Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1583
Views
0
Helpful
1
Replies

Cisco ISE - Posture NonCompliant Corrections

Go to solution
PedroDias1994
Level 1
Level 1

‎01-13-2020 02:08 AM

Hi all,

 

I am implementing Posture on ISE 2.4 and everything is working and running smoothly, but I have one little problem with the NonCompliant machines, in specific, machines that don't have Anti-Malware installed.

 

In my solution, I am performing machine authentication and I am checking Anti-Malware in two ways:

1) Anti-Malware is installed or not.

2) Data Files are updated or not.

 

For the machines that fail the first check, they receive a NonCompliant DACL. Since users don't have admin rights, they can't install Anti-Malware, so the IT team has to install it remotely.

 

How can they install the Anti-Malware when the NonCompliant DACL is applied? So far, the only way to do it, is to remove the machine from the AD group that is configured on the Authz rule (checking for Posture), install the Anti-Malware and put the machine on the AD group again, but this solution is not scalable.

 

Some more details of the solution:

1) Anti-Malware: Kaspersky

2) NonCompliant DACL: permit ICMP ; permit DHCP ; permit DNS ; permit ISE ; permit Kaspersky internal machine updates ; permit RDP (3389) ; deny private networks ; permit any

3) I am not using any Client Provisioning Portal (Anti-Malware & AnyConnect agents were installed via GPO).

 

How can I solve this?

 

Thank you a lot for your help :)

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎01-13-2020 06:15 AM

Do you have SCCM in your environment? This may aide in finding a solution: https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035
My recommendation would be to work towards having the anti-malware a part of your imaging process. Something else to consider if you have Software Center is to publish it to all users and allow installation this way. Then in your DACL for non-compliant allow connectivity there. HTH!

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎01-13-2020 06:15 AM

Do you have SCCM in your environment? This may aide in finding a solution: https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035
My recommendation would be to work towards having the anti-malware a part of your imaging process. Something else to consider if you have Software Center is to publish it to all users and allow installation this way. Then in your DACL for non-compliant allow connectivity there. HTH!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents