Feedback
Table Of Contents
Configuring Client Posture Policies
Understanding the Posture Service
Posture and Client Provisioning Services
Posture and Client Provisioning Policies Flow
Licenses for the Posture Service
Configuring the Posture Service in Cisco ISE
Posture Administration Settings in Cisco ISE
Initiating and Requesting a PRA
Identity Group (Role) Assignment
PRA Report Tracking and Enforcement
PRA Enforcement During Distributed System Failure
Configuring Client Posture Periodic Reassessments
Configuring Acceptable Use Policies
Client Posture Assessments in Cisco ISE
Client Posture Assessment Policies
Creating, Duplicating, and Deleting Client Posture Policies
Creating, Duplicating, Editing, and Deleting a File Condition of FileExistence Type
Creating, Duplicating, Editing, and Deleting a File Condition of FileDate Type
Creating, Duplicating, Editing, and Deleting a File Condition of FileVersion Type
Configuring Registry Conditions
Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryKey Type
Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValue Type
Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValueDefault Type
Configuring Application Conditions
Viewing Application Conditions
Creating, Duplicating, Editing, and Deleting an Application Condition
Filtering Application Conditions
Configuring Service Conditions
Creating, Duplicating, Editing, and Deleting a Service Condition
Configuring Compound Conditions
Creating, Duplicating, Editing, and Deleting a Compound Condition
Antivirus and Antispyware Compound Conditions
Configuring Antivirus Compound Conditions
Creating, Duplicating, Editing, and Deleting an Antivirus Compound Condition
Filtering Antivirus Compound Conditions
Antispyware Compound Condition
Configuring Antispyware Compound Conditions
Creating, Duplicating, Editing, and Deleting an Antispyware Compound Condition
Filtering Antispyware Compound Conditions
Configuring Dictionary Simple Conditions
Creating, Duplicating, Editing, and Deleting a Dictionary Simple Condition
Filtering Dictionary Simple Conditions
Configuring Dictionary Compound Conditions
Creating, Duplicating, Editing, and Deleting a Dictionary Compound Condition
Filtering Dictionary Compound Conditions
Custom Posture Remediation Actions
Configuring Custom Posture Remediation Actions
Viewing, Adding, and Deleting a File Remediation
Adding, Duplicating, Editing, and Deleting a Link Remediation
Adding, Duplicating, Editing, and Deleting an Antivirus or Antispyware Remediation
Filtering Antivirus or Antispyware Remediations
Adding, Duplicating, Editing, and Deleting a Launch Program Remediation
Filtering Launch Program Remediations
Adding, Duplicating, Editing, and Deleting a Windows Update Remediation
Filtering Windows Update Remediations
Windows Server Update Services Remediation
Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation
Filtering Windows Server Update Services Remediations
Client Posture Assessment Requirements
Creating, Duplicating, and Deleting Client Posture Requirements
Creating a New Posture Requirement
Duplicating a Posture Requirement
Deleting a Posture Requirement
Custom Authorization Policies for Posture
Standard Authorization Policies for a Posture
Creating, Duplicating, and Deleting a Standard Authorization Policy for a Posture
Custom Permissions for Posture
Configuring a Standard Authorization Profile
Configuring Client Posture Policies
This chapter describes the posture service in the Cisco Identity Services Engine (Cisco ISE) appliance that allows you to check the state (posture) for all the endpoints that are connecting to your Cisco ISE enabled network with your corporate security policies for compliance before clients access protected areas of your network.
This chapter guides you through the features of the Cisco ISE posture service in detail.
–
Understanding the Posture Service
•
–
•
–
•
–
–
•
•
Posture Service
The Network Admission Control (NAC) Agents that are installed on the clients interact with the posture service to enforce security policies on all the endpoints that attempt to gain access to your protected network. At the same time, the NAC Agents enforce security policies on noncompliant endpoints by blocking network access to your protected network. They assist you in evaluating clients against posture policies, and as well as enforce clients to meet requirements that are required for compliance with your organization's security policies.
The posture service checks the state (posture) of the clients for compliance with your corporate security policies before the client gains the privileged network access. The Client Provisioning service ensures that the clients are setup with appropriate Agents that provide posture assessment and remediation for the clients.
For information on the posture service in detail, see the "Understanding the Posture Service" section.
For information on Posture Compliance dashlet, see the "Posture Compliance Dashlet" section.
For information on posture reports, see the "Viewing Posture Reports" section.
SWISS Protocol
The SWISS protocol is a stateless request response protocol that allows NAC Agents which are running on managed clients to discover the Cisco ISE server, and retrieve configuration and operational information. The NAC Agent connects to the Cisco ISE server by sending SWISS unicast discovery packets out on User Datagram Protocol (UDP) port 8905 until a Cisco ISE node that assumes the Policy Service persona sends a response to the client. The SWISS protocol uses TCP transport for all the messages and UDP transport for periodical requests. The NAC Agent tunnels all the SWISS requests over HTTPS and pings the Cisco ISE SWISS UDP server for changes to its authentication and posture state.
The SWISS request message that comes from the client machine includes information pertaining to resource types for the following items:
•
•
•
In addition to answering the above request items, the SWISS response from the Cisco ISE server can also contain prompts to update the current Agent and URL or URLs that are required to perform posture assessment and remediation on the client machine.
For descriptions of the various types of agents availalbe in Cisco ISE, see Cisco ISE Agents, page 18-1.
Understanding the Posture Service
Cisco ISE posture service primarily includes the posture administration services and the posture run-time services. If you do not have the advanced license package installed on your Cisco ISE deployment, then the posture administration services user interface will not be available for you to use in Cisco ISE.
Posture Administration Services
The administration services provide the back-end support for posture specific custom conditions, and remediation actions that are associated to the requirements and authorization policies that are configured for posture service on your Cisco ISE deployment.
Posture Run-time Services
The posture run-time services encapsulates the SWISS protocol services, and all the interactions that happen between the NAC Agents and the Cisco ISE server for posture assessment and remediation of clients.
Validating a Posture Requirement Request
Once the client (an endpoint) is authenticated on the network, the client can be granted limited access on the network. For example, the client can access remediation-only resources on the network. The NAC Agent that is installed on the client validates the requirements for an endpoint and the endpoint is moved to a compliant state upon successful validation of the requirements. If the endpoint satisfies the requirement, a compliance report will be sent to the Cisco ISE node that assumes the Policy Service persona and the run-time services triggers a Change of Authorization (CoA) for the posture compliant status. If the endpoint fails to satisfy the requirement, a noncompliance report will be sent to the Cisco ISE node that assumes the Policy Service persona and the run-time services triggers a CoA for the posture noncompliant status.
Now, the Agent gets its session ID from the redirect URL and sends it along with its MAC address and IP address in a SWISS request. The posture run-time services looks up in the session cache using the session ID first, MAC address, and then the IP address, if required. If the posture run-time services finds the same session using the session ID in the session cache, then it queries the posture policies in Cisco ISE and tries to match the posture policies. Once matched, it generates the specified XML format that contains the matched requirements and sends to the NAC Agents. The NAC Agents send the posture report to the posture run-time services.
Generating a Posture Requirement
The run-time services requests for the posture requirement for the endpoint by looking up at the role to which the user belongs to and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies through one or more requirements associated with the policies and for each requirement through one or more conditions. Once the posture policy is retrieved for the endpoint, the posture run-time services communicate the requirement to the NAC Agent in a specified XML format.
Processing the Posture Report from the Cisco NAC Agent
The NAC Agent validates the endpoint for compliance based on the requirements that are sent from the Cisco ISE server and determines the posture of the endpoint. If the endpoint is not compliant with the requirement, then the NAC Agent prompts to remediate the endpoint for compliance. Any failures during posture evaluation results in the noncompliance of the endpoint. The NAC Agent sends the appropriate compliance report to the Cisco ISE server once postured compliant or noncompliant.
Issuing a CoA Based on the Posture Report Evaluation
Upon evaluating the posture report received from the NAC Agent, an endpoint may be identified as compliant or noncompliant. If the endpoint is compliant or noncompliant, then the posture run-time services triggers a CoA for that endpoint session. Based on the profile configured for compliant or noncompliant, the end user gets the appropriate level of access privileges to the network.
Logging
Upon processing the posture request and report, the run-time services sends audit log messages to the Cisco ISE node that assumes the Monitoring persona.
For information on how posture and client provisioning session services work in Cisco ISE, see the "Posture and Client Provisioning Services" section.
For information on licenses for the posture service, see the "Licenses for the Posture Service" section.
For information on how to deploy the posture service in detail, see the "Deploying the Posture Service" section.
Posture and Client Provisioning Services
Prerequisites:
Before you begin, you should have an understanding of the available client provisioning resources in Cisco ISE that you can configure for the clients.
For information on how to configure client provisioning resource policies, see the "Configuring Client Provisioning Resource Policies" section on page 18-23.
Before you begin, you should have an understanding of the Client Provisioning session service in Cisco ISE. Cisco ISE manage client provisioning resources for your clients and uses the client provisioning resource policies to ensure that the client systems are set up with an appropriate Agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles.
For information on the Client Provisioning session service, see Chapter 18, "Configuring Client Provisioning Policies."
For information on the NAC Agent that is installed on the client and the client operating system compatibility, see Cisco Identity Services Engine Network Component Compatibility.
Posture and Client Provisioning Policies Flow
Figure 19-1 shows the flow of posture and client provisioning policies in Cisco ISE posture service.
Figure 19-1 Posture and Client Provisioning Policies Workflow in CIsco ISE
Licenses for the Posture Service
Prerequisites:
Before you begin, you should have an understanding on how licenses restrict the usage of Cisco ISE posture service with both the base and advanced license packages.
For more information on Cisco ISE license packages, refer to the Performing Post Installation Tasks chapter in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.
Cisco ISE allows you to configure the posture service to run on multiple Cisco ISE nodes in a distributed deployment. You can also configure the posture service on a single node in a standalone Cisco ISE deployment.
Cisco ISE deployment provides you with two main types of licenses, namely the base license and advanced license. You also have an evaluation license which, if further use is desired, needs to be upgraded to the appropriate base or advanced license once the evaluation license period is over.
In addition, if you do not have the advanced license installed on your primary administration node, then the SWISS server does not get initialized during run time. If the SWISS server does not initialize, then the posture requests will not be served in Cisco ISE. If the advanced license is not installed in Cisco ISE, then the posture service menus on the Cisco ISE administration user interface will be removed except the default posture status configuration for unsupported operating system on the Administration > System > Settings > Posture > General Settings configuration page. The posture run-time services takes appropriate action when you add or remove any advanced license file to your Cisco ISE deployment. During run time, the SWISS server initializes when you add the advanced license, and it stops when you remove the advanced license, or when the advanced license expires.
Deploying the Posture Service
Prerequisites:
Before you begin, you should have an understanding of the centralized configuration and management of Cisco ISE nodes in the distributed deployment.
For information on Cisco ISE distributed deployment, Chapter 9, "Setting Up Cisco ISE in a Distributed Environment"
You can deploy Cisco ISE either in a standalone environment (on a single node), or in a distributed environment (on multiple nodes). Depending on the type of your deployment and the license you have installed, the posture service of Cisco ISE can run on a single node or on multiple nodes. You need to install either the base license to take advantage of the basic services or the advanced license to take advantage of all the services of Cisco ISE.
In a standalone Cisco ISE deployment, you can configure a single node for all the administration services, the monitoring and trouble shooting services, and the policy run-time services. You cannot configure a node as an node in a standalone deployment.
In a distributed Cisco ISE deployment, you can configure each node as a Cisco ISE node for administration services, monitoring and troubleshooting services, and policy run-time services, or as an inline posture node as needed. A node that runs the administration services is the primary node in that Cisco ISE deployment. The other nodes that run other services are the secondary nodes which can be configured for backup services for one another.
Configuring the Posture Service in Cisco ISE
From the Administration menu, you can choose Deployment to manage the ISE deployment on a single node or multiple nodes. You can use the Deployment Nodes page to configure the posture service for your Cisco ISE deployment.
To manage the Cisco ISE deployment, complete the following steps:
Step 1
The Deployment menu window appears on the left pane of the user interface. You can use the Table view button or the List view button to display the nodes in your Cisco ISE deployment.
Step 2
Step 3
The Table view displays all the nodes that are registered in a row format on the right pane of the user interface.
Note
From the Deployment menu, you can run the posture service on any Cisco ISE node that assumes the Policy Service persona in a distributed deployment.
To deploy the posture session service, complete the following steps:
Step 1
The Deployment menu window appears. You can use the Table view or the List view button to display the nodes on your deployment.
Step 2
Step 3
The Table view displays all the nodes that are registered in a row format on the Deployment Nodes page of the user interface. The Deployment Nodes page displays the Cisco ISE nodes that you have registered, along with their names, personas, roles, and the replication status for the secondary nodes in your deployment.
Step 4
Note
Step 5
The Edit Node page appears. This page contains the General settings tab that is used to configure the Cisco ISE deployment. This page also features the Profiling Configuration tab, which is used to configure the probes on each node. If you have the Policy Service persona disabled, or if enabled but the Enable Profiler services option is not selected, then the Cisco ISE administrator user interface does not display the Profiling Configuration tab. If you have the Policy Service disabled on any node, ISE displays only the General settings tab and does not display the Profiling Configuration tab that prevents you from configuring the probes on the node.
Step 6
If you have the Policy Service check box unchecked, both the session services and the Profiler service check boxes are disabled.
Step 7
Note
Step 8
Posture Compliance Dashlet
The Posture Compliance dashlet summarizes the posture compliance in percentage, and Mean Time To Remediate (MTTR) data for the last 24 hour period, as well as 60 minutes from the current system time. It refreshes data every minute and displays it on the dashlet. You can invoke the Posture Detail Assessment report from the tool tips that are displayed on the 24 hour and 60 minutes spark lines for a specific period. The stack bars display the posture noncompliance distribution of endpoints by operating systems and the reason for failures of the requirements.
The MAC address is used as a key to calculate MTTR.
The dashlet provides you the following distribution details for the last 24 hour period, as well as 60 minutes from the current system time.
Table 19-1 describes the details, which are shown in the Posture Compliance dashlet on Cisco ISE.
Viewing Posture Reports
Cisco ISE provides you with various reports on posture, and troubleshooting tools that you can use to efficiently manage your network. You can generate reports for historical as well as current data. You may be able to drill down on a part of the report to look into more details. You can also schedule reports (specially for large reports) and download it in various formats.
For more information on how to generate reports and work with the interactive viewer, see Chapter 23, "Reporting."
For more information on posture reports see the "Standard Reports" section.
Standard Reports
For your convenience, the standard reports present a common set of predefined report definitions. You can click on the Report Name link to run the report for today. You can query the output by using various parameters, which are predefined in the system. You can enter specific values for these parameters.
You can use the Run button to run the report for a specific period, and as well as use the Query and Run option. The Query and Run option allows you to query the output by using various parameters. The Add to Favorite button allows you to add your reports that you use frequently to the Monitor > Reports > Favorites location. The Reset Reports button allows you to reset your reports in this catalog to factory defaults.
You can run the reports on posture from the following location:
Monitor > Reports > Catalog > Posture.
The following are the standard reports for posture:
•
•
Posture Administration Settings in Cisco ISE
After you deploy Cisco ISE on your network, you can globally configure Cisco ISE to download updates automatically through web to the Cisco ISE server, or updates that can be done offline later.
For information on posture updates, see the "Posture Updates" section.
In addition, the NAC Agents and Web Agents, which are installed on the clients provide posture assessment, and remediation services to clients. The NAC Agents and Web Agents periodically update the compliance status of clients to Cisco ISE. After login and successful requirement assessment for posture, the NAC Agents and Web Agents on Windows display a dialog with a link that requires end users to comply with terms and conditions of network usage. You can use this link to define network usage information for your enterprise network that end users accept before they can gain access to your network.
For information on posture periodic assessment of clients for compliance that NAC Agents and Web Agents do, see the "Posture Reassessments" section.
For information on accepting network usage policies for your network, see the "Posture Acceptable Use Policy" section.
This section describes the configuration settings that you define for clients to remediate on Cisco ISE, periodic reassessments of clients for compliance that NAC and Web Agents check periodically and report to Cisco ISE. It describes the configuration settings that you define for Cisco ISE updates with Cisco rules, checks, antivirus and antispyware charts, and operating system support. It also provides information on the configuration settings that end users must comply with network usage policies for using your network resources.
This section provides procedures that describe the following topics:
–
–
•
Posture General Settings
The posture general settings for agents on Windows clients and Macintosh clients can be configured in client provisioning resources. Here, you can configure agent profiles in client provisioning by setting the timers used for remediation and transition of clients posture state on your network, and also setting the timer to close the login success screens automatically on agents without end users intervention.
You can configure all these timers for agents on Windows clients and Macintosh clients in client provisioning resources in the following location:
Policy > Policy Elements > Results > Client Provisioning > Resources > Add > New Profile.
For more information on creating agent profiles and setting agent profile parameters, see the "Agent Profile Parameters and Applicable Values" section on page 18-12.
Cisco recommends configuring agent profiles with remediation timers, network transition delay timers and the timer used to control the login success screen on client machines so that these settings are policy based. However, when there are no agent profiles configured match the client provisioning policies, you can use the settings in the Administration > System > Settings > Posture > General Settings configuration page to accomplish the same goal.
Remediation Timer
Here, you can configure the timer for clients to remediate themselves within the time specified in the timer after failing to meet all the requirements defined in the posture policies for compliance. When clients fail to satisfy configured posture policies during an initial assessment, the NAC Agents wait for the clients to remediate within the time configured in the remediation timer. If the client fails to remediate within this specified time, then the NAC Agents and Web Agents send a report to the posture run-time services after which the clients are moved to the noncompliance state. The remediation timer default value is four minutes.
Network Transition Delay Timer
Here, you can configure the timer for clients to transit from one state to the other state within a specified time as specified in the network transition delay timer, which is required for Change of Authorization (CoA) to complete for clients to move from one state to the other state. This timer is used for clients in both successful and failure of posture. It may require a longer delay time when clients need time to get a new VLAN IP address during successful and failure of posture. Upon successfully postured, Cisco ISE allows clients to transit from pending to compliant mode within the time specified in the network transition delay timer. Upon failure of posture, Cisco ISE allows clients to transit from pending to noncompliant mode within the time specified in the timer.
Default Posture Status
Here, you can configure the posture status of endpoints to compliant, or noncompliant for endpoints that run on Linux, iDevices like Ipad, Ipod (non-agent devices). The same settings also apply to endpoints that run on Windows and Macintosh operating systems when there is no client provisioning policy matching found during posture run-time.
Successful Login Screen
After login and successful posture assessment, the NAC Agents and Web Agents display a temporary network access screen. Here, the agents display a network usage term and conditions link for end users to accept the network usage policies that you define for your network. If end users reject network usage policies from the temporary network access screen, then they are denied to access your network. If they accept the network usage policies, then the agents display the login success screen and permit network access.
This section describes the following posture general settings that you configure for clients in posture:
•
•
•
•
You can use the posture General Settings page to configure the timers for remediation, network transition, and closing the login success screen on Windows clients.
Step 1
The Settings menu window appears.
Step 2
Step 3
Step 4
The Posture General Settings page appears.
Tip
Step 5
The default value is 4 minutes. You can configure the remediation timer, which the information icon displays the valid range between 1-300 minutes.
Step 6
The minimum default value is 3 seconds. You can configure the network transition delay timer, which the information icon displays the valid range between 2-30 seconds.
Step 7
Here, you can configure the posture status of endpoints to compliant, or noncompliant where the information icon displays with the following message: "Provides posture status for non-agent devices (i.e. Linux based operating systems), and endpoints for which no agent installation policy applies."
The following are the options:
•
•
Step 8
Step 9
Once checked the check box, and configured the time in seconds, the NAC Agents and Web Agents display the login success screen till the time out occurs. This setting allows clients to login into your network failing which the login success screen is closed automatically. You can configure the timer to close the login screen automatically between 0-300 seconds. If the time is set to zero seconds, then the NAC Agents and Web Agents do not display the login success screen.
Tip
Step 10
To reset the posture general settings, complete the following steps:
Step 1
Enter a time value (current input data) in the Remediation Timer field in minutes.
or
Step 2
Enter a time value (current input data) in the Network Transition Delay field in seconds.
or
Step 3
The following options appear: Compliant (default), NonCompliant
or
Step 4
Step 5
Posture Reassessments
This section describes the periodic reassessment (PRA) configurations for clients that are successfully postured already for compliance on your network. PRA cannot occur if clients are not compliant on your network.
For more information on initiating and requesting a PRA, see the Initiating and Requesting a PRA.
For more information on PRA failure action configuration, see the PRA Failure Actions.
For more information on PRA and identity group (role) assignment, see the Identity Group (Role) Assignment.
For more information on PRA report tracking and enforcement, see the PRA Report Tracking and Enforcement
For more information on PRA enforcements when Cisco ISE distributed deployment failures, see the PRA Enforcement During Distributed System Failure
Initiating and Requesting a PRA
The NAC Agent sends a compliance report to the policy service node once the client is postured successfully compliant on your network. A PRA is valid and applicable only if endpoints are in compliant state. Then the policy service node checks the relevant policies, and compiles the requirements depending on the client role that is defined in the configuration to enforce a PRA. If PRA configuration match is found, the policy service node responds to the NAC Agent with the PRA attributes that are defined in the PRA configuration for the client before issuing a change of authorization request. The NAC Agent periodically sends the PRA requests based on the interval specified in the configuration. Here, the client remains in the compliant state, if the PRA succeeds, or the action configured in the PRA configuration is to continue. If the client fails to meet PRA, then the client is moved from the compliant state to the noncompliant state.
Note
PRA Failure Actions
If the client is not compliant, the policy service node activates a PRA failure action. The PRA failure action that will be taken either to continue so that the client continues to access your network, or to log off from your network, or to remediate itself.
If you associate an user to different roles and each associated role is configured with different PRA failure actions, then the logoff action is applied on the endpoint.
If the PRA failure action that is configured for the client is not the continue action but, rather, the logoff or remediate action, then the policy service node updates the client posture status accordingly.
The following enforcement types apply to PRA failure actions:
•
•
•
PRA Failure Action to Continue
In this scenario, the client is not compliant, and the configured PRA failure action is to continue. This failure action to continue does not allow the user to remediate the client and the NAC Agent does not show the user the need to remediate the client for compliance. Instead, the user continues to have the privileged access without any user intervention to remediate the client irrespective of the posture requirement, which is set to mandatory or optional.
PRA Failure Action to Logoff
In this scenario, the client is not compliant, and the configured PRA failure action is to force the client to log off from your network. The Agent sends a logoff request to the policy service node, and the client logs off. The client logs in again, and its compliance status is pending for the current session.
PRA Failure Action to Remediate
In this scenario, the client is not compliant, and the configured PRA failure action is to remediate. The agent waits for a specified time for the remediation to occur. After the client has remediated, the agent sends the PRA report to the policy service node. If the remediation is ignored on the client, then the Agent sends a logoff request to the policy service node to force the client to log off from your network and log in again to remediate for compliance.
If the posture requirement is set to mandatory, then the RADIUS session will be cleared as a result of the PRA failure action and a new RADIUS session has to start for the client to be postured again.
If the posture requirement is set to optional, then the NAC Agent allows the user to click the continue option from the Agent. The user can continue to stay in the current network without any restriction.
Identity Group (Role) Assignment
You can configure each PRA to an identity group (a role) that is defined in the system. If you configure a PRA with a role Any then only the configuration with the role Any exists, and no other configurations can exist in the system.
The following section summarizes the PRA configuration to a role:
1.
Note
2.
3.
a.
or
b.
Note
PRA Report Tracking and Enforcement
You can keep track of the PRA reports from the NAC Agent and enforce PRA on the clients that are already successfully postured on your network.
Upon successful compliance for posture, the NAC Agent validates the client for compliance and sends the compliance reports to the policy service node. The NAC Agent periodically sends the PRA requests for reassessment based on the interval that is specified in the configuration.
If the policy service node does not receive the PRA report within the maximum wait interval period, then the policy service node assigns the client to the pending status and the client needs to be checked again for posture compliance. The maximum wait interval is an interval between two consecutive compliance (PRA) reports from the NAC Agent sent to the policy service node before the execution of a PRA failure action for noncompliance and the end of the client session.
Note
PRA Enforcement During Distributed System Failure
The PRA is not supported in cases where policy service nodes fail in the distributed environment.
You cannot enforce a PRA on your clients, and the clients stay connected on your network regardless of their compliance in case there is a failure in the distributed environment. The Agents stop sending the PRA requests to the policy service nodes.
Configuring Client Posture Periodic Reassessments
Upon successful compliance for posture, the NAC Agents validate the compliance of clients, and periodically send the compliance reports to the Cisco ISE policy service node. The Cisco ISE policy service nodes check the relevant policies and compiles requirements depending on the client roles that are defined in the configuration to enforce a periodic reassessment. The Cisco ISE policy service nodes then respond to the NAC Agents with PRA attributes defined in the PRA configurations. As you associate an user to more than one identity group (roles), the PRA configurations are applied according to the most restricted attributes on the relevant role's related configurations.
The following are the most restricted configuration definitions for the PRA attributes:
•
•
•
•
You can use the Reassessment configurations list page to display and manage the periodic reassessments for a posture.
This section provides the procedures to configure the periodic reassessment configurations:
•
•
Creating, Duplicating, Editing, and Deleting a Client Posture Periodic Reassessment
This section describes the periodic reassessment configuration that you can create in Cisco ISE for your clients after they are successfully postured.
The Reassessment configurations list page displays existing configurations that are configured to roles along with their names, description, and the action enforced on the clients in case the clients fail posture assessment. You can create, duplicate, edit, delete, or filter a PRA from the Reassessment configurations list page. Once created and saved, you can see existing PRA configurations, and the roles to which the PRA configurations apply on the configurations list page.
To create a periodic reassessment, complete the following steps:
Step 1
Step 2
Step 3
Step 4
The Reassessment configurations list page appears, which lists all the PRAs that you have already created.
Step 5
Step 6
Here, you can create to add a new PRA on the Reassessment configurations list page.
Step 7
Click Cancel to return to the Reassessment configurations list page from the New Reassessment configuration page when you do not want to add a new PRA on this page.
To duplicate a PRA, complete the following steps:
Step 1
Step 2
Step 3
The Reassessment configurations list page appears, which lists all the PRAs that you have already created. PRA configurations display the roles to which existing PRAs are configured on the Reassessment configurations list.
Step 4
Step 5
Here, you can create a copy of the PRA.
Step 6
Click Cancel to return to the Reassessment configurations list page from the edit page when you do not want to create a copy of the PRA on the edit page.
To edit a PRA, complete the following steps:
Step 1
Step 2
Step 3
The Reassessment configurations list page appears, which lists all the PRAs that you have already created.
Step 4
Step 5
Here, you can edit a PRA
Step 6
The PRA will appear on the Reassessment configurations list page after editing on the edit page, as well as appear on the PRA configurations that displays the roles to which existing PRAs are configured on the configurations list.
Step 7
To delete a PRA, complete the following steps:
Step 1
Step 2
Step 3
The Reassessment configurations list page appears, which lists all the PRAs that you have already created.
Step 4
Step 5
A confirmation dialog appears with the following message: "Are you sure you want to delete?".
Step 6
Here, you can delete a PRA. Click Cancel to return to the Reassessment configurations list page without deleting a PRA.
Table 19-2 describes the fields on the New Assessment configuration page that allow you to create, duplicate a PRA, and edit a PRA on its edit page:
Filtering Client Posture Periodic Reassessments
A quick filter is a simple and quick filter that can be used to filter periodic reassessments on the Reassessment configurations list page. It filters periodic reassessments based on the field description such as the name of the periodic reassessment, description, action enforced on the clients when clients fail posture assessment, roles to which periodic reassessments are configured, and periodic reassessments that are enabled or disabled on the Reassessment configurations list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Reassessment configurations list page. It filters periodic reassessments based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Reassessment configurations list page.
To filter periodic reassessments, complete the following steps:
Step 1
Step 2
Step 3
Step 4
The Reassessment configurations list page appears, which lists all the PRAs that you have already created.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-3.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the Reassessment configurations list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters periodic reassessments based on each field description on the Reassessment configurations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Reassessment configurations list page. If you clear the field, it displays the list of all the periodic reassessments on the Reassessment configurations list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter periodic reassessments by using variables that are more complex. It contains one or more filters, which filter periodic reassessments based on the values that match the field description. A filter on a single row filters periodic reassessments based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter periodic reassessments by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-3 describes the fields that allow you to filter the PRAs:
Posture Updates
Prerequisite
If the default Update Feed URL is not reachable, you must configure the proxy settings in the Administration > System > Settings > Proxy.
For more information on proxy settings, see Specifying Proxy Settings in Cisco ISE, page 18-7.
Updates for posture includes a set of predefined checks, rules, antivirus and antispyware support charts for both Windows and Macintosh operating systems, and operating systems information that are supported by Cisco. You can download posture updates from Cisco to your Cisco ISE deployment through the web dynamically, and as well as configure updates to occur automatically after allowing a time delay within a maximum of 24 hours in hh:mm:ss format. Thereafter, Cisco ISE checks and downloads updates at specified intervals from the initial updates automatically. You can also update Cisco ISE offline from a file on your local system, which contains the latest archives of updates.
When you deploy Cisco ISE on your network for the first time, you can download initially posture updates from the web that usually takes around 20 minutes of time. Thereafter, you can configure to check and download incremental updates to occur automatically on Cisco ISE without your intervention. Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.
This section provides procedures that describe dynamic, and offline update configurations for posture:
Related Topics
Dynamic Posture Updates
You can use the Posture Update page to download updates dynamically from the web, and configure updates to occur automatically after allowing a time delay from the initial updates. Thereafter you can check and download updates at regular intervals without your intervention.
To download updates dynamically from the web, complete the following steps:
Step 1
Step 2
Step 3
Step 4
The Posture Updates page appears.
Step 5
Step 6
For example, the default Update Feed URL is https://www.cisco.com/web/secure/pmbu/posture-update.xml.
Note
Step 7
Step 8
Cisco ISE displays an information dialog with the following message:
"The update might take up to 20 minutes to finish. Navigating to other pages will not stop the updating and you can check the result on this page later."
Step 9
Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.
Note
After an initial update, you can configure to check for updates and download updates to your Cisco ISE deployment automatically on the Posture Updates page. Cisco ISE downloads updates at specified intervals from the web automatically after an allowed initial delay from the first time updates.
To continue to check for updates automatically and download at a specified interval from the initial updates, complete the following steps:
Step 1
Step 2
Cisco ISE starts checking for updates after the initial delay time is over.
Step 3
Cisco ISE downloads updates to your deployment thereafter at specified intervals from the initial delay time.
Step 4
Step 5
Table 19-4 describes the fields that allow you to download updates dynamically from the web, or offline.
Offline Posture Updates
For details on performing offline posture package updates in Cisco ISE, see the "Cisco ISE Offline Updates" section of the Release Notes for the Cisco Identity Services Engine, Release 1.0.
Posture Acceptable Use Policy
After login and successful posture assessment of clients, the NAC Agents and Web Agents display a temporary network access screen. Here, the agents display a link on the temporary network access screen for end users to click on the link. This link redirects end users to a page, where you can define your network usage terms and conditions that end users must read, and accept the network usage policies here.
Each AUP configuration must have a unique role, or a unique combination of roles. Even though a user can be associated to multiple roles in Cisco ISE, and there are different AUP configurations for a unique role, or a unique combination of roles, Cisco ISE looks for the roles and the associated AUP configuration for the roles. Cisco ISE finds the AUP for the first matched role, and then it communicates to the NAC Agent and Web Agent to display the AUP of the first matched role. The user can click the link to accept the network usage policies here after which the user gets access privileges to your network.
Authorization Profile Configuration Guidance for Posture Clients Quarantine State
This section guides you through the configuration details when clients are moved into quarantine state due to end users deny to comply with your network usage policies, or when clients fail to meet the mandatory requirements.
Without accepting the network usage terms and conditions even though clients meet all the mandatory requirements that are defined in the posture assessment policies, they are denied network access to your network, and moved into a quarantine state forever. If clients are moved into the quarantine state, they will not be to reauthenticate again in order to be postured successfully for compliance again. If clients need to come out of the quarantine state in order to become compliant, then the network access devices must be configured to restart a new RADIUS session after the session times out so that clients can reauthenticate again depending on your configuration, and then agree to the network usage policies of your network.
You can choose an authorization profile and configure it using the Policy > Policy Elements > Results > Authorization > Authorization Profiles page.
For more information on authorization policies and profiles, see Chapter 16, "Managing Authorization Policies and Profiles."
Here, you can choose the Access-Accept option from the Access Type field, and configure information for re-authentication under Common Tasks, or under Advanced Attributes Settings for an authorization profile.
For example, you can configure the value of RADIUS: Termination-Action attribute to Default, and the RADIUS: Session-Timeout attribute to a time value under Common Tasks > Re-authentication, or under Advanced Attributes Settings. If the value of RADIUS: Termination-Action attribute is set to RADIUS-Request, the NAS sends a new Access-Request to the RADIUS server, including the state attribute, if any upon termination of the specified service. This configuration allows you to set a timeout value for a quarantine state. After the time out, a new RADIUS session can be started and the client can reauthenticate again and check for posture.
•
•
In addition to the above, you have to enter the following additional commands for your network device:
•
This CLI command shows how to enable periodic re-authentication on a port.
Switch(config-if)# authentication periodic•
This CLI command shows how to set the re-authentication timer where reauthenticate specifies time in seconds after which an automatic re-authentication attempt should start, and server specifies an interval in seconds after which an attempt can be made to authenticate an unauthorized port.
authentication timer—interface configuration command
reauthenticate—specifies time in seconds after which an automatic re-authentication attempt starts. It is set to one hour.
server—specifies interval in seconds after which an attempt is made to authenticate an unauthorized port
Switch(config-if)# authentication timer reauthenticate serverConfiguring Acceptable Use Policies
You can view, create, delete, or filter acceptable use policies (AUPs) on the Acceptable use policy configurations list page. It displays all the AUPs with their names, description, type, the name of the zipped file, or the URL that contains the network usage policies depending on the type of the AUPs, and the roles to which they are configured.
This section covers the following procedures:
•
•
Viewing, Adding, and Deleting an Acceptable Use Policy
You can use the Acceptable use policy configurations list page to view, create, or delete acceptable use policies, which allow network access to your network to clients on acceptance of the network usage policies.
To view an acceptable use policy, complete the following steps:
Step 1
Step 2
Step 3
Step 4
The Acceptable use policy configurations list page appears, which lists all the AUPs that you have already created.
Step 5
Step 6
Here, you can view the acceptable use policy.
Step 7
Click Cancel to return to the Acceptable use policy configuration list page. A confirmation dialog appears with the following message: "Are you sure you want to cancel?. You will lose all the changes you have made." Click Yes to return to the Acceptable use policy configuration list page. If you click No, you are retained on the same view page.
To create an acceptable use policy, complete the following steps:
Step 1
Step 2
Step 3
Step 4
The Acceptable use policy configurations list page appears, which lists all the AUPs that you have already created.
Step 5
Step 6
Here, you can configure a new AUP for a role on the Acceptable use policy configurations list page.
Step 7
Step 8
To delete an acceptable use policy, complete the following steps:
Step 1
Step 2
Step 3
The Acceptable use policy configurations list page appears, which lists all the AUPs that you have already created.
Step 4
Step 5
A confirmation dialog appears with the following message: "Are you sure you want to delete?".
Step 6
Here, you can delete an AUP.
Step 7
Table 19-5 describes the fields that allow to create an AUP configuration on the Acceptable use policy configurations page.
Filtering Acceptable Use Policies
A quick filter is a simple and quick filter that can be used to filter acceptable use policies on the Acceptable use policy configurations list page. It filters acceptable use policies based on the field description such as the name of the acceptable use policy, description, URL of the acceptable use policy, roles to which acceptable use policies are configured, acceptable use policies that are enabled, or disabled on the Acceptable use policy configurations list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Acceptable use policy configurations list page. It filters acceptable use policies based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Acceptable use policy configurations list page.
To filter acceptable use policies, complete the following steps:
Step 1
Step 2
Step 3
Step 4
The Acceptable use policy configurations list page appears, which lists all the AUPs that you have already created.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-6.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the Acceptable use policy configurations list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters acceptable use policies based on each field description on the Acceptable use policy configurations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Acceptable use policy configurations list page. If you clear the field, it displays the list of all the acceptable use policies on the Acceptable use policy configurations list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter acceptable use policies by using variables that are more complex. It contains one or more filters, which filter acceptable use policies based on the values that match the field description. A filter on a single row filters acceptable use policies based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter acceptable use policies by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Table 19-6 describes the fields that allow you to filter the AVPs:
Client Posture Assessments in Cisco ISE
The posture service assists in determining the compliance of endpoints that are accessing your Cisco ISE-enabled network by using posture policies based on posture requirements, which are associated to posture policies. It evaluates the configured posture policies for all the endpoints that are connecting to your network, which are associated to one or more identity groups to which the users belong, and the operating systems that are installed on the clients. The NAC Agents that are installed on your clients interact with the Cisco ISE posture service, and evaluate the posture policies which are configured for your clients.
In addition, you should have an understanding on how Cisco ISE provides support for operating systems that are installed on the clients for posture.
Support for Hierarchical Operating Systems
Cisco ISE provides support to all the Windows and Macintosh operating systems, which are structured in a hierarchical group. You can also select an individual operating system from the hierarchy. A parent group includes the operating system versions for the group, and each version of the group includes the underlying operating system versions. When you select a parent group of an operating system from the hierarchy, you implicitly select all the underlying operating systems of the parent group. The posture conditions apply to all the underlying versions of the operating systems when you select the parent group or the group.
For example, when you choose Windows All from the Operating Systems field while creating a posture policy for posture in Cisco ISE, a condition that you define in the posture policy applies to all Microsoft Windows operating systems and their underlying operating systems, which includes Microsoft Windows 7 (All), Microsoft Windows Vista (All), Microsoft Windows XP (All), and their underlying operating systems for Windows All.
Filtering by Operating System
The selection of an operating system within the hierarchy implements the filtering of conditions, compound conditions and requirements that overrides a parent operating system Group associated to a simple condition. This implementation filters conditions, compound conditions and requirements by using the operating system that is associated with the compound condition. If you have a simple condition that is associated with a parent operating system group and a compound condition that is associated with the underlying version from the parent operating system group, then the filtering is based only on the underlying version of the operating system that is associated in the compound condition.
For example, you might have a simple condition that is associated with the Windows Vista parent operating system group. And you might also have a compound condition that is associated with the underlying version of Windows Vista from the operating system group. However, the filtering is done using only the underlying version of the operating system that is associated in the compound condition.
Dynamic Support for Operating System Version
You can configure the posture policies for an endpoint that is associated with the role to which you belong, as well as the operating system on the client. The posture configurations that you save apply only at the group level of an operating system that is not at the operating system level. This level of application allows you to map multiple versions of an operating system that is structured in the hierarchical groups.
For example, when you choose the Windows All option from the operating system group, you are choosing the hierarchical structure of all of the Windows 7, Windows Vista, and Windows XP groups that contain each of their underlying versions.
Cisco ISE dynamically supports new versions of client operating systems and Agents, including both the Windows and Macintosh NAC agents and NAC Web agent. Located on the ISE server, the osgroups.xml file is automatically updated by Cisco to reflect the latest version support information. If an Agent sends the Cisco ISE server an operating system version that is not listed in the osgroups.xml file, then you cannot continue to work with the posture service through the Agents.
Related Topics
•
•
Troubleshooting Topics
•
Client Posture Assessment Policies
A posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. The Dictionary Attributes are optional conditions in conjunction with the identity groups, and the operating systems that allow you to define different policies for the clients.
Here, posture requirements are associated to the posture policies and also optional dictionary attributes where you can use dictionary simple and compound conditions from the library or create new dictionary simple and compound conditions.
Prerequisite:
You must have an understanding of acceptable use policy (AUP) and posture reassessments (PRA) as you create posture policies with respect to posture compliance.
For more information on AUP, see Posture Acceptable Use Policy and on PRA, see Posture Reassessments.
In addition, see the following:
•
•
You can use the Posture Policies page to insert (create) a new policy, or duplicate an existing policy, or delete an existing policy.
Table 19-7 describes the fields on the Posture Policies page that allow you to insert a new posture policy, or duplicate an existing policy. or delete an existing posture policy.
For information on how to manage posture policies, see the "Creating, Duplicating, and Deleting Client Posture Policies" section.
Creating, Duplicating, and Deleting Client Posture Policies
This section describes the following procedures on how to insert (create) a new policy, or duplicate an existing policy, or delete an existing policy on the Posture Policies page.
•
Creating a New Posture Policy
You can create a new posture policy on the Posture Policies page.
To create a new posture policy, complete the following steps:
Step 1
The Posture Policies page appears.
Step 2
You can enforce a posture policy to be one of the following types:
•
•
Step 3
Step 4
The identity group anchored overlay appears.
To choose a role, complete the following steps:
a.
The identity group anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.
b.
The Roles widget appears.
c.
d.
e.
Step 5
The operating system anchored overlay appears.
To choose an operating system, complete the following steps:
a.
The operating system anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.
b.
The Operating System Groups widget appears.
c.
Here, click the Quick Picker (right arrow) icon to view the operating system groups.
d.
The parent groups for the operating system appears.
e.
•
•
f.
g.
Each Windows group contains its own underlying versions.
h.
i.
Step 6
The conditions anchored overlay appears, which allows you an option to add new one or more dictionary attributes, and save them as simple, and compound conditions to a dictionary (a library). You can use an AND, or OR operator to form a dictionary compound condition, and then save them to the dictionaries. From the Other Conditions field, you can choose dictionary simple, and compound conditions from the library for validation during posture policies evaluation.
To choose a condition, complete the following steps:
a.
b.
The Dictionaries widget appears, which lists the dictionary simple conditions and dictionary compound conditions.
c.
d.
e.
Here, you can do the following:
–
–
–
f.
To choose a dictionary attribute (optional), complete the following steps:
a.
The conditions anchored overlay appears. It allows you to create a new dictionary simple condition or dictionary compound condition (an expression). Click the minus [-] sign, or click outside the anchored overlay to close it.
b.
The Dictionaries widget appears that lists the available dictionaries.
c.
The dictionary attributes appear for the dictionary.
d.
e.
f.
To save, click the icon, or click the icon to clear.
g.
h.
i.
Here, you can do the following:
–
–
–
–
–
Step 7
The requirements anchored overlay appears.
To choose a requirement, complete the following steps:
a.
b.
The Requirements widget appears.
c.
You can enforce a posture requirement to be one of the following items types:
Mandatory—This option enforces the client to meet the posture requirement. The user cannot proceed or have access to the network unless the client meets the posture requirement.
Optional—This option does not enforce the client to meet the posture requirement. The client can bypass the requirement, if required. The client does not require to meet the requirement for the user to proceed or have network access.
Audit—This option checks the client for the posture requirement without notifying the user. It does not affect user network access.
d.
e.
Step 8
Click Cancel to revert to the Posture Policies page without creating a new policy on the Posture Policies page.
Troubleshooting Topics
•
Duplicating a Posture Policy
You can create a copy of the posture policy that you want to duplicate on the Posture Policies page.
To duplicate a policy, complete the following steps:
Step 1
Step 2
Here, you can create a copy of the policy that you want to duplicate on the Posture Policies page.
Troubleshooting Topics
•
Deleting a Posture Policy
You can also delete a posture policy from the Posture Policies page.
To delete a policy, complete the following steps:
Step 1
Step 2
A confirmation dialog appears with the following message: "Are you sure you want to delete Policy(s)?".
Step 3
Here, you can delete a posture policy from the Posture Policies page.
Step 4
Custom Conditions for Posture
A posture condition can be any one of the following simple conditions: a file, a registry, an application, a service, or a dictionary condition. One or more conditions from these simple conditions form a compound condition, which can be associated to a posture requirement.
You can use the Posture menu to manage the following posture simple conditions:
•
•
•
•
•
Note
Note
You can use the Posture menu to manage the following posture compound conditions:
•
•
•
•
Note
Note
File Condition
A file condition is a simple (single) condition that checks for a file by its existence on the client, or its date when created, or modified on the client, or its version that exists on the client. You can create FileExistence, FileDate, and FileVersion types of file conditions to check the compliance of the file on the client. The FileExistence type checks the existence of a file on the client. The FileDate type checks the file based on its file-created date, or file-modified date on the client. The FileVersion type checks for the specific version of the file that you define in the file condition. When you create a file condition on the File condition list page, you can see the fields change to provide details according to your input.
The File conditions list page displays file conditions along with their names and description on the File conditions list. It also displays the names of the files to be checked for each of the file condition type.
Note
This section provides the procedures that you can use to configure file conditions.
Configuring File Conditions
You can create any one of the following types of a file condition on the File conditions list page: FileExistence, FileDate, and FileVersion. You can also duplicate, edit, delete, or filter file conditions from the File conditions list page.
This section covers the following procedures:
•
•
•
Viewing File Conditions
You can use the File conditions list page to view file conditions.
To view file conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you create.
Step 5
Step 6
Here, you can choose a file condition to view the details.
Creating, Duplicating, Editing, and Deleting a File Condition of FileExistence Type
You can use the File conditions list page to create, duplicate, edit, or delete a file condition of FileExistence type, which allows you to check that a file exists on the client, or does not exist on the client.
To create a file condition of FileExistence type, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you create.
Step 5
Warning
Step 6
Here, you can create to add a file condition of FileExistence type, which appears on the File conditions list page.
Step 7
To duplicate a file condition of FileExistence type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the file condition of FileExistence type.
Step 4
To edit a file condition of FileExistence type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can edit a file condition of FileExistence type.
Step 4
The file condition of FileExistence type will be available on the File conditions list page after editing on the edit page.
Step 5
To delete a file condition of FileExistence type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can delete a file condition of FileExistence type.
Warning
Table 19-8 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileExistence type condition.
Creating, Duplicating, Editing, and Deleting a File Condition of FileDate Type
You can use the File conditions list page to create, duplicate, edit, or delete a file condition of FileDate type by using file-created, or file-modified date.
To create a File Condition of FileDate type, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you create.
Step 5
Warning
Step 6
Here, you can create a file condition of FileDate type with file-created date or file-modified date.
Step 7
To duplicate a file condition of FileDate type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the file condition of FileDate type.
Step 4
To edit a file condition of FileDate type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can edit a file condition of FileDate type.
Step 4
The file condition of FileDate type will be available on the File conditions list page after editing on the edit page.
Step 5
To delete a file condition of FileDate type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can delete a file condition of FileDate type.
Warning
Table 19-9 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileDate type condition.
Creating, Duplicating, Editing, and Deleting a File Condition of FileVersion Type
You can use the File conditions list page to create, duplicate, edit, or delete a file condition of FileVersion type that has more than one version.
To create a file condition of FileVersion type, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you create.
Step 5
Warning
Step 6
Here, you can create a file condition of FileVersion type, where the file has more than one version.
Step 7
To duplicate a file condition of FileVersion type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the file condition of FileVersion type.
Step 4
To edit a file condition of FileVersion type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can edit a file condition of FileVersion type.
Step 4
A file condition of FileVersion type will be available on the File conditions list page after editing on the edit page.
Step 5
To delete a file condition of FileVersion type, complete the following steps:
Step 1
The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.
Step 2
Step 3
Here, you can delete a file condition of FileVersion type.
Warning
Table 19-10 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileVersion type condition.
Filtering File Conditions
A quick filter is a simple and quick filter that can be used to filter file conditions on the File conditions list page. It filters file conditions based on the field description such as the name of the file condition, description, and the file to be checked on the File conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the File conditions list page. It filters file conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the File conditions list page.
To filter file conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The File conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-11.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the File conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters file conditions based on each field description on the File conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the File conditions list page. If you clear the field, it displays the list of all the file conditions on the File conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter file conditions by using variables that are more complex. It contains one or more filters, which filter file conditions based on the values that match the field description. A filter on a single row filters file conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter file conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-11 describes the fields that allow you to filter file conditions on the File conditions list page.
Registry Condition
A registry condition is a simple (single) condition that checks a registry key or the value of the registry on the client. You can create RegistryKey, RegistryKeyValue, and RegistryValueDefault types of registry conditions to check the compliance of the client on a registry. The RegistryKey type checks the existence of a registry on the client, and the RegistryKeyValue type checks the data of the registry key on the client. The RegistryValueDefault is the same as the RegistryKeyValue except that the former checks for the default value. When you create a registry condition on the Registry list page, you can see the fields change to provide details according to your input.
The Registry conditions list page displays registry conditions along with their names, description on the Registry conditions list, and the type of registry conditions.
Note
This section provides the procedure that you can use to configure registry conditions.
Configuring Registry Conditions
Configuring Registry Conditions
You can create any one of the following types of a registry condition on the Registry conditions page: RegistryKey, RegistryKeyValue, and RegistryValueDefault types. You can also duplicate, edit, delete, or filter the registry conditions from the Registry conditions list page.
This section covers the following procedures:
•
•
•
•
Viewing Registry Conditions
You can use the Registry conditions list page to view registry conditions.
To view registry conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you create.
Step 5
Step 6
Here, you can choose a registry condition to view the details.
Step 7
Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryKey Type
You can use the Registry conditions list page to create, duplicate, edit, or delete a registry condition of RegistryKey type, which allows you to check the existence of a registry on the client.
To create a registry condition of RegistryKey type, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you create.
Step 5
Warning
Step 6
Here, you can create to add a registry condition of RegistryKey type, which appears on the Registry conditions list page.
Step 7
To duplicate a registry condition of RegistryKey type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the registry condition of RegistryKey type.
Step 4
To edit a registry condition of RegistryKey type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.
Step 2
Step 3
Here, you can edit a registry condition of RegistryKey type.
Step 4
A registry condition of RegistryKey type will appear on the Registry conditions list page after editing on the edit page.
Step 5
To delete a registry condition of RegistryKey type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.
Step 2
Step 3
Here, you can delete a file condition of RegistryKey type.
Warning
Table 19-12 describes the fields on the New Registry Condition page that allow you to create, duplicate, or edit a registry condition on its edit page of RegistryKey type condition.
Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValue Type
You can use the Registry conditions list page to create, duplicate, edit, or delete a registry condition of RegistryValue type.
To create a registry condition of RegistryValue type, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Registry conditions list page appears, which lists all the registry conditions that you create.
Step 5
Warning
Step 6
Here, you can create to add a Registry Condition of RegistryValue type, which appears on the Registry conditions list page.
Step 7
To duplicate a registry condition of RegistryValue type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists all the registry conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the registry condition of RegistryValue type.
Step 4
To edit a registry condition of RegistryValue type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists all the registry conditions that you have already created.
Step 2
Step 3
Here, you can edit a registry condition of RegistryValue type.
Step 4
A registry condition of RegistryValue type appears on the Registry conditions list page after editing on the edit page.
Step 5
To delete a registry condition of RegistryValue type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists all the registry conditions that you have already created.
Step 2
Step 3
Here, you can delete a file condition of RegistryValue type.
Warning
Table 19-13 describes the fields on the New Registry Condition page that allow you to create, duplicate, or edit a registry condition on its edit page of RegistryValue type condition.
Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValueDefault Type
You can use the Registry conditions list page to create, duplicate, edit, or delete a registry condition of RegistryValueDefault type.
To create a registry condition of RegistryValueDefault type, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Registry conditions list page appears, which lists all the registry conditions that you create.
Step 5
Warning
Step 6
Here, you can create to add a Registry Condition of RegistryValueDefault type, which appears on the Registry conditions list page.
Step 7
To duplicate a registry condition of RegistryValueDefault type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists all the registry conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the registry condition of RegistryValueDefault type.
Step 4
To edit a registry condition of RegistryValueDefault type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists all the registry conditions that you have already created.
Step 2
Step 3
Here, you can edit a registry condition of RegistryValueDefault type.
Step 4
A registry condition of RegistryValueDefault type appears on the Registry conditions list page after editing on the edit page.
Step 5
To delete a registry condition of RegistryValueDefault type, complete the following steps:
Step 1
The Registry conditions list page appears, which lists all the registry conditions that you have already created.
Step 2
Step 3
Here, you can delete a file condition of RegistryValueDefault type.
Warning
Table 19-14 describes the fields on the New Registry Condition page that allow you to create, or edit a registry condition on its edit page of RegistryValueDefault type condition.
Filtering Registry Conditions
A quick filter is a simple and quick filter that can be used to filter registry conditions on the Registry conditions list page. It filters registry conditions based on the field description such as the name of the registry condition, description, and the type of registry conditions on the Registry conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Registry conditions list page. It filters registry conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Registry conditions list page.
To filter registry conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Registry conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-15.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the Registry conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters registry conditions based on each field description on the Registry conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Registry conditions list page. If you clear the field, it displays the list of all the registry conditions on the Registry conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter registry conditions by using variables that are more complex. It contains one or more filters, which filter registry conditions based on the values that match the field description. A filter on a single row filters registry conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter registry conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-15 describes the fields that allow you to filter registry conditions on the Registry conditions list page.
Application Condition
An application condition is a simple (single) condition, which checks applications that are running, and are not running on the client. The application condition can check for various application processes that are typically viewable under Windows Task Manager.
The Application conditions list page displays application conditions along with their names, description, and as well as of the applications that are running and are not running on the client. It also shows the status of applications whether they are running, or are not running on the client.
Note
This section provides the procedure that you can use to configure application conditions.
Configuring Application Conditions
Configuring Application Conditions
You can create an application condition to check that an application is running, or not running on the client. You can also duplicate, edit, delete, or filter application conditions from the Application conditions list page.
This section covers the following procedures:
•
•
•
Viewing Application Conditions
You can use the Application conditions list page to view application conditions.
To view application conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Application conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you create.
Step 5
Step 6
Here, you can choose an application condition to view the details.
Step 7
Creating, Duplicating, Editing, and Deleting an Application Condition
You can use the Application conditions list page to create, duplicate, edit, or delete an application condition, which allows you to check various application processes that are running, or are not running on the client.
To create an application condition, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Application conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you create.
Step 5
Warning
Step 6
Here, you can create to add an application condition, which appears on the Application conditions list page.
Step 7
To duplicate an application condition, complete the following steps:
Step 1
The Applications conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the application condition.
Step 4
To edit an application condition, complete the following steps:
Step 1
The Application conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.
Step 2
Step 3
Here, you can edit an application condition.
Step 4
The application condition will appear on the Application conditions list page after editing on the edit page.
Step 5
To delete an application condition, complete the following steps:
Step 1
The Application conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.
Step 2
Step 3
Here, you can delete an application condition.
Warning
Table 19-16 describes the fields on the New Application Condition list page that allow you to create, duplicate, or edit an application condition on its edit page.
Filtering Application Conditions
A quick filter is a simple and quick filter that can be used to filter application conditions on the Application conditions list page. It filters application conditions based on the field description such as the name of the file condition, description, and that shows the status whether applications are running, or not running on the client on the Application conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Application conditions list page. It filters application conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Application conditions list page.
To filter application conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Application conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-17.
Step 6
Step 7
Step 8
The preset filter displays the filtered results on the Application conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters application conditions based on each field description on the Application conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Application conditions list page. If you clear the field, it displays the list of all the application conditions on the Application conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter application conditions by using variables that are more complex. It contains one or more filters, which filter application conditions based on the values that match the field description. A filter on a single row filters application conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter application conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-17 describes the fields that allow you to filter application conditions on the Application conditions list page.
Service Condition
A service condition is a simple (single) condition, which checks services that are running, and are not running on the client. The service condition can check for various services such as security, or application agents that are typically viewable from the Windows Services console.
The Service conditions list page displays service conditions along with their names and description of the service conditions. It also shows the status of the services whether they are, or are not running on the client.
Cisco Predefined Checks
The Service conditions list page displays predefined Cisco checks as well as service conditions that you create on the Service Condition page. The predefined Cisco checks are downloaded on your Cisco ISE deployment as a result of dynamic posture updates. The pc_AutoUpdateCheck is one of the predefined Cisco checks, which is downloaded to the service conditions list (simple conditions).
For information on downloading Posture updates through the web, see the "Dynamic Posture Updates" section.
pc_AutoUpdateCheck
The pc_AutoUpdateCheck is a single (simple) condition, which can be used in a compound condition. The pr_AutoUpdateCheck_Rule is a compound condition that uses the pc_AutoUpdateCheck simple condition.
For information on how the pr_AutoUpdateCheck_Rule is used in a Windows Updates remediation, see the "pr_AutoUpdateCheck_Rule" section.
Note
This section provides the procedure that you can use to configure service conditions.
Configuring Service Conditions
Configuring Service Conditions
You can create a service condition to check that a service is running, or not running on the client. You can also duplicate, edit, delete, or filter service conditions from the Services conditions list page.
This section covers the following procedures:
•
Viewing Service Conditions
You can use the Service conditions list page to view service conditions.
To view service conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you create.
Step 5
Step 6
Here, you can choose a service condition to view the details.
Step 7
Creating, Duplicating, Editing, and Deleting a Service Condition
You can use the Service conditions list page to create, duplicate, edit, or delete a service condition, which allows you to check various services that are running or not running on the client.
To create a service condition, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you create.
Step 5
Warning
Step 6
Here, you can create to add a service condition, which appears on the Service conditions list page.
Step 7
To duplicate a service condition, complete the following steps:
Step 1
The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the service condition.
Step 4
To edit a service condition, complete the following steps:
Step 1
The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.
Step 2
Step 3
Here, you can edit a service condition.
Step 4
The service condition will appear on the Service conditions list page after editing on the edit page.
Step 5
To delete a service condition, complete the following steps:
Step 1
The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.
Step 2
Step 3
Here, you can delete a service condition.
Warning
Table 19-18 describes the fields on the New Service Condition page that allow you to create, duplicate, or edit a service condition on its edit page.
Filtering Service Conditions
A quick filter is a simple and quick filter that can be used to filter service conditions on the Service conditions list page. It filters service conditions based on the field description such as the name of the file condition, description, and that checks for services that are running, or not running on the client on the Service conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Service conditions list page. It filters service conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Service conditions list page.
To filter service conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Service conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-19.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To view compound conditions, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the Service conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters service conditions based on each field description on the Service conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Service conditions list page. If you clear the field, it displays the list of all the service conditions on the Service conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter service conditions by using variables that are more complex. It contains one or more filters, which filter service conditions based on the values that match the field description. A filter on a single row filters service conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter service conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-19 describes the fields that allow you to filter service conditions on the Service conditions list page.
Compound Condition
A compound condition includes one or more simple conditions, or compound conditions of the type file, registry, application, service, or dictionary conditions. You can combine one or more conditions using an AND (ampersand [ & ]), an OR (horizontal bar [ | ]), or a NOT (exclamation point [ ! ]) operator to create a compound condition.
Cisco Predefined Rules
The Compound condition list page displays predefined Cisco rules, as well as compound conditions that you create on the Compound condition list page. The predefined Cisco rules are downloaded on your Cisco ISE deployment as a result of dynamic posture updates through the web.
For information on downloading Posture updates through the web, see the "Dynamic Posture Updates" section.
pr_AutoUpdateCheck_Rule
The pr_AutoUpdateCheck_Rule is a predefined Cisco Rule, which is downloaded to the Compound conditions list page. It contains only the pc_AutoUpdateCheck, a single (simple) condition.
When used in a posture requirement, the pr_AutoUpdateCheck_Rule compound condition allows you to check whether Windows clients are enabled with the automatic updates feature. If the Windows clients fail to meet the requirement, then the NAC Agents enforce Windows clients to be enabled (remediate) with the automatic updates feature, and upon which the clients are postured compliant. The Windows updates remediation that you associate in the posture requirement overrides the Windows administrator setting, if the automatic updates feature is not enabled on Windows clients.
The Compound conditions list page displays compound conditions along with their names and description according to their operating systems. The compound conditions list page allows you to filter the conditions based on the operating systems, as every condition is associated with one or more operating systems. The filtering options allow you to quickly pick the right set of conditions for a specific operating system.
Note
This section provides the procedure that you can use to configure compound conditions.
Configuring Compound Conditions
Configuring Compound Conditions
You can create, duplicate, edit, delete, or filter compound conditions from the Compound conditions list page.
This section covers the following procedures:
•
•
Viewing Compound Conditions
You can use the Compound conditions list page to view compound conditions.
To view compound conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Compound conditions list page appears, which lists predefined Cisco compound conditions and all the service conditions that you create.
Step 5
Step 6
Here, you can choose a compound condition to view the details.
Step 7
Creating, Duplicating, Editing, and Deleting a Compound Condition
You can use the Compound conditions list page to create, duplicate, edit, or delete a compound condition.
To add a compound condition, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Compound conditions list page appears, which lists predefined Cisco compound conditions and compound conditions that you create.
Step 5
Warning
Step 6
Here, you can create an expression by using logical operators to form a compound condition by combining simple conditions. You can use the Condition list (an object selector) to choose one or more simple conditions.
a.
b.
c.
Step 7
Step 8
To duplicate a compound condition, complete the following steps:
Step 1
The Compound conditions list page appears, which lists predefined Cisco ISE compound conditions and compound conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the compound condition.
Step 4
To edit a compound condition, complete the following steps:
Step 1
The Compound conditions list page appears, which lists predefined Cisco compound conditions and compound conditions that you have already created.
Step 2
Step 3
Here, you can edit a compound condition, which you have already created, and saved on the Compound conditions list page. The predefined Cisco rules are not editable.
Step 4
The compound condition will appear on the Compound conditions list page after editing on the edit page.
Step 5
To delete a compound condition, complete the following steps:
Step 1
The Compound conditions list page appears, which lists predefined Cisco compound conditions and compound conditions that you have already created.
Step 2
Step 3
Here, you can delete a compound condition.
Warning
Table 19-20 describes the fields on the New Compound Condition page that allow you to create, duplicate, or edit a compound condition on its edit page.
Filtering Compound Conditions
A quick filter is a simple and quick filter that can be used to filter compound conditions on the Compound conditions list page. It filters compound conditions based on the field description such as the name and description of the compound condition on the Compound conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Compound conditions list page. It filters compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Compound conditions list page.
To filter compound conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Compound conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-21.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the Compound conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters compound conditions based on each field description on the Compound conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Compound conditions list page. If you clear the field, it displays the list of all the compound conditions on the Compound conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter compound conditions by using variables that are more complex. It contains one or more filters, which filter compound conditions based on the values that match the field description. A filter on a single row filters compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-21 describes the fields that allow you to filter compound conditions on the Compound conditions list page.
Antivirus and Antispyware Compound Conditions
Prerequisites:
Before you begin, you should read and understand the following antivirus and antispyware topics:
•
•
An Antivirus Compound Condition
Cisco ISE loads preconfigured antivirus compound conditions on the AV Compound conditions list, which are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems. These antivirus compound conditions can check for antivirus products for their existence on all the clients. You can also create new antivirus compound conditions on the New AV Compound Condition page.
The New AV Compound Condition page displays the Products for Selected Vendor table, which provides information on antivirus products for a selected vendor.
An Antispyware Compound Condition
Cisco ISE loads preconfigured antispyware compound conditions on the AS Compound conditions list, which are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems. These antispyware compound conditions can check for antispyware products for their existence on all the clients. You can also create new antispyware compound conditions on the New AS Compound Condition page.
The New AS Compound Condition page displays the Products for Selected Vendor table, which provides information on antivirus products for a selected vendor.
Antivirus and Antispyware Support Charts
Cisco ISE uses an antivirus and antispyware support chart, which provides the latest version and date on the definition files for each vendor product. Users need to frequently poll antivirus and antispyware support charts for updates. The antivirus and antispyware vendors frequently update antivirus and antispyware definition files, and the antivirus and antispyware chart provides them the latest version and date on the definition files for each vendor product.
Each time the antivirus and antispyware support chart is updated to reflect support for new antivirus and antispyware vendors, products, and their releases, the NAC Agents receive a new antivirus and antispyware library. It helps NAC Agents to support newer additions. Once the NAC Agents retrieve this support information, they check the latest definition information from the periodically updated se-checks.xml file (which is published along with the se-rules.xml file in the se-templates.tar.gz archive), and determine whether clients are compliant with the posture policies. Depending upon what is supported by the antivirus and antispyware library for a particular antivirus, or antispyware product, the appropriate requirements will be sent to the NAC Agents for validating their existence, and the status of particular antivirus and antispyware products on the clients during posture validation.
Antivirus and Antispyware Definition Updates
The New AV Compound Condition and New AS Compound Condition configuration pages allow you to use the information from the av-chart archive files, which display the list of vendors, supported products, and their releases to configure client remediations on the AVAS remediations list page.
In the New AV Compound Condition and New AS Compound Condition configuration pages, you have an option to check for antivirus and antispyware definition file date, or version on all the clients for the following: a particular vendor product, or any product from a vendor, or for any vendor any product. In addition, you also have an option to specify that the definition files can be older than a specified certain number of days. It gives users a certain amount of time to enforce security policies with respect to how old the definition files can be on their system.
Antivirus and antispyware compound conditions allow you to verify that the virus definition files for a specified vendor are up-to-date on your clients. You can optionally configure antivirus and antispyware definition files of antivirus and antispyware compound conditions to be older by a number of days than the definition files, which are updated in the Cisco ISE servers. Even if the definition files have not been updated by the vendor, this option allows you to configure antivirus and antispyware compound conditions so that clients are validated for compliance with older versions by a few days.
For antivirus definition file updates, you can specify the number of days either from the latest antivirus definition file updates for a specified vendor, or from the current system date on Cisco ISE. For antispyware definition file updates, you must specify the number of days from the current system date. You do not have the option to specify the number of days from the latest antispyware definition file updates. The default number of days is zero (0), indicating that the antivirus and antispyware file definition date cannot predate the latest file or current system date.
You can also associate antivirus and antispyware compound conditions to the AVAS remediation actions. If your clients fail to meet antivirus and antispyware compound conditions, then the NAC Agents that are installed on your clients communicate directly with the installed antivirus and antispyware software on the clients. The NAC Agents display a dialog with an update, or remediate button on it for end users to use them to remediate clients automatically with the latest antivirus and antispyware definition files.
Related Topics
Antispyware Compound Condition
Antivirus Compound Condition
An antivirus compound condition contains one or more antivirus conditions (simple conditions), or antivirus compound conditions. An antivirus compound condition checks an antivirus installation, or checks for an antivirus signature definition version/date on a client. You can create an antivirus compound condition to check for an antivirus installation, or definition updates on the client for any vendor.
This section provides the procedure that you can use to configure antivirus compound conditions.
Configuring Antivirus Compound Conditions
Configuring Antivirus Compound Conditions
The AV Compound conditions list page displays antivirus compound conditions along with their names and description.
You can create an AV compound condition to check that an antivirus installation exists on your clients, or check that the latest antivirus signature definition version/date on the client for a selected vendor. You can duplicate, edit, delete, or filter AV compound conditions from the AV Compound conditions list page.
This section covers the following procedures:
•
•
Creating, Duplicating, Editing, and Deleting an Antivirus Compound Condition
You can use the AV Compound conditions list page to create, duplicate, edit, or delete an AV compound condition.
To create an antivirus compound condition, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The AV Compound conditions list page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you create on the New Anti-virus Compound Condition page.
Step 5
Warning
Step 6
Here, you can create an antivirus compound condition to check the installation of an antivirus program, or check that an antivirus definition file is up-to-date.
Note
Step 7
To duplicate an antivirus compound condition, complete the following steps:
Step 1
The AV Compound conditions list page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the antivirus compound condition.
Step 4
To edit an antivirus compound condition, complete the following steps:
Step 1
The AV Compound conditions list page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you have already created.
Step 2
Step 3
Here, you can edit an antivirus compound condition, which you have already created and saved on the AV Compound conditions list page. The predefined Cisco rules are not editable.
Step 4
The antivirus compound condition will appear on the AV Compound conditions list page after editing on the edit page.
Step 5
To delete an antivirus compound condition, complete the following steps:
Step 1
The AV Compound conditions list page appears, which lists all the Cisco predefined rules, and also AV compound conditions that you have already created.
Step 2
Step 3
Here, you can delete an antivirus compound condition.
Warning
Table 19-22 describes the fields on the AV Compound conditions list page that allow you to create, duplicate, or edit an antivirus compound condition.
Filtering Antivirus Compound Conditions
A quick filter is a simple and quick filter that can be used to filter antivirus compound conditions on the AV Compound conditions list page. It filters antivirus compound conditions based on the field description such as the name and description of the antivirus compound condition on the AV Compound conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AV Compound conditions list page. It filters antivirus compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the AV Compound conditions list page.
To filter antivirus compound conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The AV Compound conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-23.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the AV Compound conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters antivirus compound conditions based on each field description on the AV Compound conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Compound conditions list page. If you clear the field, it displays the list of all the antivirus compound conditions on the AV Compound conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter antivirus compound conditions by using variables that are more complex. It contains one or more filters, which filter antivirus compound conditions based on the values that match the field description. A filter on a single row filters antivirus compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antivirus compound conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-23 describes the fields that allow you to filter antivirus compound conditions on the AV Compound conditions list page.
Antispyware Compound Condition
An antispyware compound condition contains one or more antispyware conditions (simple conditions), or antispyware compound conditions. An antispyware compound condition checks an antispyware installation, or checks for an antispyware signature definition version/date on a client against the current system date. You can create an antispyware compound condition to check for an antivirus installation, or definition updates on the client for any vendor.
When you create an antispyware definition file update condition, the antispyware definition file date can be older than the current system date by the number of days that you specify for checking the definition file date on the client. The default value is zero (0) days.
Here, you must enable (check) the Allow virus definition file to be check box to check that the latest antispyware definition file date on the client. It can be older than the current system date by the number of days, which you define in the days older than field.
This section provides the procedure that you can use to configure antispyware compound conditions.
Configuring Antispyware Compound Conditions
Configuring Antispyware Compound Conditions
The AS Compound conditions list page displays antispyware compound conditions along with their names and description.
You can create an antispyware compound condition to check that an antispyware installation exists on your clients, or check that the latest antispyware signature definition version/date on the client for a selected vendor. You can duplicate, edit, delete, or filter antispyware compound conditions from the AS Compound conditions list page.
This section covers the following procedures:
•
•
Creating, Duplicating, Editing, and Deleting an Antispyware Compound Condition
You can use the AS Compound conditions list page to create, duplicate, edit, or delete an antispyware compound condition.
To create an antispyware compound condition, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The AS Compound conditions list page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you create on the New Anti-spyware Compound Condition page.
Step 5
Warning
Step 6
Here, you can create an antispyware compound condition to check the installation of an antispyware program, or check that an antispyware definition file is up-to-date.
Note
Step 7
To duplicate an antispyware compound condition, complete the following steps:
Step 1
The AS Compound conditions list page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the antispyware compound condition.
Step 4
To edit an antispyware compound condition, complete the following steps:
Step 1
The AS Compound conditions list page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you have already created.
Step 2
Step 3
Here, you can edit an antispyware compound condition, which you have already created and saved on the AS Compound conditions list page. The predefined Cisco rules are not editable.
Step 4
The antispyware compound condition will appear on the AS Compound conditions list page after editing on the edit page.
Step 5
To delete an antispyware compound condition, complete the following steps:
Step 1
The AS Compound conditions list page appears, which lists all the Cisco predefined rules, and also AS compound conditions that you have already created.
Step 2
Step 3
Here, you can delete an antispyware compound condition.
Warning
Table 19-24 describes the fields on the AS Compound conditions list page that allow you to create, duplicate, or edit an antispyware compound condition.
Filtering Antispyware Compound Conditions
A quick filter is a simple and quick filter that can be used to filter antispyware compound conditions on the AS Compound conditions list page. It filters antispyware compound conditions based on the field description such as the name and description of the antispyware compound condition on the AS Compound conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AS Compound conditions list page. It filters antispyware compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the AS Compound conditions list page.
To filter antispyware compound conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The AS Compound conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-25.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the AV Compound conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters antispyware compound conditions based on each field description on the AS Compound conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Compound conditions list page. If you clear the field, it displays the list of all the antispyware compound conditions on the AS Compound conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter antispyware compound conditions by using variables that are more complex. It contains one or more filters, which filter antispyware compound conditions based on the values that match the field description. A filter on a single row filters antispyware compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antispyware compound conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-25 describes the fields that allow you to filter antispyware compound conditions on the AS Compound conditions list page.
Dictionary Simple Condition
A Dictionary simple condition is a simple (single) condition, where you can associate a value to a dictionary attribute. Once created and saved, the dictionary simple conditions are added to a library. You can use these dictionary simple conditions to form a dictionary compound condition on the Dictionary Compound Conditions page.
This section provides the procedure that you can use to configure dictionary simple conditions.
Configuring Dictionary Simple Conditions
Configuring Dictionary Simple Conditions
You can create a dictionary simple condition to check the value of an attribute that you associate to the dictionary attribute in the dictionary simple condition. You can also duplicate, edit, delete, or filter dictionary simple conditions from the Dictionary Simple Conditions list page.
The Dictionary Simple Conditions list page displays dictionary simple conditions along with their names and description, as well as the conditions in detail that you define in the dictionary simple conditions.
This section covers the following procedures:
•
•
Creating, Duplicating, Editing, and Deleting a Dictionary Simple Condition
You can use the Dictionary Simple Conditions list page to create, duplicate, edit, or delete a dictionary simple condition.
To create a dictionary simple condition, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Dictionary Simple Conditions list page appears.
Step 5
Warning
Step 6
Here, you can create a dictionary simple condition where you can associate a value to a dictionary attribute.
Step 7
To duplicate a dictionary simple condition, complete the following steps:
Step 1
The Dictionary Simple Conditions list page appears, which lists all the dictionary simple conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the dictionary simple condition.
Step 4
To edit a dictionary simple condition, complete the following steps:
Step 1
The Dictionary Simple Conditions list page appears, which lists all the dictionary simple conditions that you have already created.
Step 2
Step 3
Here, you can edit a dictionary simple condition.
Step 4
The dictionary simple condition will appear on the Dictionary Simple Conditions list page after editing on the edit page.
Step 5
You cannot delete a dictionary simple condition, which is associated to a dictionary compound condition. To delete, you must first remove the association from the dictionary compound condition, and then delete it.
To delete a dictionary simple condition, complete the following steps:
Step 1
The Dictionary Simple Conditions list page appears, which lists all the dictionary simple conditions that you have already created.
Step 2
Step 3
Here, you can delete a dictionary simple condition.
Table 19-26 describes the fields on the Dictionary Simple Conditions list page that allow you to create, duplicate a dictionary simple condition, or edit a dictionary simple condition on its edit page.
Filtering Dictionary Simple Conditions
A quick filter is a simple and quick filter that can be used to filter dictionary simple conditions on the Dictionary Simple Conditions list page. It filters dictionary simple conditions based on the field description such as the name of the dictionary simple condition, condition that you define in the dictionary simple condition, and description on the Dictionary Simple Conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Dictionary Simple Conditions list page. It filters dictionary simple conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Dictionary Simple Conditions list page.
To filter dictionary simple conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Dictionary Simple Conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-27.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the Dictionary Simple Conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters dictionary simple conditions based on each field description on the Dictionary Simple Conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Dictionary Simple Conditions list page. If you clear the field, it displays the list of all the dictionary simple conditions on the Dictionary Simple Conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter dictionary simple conditions by using variables that are more complex. It contains one or more filters, which filter dictionary simple conditions based on the values that match the field description. A filter on a single row filters dictionary simple conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-27 describes the fields on the Dictionary Simple Conditions list page that allow you to filter dictionary simple conditions.
Dictionary Compound Condition
A dictionary compound condition is a logical combination of more than one dictionary simple condition (a dictionary attribute that is associated with a value). It is a set of dictionary simple conditions (dictionary attributes that are associated with values) that are logically combined with an AND, or an OR operator. You can save a dictionary compound condition, only when you define more than one dictionary simple condition, and then combine them on the Dictionary Compound Conditions page. One or more dictionary simple conditions that you create on the Dictionary Compound Conditions page must be saved to a library first, which can be added later from the library to form a dictionary compound condition.
This section provides the procedure that you can use to configure dictionary compound conditions.
Configuring Dictionary Compound Conditions
Configuring Dictionary Compound Conditions
The Dictionary Compound Conditions page displays the list of dictionary compound conditions along with their names and description, as well as dictionary simple conditions that are logically combined.
This section covers the following procedure:
•
•
Creating, Duplicating, Editing, and Deleting a Dictionary Compound Condition
You can create, duplicate, edit, or delete a dictionary compound condition from the Dictionary Compound Conditions page.
To create a dictionary compound condition, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Dictionary Compound Conditions list page appears.
Step 5
Warning
Step 6
Here, you can create a dictionary compound condition where you can logically combine more than one dictionary simple conditions.
Step 7
To duplicate a dictionary compound condition, complete the following steps:
Step 1
The Dictionary compound Conditions list page appears, which lists all the dictionary compound conditions that you have already created.
Step 2
Step 3
Here, you can create a copy of the dictionary compound condition.
Step 4
To edit a dictionary compound condition, complete the following steps:
Step 1
The Dictionary Compound Conditions list page appears, which lists all the dictionary compound conditions that you have already created.
Step 2
Step 3
Here, you can edit a dictionary compound condition.
Step 4
The dictionary compound condition will appear on the Dictionary Compound Conditions list page after editing on the edit page.
Step 5
To delete a dictionary compound condition, complete the following steps:
Step 1
The Dictionary Compound Conditions list page appears, which lists all the dictionary compound conditions that you have already created.
Step 2
Step 3
Here, you can delete a dictionary compound condition.
Table 19-28 describes the fields on the Dictionary Compound Conditions page that allow you to create, duplicate a dictionary compound condition, or edit a dictionary compound condition on its edit page.
Filtering Dictionary Compound Conditions
A quick filter is a simple and quick filter that can be used to filter dictionary compound conditions on the Dictionary Compound Conditions list page. It filters dictionary compound conditions based on the field description such as the name of the dictionary compound condition, conditions that you define in the dictionary compound condition, and description on the Dictionary Compound Conditions list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Dictionary Compound Conditions list page. It filters dictionary compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Dictionary Compound Conditions list page.
To filter compound conditions, complete the following steps:
Step 1
Step 2
Step 3
The Posture menu appears, which lists all the posture condition types.
Step 4
The Dictionary Compound Conditions list page appears.
Step 5
The Quick Filter and Advanced Filter options appear. See Table 19-29.
Step 6
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 7
The preset filter displays the filtered results on the Dictionary Compound Conditions list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters dictionary compound conditions based on each field description on the Dictionary Compound Conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Dictionary Compound Conditions list page. If you clear the field, it displays the list of all the compound conditions on the Dictionary Compound Conditions list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter dictionary compound conditions by using variables that are more complex. It contains one or more filters, which filter dictionary compound conditions based on the values that match the field description. A filter on a single row filters dictionary compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-29 describes the fields on the Dictionary Compound Conditions list page that allow you to filter dictionary compound conditions.
Posture Results
Posture results are associated mandatory requirements to posture policies that all clients must meet their requirements during posture evaluation, and associated remediation actions to requirements that are required by clients to remediate themselves to meet failed requirements in order to become compliant on your network.
Posture results in posture requirements which all clients must meet for compliance with your organization security policies during policy evaluation of endpoints, The posture requirements can be set to mandatory, optional or audit types in posture policies during posture evaluation of endpoints.
Mandatory Requirements
If clients fail to meet mandatory requirements as defined in posture policies, then they are provided with remediation options in order for clients to meet them during policy evaluation. When clients fail to meet mandatory requirements during policy evaluation, it results in remediation actions that are associated to requirements, and end users are given remediation time within minutes specified in the remediation timer settings to remediate failed requirements.
If a client machine is unable to remediate a mandatory requirement, the session posture status changes to "non-compliant" and the agent session is quarantined. The only way to get the client machine past this "non-compliant" state is by initiating a new RADIUS or posture session where the agent starts posture assessment on the client machine again.
You can restart posture assessment on the client machine by doing one of the following:
•
Alternatively, wired users can get out of the quarantine state once they disconnect and reconnect to the network. In a wireless environment, the user must disconnect from the WLC and wait until the user idle timeout period has expired before attempting to reconnect to the network.
•
Optional Requirements
If client machines fail to meet optional requirements during policy evaluation, then the agents prompt end users with an option to continue further so that end users can skip optional requirements even though they fail during policy evaluation.
Audit Requirements
Audit requirements are not shown to end users even though they pass, or fail during policy evaluation.
Related Topics
•
•
•
Troubleshooting Topics
•
Custom Posture Remediation Actions
A custom posture remediation action can take the form of a file, a link, an antivirus or antispyware definition updates, launching programs, Windows updates, or Windows Server Update Services (WSUS) types. Here, you also have a text box for all the remediation types that can be used to communicate to the Agent users. In addition to remediation actions, you can also communicate to Agent users of non compliance of clients only with messages. Here, the NAC Agent does not trigger any remediation action.
When you create a posture requirement on the Requirements page, you can associate any one of a file, a link, an antivirus or antispyware definition updates, launching programs, Windows updates, or Windows Server Update Services (WSUS) types to the requirement.
Message Text Only
The Message Text Only option informs Agent users about noncompliance of clients. It also provides optional instructions to the user to contact the Help desk for more information, or to remediate the client manually.
You can use the Posture Remediation Actions menu to manage the following remediations for a posture in Cisco ISE:
•
•
•
•
•
•
To manage the posture remediation actions, complete the following steps:
Step 1
Step 2
Step 3
The following results appear:
•
•
Step 4
The following remediation types appear:
•
Step 5
Configuring Custom Posture Remediation Actions
This section describes the custom remediation types that you can define in Cisco ISE.
This section covers the following procedures for managing remediation actions for a posture:
•
•
•
–
•
–
•
–
•
–
Troubleshooting Topics
•
File Remediation
A file remediation allows clients to download the required file version for compliance. You are only allowed to create a file remediation, where the NAC Agent and Web Agent can remediate an endpoint with a file that is required by the client for compliance. You can also view, duplicate, or delete file remediations on the File remediations list page, but not edit file remediations as you are allowed to edit other remediation types.
The File remediations list page displays all the file remediations along with their names, description, and as well as the files that are required for remediation.
This section describes the following procedures to configure and filter file remediations.
•
Viewing, Adding, and Deleting a File Remediation
This section describes the procedures to view, add, duplicate, or delete file remediations from the File remediations list page.
To view a file remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The File remediations list page appears, which lists all the file remediations on the File remediations list page.
Step 7
Step 8
Here, you can view a file remediation.
Step 9
To add a file remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The File remediations list page appears, which lists all the file remediations on the File remediations list page.
Step 7
The New File Remediation page appears. Here, you can create to add a new file remediation.
Warning
Step 8
Step 9
The new file remediation appears on the File remediations list page.
To delete a file remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The File remediations list page appears, which lists all the file remediations on the File remediations list page.
Step 7
Step 8
Here, you can delete a file remediation from the File remediations list page.
Table 19-30 describes the fields that allow you to create a file remediation on the New File Remediation page.
Filtering File Remediations
A quick filter is a simple and quick filter that can be used to filter file remediations on the File remediations list page. It filters file remediations based on the field description such as the name of the file remediation, description, and the file to be uploaded that is required for remediation on the File remediations list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the File remediations list page. It filters file remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the File remediations list page.
To filter file remediations, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
Step 7
The Quick Filter and Advanced Filter options appear. See Table 19-30.
Step 8
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 9
The preset filter displays the filtered results on the File remediations list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters file remediations based on each field description on the File remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the File remediations list page. If you clear the field, it displays the list of all the file remediations on the File remediations list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter file remediations by using variables that are more complex. It contains one or more filters, which filter file remediations based on the values that match the field description. A filter on a single row filters file remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter file remediations by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-31 describes the fields that allow you to filter file remediations.
Link Remediation
A link remediation allows clients to click a URL link for access to a remediation page, or resource. You can create a link remediation, where the NAC Agents and Web Agents open a browser with a link for clients to access a remediation page or resource, and remediate themselves for compliance. You can also duplicate, edit, or delete link remediations on the Link remediations list page.
The Link remediations list page displays all the link remediations along with their names, description, and as well as their modes of remediation.
This section describes the procedures to configure and filter link remediations.
•
Adding, Duplicating, Editing, and Deleting a Link Remediation
This section describes the procedures to add, duplicate, edit, or delete link remediations from the Link remediations list page.
To add a link remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Link remediations list page appears, which lists all the link remediations on the Link remediations list page.
Step 7
The New Link Remediation page appears. Here, you can create to add a new link remediation.
Warning
Step 8
Step 9
The new link remediation appears on the Link remediations list page.
Step 10
To duplicate a link remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Link remediations list page appears, which lists all the link remediations on the Link remediations list page.
Step 7
Step 8
Here, you can duplicate a link remediation on the Link remediations list page.
Step 9
A copy of the link remediation appears on the Link remediations list page. You cannot duplicate a link remediation with the same name.
Step 10
To edit a link remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Link remediations list page appears, which lists all the link remediations on the Link remediations list page.
Step 7
Step 8
Here, you can edit a link remediation on the edit page.
Step 9
The link remediation will be available on the Link remediations list after editing on the edit page.
Step 10
To delete a link remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Link remediations list page appears, which lists all the link remediations on the Link remediations list page.
Step 7
Step 8
Here, you can delete a link remediation from the Link remediations list page.
Table 19-32 describes the fields that allow you to create a link remediation on the New Link remediation page.
Filtering Link Remediations
A quick filter is a simple and quick filter that can be used to filter link remediations on the Link remediations list page. It filters link remediations based on the field description such as the name of the link remediation, description, and the mode of remediation on the Link remediations list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Link remediations list page. It filters link remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Link remediations list page.
To filter link remediations, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
Step 7
The Quick Filter and Advanced Filter options appear. See Table 19-32.
Step 8
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 9
The preset filter displays the filtered results on the Link remediations list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters link remediations based on each field description on the Link remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Link remediations list page. If you clear the field, it displays the list of all the link remediations on the Link remediations list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter link remediations by using variables that are more complex. It contains one or more filters, which filter link remediations based on the values that match the field description. A filter on a single row filters link remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter link remediations by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-33 describes the fields that allow you to filter link remediations.
AVAS Remediation
An antivirus, or antispyware remediation (AV or AS remediation) updates clients with antivirus, or antispyware signature definitions for compliance. You can create an antivirus, or antispyware remediation, which updates clients with up-to-date file definitions for compliance after remediation. You can also duplicate, edit, or delete antivirus, or antispyware remediations on the AVAS remediations list page.
The AVAS remediations list page displays all the antivirus, or antispyware remediations along with their names, description, and as well as their modes of remediation.
This section describes the following procedures to add, duplicate, edit, or delete an antivirus, or antispyware remediations.
•
•
Adding, Duplicating, Editing, and Deleting an Antivirus or Antispyware Remediation
This section describes the procedures to add, duplicate, edit, or delete antivirus, or antispyware remediations from the AVAS remediations list page.
To add an antivirus or antispyware remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The AVAS remediations list page appears, which lists all the antivirus, or antispyware remediations on the AVAS remediations list page.
Step 7
The New AVAS Remediation page appears. Here, you can create to add a new antivirus, or antispyware remediation.
Warning
Step 8
Step 9
The new antivirus, or antispyware remediation appears on the AVAS remediations list page.
To duplicate an antivirus or antispyware remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The AVAS remediations list page appears, which lists all the antivirus, or antispyware remediations on the AVAS remediations list page.
Step 7
Step 8
Here, you can duplicate an antivirus, or antispyware remediation on the AVAS remediations list page.
Step 9
A copy of an antivirus, or antispyware remediation appears on the AVAS remediations list page. You cannot duplicate an antivirus, or antispyware remediation with the same name.
To edit an antivirus or antispyware remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The AVAS remediations list page appears, which lists all the antivirus, or antispyware remediations on the AVAS remediations list page.
Step 7
Step 8
Here, you can edit an antivirus, or antispyware remediation on the edit page.
Step 9
The antivirus, or antispyware remediation will be available on the AVAS remediations list after editing on the edit page.
Step 10
To delete an antivirus or antispyware remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The AVAS remediations list page appears, which lists all the antivirus, or antispyware remediations on the AVAS remediations list page.
Step 7
Step 8
Here, you can delete an antivirus, or antispyware remediation from the AVAS remediations list page.
Table 19-34 describes the fields that allow you to create an antivirus, or antispyware remediation:
Filtering Antivirus or Antispyware Remediations
A quick filter is a simple and quick filter that can be used to filter antivirus, or antispyware remediations on the AVAS remediations list page. It filters antivirus, or antispyware remediations based on the field description such as the name of the antivirus, or antispyware remediation, description, and as well as the mode of remediation on the AVAS remediations list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AVAS remediations list page. It filters antivirus, or antispyware remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the AVAS remediations list page.
To filter antivirus or antispyware remediations, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
Step 7
The Quick Filter and Advanced Filter options appear Table 19-35.
Step 8
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 9
The preset filter displays the filtered results on the AVAS remediations list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters antivirus, or antispyware remediations based on each field description on the AVAS remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the AVAS remediations list page. If you clear the field, it displays the list of all the antivirus, or antispyware remediations on the AVAS remediations list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter antivirus, or antispyware remediations by using variables that are more complex. It contains one or more filters, which filter antivirus, or antispyware remediations based on the values that match the field description. A filter on a single row filters antivirus, or antispyware remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antivirus, or antispyware remediations by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-35 describes the fields that allow you to filter antivirus, or antispyware remediations.
Launch Program Remediation
A launch program remediation launches one, or more programs on clients for compliance. You can create a launch program remediation, where the NAC Agents and Web Agents remediate clients by launching one, or more applications on clients for compliance. You can also duplicate, edit, or delete launch program remediations on the Launch Program remediations list page.
The Launch Program remediations list page displays all the launch program remediations along with their names, description, and as well as their modes of remediation.
This section describes the following procedures to configure and filter launch program remediations.
•
•
Adding, Duplicating, Editing, and Deleting a Launch Program Remediation
This section describes the procedures to add, duplicate, edit, delete launch program remediations from the Launch Program remediations list page.
To add a launch program remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Launch Program remediations list page appears, which lists all the launch program remediations on the Launch Program remediations list page.
Step 7
The New Launch program Remediation page appears. Here, you can create to add a new launch program remediation.
Warning
Step 8
Step 9
The new launch program remediation appears on the Launch Program remediations list page.
To duplicate a launch program remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Launch Program remediations list page appears, which lists all the launch program remediations on the Launch Program remediations list page.
Step 7
Step 8
Here, you can duplicate a launch program remediation on the Launch Program remediations list page.
Step 9
A copy of the launch program remediation appears on the Launch Program remediations list page. You cannot duplicate a launch program remediation with the same name.
Step 10
To edit a launch program remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Launch Program remediations list page appears, which lists all the launch program remediations on the Launch Program remediations list page.
Step 7
Step 8
Here, you can edit a launch program remediation on the edit page.
Step 9
The launch program remediation will be available on the Launch Program remediations list after editing on the edit page.
Step 10
To delete a launch program remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Launch Program remediations list page appears, which lists all the launch program remediations on the Launch Program remediations list page.
Step 7
Step 8
Here, you can delete a launch program remediation from the Launch Program remediations list page.
Table 19-36 describes the fields that allow you to create a launch program remediation.
Filtering Launch Program Remediations
A quick filter is a simple and quick filter that can be used to filter launch program remediations on the Launch Program remediations list page. It filters launch program remediations based on the field description such as the name of the launch program remediation, description, and as well as the mode of remediation on the Launch Program remediations list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Launch Program remediations list page. It filters launch program remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Launch Program remediations list page.
To filter launch program remediations, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Step 6
The Launch Program remediations list page appears.
Step 7
The Quick Filter and Advanced Filter options appear. Table 19-37.
Step 8
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 9
The preset filter displays the filtered results on the Launch Program remediations list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters launch program remediations based on each field description on the Launch Program remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Launch Program remediations list page. If you clear the field, it displays the list of all the launch program remediations on the Launch Program remediations list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter launch program remediations by using variables that are more complex. It contains one or more filters, which filter launch program remediations based on the values that match the field description. A filter on a single row filters launch program remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter launch program remediations by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-37 describes the fields that allow you to filter launch program remediations.
Windows Update Remediation
A Windows update remediation ensures that Automatic Updates configuration is turned on Windows clients per your security policy, and helps you to ensure that Automatic Updates remediates Windows clients to result in successful posture assessments for compliance.
Windows Automatic Updates
The Windows administrators have an option to turn on or turn off Automatic Updates on Windows clients. The Microsoft Windows uses this feature to regularly check for important updates and install them on your clients. If the Automatic Updates feature is turned on, then the Windows automatically updates Windows-recommended updates before any other updates.
Windows XP provides the following settings for configuring Automatic Updates:
•
•
•
•
Note
You can create a Windows update remediation to check for the Windows updates service (wuaserv) whether the service is started or stopped in any Windows client by using the pr_AutoUpdateCheck_Rule. It is a predefined Cisco rule, which can be used to create a posture requirement. If the posture requirement fails, the remediation action (Windows update remediation) that you associate to the requirement enforces the Windows client to remediate by using one of the automatic updates options.
Override User's Windows Update Setting With Administrator's Option in Windows Update Remediations
You can enable the "Override User's Windows Update setting with administrator's" option to override the user's with remediation settings, or else you can disable the option.
Note
If "Override User's Windows update setting with administrator's" option is disabled, Windows update remediations will not be enforced except for "Turn Off Automatic Updates" settings on Windows clients.
Windows update remediations will fail when you want to change the Windows Automatic Updates setting:
•
•
•
This section describes the following procedures to configure and filter Windows update remediations.
•
•
Adding, Duplicating, Editing, and Deleting a Windows Update Remediation
The Windows updates remediations list page displays all the Windows update remediations along with their names, description, and as well as their modes of remediation. You can add, duplicate, edit, or delete Windows updates remediations from the Windows updates remediation list page.
This section describes the procedures to add, duplicate, edit, or delete Windows update remediation from the Windows updates remediations list page.
To add a Windows updates remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Windows updates remediations list page appears, which lists all the Windows updates remediations on the Windows updates remediations list page.
Step 7
The New Windows update Remediation page appears. Here, you can create to add a new Windows updates remediation.
Warning
Step 8
Step 9
The new Windows updates remediation appears on the Windows updates remediations list page.
To duplicate a Windows updates remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Windows updates remediations list page appears, which lists all the Windows updates remediations on the Windows updates remediations list page.
Step 7
Step 8
Here, you can duplicate a Windows updates remediation on the Windows updates remediations list page.
Step 9
A copy of the Windows updates remediation appears on the Windows updates remediations list page. You cannot duplicate a Windows updates remediation with the same name.
Step 10
To edit a Windows updates remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Windows updates remediations list page appears, which lists all the Windows updates remediations on the Windows updates remediations list page.
Step 7
Step 8
Here, you can edit a Windows updates remediation on the edit page.
Step 9
The Windows updates remediation will be available on the Windows updates remediations list after editing on the edit page.
Step 10
To delete a Windows updates remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Windows updates remediations list page appears, which lists all the Windows updates remediations on the Windows updates remediations list page.
Step 7
Step 8
Here, you can delete a Windows updates remediation from the Windows updates remediations list page.
Table 19-38 describes the fields that allow you to create a Windows updates remediation:
Filtering Windows Update Remediations
A quick filter is a simple and quick filter that can be used to filter Windows updates remediations on the Windows updates remediations list page. It filters Windows updates remediations based on the field description such as the name of the Windows updates remediation, description, and as well as the mode of remediation on the Windows updates remediations list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Windows updates remediations list page. It filters Windows updates remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Windows updates remediations list page.
To filter Windows updates remediations, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Step 6
The Windows updates remediations list page appears.
Step 7
The Quick Filter and Advanced Filter options appear. See Table 19-39.
Step 8
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 9
The preset filter displays the filtered results on the Windows updates remediations list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters Windows updates remediations based on each field description on the Windows updates remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Windows updates remediations list page. If you clear the field, it displays the list of all the Windows updates remediations on the Windows updates remediations list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter Windows updates remediations by using variables that are more complex. It contains one or more filters, which filter Windows updates remediations based on the values that match the field description. A filter on a single row filters Windows updates remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter Windows updates remediations by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-39 describes the fields that allow you to filter Windows updates remediations:
Windows Server Update Services Remediation
A Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or Microsoft-managed WSUS server with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or locally administered WSUS server for compliance.
The Windows server update services (WSUS) remediations list page displays all the WSUS remediations along with their names, description, and as well as their modes of remediation.
Note
This section describes the following procedures to configure and filter WSUS remediations.
•
•
Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation
This section describes the procedures to add, duplicate, edit, or delete WSUS remediations from the Windows server update services remediations list page.
To add a Windows server update services remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Windows server update services remediations list page appears, which lists all the WSUS remediations on the Windows server update services remediations list page.
Step 7
The New Windows Server Update Services Remediation page appears. Here, you can create to add a new WSUS remediation.
Warning
Step 8
Step 9
The new WSUS remediation appears on the Windows server update services remediations list page.
To duplicate a Windows server update services remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Windows server update services remediations list page appears, which lists all the WSUS remediations on the Windows server update services remediations list page.
Step 7
Step 8
Here, you can duplicate a WSUS remediation on the Windows server update services remediations list page.
Step 9
A copy of the WSUS remediation appears on the Windows server update services remediations list page. You cannot duplicate a WSUS remediation with the same name.
Step 10
To edit a Windows server update services remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Windows server update services remediations list page appears, which lists all the WSUS remediations on the Windows server update services remediations list page.
Step 7
Step 8
Here, you can edit a WSUS remediation on the edit page.
Step 9
The WSUS remediation will be available on the Windows server update services remediations list after editing on the edit page.
Step 10
To delete a Windows server update services remediation, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Remediation Actions menu window displays the choices for remediation actions.
Step 6
The Windows server update services remediations list page appears, which lists all the WSUS remediations on the Windows server update services remediations list page.
Step 7
Step 8
Here, you can delete a WSUS remediation from the Windows server update services remediations list page.
Table 19-40 describes the fields that allow you to create a WSUS remediation.
Filtering Windows Server Update Services Remediations
A quick filter is a simple and quick filter that can be used to filter WSUS remediations on the Windows server update services remediations list page. It filters WSUS remediations based on the field description such as the name of the WSUS remediation, description, and as well as the mode of remediation on the Windows server update services remediations list page.
An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Windows server update services remediations list page. It filters WSUS remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Windows server update services remediations list page.
To filter WSUS remediations, complete the following steps:
Step 1
Step 2
Step 3
Remediation Actions and Requirements appear for posture result types.
Step 4
Step 5
Step 6
The Windows server update services remediations list page appears.
Step 7
The Quick Filter and Advanced Filter options appear. See Table 19-41.
Step 8
For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.
Step 9
The preset filter displays the filtered results on the Windows updates remediations list page.
Note
To filter using the Quick Filter option, complete the following steps:
A quick filter filters WSUS remediations based on each field description on the Windows server update services remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Windows server update services remediations list page. If you clear the field, it displays the list of all the WSUS remediations on the Windows server update services remediations list page.
Step 1
Step 2
To filter using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter WSUS remediations by using variables that are more complex. It contains one or more filters, which filter WSUS remediations based on the values that match the field description. A filter on a single row filters WSUS remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter WSUS remediations by using any one or all the filters within a single advanced filter.
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.
Table 19-41 describes the fields that allow you to filter WSUS remediations.
Client Posture Assessment Requirements
Prerequisite
You must have an understanding of Acceptable Use Policy (AUP) for a posture as you create posture requirements. Refer to the following location on AUP with respect to posture compliance:
Administration > System > Settings > Posture > Acceptable Use policy.
For more information on AUP, see Posture Acceptable Use Policy.
A posture requirement is a set of compound conditions with an associated remediation action that can be linked with a role in conjunction with an operating system. All the clients that are connecting to your network must meet mandatory requirements during posture policies evaluation, which are associated to posture policies in order to become compliant on your network. If requirements are optional and clients fail these requirements, then the clients have an option to continue further so that end users can skip optional requirements even though they fail during policy evaluation.
If clients fail to meet mandatory requirements during posture policies evaluation, then they are denied network access to your network, and they are moved into a quarantine state forever. If clients are moved into the quarantine state, they will not be to reauthenticate again in order to be postured successfully for compliance again. If clients need to come out of the quarantine state in order to become compliant, then the network access devices must be configured to restart a new RADIUS session after the session times out so that clients can reauthenticate again in order to meet mandatory requirements for compliance.
For information on configuration guidance of posture clients quarantine state, see "Authorization Profile Configuration Guidance for Posture Clients Quarantine State" section.
pr_WSUSRule
The pr_WSUSRule is a dummy compound condition, which is used in a posture requirement with a Windows Server Update Services (WSUS) remediation associated to it. The associated WSUS remediation action must be configured to validate Windows updates by using the severity level option. When this requirement fails, the NAC Agent that is installed on the Windows client enforces the WSUS remediation action based on the severity level that you define in the WSUS remediation.
Note
You can use the Posture Requirements page to insert (create) a new requirement, or duplicate an existing requirement, or delete an existing requirement.
Table 19-42 describes the fields on the Posture Requirements page that allow you to insert a new posture requirement, or duplicate an existing requirement or delete an existing posture requirement.
Table 19-42 Posture Requirement
Name
From the Name field, enter the name of the requirement that you want to create.
Operating Systems
From the Operating Systems field, choose an operating system. It allows you to select all, or specific Windows, or Macintosh operating systems to which the posture requirement is applied.
Conditions
From the Conditions field, choose one or more dictionary simple conditions, and dictionary compound conditions to which the posture requirement should apply.
If more than one condition is selected, then all the conditions must be met (a logical AND operation) to form a compound condition. The system uses "&" as the AND operator.
Remediation Actions
The remediation action defines the action to be taken when the posture requirement fails on the client.
The remediation actions are defined in the following location:
Policy > Policy Elements > Results > Posture > Remediation Actions.
For information on the posture remediation actions, see the Custom Posture Remediation Actions
For more information on how to manage posture requirements, see the "Creating, Duplicating, and Deleting Client Posture Requirements" section
Related Topics
Client Posture Assessment Policies
Custom Posture Remediation Actions
Creating, Duplicating, and Deleting Client Posture Requirements
This section describes the following procedures on how to insert (create) a new requirement, or duplicate an existing requirement, or delete an existing requirement on the Posture Requirements page.
•
•
•
Creating a New Posture Requirement
You can create a new posture requirement on the Requirements page.
To insert a new requirement, complete the following steps:
Step 1
Step 2
The Posture Requirements page appears.
Step 3
Warning
Step 4
The operating system anchored overlay appears.
To choose an operating system, complete the following steps:
a.
The operating system anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.
b.
The Operating System Groups widget appears.
c.
Here, click the Quick Picker (right arrow) icon to view the operating system groups.
d.
The parent groups for the operating system appears.
e.
•
•
f.
g.
Each Windows group contains its own underlying versions.
h.
i.
Step 5
The conditions anchored overlay appears.
To choose a simple condition, complete the following steps:
a.
The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.
b.
The Conditions widget appears that lists the simple conditions and the compound conditions.
c.
The Table view button shows the list of simple conditions in a row format in the right pane of the widget. The Tree view button shows the list of simple conditions in a tree format under the simple conditions.
d.
Here, you can choose one of the following simple conditions:
–
–
–
–
e.
Here, you can choose a simple condition from the list.
To choose a compound condition, complete the following steps:
a.
The Table view button shows the list of compound conditions in a row format in the right pane of the widget. The Tree view button shows the list of compound conditions in a tree format under the compound conditions.
b.
Here, you can choose one of the following compound conditions:
–
c.
The conditions use the logical operators to form a compound condition.
d.
Step 6
The select remediations anchored overlay appears.
To choose a remediation, complete the following steps:
a.
b.
The Remediations widget appears.
c.
Step 7
Duplicating a Posture Requirement
You can create a copy of a posture requirement that you want to duplicate on the Requirements page.
To duplicate a requirement, complete the following steps:
Step 1
Step 2
Here, you can create a copy of the requirement that you want to duplicate on the Requirements page.
Deleting a Posture Requirement
You can also delete a posture requirement from the Requirements page.
To delete a requirement, complete the following steps:
Step 1
Step 2
Here, you can delete a requirement from the Requirements page.
Custom Authorization Policies for Posture
This section describes the authorization policies that you define for posture in the Cisco ISE appliance.
The authorization policies that you define on the Authorization page are two types, namely the standard authorization policies and the exceptions authorization policies. The standard authorization policies that are specific to posture on the Authorization page are used to make policy decisions (enforce policies) based on the compliance status. The standard authorization profiles (permissions) that you define on the Authorization Profiles page set access privileges based on the matching compliance status.
First Matched Rule Applies
With this option selected, one or more authorization profiles (permissions) that are defined in the authorization policy set the access privileges (authorization) for an end user based on the first matching authorization policy during evaluation.
The selection of First Matched Rule Applies option allows you to configure authorization profiles for an end user by applying the first matching authorization policy from the standard authorization policies that are enabled on the Authorization page. The Cisco ISE evaluates the standard authorization policies that are enabled on the Authorization page and then determines the authorization profile, or authorization profiles that are associated in the standard authorization policies. Once the first matching authorization policy is found, the Cisco ISE stops evaluating the rest of the standard authorization policies on the Authorization page.
Multiple Matched Rule Applies
With this option selected, one or more authorization profiles that are defined in the authorization policies determine the access privileges for an end user based on multiple matching authorization policies during evaluation.
The selection of Multiple Matched Rule Applies option allows you to configure authorization for an end user by applying multiple matching authorization policies from the standard authorization policies that are enabled on the Authorization page. The Cisco ISE evaluates all the standard authorization policies that are enabled on the Authorization page and finds all the matching authorization policies on the Authorization page. Once multiple matching authorization policies are found, the Cisco ISE determines the authorization profile or profiles for the end user.
Prerequisites:
Before you begin, you should have an understanding of authorization policies in Cisco ISE.
For information on the authorization policies, see Chapter 16, "Managing Authorization Policies and Profiles."
This section covers the following procedures:
•
•
Standard Authorization Policies for a Posture
This section describes the basic operations that allow you to manage the standard authorization policies that are specific to posture service.
The Authorization page displays the list of exceptions authorization policies and the standard authorization policies. The Authorization page allows you to configure the standard authorization policies that can be applied to the first matching rule (authorization policy) or multiple matching rules (authorization policies) on the Authorization page.
Once created and saved, you can also prioritize the standard authorization policies by moving the standard authorization policy widgets up and down on the Authorization page. If the policies are set to be enabled within the standard authorization policy widget, then the standard authorization policies enforce policies based on the compliance status of the endpoints. If they are set to be disabled, then the standard authorization policies do not enforce policies on the endpoints. You can also configure the standard authorization policies that can be set to monitor policies based on the compliance status.
To create a standard authorization policy, complete the following steps:
Step 1
The Authorization page appears. This page displays the list of authorization policies for standard and exceptions types.
Step 2
Step 3
The first matched rule applies option sets access privileges (standard authorization profiles) with a single authorization policy that is first matched during evaluation from the list of standard authorization policies.
The multiple matched rule applies option sets access privileges (standard authorization profiles) with multiple authorization policies that are matched during evaluation from the list of all the standard authorization policies.
Step 4
Here, you can do the following:
–
–
–
–
–
Step 5
The standard authorization policy appears on the Authorization page.
Step 6
A confirmation dialog appears with the following message:
"Are you sure you want to reset the data? (current input data will be lost)"
Step 7
Creating, Duplicating, and Deleting a Standard Authorization Policy for a Posture
You can create a new authorization policy, duplicate an existing authorization policy or delete an existing authorization policy on the Authorization page. Exceptions and Standard items on the Authorization page display the authorization policy widgets.
To create (insert) a standard authorization policy for posture, complete the following steps:
Step 1
Here, you can find the list of authorization policies displayed for standard and exceptions types on the Authorization page. The Exceptions page displays the list of exceptions authorization policies and the Standard page displays the list of standard authorization policies.
Step 2
The standard authorization policy widget appears on the Authorization page. Click Standard to close the Standard page.
Step 3
Here, you can choose one of the following options to enforce the policies based on the compliance status. The following are the options available:
–
–
–
Step 4
Step 5
To choose an identity group, complete the following steps:
Step 6
The identity groups anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.
a.
The Identity Groups widget appears.
b.
c.
To choose a condition, complete the following steps:
Step 7
The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.
a.
The Dictionaries widget appears that lists the time and date conditions, dictionary simple conditions, and dictionary compound conditions.
b.
c.
d.
Here, you can do the following:
–
–
–
To choose an attribute, complete the following steps:
Step 8
The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.
Step 9
For information on selecting an existing condition, see the "To select an existing condition from the library, choose Select Existing Condition from Library:" section.
For information on creating a new condition, see the "To create a new condition, choose Create new Condition (Advance Option)." section.
To choose a permission (standard authorization profile), complete the following steps:
Step 10
The authzprofile(s) anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.
a.
The Profiles widget appears. From the Profiles widget, click the navigation arrow to view the authorization profiles in each category. The Profiles widget displays the following authorization profile categories:
–
–
–
b.
c.
d.
e.
Step 11
The standard authorization policy appears on the Authorization page.
To select an existing condition from the library, choose Select Existing Condition from Library:
Here, you can choose a condition from the library that is already saved.
Step 1
The Dictionaries widget appears that lists the available dictionaries.
Step 2
The following options appear:
•
•
•
Step 3
Step 4
Step 5
To create a new condition, choose Create new Condition (Advance Option).
Here, you can create new conditions. You can use the Save icon to add all the new conditions to the library.
Step 1
The Dictionaries widget appears that lists the available dictionaries.
Step 2
The dictionary attributes appear for the dictionary.
Step 3
For the posture status, you can use the PostureStatus attribute, an operator, and the values such as Pending, Compliant and Noncompliant.
Step 4
Step 5
Here, you can do the following:
•
•
•
•
Here, you can save new conditions that you create. You can choose a condition that is already saved by using the Add Condition from Library option.
•
You can create a copy of a standard authorization policy on the Authorization page above or below the current policy selection.
To duplicate a standard authorization policy, complete the following steps:
Step 1
Step 2
Step 3
You can also delete a standard authorization policy on the Authorization page.
To delete a standard authorization policy, complete the following steps:
Step 1
Step 2
Custom Permissions for Posture
A custom permission is an authorization profile (standard authorization profile) that you define in the Cisco ISE appliance. The standard authorization profiles set access privileges based on the matching compliance status of the endpoints. The posture service broadly classifies the posture into pending, compliant, and noncompliant profiles. The posture policies and the posture requirements determine the compliance status of the endpoint.
This section describes the standard authorization profiles that you define in the Cisco ISE appliance.
Prerequisites:
Before you begin, you should have an understanding of the states for a posture.
Review the following states:
Pending Profile
If no matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint may be set to pending. A posture compliance status of pending can also apply to an endpoint where a matching posture policy is enabled, but posture assessment has not yet occurred for that endpoint, and therefore no compliance report has been provided to Cisco ISE by a NAC Agent. For an endpoint to have privileged network access on your network, the compliant status of the endpoint should be compliant.
Compliant Profile
If a matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint is set to compliant. When the posture assessment occurs, the endpoint meets all the mandatory requirements that are defined in the matching posture policy. For an endpoint that is postured compliant, it can be granted privileged network access on your network.
Noncompliant Profile
The posture compliance status of an endpoint is set to noncompliant when a matching posture policy is defined for that endpoint, but the endpoint fails to meet all the mandatory requirements that are defined in the matching posture policy during posture assessment. An endpoint that is postured noncompliant matches a posture requirement with a remediation action and it should be granted limited network access to remediation resources in order to remediate itself to be compliant.
This section provides the procedure that you can use to configure the standard authorization policies for a posture.
Configuring a Standard Authorization Profile
Configuring a Standard Authorization Profile
This section describes the basic operations that allow you to manage the authorization profiles that are specific to the Cisco ISE posture service. The standard authorization profiles help you to enforce the compliance of the endpoints. The posture policies determine the compliance status and the authorization policies enforce the posture based on the compliance status of the endpoints. Those endpoints that are postured complaint after initial authentication, are permitted access. Those endpoints that are postured pending or noncompliant, must remediate and posture again.
You can use the Standard Authorization Profiles page to display, add, edit, or delete the standard authorization profiles for a posture.
Table 19-43 describes the fields in the Standard Authorization Profile page that allow you to create a standard authorization profile.
Table 19-43 Create Standard Profile
Name
The name of the standard profile that you want to create.
Description
The description of the standard profile that you want to create.
Access Type
From the Access Type field, you can choose the type of access (authorization) that you grant an end user after authentication.
Click the drop-down arrow to view the predefined settings:
•
•
Common Tasks
For more information, see the "Configuring Permissions for Authorization Profiles" section on page 16-26.
Advanced Attribute Settings
For more information, see the"Configuring Permissions for Authorization Profiles" section on page 16-26.
Attribute Details
For more information, see the "Configuring Permissions for Authorization Profiles" section on page 16-26.
