ISE Posture capabilities limit

Amr Mohammed Mashaal — Mon, 11 Mar 2019 07:52:47 GMT

we have ISE distributed demployment and we use ISE for wired and wireless access through the do1x and easy connect methods.
my manager wants to utilize the ISE posture capabilities in our environment. we need to check on how to do the below tasks with ISE posture, keeping in mind that we intend to use the NAC agent (also if the anyconnect is needed in any of the below situations please advice):

1. give access using policy based on time (working hours limited access and after working hours internet only access)?
2. will non complaint devices return to the production VALN after remediation when the reason for that made it non complaint disappear?
3. can the solution be full Automated: fix devices that are not compliant automatically for example :
device without McAfee, will ISE install McAfee
Device with McAfee but not updated, will ise auto update
automatically insall updated for not updated windows devices
4. can we build new roles based on our OS and antivirus?
5. Integrate and communicate with McAfee to isolate detected device?
6. If ISE system down. What will happen in our network? (for example connected devices and new devices)
7. can the ISE Integrate with Juniper and PaloAlto global protect?
8. can ISE Integrate with next generation Firewall PaloAlto?
9. Ability to stopping USB port on device?

First and foremost, which

Charlie Moreton — Sun, 23 Jul 2017 14:05:25 GMT

First and foremost, which version and Patch level of ISE do you have installed?

1. give access using policy based on time (working hours limited access and after working hours internet only access)?

- Yes.

Before You Begin
To perform the following task, you must be a Super Admin or Policy Admin.
Step 1 Choose Policy > Policy Elements > Conditions > Time and Date > Add.
Step 2 Enter appropriate values in the fields.
• In the Standard Settings area, specify the time and date to provide access.
• In the Exceptions area, specify the time and date range to limit access.
Step 3 Click Submit

2. will non complaint devices return to the production VALN after remediation when the reason for that made it non complaint disappear?

- Yes, After Remediation, Posture Check is run again and upon success, placement in the correct VLAN will happen

3. can the solution be full Automated: fix devices that are not compliant automatically for example :
device without McAfee, will ISE install McAfee
Device with McAfee but not updated, will ise auto update
automatically insall updated for not updated windows devices

- Automatic Remediation can be configured

4. can we build new roles based on our OS and antivirus?

- Yes

5. Integrate and communicate with McAfee to isolate detected device?

- ISE Can detect the installation of and definition dates for AV

6. If ISE system down. What will happen in our network? (for example connected devices and new devices)

- If the Whole (HA) ISE System is down, logged in users will continute to be authorized, whereas new users would not be able to authenticate onto the network. This can be mitigated through the use of specific switchport configurations, for example:

authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice

7. can the ISE Integrate with Juniper and PaloAlto global protect?

- This integration does not exist today, however, Cisco has opened up the ISE APIs and pxGrid connectivity to the Security Community as a whole. If the companies referenced want the integration, all they need to do is to build it into their products.

8. can ISE Integrate with next generation Firewall PaloAlto?

- Check this link:

https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295

9. Ability to stopping USB port on device?

- v2.1 allows persistent check for USB Mass Storage devices and can force non-compliance when a storage device (USB Flash Drive, External Hard Drive, etc.) is attached.

I hope this helps

topic First and foremost, which in Network Access Control

ISE Posture capabilities limit

First and foremost, which