ISE Service check Posture Policy

Hi Team,

Currently we have an Authorization policy as follows, and I've been asked to configure/modify a posture check to migrate the Service check conditions from McAfee to Windows Defender (WD) in a phased approach for the Remote Access VPN users. The NAD is an ASA and ISE is running 2.6.

Authorization Policy: Based on the users AD groups, group-policy is pushed down to the ASA from ISE

SALES_AD_Users = SALES_GROUP_POLICY

HR_AD_Users = HR_GROUP_POLICY

Domain_Users = ALL_GROUP_POLICY

Posture Policy: Mandatory

WD Policy: WD_AD_Users + Device Type: Firewall = WD check (WD policy is checked and McAfee is skipped)

Mcafee Policy: Mcafee_AD_Users + Device Type: Firewall = McAfee check (McAfee policy is checked and WD is skipped)

1. With this approach, we'd be able to migrate the AV in a phased approach and also enable the policy in Mandatory mode to enforce the corporate policies (so users have either of the Anti-virus service checks). Am I right, or will it work?

2. If you notice, the AuthZ policy contains 'Domain Users' as a catch-all policy. Do we need to configure an AuthZ policy with AD groups similar to the posture policy AD groups (to match the WD/McAfee users)?

Please be informed that we have the AuthZ policy configured and running successfully. Our requirement is now only to modify the Posture policy with the AD groups to determine which requirements are mandatory and for whom.

I've been told that the AuthZ policy may need to be modified with AD groups similar to the posture policy AD groups for this to work. Need your assistance please.

7 Replies

Mike.Cifelli
VIP Alumni

1. With this approach, we'd be able to migrate the AV in a phased approach and also enable the policy in Mandatory mode to enforce the corporate policies (so users have either of the Anti-virus service checks). Am I right, or will it work?

-Yes you are right as long as you are able to differentiate the two based on your groups as you mentioned.

2. If you notice, the AuthZ policy contains 'Domain Users' as a catch-all policy. Do we need to configure an AuthZ policy with AD groups similar to the posture policy AD groups (to match the WD/McAfee users)?

-No. As I assume you already have authz policies in place for each respective group.  Within your authz policies you are authorizing clients based on posture status being compliant/non-compliant.  IMO you should not need to reconfigure these policies.  Your focus should be on ensuring the posture assessment for the respective groups is working as expected.  I say this because I assume passed McAfee checks and passed WD checks are already setup to be authorized in their respective networks once deemed compliant.  HTH!

Hi @Mike.Cifelli

Thanks for your time and the reply. If you notice the Authorization policy, we have SALES, HR, followed by the Domain Users AD groups, and depending on the AD groups, the respective group-policy is pushed from ISE.

Now, in the Posture policy, we'd be configuring McAfee or Windows Defender AD groups which are not called DIRECTLY in the AuthZ policy. Of course, users of these AV groups are part of the 'Domain Users' in the AuthZ policy.

My query is, does it require a separate AD group AuthZ policy to match the posture policy AD groups? Or, to put it this way: I know the AuthZ result works based on the posture policy result. But do the groups of the posture policy and Authorization policy need to be similar?

I hope I'm not missing anything or confusing you. Thanks for your support.

Mike.Cifelli
VIP Alumni

My query is, does it require a separate AD group AuthZ policy to match the posture policy AD groups? Or, to put it this way: I know the AuthZ result works based on the posture policy result. But do the groups of the posture policy and Authorization policy need to be similar?

-Not necessarily.  IMO this depends on how your environment is built out.  If you push different network policy (vlan/sgt/etc.) for each group then yes you would/could rely on AD sec groups as an additional condition in regard to authz policies.  In regard to posturing and authz conditions the focus is on unknown/noncompliant/compliant states.  If both of those AD sec groups get same network policy after being deemed noncompliant/compliant, then the answer is no.  You would just need to worry about what assessments are being done to each group by differentiating the two in your posture policies that you have already mentioned.

Many thanks for the assistance provided so far. Much appreciated.

I'm scared that I've failed to provide the complete info. I'm re-sharing for reference.

Authorization Policy: Based on the users AD groups, group-policy is pushed down to the ASA from ISE

SALES_AD_Users+Compliant = SALES_GROUP_POLICY

HR_AD_Users+Compliant = HR_GROUP_POLICY

Domain_Users+Compliant = ALL_GROUP_POLICY

Now, we configure different AD groups by name in the Posture policy (but the users still remain part of the above AD groups).

Posture Policy: Mandatory

WD Policy: WD_AD_Users + Device Type: Firewall = WD check (WD policy is checked and McAfee is skipped)

Mcafee Policy: Mcafee_AD_Users + Device Type: Firewall = McAfee check (McAfee policy is checked and WD is skipped)

The users who are part of the WD/McAfee groups are still part of the HR/SALES/Domain AD groups.

My query is, should I configure the AuthZ policy as given below, or would the existing one (as shared above) still work?

WD_AD_Users + Compliant = ALL_GROUP_POLICY

Mcafee_AD_Users + Compliant = ALL_GROUP_POLICY

Hope I didn't miss anything. Please assist.

Mike.Cifelli
VIP Alumni

My query is, should I configure the AuthZ policy as given below, or would the existing one (as shared above) still work?

-The existing one will still work as expected given that the user is a part of old AD group as you mentioned via this statement:

Now, we configure different AD groups by name in the Posture policy (but the users still remain part of the above AD groups). In your scenario the user would be a part of two AD groups and ISE would be leveraging the two groups (one group for posturing and one group for authz).

-Lastly, if it makes it easier for you/your team you can configure new authz policies if you wish.  IMO this is up to you based on your requirements.  You can accomplish the same end goal either way.

Many thanks for the reply. Final one on this thread:

We have a posture policy for the 'Application' with the Other condition: Device Type: Firewall configured.

As we split up the existing posture policy based on the AD groups, would the above one be applicable for everyone, or does it also need the AD groups condition configured?

Mike.Cifelli
VIP Alumni

As we split up the existing posture policy based on the AD groups, would the above one be applicable for everyone, or does it also need the AD groups condition configured?

-The way it is set up now would be all-encompassing. Once you start splitting, you will want to split them up:

Posture policy1: Other condition: Device type: firewall AND AD group A Then run Mcafee requirement

Posture policy2: Other condition: Device type: firewall AND AD group B Then run WD requirement
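The following is an added example, not code from the thread or from Cisco ISE: a small Python model of the two-stage flow discussed above, using the policy names from the thread. It assumes that every matching posture policy's requirement applies (so a user in both AV groups would get both checks), that the authorization policy is first-match top-down, and that a session matching no authorization rule is denied; the service names and endpoints are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    ad_groups: set                      # AD groups the user belongs to
    device_type: str                    # ISE "Device Type" (Other condition)
    running_services: set = field(default_factory=set)  # constructed: AV services present

# Posture policies from the thread: (name, AD group condition or None, device type, requirement)
# A policy with no AD group condition (the 'Application' one) applies to everyone.
POSTURE_POLICIES = [
    ("WD Policy", "WD_AD_Users", "Firewall", "WD"),
    ("Mcafee Policy", "Mcafee_AD_Users", "Firewall", "McAfee"),
    ("Application", None, "Firewall", "Application"),
]

# Constructed mapping: requirement -> service that the Service check must find running
REQUIRED_SERVICE = {"WD": "WinDefend", "McAfee": "McAfeeFramework", "Application": "AppSvc"}

# Authorization policy from the thread, first match wins: (AD group, posture status, result)
AUTHZ_POLICIES = [
    ("SALES_AD_Users", "Compliant", "SALES_GROUP_POLICY"),
    ("HR_AD_Users", "Compliant", "HR_GROUP_POLICY"),
    ("Domain_Users", "Compliant", "ALL_GROUP_POLICY"),
]

def posture_requirements(ep):
    """Requirements selected for this endpoint: every matching posture policy contributes."""
    return [req for _, grp, dtype, req in POSTURE_POLICIES
            if dtype == ep.device_type and (grp is None or grp in ep.ad_groups)]

def posture_status(ep):
    """Mandatory mode: the session is Compliant only if every selected requirement passes."""
    reqs = posture_requirements(ep)
    passed = all(REQUIRED_SERVICE[r] in ep.running_services for r in reqs)
    return "Compliant" if passed else "NonCompliant"

def authorize(ep):
    """First-match authorization on AD group + posture status; no match means deny."""
    status = posture_status(ep)
    for grp, wanted, result in AUTHZ_POLICIES:
        if grp in ep.ad_groups and status == wanted:
            return result
    return "DenyAccess"
```

The posture AD groups (WD_AD_Users, Mcafee_AD_Users) never appear in the authorization policy; the user still lands on the catch-all Domain_Users rule once Compliant, which is the point made in the accepted answer.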
