cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2097
Views
0
Helpful
1
Replies

Cisco ISE - Posture NonCompliant Corrections

PedroDias1994
Level 1
Level 1

Hi all,

 

I am implementing Posture on ISE 2.4 and everything is working and running smoothly, but I have one little problem with the NonCompliant machines, in specific, machines that don't have Anti-Malware installed.

 

In my solution, I am performing machine authentication and I am checking Anti-Malware in two ways:

1) Anti-Malware is installed or not.

2) Data Files are updated or not.

 

For the machines that fail the first check, they receive a NonCompliant DACL. Since users don't have admin rights, they can't install Anti-Malware, so the IT team has to install it remotely.

 

How can they install the Anti-Malware when the NonCompliant DACL is applied? So far, the only way to do it, is to remove the machine from the AD group that is configured on the Authz rule (checking for Posture), install the Anti-Malware and put the machine on the AD group again, but this solution is not scalable.

 

Some more details of the solution:

1) Anti-Malware: Kaspersky

2) NonCompliant DACL: permit ICMP ; permit DHCP ; permit DNS ; permit ISE ; permit Kaspersky internal machine updates ; permit RDP (3389) ; deny private networks ; permit any

3) I am not using any Client Provisioning Portal (Anti-Malware & AnyConnect agents were installed via GPO).

 

How can I solve this?

 

Thank you a lot for your help :)

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni
Do you have SCCM in your environment? This may aide in finding a solution: https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035
My recommendation would be to work towards having the anti-malware a part of your imaging process. Something else to consider if you have Software Center is to publish it to all users and allow installation this way. Then in your DACL for non-compliant allow connectivity there. HTH!

View solution in original post

1 Reply 1

Mike.Cifelli
VIP Alumni
VIP Alumni
Do you have SCCM in your environment? This may aide in finding a solution: https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035
My recommendation would be to work towards having the anti-malware a part of your imaging process. Something else to consider if you have Software Center is to publish it to all users and allow installation this way. Then in your DACL for non-compliant allow connectivity there. HTH!