Cisco Identity Services Engine 1.2 Troubleshooting Guide

Posture Policy
The posture policy defines the set of requirements for an endpoint to be deemed compliant based upon file
presence, registry key, process, application, Windows, and anti-virus (AV)/anti-spyware (AS) checks and
rules. Posture policy is applied to endpoints based upon a defined set of conditions such as user identity and
client OS type. The compliance (posture) status of an endpoint can be:
• Unknown: No data was collected in order to determine posture state.
• Noncompliant: A posture assessment was performed, and one or more requirements failed.
• Compliant: The endpoint is compliant with all mandatory requirements.
Posture requirements are based on a configurable set of one or more conditions. Simple conditions include a
single assessment check. Compound conditions are a logical group of one or more simple conditions. Each
requirement is associated with a remediation action that helps endpoints satisfy the requirement, such as AV
signature update.
Authorization Policy
The authorization policy defines the levels of network access and optional services to be delivered to an
endpoint based on posture status. Endpoints that are deemed not compliant with posture policy may be
optionally quarantined until the endpoint becomes compliant; for example, a typical authorization policy may
limit a user's network access to posture and remediation resources only. If remediation by the agent or end
user is successful, then the authorization policy can grant privileged network access to the user. Policy is often
enforced with downloadable access control lists (dACLs) or dynamic VLAN assignment. In this configuration
example, dACLs are used for endpoint access enforcement.
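The following added example (a simplified model, not Cisco ISE code and not part of the original guide) shows how simple and compound conditions, mandatory requirements and remediation actions combine into a posture status, and how that status selects a dACL. The report keys, the 7-day definition threshold, the dACL names, the optional Windows-update requirement and the choice to restrict Unknown endpoints like Noncompliant ones are all assumptions made for illustration.

```python
"""Toy model of posture evaluation. Not Cisco ISE code; all names are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Report = Dict[str, object]            # data an agent collected (constructed keys)
Condition = Callable[[Report], bool]  # simple condition = one assessment check

def all_of(*conds: Condition) -> Condition:
    """Compound condition: logical AND over simple conditions."""
    return lambda r: all(c(r) for c in conds)

@dataclass
class Requirement:
    name: str
    condition: Condition
    remediation: str        # action that helps the endpoint satisfy the requirement
    mandatory: bool = True

av_installed = lambda r: r.get("av_installed") is True
av_defs_fresh = lambda r: r.get("av_def_age_days", 999) <= 7   # assumed threshold
no_missing_critical = lambda r: r.get("missing_critical_updates", 1) == 0

REQUIREMENTS = [
    Requirement("AV installed and current", all_of(av_installed, av_defs_fresh),
                "AV signature update"),
    # Assumption: treated as optional here to show the mandatory/optional split.
    Requirement("Windows critical updates", no_missing_critical,
                "Install Windows updates", mandatory=False),
]

def posture_status(report: Optional[Report],
                   reqs: List[Requirement]) -> Tuple[str, List[str]]:
    """Return (status, remediation actions for every failed requirement)."""
    if not report:                       # no data collected
        return "Unknown", []
    failed = [q for q in reqs if not q.condition(report)]
    status = "Noncompliant" if any(q.mandatory for q in failed) else "Compliant"
    return status, [q.remediation for q in failed]

# Hypothetical dACL names. Assumption: Unknown fails closed like Noncompliant.
DACL = {"Compliant": "PERMIT_ALL_TRAFFIC",
        "Noncompliant": "POSTURE_REMEDIATION",
        "Unknown": "POSTURE_REMEDIATION"}

def authorize(report: Optional[Report]) -> Tuple[str, str, List[str]]:
    """Map an endpoint report to (posture status, dACL name, remediation actions)."""
    status, actions = posture_status(report, REQUIREMENTS)
    return status, DACL[status], actions
```

Calling `authorize()` with no report, a stale-signature report and a clean report shows the three statuses and the access each one receives.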
Posture Example Workflow
In this configuration example, both persistent (NAC Agent) and temporal (Web Agent) agent files are
downloaded to ISE, and client provisioning policies are defined that require domain users to download the
NAC Agent and guest users to download the Web Agent.
Before posture assessment policies and requirements are configured, the authorization policy is updated to
apply authorization profiles to domain users and guests that are flagged as noncompliant. The new
authorization profile defined in this configuration limits access to posture and remediation resources.
Employees and guest users flagged as compliant are allowed regular network access.
Once client provisioning services have been verified, posture requirements are configured in order to check
for anti-virus installation, virus definition updates, and Windows critical updates.
Note: Verify all items on these endpoint and ISE checklists before you attempt to configure posture.
Endpoint Checklist
1. ISE Fully Qualified Domain Name (FQDN) must be resolvable by the endpoint device.
2. Verify that the endpoint browser is configured as shown here:
   ♦ Firefox or Chrome: Java plugin must be enabled on the browsers.
   ♦ Internet Explorer: ActiveX must be enabled in the browser settings.
   ♦ Internet Explorer 10:
      ◊ Importing Self-Signed Certificate: If you are using a self-signed certificate for ISE,
        run Internet Explorer 10 in Administrator mode in order to install these certificates.
      ◊ Compatibility Mode: Compatibility mode must be changed on Internet Explorer 10
        settings in order to allow NAC Agent download. In order to change this setting,