Policy User Interface Reference

Policy Set Settings

This section describes how to configure rule-based policy sets that include authentication, authorization and exception policies.

Policy Set Configuration Settings

The following table describes the fields in the Policy Sets window, from which you can configure policy sets, including authentication, exception and authorization policies. Choose Work Centers > Network Access > Policy Sets for network access policies.Choose Work Centers > Device Administration > Device Admin Policy Sets for device administration policies.

Table 1. Policy Set Configuration Settings
Field Name	Usage Guidelines
Status	Choose the status of this policy. It can be one of the following: Enabled: This policy condition is active. Disabled: This policy condition is inactive and will not be evaluated. Monitor Only: This policy condition will not be evaluated.
Policy Set Name	Enter a unique name for this policy set.
Conditions	From a new policy row, click the plus (+) icon or from an existing policy row, click the Edit icon to open the Conditions Studio.
Description	Enter a unique description for the policy.
Allowed Protocols or Server Sequence	Choose an allowed protocol that you have already created, or click the (+) sign to Create a New Allowed Protocol , to Create a New Radius Sequence, or to Create a TACACS Sequence.
Conditions	From a new exceptions row, click the plus (+) icon or from an existing exception row, click the Edit icon to open the Conditions Studio.
Hits	Hits are a diagnostic tool indicating the number of times the conditions have matched. Hover over the icon to view when this was last updated, reset to zero and to view the frequency of updates.
Actions	Click the cog icon from the Actions column to view and select different actions: Insert new row above: Insert a new policy above the policy from which you opened the Actions menu. Insert new row below: Insert a new policy below the policy from which you opened the Actions menu. Duplicate above: Insert a duplicate policy above the policy from which you opened the Actions menu, above the original set. Duplicate below: Insert a duplicate policy below the policy from which you opened the Actions menu, below the original set. Delete: Delete the policy set.
View	Click the arrow icon to open the Set view of the specific policy set and view its authentication, exception, and authorization sub-policies.

Authentication Policy Configuration Settings

The following table describes the fields in the Authentication Policy section of the Policy Sets window, from which you can configure authentication subpolicies as part of your policy sets. For network access policies, choose Work Centers > Network Access > Policy Sets. For device administration policies, choose Work Centers > Device Administration > Device Admin Policy Sets. From the Policy Sets page, choose View > Authentication Policy

Table 2. Authentication Policy Configuration Settings
Field Name	Usage Guidelines
Status	Choose the status of this policy. It can be one of the following: Enabled: This policy condition is active. Disabled: This policy condition is inactive and will not be evaluated. Monitor Only: This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page. In this, see the detailed report which will have the monitored step and attribute. For example, you may want to add a new policy condition, but are not sure if the condition would provide you with the correct results. In this situation, you can create the policy condition in monitored mode to view the results and then enable it if you are satisfied with the results.
Rule Name	Enter a name for this authentication policy.
Conditions	From a new policy row, click the plus (+) icon or from an existing policy row, click the Edit icon to open the Conditions Studio.
Use	Choose the identity source that you want to use for authentication. You can also choose an identity source sequence if you have configured it. You can edit the default identity source that you want Cisco ISE to use in case none of the identity sources defined in this rule match the request.
Options	Define a further course of action for authentication failure, user not found, or process failure events. You can choose one of the following options: Reject: A reject response is sent. Drop: No response is sent. Continue: Cisco ISE proceeds with the authorization policy.
Hits	Hits are a diagnostic tool indicating the number of times the conditions have matched.
Actions	Click the cog icon from the Actions column to view and select different actions: Insert new row above: Insert a new authentication policy above the policy from which you opened the Actions menu. Insert new row below: Insert a new authentication policy below the policy from which you opened the Actions menu. Duplicate above: Insert a duplicate authentication policy above the policy from which you opened the Actions menu, above the original set. Duplicate below: Insert a duplicate authentication policy below the policy from which you opened the Actions menu, below the original set. Delete: Delete the policy set.

Local and Global Exceptions Configuration Settings

For network access policies, choose Work Centers > Network Access > Policy Sets. For device administration policies, choose Work Centers > Device Administration > Device Admin Policy Sets. From the Policy Sets window, choose View > Local Exceptions Policy or Global Exceptions Policy.

Authorization exception settings are identical to the Authorization policy settings and are as described in Authorization Policy Settings.

Authorization Policy Settings

The following table describes the fields in the Authorization Policy section of the Policy Sets window, from which you can configure authorization policies as part of your policy sets. For network access policies, choose Work Centers > Network Access > Policy Sets. For device administration policies, choose Work Centers > Device Administration > Device Admin Policy Sets. From the Policy Sets page, choose View > Authorization Policy.

Table 3. Authorization Policy Configuration Settings
Field Name	Usage Guidelines
Status	Choose the status of this policy. It can be one of the following: Enabled: This policy condition is active. Disabled: This policy condition is inactive and will not be evaluated. Monitor Only: This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page. In this, see the detailed report which will have the monitored step and attribute. For example, you may want to add a new policy condition, but are not sure if the condition would provide you with the correct results. In this situation, you can create the policy condition in monitored mode to view the results and then enable it if you are satisfied with the results.
Rule Name	Enter a unique name for this policy.
Conditions	From a new policy row, click the plus (+) icon or from an existing policy row, click the Edit icon to open the Conditions Studio.
Results or Profiles	Select the relevant authorization profile, which determines the different levels of permissions offered to the configured security group. If you have not yet configured the relevant authorization profile, you can do so inline.
Results or Security Groups	Select the relevant security group, which determines the groups of users relevant to the specific rule. If you have not yet configured the relevant security group, you can do so inline.
Results or Command Sets	Command sets enforce the specified list of commands that can be executed by a device administrator. When a device administrator issues operational commands on a network device, ISE is queried to determine whether the administrator is authorized to issue these commands. This is also referred to as command authorization.
Results or Shell Profiles	TACACS+ shell profiles control the initial login session of the device administrator.
Hits	Hits are a diagnostic tool indicating the number of times the conditions have matched.
Actions	Click the cog icon from the Actions column to view and select different actions: Insert new row above: Insert a new authorization rule above the rule from which you opened the Actions menu. Insert new row below: Insert a new authorization rule below the rule from which you opened the Actions menu. Duplicate above: Insert a duplicate authorization rule above the rule from which you opened the Actions menu, above the original set. Duplicate below: Insert a duplicate authorization rule below the rule from which you opened the Actions menu, below the original set. Delete: Delete the rule.

Endpoint Profiling Policies Settings

Table 4. Endpoint Profiling Policies Settings
Field Name	Usage Guidelines
Name	Enter the name of the endpoint profiling policy that you want to create.
Description	Enter the description of the endpoint profiling policy that you want to create.
Policy Enabled	By default, the Policy Enabled check box is checked to associate a matching profiling policy when you profile an endpoint. When unchecked, the endpoint profiling policy is excluded when you profile an endpoint.
Minimum Certainty Factor	Enter the minimum value that you want to associate with the profiling policy. The default value is 10.
Exception Action	Choose an exception action, which you want to associate with the conditions when defining a rule in the profiling policy. The default is NONE. The exception actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Exception Actions.
Network Scan (NMAP) Action	Choose a network scan action from the list, which you want to associate with the conditions when defining a rule in the profiling policy, if required. The default is NONE. The exception actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Network Scan (NMAP) Actions.
Create an Identity Group for the policy	Check one of the following options to create an endpoint identity group: Yes, create matching Identity Group No, use existing Identity Group hierarchy
Yes, create matching Identity Group	Choose this option to use an existing profiling policy. This option creates a matching identity group for those endpoints and the identity group will be the child of the Profiled endpoint identity group when an endpoint profile matches an existing profiling policy. For example, the Xerox-Device endpoint identity group is created in the Endpoints Identity Groups page when endpoints discovered on your network match the Xerox-Device profile.
No, use existing Identity Group hierarchy	Check this check box to assign endpoints to the matching parent endpoint identity group using hierarchical construction of profiling policies and identity groups. This option allows you to make use of the endpoint profiling policies hierarchy to assign endpoints to one of the matching parent endpoint identity groups, as well as to the associated endpoint identity groups to the parent identity group. For example, endpoints that match an existing profile are grouped under the appropriate parent endpoint identity group. Here, endpoints that match the Unknown profile are grouped under Unknown, and endpoints that match an existing profile are grouped under the Profiled endpoint identity group. For example, If endpoints match the Cisco-IP-Phone profile, then they are grouped under the Cisco-IP-Phone endpoint identity group. If endpoints match the Workstation profile, then they are grouped under the Workstation endpoint identity group. The Cisco-IP-Phone and Workstation endpoint identity groups are associated to the Profiled endpoint identity group in the system.
Parent Policy	Choose a parent profiling policy that are defined in the system to which you want to associate the new endpoint profiling policy. You can choose a parent profiling policy from which you can inherit rules and conditions to its child.
Associated CoA Type	Choose one of the following CoA types that you want to associate with the endpoint profiling policy: No CoA Port Bounce Reauth Global Settings that is applied from the profiler configuration set in Administration > System > Settings > Profiling
Rules	One or more rules that are defined in endpoint profiling policies determine the matching profiling policy for endpoints, which allows you to group endpoints according to their profiles. One or more profiling conditions from the policy elements library are used in rules for validating endpoint attributes and their values for the overall classification.
Conditions	Click the plus [+] sign to expand the Conditions anchored overlay, and click the minus [-] sign, or click outside the anchored overlay to close it. Click Select Existing Condition from Library or Create New Condition (Advanced Option) . Select Existing Condition from Library: You can define an expression by selecting Cisco predefined conditions from the policy elements library. Create New Condition (Advanced Option): You can define an expression by selecting attributes from various system or user-defined dictionaries. You can associate one of the following with the profiling conditions: An integer value for the certainty factor for each condition Either an exception action or a network scan action for that condition Choose one of the following predefined settings to associate with the profiling condition: Certainty Factor Increases: Enter the certainty value for each rule, which can be added for all the matching rules with respect to the overall classification. Take Exception Action: Triggers an exception action that is configured in the Exception Action field for this endpoint profiling policy. Take Network Scan Action: Triggers a network scan action that is configured in the Network Scan (NMAP) Action field for this endpoint profiling policy.
Select Existing Condition from Library	You can do the following: You can choose Cisco predefined conditions that are available in the policy elements library, and then use an AND or OR operator to add multiple conditions. Click the Action icon to do the following in the subsequent steps: Add Attribute or Value: You can add ad-hoc attribute or value pairs Add Condition from Library: You can add Cisco predefined conditions Duplicate: Create a copy of the selected condition Add Condition to Library: You can save ad-hoc attribute/value pairs that you create to the policy elements library Delete: Delete the selected condition.
Create New Condition (Advance Option)	You can do the following: You can add ad-hoc attribute/value pairs to your expression, and then use an AND or OR operator to add multiple conditions. Click the Action icon to do the following in the subsequent steps: Add Attribute or Value: You can add ad-hoc attribute or value pairs Add Condition from Library: You can add Cisco predefined conditions Duplicate: Create a copy of the selected condition Add Condition to Library: You can save ad-hoc attribute/value pairs that you create to the policy elements library Delete: Delete the selected condition. You can use the AND or OR operator

Endpoint Context Visibility Using UDID Attribute

The Unique Identifier (UDID) is an endpoint attribute that identifies MAC addresses of a particular endpoint. An endpoint can have multiple MAC addresses. For example, one MAC address for the wired interface and another for the wireless interface. The AnyConnect agent generates a UDID for that endpoint, and saves it as an endpoint attribute. The UDID remains constant for an endpoint; the UDID does not change with the AnyConnect installation or uninstallation. When using UDID, Context Visibility window (Context Visibility > Endpoints > Compliance) displays one entry instead of multiple entries for endpoints with multiple NICs. You can ensure posture control on a specific endpoint rather than on a Mac address.

Note

The endpoint must have AnyConnect 4.7 or higher to create the UDID.

RADIUS Vendor Dictionary Attribute Settings

This section describes RADIUS vendor dictionaries used in Cisco ISE.

The following table describes the fields in the Dictionary window for RADIUS vendors, which allows you to configure dictionary attributes for the RADIUS vendors. The navigation path for this window is Policy > Policy Elements > Dictionaries > System > RADIUS > RADIUS Vendors.

Table 5. RADIUS Vendor Dictionary Attribute Settings
Field Name	Usage Guidelines
Attribute Name	Enter the vendor specific attribute name for the selected RADIUS vendor.
Description	Enter an optional description for the vendor specific attribute.
Internal Name	Enter the name for the vendor specific attribute that refers to it internally in the database.
Data Type	Choose one of the following data types for the vendor specific attribute: STRING OCTET_STRING UNIT32 UNIT64 IPV4 IPV6
Enable MAC option	Check this check box to enable the comparison of RADIUS attribute as MAC address. By default, for the RADIUS attribute calling-station-id this option is marked as enabled and you cannot disable it. For other dictionary attributes (of string types) within the RADIUS vendor dictionary, you can enable or disable this option. Once you enable this option, while setting the authentication and authorization conditions, you can define whether the comparison is clear string by selecting the Text option or whether it is MAC address by selecting the MAC address option.
Direction	Choose one of the options that applies to RADIUS messages:
ID	Enter the vendor attribute ID. The valid range is 0 to 255.
Allow Tagging	Check this check box to mark the attribute as being permitted to have a tag, as defined in RFC2868. The purpose of the tag is to allow grouping of attributes for tunnelled users. See RFC2868 for more details. The tagged attributes support ensures that all attributes pertaining to a given tunnel contain the same value in their respective tag fields, and that each set includes an appropriately-valued instance of the Tunnel-Preference attribute. This conforms to the tunnel attributes that are to be used in a multi-vendor network environment, thereby eliminating interoperability issues among Network Access Servers (NASs) manufactured by different vendors.
Allow Multiple Instances of this Attribute in a Profile	Check this check box when you want multiple instances of this RADIUS vendor specific attribute in profiles.

Special Conditions

This section describes policy conditions used for profiling endpoints, posture clients, and to limit or extend permission to access to Cisco ISE system resources.

Profiler Condition Settings

The following table describes the fields in the Profiler Condition window. The navigation path for this window is Policy > Policy Elements > Conditions > Profiling.

Table 6. Profiler Condition Settings
Field Name	Usage Guidelines
Name	Name of the profiler condition.
Description	Description of the profiler condition.
Type	Choose any one of the predefined types.
Attribute Name	Choose an attribute on which to base the profiler condition.
Operator	Choose an operator.
Attribute Value	Enter the value for the attribute that you have chosen. For Attribute Names that contain pre-defined Attribute Values, this option displays a drop-down list with the pre-defined values, and you can choose a value.
System Type	Profiling conditions can be any one of the following types: Cisco Provided: Profiling conditions that are provided by Cisco ISE when deployed are identified as Cisco Provided. You cannot edit or delete them from the system. Administrator Created: Profiling conditions that you create as an administrator of Cisco ISE are identified as Administrator Created.

Posture Condition Settings

This section describes simple and compound conditions used for posture.

File Condition Settings

The following table describes the fields in the File Conditions window. The navigation path for this window is Policy > Policy Elements > Conditions > Posture > File Condition.

Table 7. File Condition Settings
Field Name	Usage Guidelines for Windows OS	Usage Guidelines for Mac OSX
Name	Enter the name of the file condition.	Enter the name of the file condition.
Description	Enter a description for the file condition.	Enter a description for the file condition.
Operating System	Select any Windows operating system to which the file condition should be applied.	Select any Mac OSX to which the file condition should be applied.
File Type	Choose one of the predefined settings: FileDate: Checks whether a file with a particular file-created or file-modified date exists in the system. FileExistence: Checks whether a file exists in the system. FileVersion: Checks whether a particular version of a file exists in the system. CRC32: Checks the data integrity of a file using the checksum function. SHA-256: Checks the data integrity of a file using the hash function.	Choose one of the predefined settings: FileDate: Checks whether a file with a particular file-created or file-modified date exists in the system. FileExistence: Checks whether a file exists in the system. CRC32: Checks the data integrity of a file using the checksum function. SHA-256: Checks the data integrity of a file using the hash function. PropertyList: Checks the property value in a plist file, such as loginwindow.plist.
Data Type and Operator	NA	(Available only if you select PropertyList as the File Type) Choose the data type or value of the key to be searched in the plist files. Each data type contains a set of operators. Unspecified: Checks the existence of the specified key. Enter an Operator (Exists, DoesNotExist). Number: Checks for the specified key of number data type. Enter an Operator (equals, does not equal, greater than, less than, greater than or equal to, less than or equal to) and a Value. String: Checks for the specified key of string data type. Enter an Operator (equals, does not equal, equals (ignore case), starts with, does not start with, contains, does not contain, ends with, does not end with) and a Value. Version: Checks for the value of the specified key as a version string. Enter an Operator (earlier than, later than, same as) and a Value.
Property Name	NA	(Available only if you select PropertyList as the File Type) Enter a name of the key, for example, BuildVersionStampAsNumber
File Path	Choose one of the predefined settings: ABSOLUTE_PATH: Checks the file in the fully qualified path of the file. For example, C:\<directory>\file name. For other settings, enter only the file name. SYSTEM_32: Checks the file in the C:\WINDOWS\system32 directory. Enter the file name. SYSTEM_DRIVE: Checks the file in the C:\ drive. Enter the file name. SYSTEM_PROGRAMS: Checks the file in the C:\Program Files. Enter the file name. SYSTEM_ROOT: Checks the file in the root path for Windows system. Enter the file name. USER_DESKTOP: Checks if the specified file is present on the Windows user's desktop. Enter the file name. USER_PROFILE: Checks if the file is present in the Windows user's local profile directory. Enter the file path.	Choose one of the predefined settings: Root: Checks the file in the root (/) directory. Enter the file path. Home: Checks the file in the home (~) directory. Enter the file path.
File Date Type	(Available only if you select FileDate as the File Type) Choose Creation Date or Modification Date.	(Available only if you select FileDate as the File Type) Choose Creation Date or Modification Date.
File Operator	The File Operator options change according to the settings you select in the File Type. Choose the settings appropriately: FileDate EarlierThan LaterThan EqualTo FileExistence Exists DoesNotExist FileVersion EarlierThan LaterThan EqualTo	The File Operator options change according to the settings you select in the File Type. Choose the settings appropriately: FileDate EarlierThan LaterThan EqualTo FileExistence Exists DoesNotExist
File CRC Data	(Available only if you select CRC32 as the File Type) You can enter a checksum value, for example, 0x3c37fec3 to check file integrity. The checksum value should start with 0x, a hexadecimal integer.	(Available only if you select CRC32 as the File Type) You can enter a checksum value, for example, 0x3c37fec3 to check file integrity. The checksum value should start with 0x, a hexadecimal integer.
File SHA-256 Data	(Available only if you select SHA-256 as the File Type) You can enter a 64-byte hexadecimal hash value to check file integrity.	(Available only if you select SHA-256 as the File Type) You can enter a 64-byte hexadecimal hash value to check file integrity.
Date and Time	(Available only if you select FileDate as the File Type) Enter the date and time of the client system in mm/dd/yyyy and hh:mm:ss format.	(Available only if you select FileDate as the File Type) Enter the date and time of the client system in mm/dd/yyyy and hh:mm:ss format.

Firewall Condition Settings

The Firewall condition checks if a specific Firewall product is running on an endpoint. The list of supported Firewall products is based on the OPSWAT support charts. You can enforce policies during initial posture and Periodic Reassessment (PRA).

Cisco ISE provides default Firewall conditions for Windows and Mac OS. These conditions are disabled by default.


Field Name	Usage Guidelines
Name	Enter the name of the Firewall condition.
Description	Enter a description for the Firewall condition.
Compliance Module	Choose the required compliance module. 4.x or later 3.x or later Any Version
Operating System	Checks If the required Firewall product is installed on an endpoint. You can select the Windows OS or Mac OSX.
Vendor	Choose a vendor name from the drop-down list. The Firewall products of a vendor and their check type are retrieved and displayed in the Products for Selected Vendor table. The list in the table changes according to the selected operating system.
Check Type	Enabled: To check if a specific Firewall is running on an endpoint. Verify if the vendor's product supports the chosen check type by referring to the Products for Selected Vendor list.

Registry Condition Settings

The following table describes the fields in the Registry Conditions window. The navigation path for this window is Policy > Policy Elements > Conditions > Posture > Registry Condition.

Table 8. Registry Condition Settings
Field Name	Usage Guidelines
Name	Enter the name of the registry condition.
Description	Enter a description for the registry condition.
Registry Type	Choose one of the predefined settings as the registry type.
Registry Root Key	Choose one of the predefined settings as the registry root key.
Sub Key	Enter the sub key without the backslash (“\”) to check the registry key in the path specified in the Registry Root Key. For example, SOFTWARE\Symantec\Norton AntiVirus\version will check the key in the following path: HKLM\SOFTWARE\Symantec\NortonAntiVirus\version
Value Name	(Available only if you select RegistryValue or RegistryValueDefault as the Registry Type) Enter the name of the registry key value to be checked for RegistryValue. This is the default field for RegistryValueDefault.
Value Data Type	(Available only if you select RegistryValue or RegistryValueDefault as the Registry Type) Choose one of the following settings: Unspecified: Checks whether the registry key value exists or not. This option is available only for RegistryValue. Number: Checks the specified number in the registry key value String: Checks the string in the registry key value Version: Checks the version in the registry key value
Value Operator	Choose the settings appropriately.
Value Data	(Available only if you select RegistryValue or RegistryValueDefault as the Registry Type) Enter the value of the registry key according to the data type you have selected in Value Data Type.
Operating System	Select the operating system to which the registry condition should be applied.

Application Condition Settings

The following table describes the fields in the Application Conditions window. The navigation path for this window is: Policy > Policy Elements > Conditions > Posture > Application Condition.

Table 9. Application Condition Settings
Field Name	Usage Guidelines
Name	Enter the name of the application condition.
Description	Enter a description of the application condition.
Operating System	Select the Windows OS or the MAC OSX to which the application condition should be applied.
Process Name	Enter the name of the application to be checked.
Application Operator	Choose the status to be checked.

Continuous Endpoint Attribute Monitoring

You can use the AnyConnect agent to continuously monitor different endpoint attributes to ensure that dynamic changes are observed during posture assessment. This improves the overall visibility of an endpoint and helps you create posture policies based on their behavior. The AnyConnect agent monitors applications that are installed and running on an endpoint. You can turn on and off the feature and configure how often the data should be monitored. By default, data is collected every 5 minutes and is stored in the database. During initial posture, AnyConnect reports a complete list of running and installed applications. After initial posture, the AnyConnect agent scans the applications every X minute and sends the differences from the last scan to the server. The server displays the complete list of running and installed applications.

Application Condition Settings

The application condition queries for applications that are installed on an endpoint. This helps you to get an aggregate visibility of the software distributed on your endpoints.

Field Name

Usage Guidelines

Name

Enter the name of the application condition.

Description

Enter the description for the application condition.

Operating System

Select the Windows OS or MAC OSX to which the application condition should be applied.

Compliance Module

Choose one of the following options:

4.x or later
3.x or earlier
Any Version

Check By

Choose one of the following options:

Process: Choose this option to check if a process is running on an endpoint.
Application: Choose this option to check if an application is running on an endpoint.

Process Name

(Available only when you select Process as the Check By option) Enter the required process name.

Application Operator

(Available only when you select Process as the Check By option) Choose one of the following options:

Running: Choose this option to check if an application is running on an endpoint.
Not Running: Choose this option to check whether an application is not running on an endpoint.

Application State

(Available only when you select Application as the Check By option) Choose one of the following options:

Installed: Choose this option to check whether the clients have malicious applications installed. If a malicious application is found, the remediation action is triggered.
Running: Choose this option to check if an application is running on an endpoint.

Provision By

(Available only when you select Application as the Check By option) Choose one of the following options:

Everything: You can select all listed categories such as Browser, Patch Management, and so on.
Name: You should select at least one category. For example, if you choose the Browser category, it displays the corresponding vendors in the Vendor drop-down list.
Category: You can check one or more categories such as Anti-Malware, Backup, Browser, or Data Storage.

Note

Categories are dynamically updated from the OPSWAT library.

You can view the number of installed and running applications for each endpoint in the Context Visibility > Endpoints > Compliance window.

The Home > Summary > Compliance window displays the percentage of endpoints that are subject to posture assessment and are compliant.

Service Condition Settings

The following table describes the fields in the Service Conditions window. The navigation path for this window is Policy > Policy Elements > Conditions > Posture > Service Condition.

Table 10. Service Conditions Settings
Field Name	Usage Guidelines
Name	Enter a name for the service condition.
Description	Enter a description of the service condition.
Operating Systems	Select the operating system to which the service condition should be applied. You can select different versions of the Windows OS or Mac OSX.
Service Name	Enter the name of the Daemon or User Agent service, for example, com.apple.geod, running as root. The AnyConnect agent uses the command sudo launchctl list to validate the service condition.
Service Type	Choose the type of service that AnyConnect should check for to ensure client compliance: Daemon: Checks if a specified service, such as scanning a client device for malware, is present in the specified list of Daemon services in the client. User Agent: Checks if a specified service, such as a service that runs when malware is detected, is present in the specified list of User services in the client. Daemon or User Agent: Checks if the specified services are present either in the Daemon or User Agent services list.
Service Operator	Choose the service status that you want to check in the client: Windows OS: To check if a service is Running or Not Running. Mac OSX: To check if a service is Loaded, Not Loaded, Loaded and Running, Loaded with Exit Code, and Loaded and running or with Exit code.

Posture Compound Condition Settings

The following table describes the fields in the Compound Conditions window. The navigation path for this window is Policy > Policy Elements > Conditions > Posture > Compound Condition.

Table 11. Posture Compound Condition Settings
Field Name	Usage Guidelines
Name	Enter the name of the compound condition that you want to create.
Description	Enter the description of the compound condition that you want to create.
Operating System	Select one or more Windows operating systems. This allows you to associate Windows operating systems to which the condition is applied.
Parentheses ( )	Click the parentheses to combine two simple conditions from the following simple condition types: file, registry, application, and service conditions.
( & ): AND operator (use “&” for an AND operator, without the quotes)	You can use the AND operator (ampersand [ & ]) in a compound condition. For example, enter Condition1 & Condition2.
( \| ): OR operator (use “\|” for an OR operator, without the quotes)	You can use the OR operator (horizontal bar [ \| ]) in a compound condition. For example, enter Condition1 & Condition2.
( ! ): NOT operator (use “!” for a NOT operator, without the quotes)	You can use the NOT operator (exclamation point [ ! ]) in a compound conditions. For example, enter Condition1 & Condition2.
Simple Conditions	Choose from a list of simple conditions of the following types: file, registry, application, and service conditions. You can also create simple conditions of file, registry, application, and service conditions from the object selector. Click the quick picker (down arrow) on the Action button to create simple conditions of file, registry, application, and service conditions.

AntiVirus Condition Settings

The following table describes the fields in the Anti-Virus Condition window. The navigation path for this window is Policy > Policy Elements > Conditions > Posture > Anti-Virus Condition.

Table 12. AntiVirus Condition Settings
Field Name	Usage Guidelines
Name	Enter the name of the antivirus condition that you want to create.
Description	Enter the description of the antivirus condition that you want to create.
Operating System	Select an operating system to check the installation of an antivirus programs on your client, or check the latest antivirus definition file updates to which the condition is applied.
Vendor	Choose a vendor from the drop-down list. The selection of Vendor retrieves their antivirus products and versions, which are displayed in the Products for Selected Vendor table.
Check Type	Choose whether to check an installation or check the latest definition file update on the client.
Installation	Choose to check only the installation of an antivirus program on the client.
Definition	Choose to check only the latest definition file update of an antivirus product on the client.
Check against latest AV definition file version, if available	(Available only when you choose Definition check type) Choose to check the antivirus definition file version on the client against the latest antivirus definition file version, if available as a result of posture updates in Cisco ISE. Otherwise, this option allows you to check the definition file date on the client against the latest definition file date in Cisco ISE.
Allow virus definition file to be (Enabled)	(Available only when you choose Definition check type) Choose to check the antivirus definition file version and the latest antivirus definition file date on the client. The latest definition file date cannot be older than that you define in the next field (days older than field) from the latest antivirus definition file date of the product or the current system date. If unchecked, Cisco ISE allows you to check only the version of the antivirus definition file using the Check against latest AV definition file version, if available option.
Days Older than	Define the number of days that the latest antivirus definition file date on the client can be older from the latest antivirus definition file date of the product or the current system date. The default value is zero (0).
Latest File Date	Choose to check the antivirus definition file date on the client, which can be older by the number of days that you define in the days older than field. If you set the number of days to the default value (0), then the antivirus definition file date on the client should not be older than the latest antivirus definition file date of the product.
Current System Date	Choose to check the antivirus definition file date on the client, which can be older by the number of days that you define in the days older than field. If you set the number of days to the default value (0), then the antivirus definition file date on the client should not be older than the current system date.
Products for Selected Vendor	Choose an antivirus product from the table. Based on the vendor that you select in the New Anti-virus Condition page, the table retrieves information on their antivirus products and their version, remediation support that they provide, latest definition file date and its version. The selection of a product from the table allows you to check for the installation of an antivirus program, or check for the latest antivirus definition file date, and its latest version.

Antispyware Compound Condition Settings

The following table describes the fields in the AS Compound Conditions window. The navigation path for this window is Policy > Policy Elements > Conditions > AS Compound Condition.

Table 13. Antispyware Compound Condition Settings
Field Name	Usage Guidelines
Name	Enter the name of the antispyware compound condition that you want to create.
Description	Enter the description of the antispyware compound condition that you want to create.
Operating System	Selecting an operating system allows you to check the installation of an antispyware program on your client, or check the latest antispyware definition file updates to which the condition is applied.
Vendor	Choose a vendor from the drop-down list. The selection of Vendor retrieves their antispyware products and versions, which are displayed in the Products for Selected Vendor table.
Check Type	Choose if you want to choose a type whether to check an installation, or check the latest definition file update on the client.
Installation	Choose if you want to check only the installation of an antispyware program on the client.
Definition	Choose if you want to check only the latest definition file update of an antispyware product on the client.
Allow Virus Definition File to be (Enabled)	Check this check box when you are creating antispyware definition check types, and disabled when creating antispyware installation check types. If checked, the selection allows you to check antispyware definition file version and the latest antispyware definition file date on the client. The latest definition file date cannot be older than that you define in the days older than field from the current system date. If unchecked, the selection allows you to check only the version of the antispyware definition file as the Allow virus definition file to be check box is not checked.
Days Older than	Define the number of days that the latest antispyware definition file date on the client can be older from the current system date. The default value is zero (0).
Current System Date	Choose to check the antispyware definition file date on the client, which can be older by the number of days that you define in the days older than field. If you set the number of days to the default value (0), then the antispyware definition file date on the client should not be older than the current system date.
Products for Selected Vendor	Choose an antispyware product from the table. Based on the vendor that you select in the New Anti-spyware Compound Condition page, the table retrieves information on their antispyware products and their version, remediation support that they provide, latest definition file date and its version. The selection of a product from the table allows you to check for the installation of an antispyware program, or check for the latest antispyware definition file date, and its latest version.

Antimalware Condition Settings

The antimalware condition is a combination of the antispyware and antivirus conditions and is supported by OESIS version 4.x or later compliance module.

The following table describes the fields in the Antimalware Conditions window. The navigation path is Work Centers > Posture > Posture Elements > Conditions > Antimalware. You can also access the option in the Policy > Policy Elements > Conditions > Posture > Antimalware Condition window.

Note

It is recommended that you manually update the installed Antimalware products to have the latest definitions at least once. Otherwise, the posture checks using AnyConnect for Antimalware definitions might fail.

Table 14. Antimalware Condition Settings
Field Name	Usage Guidelines
Name	Enter the name of the antimalware condition.
Description	Enter a description of the antimalware condition.
Compliance Module	Support for OESIS version 4.x or later.
Operating System	Select an operating system to check the installation of antimalware programs on your client, or check the latest antimalware definition file updates to which the condition is applied. It supports both MAC and Windows OS.
Vendor	Choose a vendor from the drop-down list. The selected vendor's antimalware products, versions, latest definition dates, latest definition versions, and the minimum compliance module versions, are displayed in the Products for Selected Vendor table.
Check Type	Choose whether to check an installation or check the latest definition file update on the client.
Installation	Choose this option to check if an antimalware program is installed on the client.
Definition	Choose this option to check the latest definition file update of an antimalware product on the client.
Check Against Latest AV Definition File Version, if Available	(Available only when you choose Definition check type) Choose to check the antimalware definition file version on the client against the latest antimalware definition file version, if available as a result of posture updates in Cisco ISE. Otherwise, this option allows you to check the definition file date on the client against the latest definition file date in Cisco ISE. This check will only work if there is a value listed in Cisco ISE for the Latest Definition Date or Latest Definition Version field for the selected product. Otherwise, the Current System Date field must be used.
Allow Virus Definition File to be (Enabled)	(Available only when you choose Definition check type) Choose to check the antimalware definition file version and the latest antimalware definition file date on the client. The latest definition file date cannot be older than that you define in the next field (days older than field) from the latest antimalware definition file date of the product or the current system date. If unchecked, Cisco ISE allows you to check only the version of the antimalware definition file using the Check against latest AV definition file version, if available option.
Days Older Than	Define the number of days that the latest antimalware definition file date on the client can be older from the latest antimalware definition file date of the product or the current system date. The default value is zero (0).
Latest File Date	Choose to check the antimalware definition file date on the client, which can be older by the number of days that you define in the days older than field. If you set the number of days to the default value (0), then the antimalware definition file date on the client should not be older than the latest antimalware definition file date of the product. This check works only if there is a value listed in Cisco ISE for the Latest Definition Date field for the selected product. Otherwise, the Current System Date field must be used.
Current System Date	Choose to check the antimalware definition file date on the client, which can be older by the number of days that you define in the days older than field. If you set the number of days to the default value (0), then the antimalware definition file date on the client should not be older than the current system date.
Products for Selected Vendor	Choose an antimalware product from the table. Based on the vendor that you select in the New Antimalware Condition page, the table retrieves information on their antimalware products and their version, remediation support that they provide, latest definition file date and its version. The selection of a product from the table allows you to check for the installation of an antimalware program, or check for the latest antimalware definition file date, and its latest version.

Dictionary Simple Condition Settings

The following table describes the fields in the Dictionary Simple Conditions window. The navigation path for this window is Policy > Policy Elements > Conditions > Posture > Dictionary Simple Condition.

Table 15. Dictionary Simple Condition Settings
Field Name	Usage Guidelines
Name	Enter the name of the dictionary simple condition that you want to create.
Description	Enter the description of the dictionary simple condition that you want to create.
Attribute	Choose an attribute from the dictionary.
Operator	Choose an operator to associate a value to the attribute that you have selected.
Value	Enter a value that you want to associate to the dictionary attribute, or choose a predefined value from the drop-down list.

Dictionary Compound Condition Settings

The following table describes the fields in the Dictionary Compound Conditions window. The navigation path for this window is Policy > Policy Elements > Conditions > Posture > Dictionary Compound Condition.

Table 16. Dictionary Compound Condition Settings
Field Name	Usage Guidelines
Name	Enter the name of the dictionary compound condition that you want to create.
Description	Enter the description of the dictionary compound condition that you want to create.
Select Existing Condition from Library	Define an expression by selecting pre-defined conditions from the policy elements library or add ad-hoc attribute/value pairs to your expression in the subsequent steps.
Condition Name	Choose dictionary simple conditions that you have already created from the policy elements library.
Expression	The Expression is updated based on your selection from the Condition Name drop-down list.
AND or OR operator	Choose an AND, or an OR operator to logically combine dictionary simple conditions, which can be added from the library. Click the Action icon to do the following: Add Attribute/Value Add Condition from Library Delete
Create New Condition (Advance Option)	Select attributes from various system or user-defined dictionaries. You can also add predefined conditions from the policy elements library in the subsequent steps.
Condition Name	Choose a dictionary simple condition that you have already created.
Expression	From the Expression drop-down list, you can create a dictionary simple condition.
Operator	Choose an operator to associate a value to an attribute.
Value	Enter a value that you want to associate to the dictionary attribute, or choose a value from the drop-down list.

Patch Management Condition Settings

The following table describes the fields in the Patch Management Conditions window. The navigation path isTo view this window, click the Menu icon () and choose Policy > Policy Elements > Conditions > Posture > Patch Management Condition.

Table 17. Patch Management Condition

Field Name

Usage Guidelines

Name

Enter the name of the patch management condition.

Description

Enter a description for the patch management condition.

Operating System

Choose an operating system to check the installation of a patch management software on the endpoint, or check the latest patch management definition file updates to which the condition is applied. You can select the Windows OS or Mac OSX. You can also select more than one version of an operating system to create the patch management condition.

Vendor Name

Choose a vendor from the Vendor Name drop-down list. Based on your selection, the patch management products and their supported versions, check type, and minimum compliant module support details are displayed in the Products for Selected Vendor table. The list in the table changes according to the selected operating system.

Check Type

Choose one of the following options:

Installation: To check if the selected product is installed on the endpoint. This check type is supported by all vendors.

Note

For the Cisco Temporal Agent, you can only view the Patch Management conditions containing the Installation check type in the Requirements window.

Enabled: To check if the selected product is enabled on the endpoint. Verify if the vendor's product supports the chosen check type by referring to the Products for Selected Vendor list.
Up to Date: To check if the selected product does not have missing patches. Verify if the vendor's product supports the chosen check type by referring to the Products for Selected Vendor list.

Click the Products for Selected Vendor drop-down list to view the list of products that the vendor you have specified in the Vendor Name field supports. For example, if you have selected Vendor A that has two products, namely Product 1 and Product 2. Product 1 may support the Enabled option, whereas Product 2 might not. Or, if Product 1 does not support any of the check types, it is grayed out.

Note

(Applicable for Cisco ISE 2.3 and above, and AnyConnect 4.5 and above) If you select the Up to Date Check Type in the Patch Management condition with SCCM, then Cisco ISE:

Uses the Microsoft API to check the current security patch for the specified severity level.
Triggers the Patch Management remediation for that missing security patch.

Check Patches Installed

(Available only when you select the Up To Date check type) You can configure severity levels for missing patches, which are then deployed based on the severity. Choose one of the following options:

Critical Only: To check if critical software patches are installed on the endpoints in your deployment.
Important and Critical: To check if important and critical software patches are installed on the endpoints in your deployment.
Moderate, Important, and Critical: To check if moderate, important, and critical software patches are installed on the endpoints in your deployment.
Low To Critical: To check if low, moderate, important, and critical software patches are installed on the endpoints in your deployment.
All: To install the missing patches for all severity levels.

Disk Encryption Condition Settings

The following table describes the fields in the Disk Encryption Condition window. The navigation path is Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition.

Table 18. Disk Encryption Condition Settings

Field Name

Usage Guidelines

Name

Enter the name of the disk encryption condition that you want to create.

Description

Enter a description for the disk encryption condition.

Operating System

Select an operating system of the end point, whose disk is to be checked for encryption. You can select the Windows OS or Mac OSX. You can also select more than one version of an operating system to create the disk encryption condition.

Vendor Name

Choose a vendor name from the drop-down list. The data encryption products of a vendor, and their supported version, the encryption state check, and the minimum compliant module support are retrieved and displayed in the Products for Selected Vendor table. The list in the table changes according to the selected operating system.

Location

Enabled only when an option is checked in the Products for Selected Vendor section. Select any one of the following options:

Specific Location: To check if the specified disk drive is encrypted in the end point, (for example, C: for Windows OS) or a specified volume label is encrypted, (for example, Mackintosh HD for Mac OSX).
System Location: To check if the default Windows OS system drive or Mac OSX hard drive is encrypted in the end point.

Encryption State

The Encryption State checkbox is disabled when the selected product does not support encryption state check. The repeater is displayed only when the checkbox is checked. You can select the Fully Encrypted option to check if the client's disk drive is wholly encrypted.

If you create a condition, for example for TrendMicro, and select two vendors—one with the Encryption State "Yes" and another with the Encryption State "No", then the Encryption State will be disabled because one of the Vendor Encryption States is "No".

Note

You can click the repeater to add more Locations and the relationship between each location is the logical AND operator.

USB Condition Settings

The following table describes the fields in the USB Condition window. The navigation path is Work Centers > Posture > Policy Elements > USB. You can also navigate to the Policy > Policy Elements > Conditions > Posture > USB Condition window.

The USB check is a predefined condition and supports only Windows OS.

Table 19. USB Condition Settings
Field Name	Usage Guidelines
Name	USB_Check
Description	Cisco predefined check
Operating System	Windows
Compliance Module	A display-only field for ISE posture compliance module support for version 4.x (and later).

Hardware Attributes Condition Settings

Choose Policy > Policy Elements > Hardware Attributes Condition to access the Hardware Attributes Condition window. The following table describes the fields in the Hardware Attributes Condition window.


Field Name	Usage Guidelines
Name	Hardware_Attributes_Check: The default name assigned to the condition.
Description	Cisco predefined check that collects hardware attributes from clients.
Operating System	Windows All or Mac OS
Compliance Module	4.x or later

Time and Date Condition Settings

The following table describes the fields in the Time and Date Conditions window. The navigation path for this window is Policy > Policy Elements > Conditions > Common > Time and Date.

Table 20. Time and Date Condition Settings
Field Name	Usage Guidelines
Condition Name	Enter the name of the time and date condition.
Description	Enter a description of the time and date condition.
Standard Settings
All Day	(Default) Set for the entire day.
Specific Hours	Configure hours, minutes, and AM/PM to set a to-and-from time range.
Every Day	(Default) Set for every day.
Specific Days	Configure one or more specific days of the week.
No Start and End Dates	(Default) Set with no start or end date.
Specific Date Range	Configure the month, day, and year to set a to-and-from date range.
Specific Date	Configure a specific month, day, and year.
Exceptions
Time Range	Configure the hours, minutes, and AM/PM to set a to-and-from time range.
Week Days	Configure one or more specific days of the week.
Date Range	Choose on the following two options: Specific Date Range: Provides drop-down lists you can use to configure a specific to-and-from date range by month, day, and year. Specific Date: Provides drop-down lists you can use to configure a specific month, day, and year.

Results

This section describes requirements for Cisco ISE services.

Allowed Protocols

The following table describes the fields in the Allowed Protocols window, which allows you to configure the protocols to be used during authentication. The navigation path is Policy > Policy Elements > Results > Authentication > Allowed Protocols.

Table 21. Allowed Protocols

Field Name

Usage Guidelines

Allowed Protocols > Authentication Bypass

Process Host Lookup

Check this check box if you want Cisco ISE to process the Host Lookup request. The Host Lookup request is processed for PAP/CHAP protocol when the RADIUS Service-Type equals 10 (Call-Check) and the username is equal to Calling-Station-ID. The Host Lookup request is processed for EAP-MD5 protocol when the Service-Type equals 1 (Framed) and the username is equal to Calling-Station-ID. Uncheck this check box if you want Cisco ISE to ignore the Host Lookup request and use the original value of the system username attribute for authentication. When unchecked, message processing is done according to the protocol (for example, PAP).

Note

Disabling this option could result in the failure of existing MAB authentications.

Allowed Protocols > Authentication Protocols

Allow PAP/ASCII

This option enables PAP/ASCII. PAP uses cleartext passwords (that is, unencrypted passwords) and is the least secure authentication protocol.

Allow CHAP

This option enables CHAP authentication. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Microsoft Active Directory.

Allow MS-CHAPv1

Check this check box to enable MS-CHAPv1.

Allow MS-CHAPv2

Check this check box to enable MS-CHAPv2.

Allow EAP-MD5

Check this check box to enable EAP-based MD5 password hashed authentication.

Allow EAP-TLS

Check this check box to enable EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how Cisco ISE will verify the user identity as presented in the EAP identity response from the end-user client. User identity is verified against information in the certificate that the end-user client presents. This comparison occurs after an EAP-TLS tunnel is established between Cisco ISE and the end-user client.

Note

EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only after you have completed the required steps to configure certificates.

Allow authentication of expired certificates to allow certificate renewal in Authorization Policy: Check this check box, if you want to allow users to renew certificates. If you check this check box, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further.
Enable Stateless Session Resume: Check this check box to allow EAP-TLS session resumption without requiring the session state to be stored at the server. Cisco ISE supports session ticket extension as described in RFC 5077. Cisco ISE creates a ticket and sends it to an EAP-TLS client. The client presents the ticket to ISE to resume a session.
Proactive Session Ticket update: Enter the value as a percentage to indicate how much of the Time To Live (TTL) must elapse before the session ticket is updated. For example, if you enter the value 60, the session ticket is updated after 60 percent of the TTL has expired.
Session ticket Time to Live: Enter the time after which the session ticket expires. This value determines the duration that a session ticket remains active. You can enter the value in seconds, minutes, hours, days, or weeks.

Allow LEAP

Check this check box to enable Lightweight Extensible Authentication Protocol (LEAP) authentication.

Allow PEAP

Check this check box to enable PEAP authentication protocol and PEAP settings. The default inner method is MS-CHAPv2.

When you check the Allow PEAP check box, you can configure the following PEAP inner methods:

Allow EAP-MS-CHAPv2: Check this check box to use EAP-MS-CHAPv2 as the inner method.
- Allow Password Change: Check this check box for Cisco ISE to support password changes.
- Retry Attempts: Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3.
Allow EAP-GTC: Check this check box to use EAP-GTC as the inner method.
- Allow Password Change: Check this check box for Cisco ISE to support password changes.
- Retry Attempts: Specifies how many times Cisco ISE requests user credentials before returning login failure. The valid range is from 0 to 3.
Allow EAP-TLS: Check this check box to use EAP-TLS as the inner method.

Check the Allow authentication of expired certificates to allow certificate renewal in Authorization Policy check box, if you want to allow users to renew certificates. If you check this check box, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further.
Require Cryptobinding TLV: Check this check box if you want both the EAP peer and the EAP server to participate in the inner and outer EAP authentications of the PEAP authentication.
Allow PEAPv0 Only for Legacy Clients: Check this check box to allow PEAP supplicants to negotiate using PEAPv0. Some legacy clients do not conform to the PEAPv1 protocol standards. To ensure that such PEAP conversations are not dropped, check this check box.

Allow EAP-FAST

Check this check box to enable EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MS-CHAPv2.

When you check the Allow EAP-FAST check box, you can configure EAP-FAST as the inner method:

Allow EAP-MS-CHAPv2
- Allow Password Change: Check this check box for Cisco ISE to support password changes.
- Retry Attempts: Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0-3.
Allow EAP-GTC

Allow Password Change: Check this check box for Cisco ISE to support password changes.

Retry Attempts: Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0-3.
Use PACs: Choose this option to configure Cisco ISE to provision authorization Protected Access Credentials (PAC) for EAP-FAST clients. Additional PAC options appear.
Don't Use PACs: Choose this option to configure Cisco ISE to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored and Cisco ISE responds with a Success-TLV without a PAC.

When you choose this option, you can configure Cisco ISE to perform machine authentication.
Allow EAP-TLS: Check this check box to use EAP-TLS as the inner method.

Check the Allow authentication of expired certificates to allow certificate renewal in Authorization Policy check box, if you want to allow users to renew certificates. If you check this check box, ensure that you configure appropriate authorization policy rules to check if the certificate has been renewed before processing the request any further.
Enable EAP Chaining: Check this check box to enable EAP chaining.

EAP chaining allows Cisco ISE to correlate the results of user and machine authentication and apply the appropriate authorization policy using the EAPChainingResult attribute.

EAP chaining requires a supplicant that supports EAP chaining on the client device. Choose the User and Machine Authentication option in the supplicant.

EAP chaining is available when you choose the EAP-FAST protocol (both in PAC based and PAC less mode).

For PAC-based authentication, you can use user authorization PAC or machine authorization PAC, or both to skip the inner method.

For certificate-based authentication, if you enable the Accept Client Certificate for Provisioning option for the EAP-FAST protocol (in the Allowed Protocol service), and if the endpoint (AnyConnect) is configured to send the user certificate inside the tunnel, then during tunnel establishment, ISE authenticates the user using the certificate (the inner method is skipped), and machine authentication is done through the inner method. If these options are not configured, EAP-TLS is used as the inner method for user authentication.

After you enable EAP chaining, update your authorization policy and add a condition using the NetworkAccess:EapChainingResult attribute and assign appropriate permissions.

Allow EAP-TTLS

Check this check box to enable EAP-TTLS protocol.

You can configure the following inner methods:

Allow PAP/ASCII: Check this check box to use PAP/ASCII as the inner method. You can use EAP-TTLS PAP for token and OTP-based authentications.
Allow CHAP: Check this check box to use CHAP as the inner method. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Microsoft Active Directory.
Allow MS-CHAPv1: Check this check box to use MS-CHAPv1 as the inner method.
Allow MS-CHAPv2: Check this check box to use MS-CHAPv2 as the inner method.
Allow EAP-MD5: Check this check box to use EAP-MD5 as the inner method.
Allow EAP-MS-CHAPv2: Check this check box to use EAP-MS-CHAPv2 as the inner method.
- Allow Password Change: Check this check box for Cisco ISE to support password changes.
- Retry Attempts: Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0 to 3.

Preferred EAP Protocol

Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, EAP-TTLS, and EAP-MD5. If you do not specify the preferred protocol, EAP-TLS is used by default.

EAP-TLS L-bit

Check this check box to support legacy EAP supplicants that expect length-included flag (L-bit flag) by default in TLS Change Cipher Spec message and Encrypted Handshake message from ISE.

Allow Weak Ciphers for EAP

If this option is enabled, legacy clients are allowed to negotiate using weak ciphers (such as RSA_RC4_128_SHA, RSA_RC4_128_MD5). We recommend that you enable this option only if your legacy clients support only weak ciphers.

This option is disabled by default.

Note

Cisco ISE does not support EDH_RSA_DES_64_CBC_SHA and EDH_DSS_DES_64_CBC_SHA.

Require Message Authenticator for all RADIUS Requests

If this option is enabled, Cisco ISE verifies whether the RADIUS Message Authenticator attribute is present in the RADIUS message. If the message authenticator attribute is not present, the RADIUS message is discarded.

Enabling this option provides protection from spoofed Access-Request messages and RADIUS message tampering.

The RADIUS Message Authenticator attribute is a Message Digest 5 (MD5) hash of the entire RADIUS message.

Note

EAP uses the Message Authenticator attribute by default and does not require that you enable it.

PAC Options

The following table describes the fields after you select Use PACs in the Allowed Protocols Services List window. The navigation path for this window is Policy > Policy Elements > Results > Authentication > Allowed Protocols.

Table 22. PAC Options
Field Name	Usage Guidelines
Use PAC	Tunnel PAC Time To Live: The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days. Proactive PAC Update When: <n%> of PAC TTL is Left: The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%. Allow Anonymous In-band PAC Provisioning: Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC. Allow Authenticated In-band PAC Provisioning: Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE. When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning. Server Returns Access Accept After Authenticated Provisioning: Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning. Allow Machine Authenticatio: Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed. When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client). Enable Stateless Session Resume: Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and skip phase two of EAP-FAST (default = enabled). Uncheck this check box in the following cases: If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients To always perform phase two of EAP-FAST When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.

Authorization Profile Settings

The following fields in the Authorization Profiles window define attributes for network access. The navigation path for this window is Policy > Policy Elements > Results > Authorization > Authorization Profiles.

Authorization Profile Settings

Name: Enter a name for this new authorization profile.
Description: Enter a description for this authorization profile.
Access Type: Choose the access type: ACCESS_ACCEPT or ACCESS_REJECT.
Service Template: Enable this option to support sessions with SAnet-capable devices. Cisco ISE implements service templates in authorization profiles using a special flag that marks them as Service Template compatible. Since the service template is also an authorization profile, it acts as a single policy that supports both SAnet and non-SAnet devices.

Track Movement: Enable this option to track user location with Cisco Mobility Services Engine (MSE).

Note

This option may impact Cisco ISE performance, it is only intended for high-security locations.

Passive Identity Tracking: Enable this option to use the Easy Connect feature of Passive Identity for policy enforcement and user tracking.

Common Tasks

Common tasks are specific permissions and actions that apply to network access.

DACL Name : Enable this option to use a downloadable ACL. You can use the default values (PERMIT_ALL_TRAFFICor DENY_ALL_TRAFFIC), or select an attribute from the following dictionaries:
- External identity store (attributes)
- Endpoints
- Internal User
- Internal Endpoint
For more information about adding DACLs or editing and managing existing DACLs, see Downloadable ACLs.

Security Group: Enable this option to assign a security group (SGT) part of authorization.

If Cisco ISE is not integrated with Cisco DNA Center, Cisco ISE assigns VLAN ID 1.
If Cisco ISE is integrated with Cisco DNA Center, then select the Virtual Network (VN) that Cisco DNA Center shared with Cisco ISE, select the Data Type, and the subnet/address pool.

Note

A Security Group task includes a security group and a VN. If you configure a security group, then you cannot configure a VLAN. An endpoint device can only be assigned to one virtual network.

VLAN: Enable this option to specify a virtual LAN (VLAN) ID. You can enter integer or string values for the VLAN ID. The format for this entry is Tunnel-Private-Group-ID:VLANnumber.
Voice Domain Permission : Enable this option to use a downloadable ACL. The vendor-specific attribute (VSA) of cisco-av-pair is associated with the value device-traffic-class=voice. In multidomain authorization mode, if the network switch receives this VSA, the endpoint connects to a voice domain after authorization.
Web Redirection (CWA, DRW, MDM, NSP, CPP): Enable this option to enable web redirection after authentication.
- Select the type of redirection. The type of Web Redirection that you select displays additional options, which are described below.
- Enter an ACL to support the redirection that Cisco ISE sends to the NAD.
  
  The ACL you enter to send to the NAD displays in the Attributes Details pane as a cisco-av pair. For example, if you enter acl119, it is displayed in the Attributes Details pane as: cisco-av-pair = url-redirect-acl = acl119.
- Select the other settings for the selected web redirection type.
Select one of the following types web redirection:
- Centralized Web Auth: Redirect to the portal you select from the Value drop-down.
- Client Provisioning (Posture): Redirect to the client provisioning portal you select from the Value drop-down, to enable posture on the client.
- Hot Spot: Redirect: Redirect to the hot spot portal you select from the Value drop-down.
- MDM Redirect: Redirect to the MDM portal on the MDM server that you specify.
- Native Supplicant Provisioning: Redirect to the BYOD portal you select from the Value drop-down.
After selecting the web redirection type, and entering the required parameters, configure the following options:
- Display Certificates Renewal Message: Enable this option to display a certificate renewal message. The URL-redirect attribute value changes and includes the number of days for which the certificate is valid. This option is only for Centralized Web Auth redirection.
- Static IP/Host Name/FQDN: Enable this option to redirect a user to a different PSN. Enter the target IP address, hostname, or FQDN. If you do not configure this option, the user is redirected to the FQDN of the policy service node that received this request.
- Suppress Profiler CoA for endpoints in Logical Profile: Enable this option to cancel the redirect for a certain type of endpoint device.
Auto SmartPort: Enable this option to use Auto SmartPort functionality. Enter an event name, which creates a VSA cisco-av-pair with that value as auto-smart-port=event_name. This value is displayed in the Attributes Details pane.
Access Vulnerabilities: Enable this option to run the Threat Centric NAC Vulnerability Assessment on this endpoint as part of authorization. Select the adapter, and when to run the scan.
Reauthentication: Enable this option to keep the endpoint connected during reauthentication. You choose to maintain connectivity during reauthentication by choosing to use RADIUS-Request (1). The default RADIUS-Request (0) disconnects the existing session. You can also set an inactivity timer.
MACSec Policy: Enable this option to use the MACSec encryption policy whenever a MACSec enabled client connects to Cisco ISE. Choose one of the following options: must-secure, should-secure, or must-not-secure. Your settings are displayed in the Attributes Details pane as: cisco-av-pair = linksec-policy=must-secure.
NEAT : Enable this option to use Network Edge Access Topology (NEAT), which extends identity recognition between networks. Checking this check box displays cisco-av-pair = device-traffic-class=switch in the Attributes Details pane.
Web Authentication (Local Web Auth) : Enable this option to use local web authentication for this authorization profile. This value lets the switch recognize authorization for web authentication by Cisco ISE sending a VSA along with a DACL. The VSA is cisco-av-pair = priv-lvl=15, which is displayed in the Attributes Details pane.
Airespace ACL Name: Enable this option to send an ACL name to Cisco Airespace wireless controller. The Airespace VSA uses this ACL to authorize a locally defined ACL to a connection on the WLC. For example, if you entered rsa-1188, it is displayed as Airespace-ACL-Name = rsa-1188 in the Attributes Details pane.
ASA VPN: Enable this option to assign an Adaptive Security Appliances (ASA) VPN group policy. From the drop-down list, choose a VPN group policy.
AVC Profile Name: Enable this option to run application visibility on this endpoint. Enter the AVC profile to use.

Advanced Attributes Settings

Dictionaries: Click the down arrow icon to view the available options in the Dictionaries window. Select a dictionary and an attribute that should be configured in the first field.
Attribute Values: Click the down-arrow icon to display the available options in the Attribute Values window. Select the desired attribute group and the attribute value. This value is matched with the one selected in the first field. The Advanced Attributes settings that you configure are displayed in the Attribute Details panel.

Attributes Details: This pane displays the configured attribute values that you have set for Common Tasks and Advanced Attributes.

The values that are displayed in the Attributes Details pane are read-only.

Note

To modify or delete any of the read-only values that are displayed in the Attributes Details pane, modify or delete these values in the corresponding Common Tasks field, or in the attribute that you selected in the Attribute Values field in the Advanced Attributes Settings pane.

Profiling Exception Action Settings

The following table describes the fields in the Profiler Exception Actions window. The navigation path for this window is Policy > Policy Elements > Results > Profiling > Exception Actions.

Table 23. Creating an Exception Action
Field Name	Usage Guidelines
Name	Enter the name of the exception action that you want to create.
Description	Enter the description of the exception action that you want to create.
CoA Action to enforce CoA	Check the CoA Action check box to enforce CoA. When you associate an exception action in the endpoint profiling policy and enforce a CoA, you must configure CoA globally in Cisco ISE that can be done in the following location: Administration > System > Settings > Profiling.
Policy Assignment	Click the Policy Assignment drop-down list that displays endpoint profiling policies that are configured in Cisco ISE, and choose the profiling policy against which the endpoint will be profiled when the exception action is triggered, regardless of its matched value.
System Type	Exception Actions can be any one of the following types: Cisco Provided: Includes AuthorizationChange, EndpointDelete, and FirstTimeProfile Administrator Created: Includes that are created by you as an administrator of Cisco ISE.

File Remediation

The following table describes the fields in the File Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > File Remediation.

Table 24. File Remediation
Field Name	Usage Guidelines
File Remediation Name	Enter a name for the file remediation. Once created and saved, you cannot edit the name of the file remediation.
File Remediation Description	Enter a description for the file remediation.
Version	Enter the file version.
File to Upload	Click Browse to locate the name of the file to be uploaded to the Cisco ISE server. This is the file that will be downloaded to the client when the file remediation action is triggered.

Firewall Remediations

The following table describes the fields on the Firewall Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Firewall Remediations.

Table 25. Firewall Remediations

Field Name

Usage Guidelines

Name

Enter a name for the Firewall remediation.

Description

Enter the description for the Firewall remediation.

Operating System

Choose the Windows OS or Mac OSX.

Compliance Module

Support for OESIS version 4.x or later.

Remediation Type

Choose one of the following:

Automatic: Enter values for the Interval and Retry Count. The ISE server identifies noncompliant clients and selects a remediation notification method and automatically updates the Firewall application on the client.
Manual: (Interval and Retry Count fields are disabled) Noncompliant clients should manually download and apply the latest Firewall application.

Interval (in seconds)

(Available only when you select the Automatic remediation type) Enter the time interval in seconds after which a scheduled patch update on the client is performed. Valid range is 0 to 9999.

Retry Count

(Available only when you select the Automatic remediation type) Enter the number of times that a client can attempt to update critical patches. Valid range is 0 to 99.

Vendor Name

Choose a vendor name (for example, VMware Inc.) from the drop-down list.

Note

Supported versions of Cisco ISE and AnyConnect:

Cisco ISE version 2.2 and later
AnyConnect version 4.4 and later

Remediation Option

Enable: Enables the Firewall application (if the vendor supports the enable option), in case it is disabled on the endpoint.

Click the Products for Selected Vendor drop-down arrow, to view the list of products (for example, VMware vCentre Protect Agent), Version (for example, 8.x), and Enabled Remediation Support (for example, Yes) that the vendor you have specified in the Vendor Name supports. For example, if you have selected Vendor A, that has two products, namely Product 1 and Product 2. Product 1 may support the Enable remediation option, whereas Product 2 might not. The Products for Selected Vendor table changes according to the selected remediation option.

Link Remediation

The following table describes the fields in the Link Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Link Remediation.

Table 26. Link Remediation
Field Name	Usage Guidelines
Link Remediation Name	Enter a name for link remediation.
Link Remediation Description	Enter a description for the link remediation.
Remediation Type	Choose one of the following: Automatic: When selected, you should enter values for the Interval and Retry Count. Manual: When selected, Retry Count and Interval fields are not editable.
Retry Count	Enter the number of attempts that clients can try to remediate from the link.
Interval (in seconds)	Enter the time interval in seconds that clients can try to remediate from the link after previous attempts.
URL	Enter a valid URL that leads to a remediation page or resource.

Application Remediation

The following table describes the fields in the Application Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Application Remediation.

Table 27. Application Remediation

Field Name

Usage Guidelines

Name

Enter a name for the application remediation.

Description

Enter the description for the application remediation.

Operating System

Select the Windows OS or MAC OSX to which the application remediation condition should be applied.

Compliance Module

Support for OESIS version 4.x or later.

Remediation Type

Choose one of the following:

Automatic: Enter values for the Interval and Retry Count. The ISE server identifies non-compliant clients and selects a remediation notification method and automatically updates the latest patch on the client.
Manual: (Interval and Retry Count fields are disabled) Non-compliant clients should manually download and apply the latest patches.

Interval (in seconds)

(Available only when you select the Automatic remediation type) Enter the time interval in seconds after which a scheduled patch update on the client is performed. Valid range is 0 to 9999.

Retry Count

(Available only when you select the Automatic remediation type) Enter the number of times that a client can attempt to update critical patches. Valid range is 0 to 99.

Vendor Name

Choose a vendor name from the drop-down list. The application name (for example, Internet Explorer), version, vendor (for example, Microsoft Corporation), running processes, and category (for example, anti-phishing) are displayed in the Products for Selected Vendor table.

Note

Supported versions of Cisco ISE and AnyConnect:

Cisco ISE version 2.2 and later
AnyConnect version 4.4 and later

Remediation Option

Select any one of the following options:

Uninstall: Uninstalls an application. For example, you observe that there are many endpoints that are running a malicious application in the Context Directory page. You can create a requirement that uninstalls the malicious application.
Kill Process: Kills the required running patch management process. For example, you observe that there are many endpoints that are running a malicious process in the Context Directory page. You can create a requirement that kills these malicious processes that are running.

Click the Products for Selected Vendor drop-down arrow, to view the list of products that the vendor you have specified in the Patch Management Vendor Name supports. For example, if you have selected Vendor A, that has two products, namely Product 1 and Product 2. Product 1 may support the Enable remediation option, whereas Product 2 might not. Or, if Product 1 does not support the Enable and Install missing patches remediation options, then Product 1 is disabled (grayed out). The Products for Selected Vendor table changes according to the selected remediation option.

Antimalware Remediation

The following table describes the fields in the AV Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > AV Remediation.

Table 28. Antivirus Remediation
Field Name	Usage Guidelines
Name	Enter a name for the antimalware remediation.
Description	Enter a description for the antimalware remediation.
Operating System	Choose one of the following: Windows Macintosh: when selected Remediation Type, Interval, and Retry Count fields are not editable
Compliance Module	OESIS version 4 supports compliance module 4.x and AnyConnect 4.3 and higher.
Remediation Type	Choose one of the following: Automatic: When selected, you should enter values for the Interval and Retry Count. Manual: When selected, Retry Count and Interval fields are not editable.
Interval (in seconds)	Enter the time interval in seconds that clients can try to remediate after previous attempts.
Retry Count	Enter the number of attempts that clients can try to update an antimalware definition.
Anti-Malware Vendor Name	Choose the required antimalware vendor.

Antivirus Remediation

The following table describes the fields in the Anti-Virus Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Anti-Virus Remediation.

Table 29. Anti-Virus Remediation
Field Name	Usage Guidelines
Name	Enter a name for the antivirus remediation.
Description	Enter a description for the antivirus remediation.
Remediation Type	Choose one of the following: Automatic: When selected, you should enter values for the Interval and Retry Count. Manual: When selected, Retry Count and Interval fields are not editable.
Interval (in seconds)	Enter the time interval in seconds that clients can try to remediate after previous attempts.
Retry Count	Enter the number of attempts that clients can try to update an antivirus definition.
Operating System	Choose one of the following: Windows Macintosh: When selected Remediation Type, Interval, and Retry Count fields are not editable
AV Vendor Name	Choose the antivirus vendor.

Antispyware Remediation

The following table describes the fields in the Antispyware Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Antispyware Remediation.

Table 30. Antispyware Remediation
Field Name	Usage Guidelines
Name	Enter a name for the antispyware remediation.
Description	Enter a description for the antispyware remediation.
Remediation Type	Choose one of the following: Automatic: When selected, you should enter values for the Interval and Retry Count. Manual: When selected, Retry Count and Interval fields are not editable.
Interval (in seconds)	Enter the time interval in seconds that clients can try to remediate after previous attempts.
Retry Count	Enter the number of attempts that clients can try to update an antispyware definition.
Operating System	Choose one of the following: Windows Macintosh: When selected, Remediation Type, Interval, and Retry Count fields are not editable
AS Vendor Name	Choose the antispyware vendor.

Launch Program Remediation

The following table describes the fields in the Launch Program Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Launch Program Remediation.

Table 31. Launch Program Remediation
Field Name	Usage Guidelines
Name	Enter a name for the launch program remediation.
Description	Enter a description for the launch program remediation that you want to create.
Remediation Type	Choose one of the following: Automatic: When selected, you should enter the Retry Count and Interval options. Manual: When selected, Interval and Retry Count fields are not editable.
Interval (in seconds)	Enter the time interval in seconds that clients can try to remediate after previous attempts.
Retry Count	Enter the number of attempts that clients can try to launch required programs.
Program Installation Path	From the drop-down list, choose the path where the remediation program has to be installed. ABSOLUTE_PATH: Remediation program is installed in the fully qualified path of the file. For example, C:\<directory>\ SYSTEM_32: Remediation program is installed in the C:\WINDOWS\system32 directory SYSTEM_DRIVE: Remediation program is installed in the C:\ drive SYSTEM_PROGRAMS: Remediation program is installed in the C:\Program Files SYSTEM_ROOT: Remediation program is installed in the root path of Windows system
Program Executable	Enter the name of the remediation program executable, or an installation file.
Program Parameters	Enter required parameters for the remediation programs.
Existing Programs	Existing Programs table displays the installation paths, name of the remediation programs, and parameters if any. Click Add to add remediation programs to the Existing Programs list. Click the delete icon to remove the remediation programs from the list.

Windows Update Remediation

The following table describes the fields in the Windows Update Remediation windows. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Windows Update Remediation.

Table 32. Windows Update Remediation
Field Name	Usage Guidelines
Name	Enter a name for the Windows update remediation.
Description	Enter a description for the Windows update remediation.
Remediation Type	Choose one of the following: Automatic: When selected, you should enter the Retry Count and Interval options. Manual: When selected, Interval and Retry Count fields are not editable.
Interval (in seconds)	Enter the time interval in seconds that clients can try to remediate after previous attempts.
Retry Count	Enter the number of attempts that Windows clients can try for Windows updates.
Windows Update Setting	Choose from the following: Do not change setting: The Windows Automatic Updates client configuration does not change during or after Windows update remediation. Notify to download and install: Windows only notifies clients, but does not automatically download, or install them. Automatically download and notify to install: Windows downloads updates for clients, and notifies clients to install Windows updates. Automatically download and install: Windows automatically downloads, and installs Windows updates. This is the highly recommended setting for Windows clients.
Override User’s Windows Update setting with administrator’s	Check this check box to enforce the administrator-specified setting for Windows Automatic Updates on all the clients during, and after Windows update remediation. If unchecked, the setting enforces the following: The administrator-specified setting only when Automatic Updates are disabled on Windows clients. The Windows clients-specified setting only when Windows Automatic Updates are enabled on the client.

Windows Server Update Services Remediation

The following table describes the fields in the Windows Update Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Windows Server Update Services Remediation.

Table 33. WSUS Remediation

Field Name

Usage Guidelines

Name

Enter a name for the WSUS remediation.

Description

Enter a description for the WSUS remediation.

Remediation Type

Choose from the following:

Automatic: The agent automatically updates Windows clients with the latest WSUS updates.
Manual: If selected, the Interval and Retry Count fields are not editable. The user manually updates the Windows client with the latest WSUS updates from a Microsoft-managed WSUS server, or from the locally administered WSUS server.

Interval (in seconds)

Enter the interval in seconds (the default interval is 0) to delay WSUS updates before the client and web agents attempt to retry after the previous attempt.

Retry Count

Enter the number of attempts that the client and web agents retry to update Windows clients with WSUS updates.

Validate Windows Updates using

Choose from the following:

Cisco Rules: If you choose this option, you can select custom or preconfigured rules as conditions in the posture requirement
Severity Level: If you choose this option, you can select custom or preconfigured rules as conditions in the posture requirement, but they are not used. The pr_WSUSRule can be used as a placeholder condition (a dummy condition) in the posture requirement that specifies a WSUS remediation.

Windows Updates Severity Level

Choose the severity level:

Critical: Installs only critical Windows updates
Express: Installs important and critical Windows updates
Medium: Installs all critical, important, and moderate Windows updates

All: Installs all critical, important, moderate, and low Windows updates

Note

When you associate a WSUS remediation action to a posture requirement to validate Windows updates by using the severity level option, you must choose the pr_WSUSRule (a dummy compound condition) compound condition in the posture requirement. When the posture requirement fails, the agent enforces the remediation action (Windows updates) based on the severity level that you define in the WSUS remediation.

Update to latest OS Service Pack

Check this check box to allow WSUS remediation install the latest service pack available for the client's operating system automatically.

Note

The operating system service packs are updated automatically irrespective of the Medium and All severity level options selected in WSUS remediation.

Windows Updates Installation Source

Specifies the source from where you install WSUS updates on Windows clients:

Microsoft server: Microsoft-managed WSUS server
Managed server: Locally administered WSUS server

Installation Wizard Interface Setting

Allows you to display the installation wizard on the client during WSUS updates:

Show UI: Displays the Windows Update Installation Wizard progress on Windows clients. Users must have Administrator privileges on clients to view the installation wizard during WSUS updates.

No UI: Hides the Windows Update Installation Wizard progress on Windows clients.

Note

You must select the No UI option, if you want to allow users without Administrator privileges to use WSUS remediation to install Windows updates.

Patch Management Remediation

The following table describes the fields in the Patch Management Remediation window. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > Patch Managment Remediation.

Table 34. Patch Management Remediation

Field Name

Usage Guidelines

Name

Enter a name for the patch management remediation.

Description

Enter a description for the patch management remediation.

Compliance Module

Support for OESIS version 4.x or later or 3.x or earlier.

Remediation Type

Choose one of the following:

Automatic: Enter values for the Interval and Retry Count. The ISE server identifies non-compliant clients and selects a remediation notification method and automatically updates the latest patch on the client.
Manual: (Interval and Retry Count fields are disabled) Non-compliant clients should download and apply the latest patches manually.

Interval (in seconds)

(Available only when you select the Automatic remediation type) Enter the time interval in seconds after which a scheduled patch update on the client is performed.

Retry Count

(Available only when you select the Automatic remediation type) Enter the number of times that a client can attempt to update critical patches.

Operating System

Windows OS is the only OS that is supported.

Patch Management Vendor Name

Choose a vendor name from the drop-down list. The patch management remediation products of a vendor along with their product's support for the version, enable remediation, update remediation, and show UI remediation is displayed in the Products for Selected Vendor table.

Note

Supported versions of Cisco ISE and AnyConnect:

Cisco ISE version 1.4 and later
AnyConnect version 4.1 and later

Remediation Option

Select any one of the following options:

Enable: Enables the patch management software, in case it is disabled on the endpoint.
Install Missing Patches: Updates the patch on the endpoint.
Activate Patch Management Software GUI: Displays the patch management software user interface. Follow the instructions on this page to change the software settings or initiate software updates.

Check Patches Installed

You can configure severity levels for missing patch management remediation software, which are then deployed based on the severity. Select any one of the severity levels:

(Available for all remediation options) Critical Only: To check if critical remediation software patches are installed on endpoints in your deployment.
(Available only when you select the Install Missing Patches remediation option) Important and Critical: To check if important and critical remediation software patches are installed on endpoints in your deployment.
(Available only when you select the Install Missing Patches remediation option) Moderate, Important, & Critical: To check if moderate, important, and critical remediation software patches are installed on endpoints in your deployment.
(Available only when you select the Install Missing Patches remediation option) Low To Critical
(Available only when you select the Install Missing Patches remediation option) All: Checks all severity levels.

USB Mass Storage Check Workflow

You can use the USB_Check condition (Cisco predefined) in a posture policy to check if a USB mass storage device is connected to an endpoint . The USB mass storage check and remediation flow is described below.

The AnyConnect agent:

Checks for a USB connection.
Detects a USB plug-in and applies the USB_Block remediation (Cisco predefined). The AnyConnect agent reports a remediation failure to Cisco ISE and initiates a CoA. The USB mass storage remediation is always active and is not limited to the time of access or Periodic reassessment (PRA).
Stops running the USB detection, when the user disconnects from the network interface.
Runs the posture flow again, when the endpoint reconnects. However, if the endpoint is in the posture lease period, the AnyConnect agent does not run the USB check again.

Note

AnyConnect performs the USB check and remediation sequentially. Consequently, there may be a delay in handling USB dynamic change while performing PRA. When the USB check is configured, it is recommended to minimize the PRA grace time (Work Centers > Posture > Settings > Reassessment Configurations) for the other checks.

Note

You cannot create a compound condition for USB check.

USB Mass Storage Remediation

The following table describes the fields in the USB Mass Storage Remediation window. The navigation path is Work Centers > Posture > Policy Elements > Remediations > USB. You can also view the option in the Policy > Policy Elements > Results > Posture > Remediation Actions > USB Remediation window.

Table 35. USB Remediation Settings
Field Name	Usage Guideline
Name	Enter the name for the USB remediation.
Description	Enter a description for the USB remediation.
Compliance Module	A display-only field for ISE posture compliance module support for version 4.x (and later).
Operating System	A display-only field to indicate support for Windows OS.
Remediation Type	A display-only field to indicate that the remediation is automatic.
Interval	Enter the time interval in seconds after which a scheduled USB mass storage device check on the client is performed.
Retry Count	Enter the time interval in seconds after which a USB mass storage device reassessment on the client is performed.

Client Posture Requirements

To create a posture requirement:

Choose Policy > Policy Elements > Results > Posture > Requirements.
From the Edit drop-down list at the end of any requirement row, choose Insert New Requirement.
Enter the required details and click Done.

The following table describes the fields in the Client Posture Requirements window.

Table 36. Posture Requirement
Field Name	Usage Guidelines

Cisco Identity Services Engine Administrator Guide, Release 2.3

Bias-Free Language

Results

Chapter: Policy User Interface Reference

Policy User Interface Reference

Policy Set Settings

Policy Set Configuration Settings

Authentication Policy Configuration Settings

Local and Global Exceptions Configuration Settings

Authorization Policy Settings

Endpoint Profiling Policies Settings

Endpoint Context Visibility Using UDID Attribute

RADIUS Vendor Dictionary Attribute Settings

Special Conditions

Profiler Condition Settings

Posture Condition Settings

File Condition Settings

Firewall Condition Settings

Registry Condition Settings

Application Condition Settings

Continuous Endpoint Attribute Monitoring

Application Condition Settings

Service Condition Settings

Posture Compound Condition Settings

AntiVirus Condition Settings

Antispyware Compound Condition Settings

Antimalware Condition Settings

Dictionary Simple Condition Settings

Dictionary Compound Condition Settings

Patch Management Condition Settings

Disk Encryption Condition Settings

USB Condition Settings

Hardware Attributes Condition Settings

Time and Date Condition Settings

Results

Allowed Protocols

PAC Options

Authorization Profile Settings

Authorization Profile Settings

Common Tasks

Advanced Attributes Settings

Profiling Exception Action Settings

File Remediation

Firewall Remediations

Link Remediation

Application Remediation

Antimalware Remediation

Antivirus Remediation

Antispyware Remediation

Launch Program Remediation

Windows Update Remediation

Windows Server Update Services Remediation

Patch Management Remediation

USB Mass Storage Check Workflow

USB Mass Storage Remediation

Client Posture Requirements

Was this Document Helpful?

Contact Cisco