profile (standard authorization profile) that you define in the Cisco ISE appliance. The standard authorization profiles set access privileges based on the matching compliance status of the endpoints. The posture service broadly classifies the posture into unknown, compliant, and noncompliant profiles. The posture policies and the posture requirements determine the compliance status of the endpoint.

You must create three different authorization profiles for an unknown, compliant, and noncompliant posture status of endpoints that can have different set of VLANs, DACLs and other attribute value pairs and then associate them to three different authorization policies. To differentiate these authorization policies, you can use the Session:PostureStatus attribute along with other conditions.

This section describes the standard authorization profiles that you can define in the Cisco ISE appliance.

Prerequisites:

Before you begin, you should have an understanding of the states for a posture.

Review the following states:

Unknown Profile

If no matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint may be set to unknown. A posture compliance status of unknown can also apply to an endpoint where a matching posture policy is enabled, but posture assessment has not yet occurred for that endpoint, and therefore no compliance report has been provided to Cisco ISE by a NAC Agent. For an endpoint to have privileged network access on your network, the compliant status of the endpoint should be compliant.

Compliant Profile

If a matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint is set to compliant. When the posture assessment occurs, the endpoint meets all the mandatory requirements that are defined in the matching posture policy. For an endpoint that is postured compliant, it can be granted privileged network access on your network.

Noncompliant Profile

The posture compliance status of an endpoint is set to noncompliant when a matching posture policy is defined for that endpoint, but the endpoint fails to meet all the mandatory requirements that are defined in the matching posture policy during posture assessment. An endpoint that is postured noncompliant matches a posture requirement with a remediation action and it should be granted limited network access to remediation resources in order to remediate itself to be compliant.