Cisco ISE - Posture NonCompliant Corrections

PedroDias1994
Level 1

Hi all,

I am implementing Posture on ISE 2.4 and everything is working and running smoothly, but I have one little problem with the NonCompliant machines, specifically machines that don't have Anti-Malware installed.

In my solution, I am performing machine authentication and I am checking Anti-Malware in two ways:

1) Anti-Malware is installed or not.

2) Data Files are updated or not.

For the machines that fail the first check, they receive a NonCompliant DACL. Since users don't have admin rights, they can't install Anti-Malware, so the IT team has to install it remotely.

How can they install the Anti-Malware when the NonCompliant DACL is applied? So far, the only way to do it is to remove the machine from the AD group that is configured on the Authz rule (checking for Posture), install the Anti-Malware and put the machine in the AD group again, but this solution is not scalable.

Some more details of the solution:

1) Anti-Malware: Kaspersky

2) NonCompliant DACL: permit ICMP ; permit DHCP ; permit DNS ; permit ISE ; permit Kaspersky internal machine updates ; permit RDP (3389) ; deny private networks ; permit any

3) I am not using any Client Provisioning Portal (Anti-Malware & AnyConnect agents were installed via GPO).

How can I solve this?

Thank you a lot for your help :)

1 Accepted Solution

Mike.Cifelli
VIP Alumni
Do you have SCCM in your environment? This may aid in finding a solution: https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035
My recommendation would be to work towards having the anti-malware a part of your imaging process. Something else to consider if you have Software Center is to publish it to all users and allow installation this way. Then in your DACL for non-compliant allow connectivity there. HTH!
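
The reply's last point depends on entry order: the DACL in the question denies private networks before its final permit, so an entry for the software distribution server only takes effect if it sits ahead of that deny. The sketch below is an added example, not part of the original posts; it models the listed entries with first-match evaluation, and every address, the port 443 and the reading of the RDP entry as replies sourced from port 3389 are assumptions.

```python
import ipaddress

ANY = "0.0.0.0/0"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Constructed placeholder addresses (assumptions, not from the posts).
ISE_PSN = "10.10.10.5/32"
KASPERSKY = "10.10.10.30/32"
SOFTWARE_DP = "10.10.10.40/32"  # hypothetical Software Center / SCCM distribution point


def rule(action, proto, dst=ANY, dport=None, sport=None):
    return {"action": action, "proto": proto,
            "dst": ipaddress.ip_network(dst), "dport": dport, "sport": sport}


def noncompliant_dacl(extra=()):
    """Entries in the order given in the question; `extra` entries are
    placed ahead of the private-network deny."""
    acl = [
        rule("permit", "icmp"),
        rule("permit", "udp", dport=67),     # DHCP
        rule("permit", "udp", dport=53),     # DNS
        rule("permit", "ip", ISE_PSN),       # ISE
        rule("permit", "ip", KASPERSKY),     # Kaspersky internal updates
        rule("permit", "tcp", sport=3389),   # RDP replies from the endpoint (assumed reading)
    ]
    acl += list(extra)
    acl += [rule("deny", "ip", net) for net in RFC1918]
    acl.append(rule("permit", "ip"))         # permit any
    return acl


def evaluate(acl, proto, dst, dport=None, sport=None):
    """Return (action, 1-based entry number) of the first match; implicit deny otherwise."""
    addr = ipaddress.ip_address(dst)
    for number, r in enumerate(acl, 1):
        if r["proto"] not in ("ip", proto) or addr not in r["dst"]:
            continue
        if r["dport"] not in (None, dport) or r["sport"] not in (None, sport):
            continue
        return r["action"], number
    return "deny", None


if __name__ == "__main__":
    as_posted = noncompliant_dacl()
    with_dp = noncompliant_dacl([rule("permit", "tcp", SOFTWARE_DP, dport=443)])
    for name, acl in (("as posted", as_posted), ("with DP permit", with_dp)):
        print(name, evaluate(acl, "tcp", "10.10.10.40", dport=443))
```

Scoping the added permit to the distribution point's address and port keeps the rest of the private address space behind the deny for non-compliant machines.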
