topic Re: ISE Posture Policy in Network Access Control

ISE Posture Policy

Srinivasan Nagarajan — Fri, 14 May 2021 18:05:11 GMT

Hi Experts

We've ISE 2.6 running and the client is using an Mcafee AV solution and now would like to replace it with the Windows Defender (WD). I've been asked not to change the posture policy to 'Audit' or 'Optional' mode, to enforce the corporate policies. Once WD installed, the existing AV would be replaced immediately.

They'd like to get it tested for the Pilot AD groups before roll out to everyone. So, we need the Posture policy as given below:-

Condition: 'Service' condition which will look either of the AV services to be running on the users PC

Posture Requirement: Posture_Req_Mcafee_or_WD (call both the conditions here using the OR option)

Posture Policy:

Name: McaFee or WD

Operating System: Windows All

Compliance Module: Any

Other condition:

Domain_Users + Firewall OR WD_Pilot_Users+ Firewall = Posture_Req_Mcafee_or_WD

Mode: Mandatory

Requirements: Posture_Req_Mcafee_or_WD

With this option, it'll give us granularity to add users into the Pilot AD groups everyday on a phased approach, before roll out to everyone and thus keeping the corporate policies enforced for other users with the existing AV. Is there any option we can do it, as I'm not able to figure it out in the posture policy 'other conditions' i.e. Condition 1 or Condition 2.

Note: Adding the Mcafee or Windows Defender in the requirement is the last option as it'd be for everyone. We'd like to get it controlled with the AD groups.

Any suggestion? Thanks in advance.

Re: ISE Posture Policy

Mike.Cifelli — Fri, 14 May 2021 18:45:12 GMT

Is there any option we can do it, as I'm not able to figure it out in the posture policy 'other conditions' i.e. Condition 1 or Condition 2.

-Your OR option you are describing would not get configured in posture policy 'other conditions'. You would configure a new service condition to check for Defender service or whatever works for you. Then in the posture policy requirements you would add the new condition inside the existing requirement condition for McAfee. The catch is under the 'Condition' column you will add the new condition and set the 'met if' to 'Any Selected Condition Succeeds' as shown below:

This will allow you to phase it out as you desire forcing check for McAfee or Defender. Then after rollout you can remove the old condition from the requirement. This way you will not have to tweak production posture policy. HTH!

Re: ISE Posture Policy

Srinivasan Nagarajan — Sat, 15 May 2021 17:12:59 GMT

Hi @Mike.Cifelli

Thanks for the reply.

1. My plan is to configure 2 separate policies in Mandatory mode and it allows us to deploy the AV in a phased approach. Will it work?

Posture Policy for Mcafee Users: MCAFEE_AD_Users+ VPN = Mcafee Service Check (Mcafee Check will be evaluated not WD check)

Posture Policy for WD Users: WD_AD_Users = WD Service Check (WD check will be evaluated not Mcafee check)

We’ve an AD groups based AuthZ policy with the group-policy being pushed from ISE as configured on ASA.

2. Now, should we need to configure separate Authorization policy for Mcafee or WD AD groups as it consists of all the below users?

Authorization Policy:

SALES_AD_Users = SALES_GROUP_POLICY

HR_AD_Users = HR_GROUP_POLICY

Domain_Users = ALL_GROUP_POLICY

I guess Mcafee or WD AD groups config required only on the Posture policy (for controlling the posture checks) and not on the AuthZ policy or does the AuthZ need to be matched as similar to the posture policy ?

Note: We've Domain Users in the AuthZ policy which is a catch all condition.

Thanks in advance.

Re: ISE Posture Policy

Mike.Cifelli — Sat, 15 May 2021 17:32:34 GMT

-Correct. If you already have authz policies setup to support posturing then just focus on differentiating the two in posture policy then based on different groups, etc.

Re: ISE Posture Policy

Srinivasan Nagarajan — Sun, 16 May 2021 08:01:09 GMT

Thanks for the reply.

Final one, how is the requirement OR condition (Mcafee or Windows Defender) with 'Any Selected Condition Succeeds' is different from the Posture Compound condition?

Re: ISE Posture Policy

Mike.Cifelli — Sun, 16 May 2021 16:05:31 GMT

Final one, how is the requirement OR condition (Mcafee or Windows Defender) with 'Any Selected Condition Succeeds' is different from the Posture Compound condition?

-The requirement OR is tying together 2 or more types of posture conditions and in my example forcing the requirement to match ONE of the configured conditions in order to be deemed compliant. With this you would not have to modify the posture policy, you would modify the existing requirement (add new condition) that is then tied into the already configured/deployed posture policy. Posture compound conditions are an option of what you configure first which is what you wish to assess which is then added in requirements and the requirements are then added in the posture policy. Compound conditions include one or more simple conditions. Compound conditions allow you to combine one or more conditions using either AND/OR/NOT operators. I have not specifically attempted to configure a compound condition for 'McAfee or Defender', but IMO if it was to work then this would simply be another option for you resulting in the same idea/result. If that works, then to summarize you have 2 options: you could create two separate conditions that are then setup in a requirement with 'Any Selected Condition Succeeds' OR you could create the compound condition with OR operator and apply that as a requirement. HTH!