
ISE TC-NAC Tenable questions

Brian OHalloran
Level 4

All,

I have some questions regarding the ISE 2.2 integration with Tenable Security Center.

I read through the following guide that details how one configures ISE with Security Center.

Cisco TC-NAC with ISE and Tenable Security Center

1-One can use a centralized Tenable deployment (with Security Center and scanners) or one can deploy Tenable using host based agent scanners.

Is this use case (Tenable host based agent scanners) supported?

The guide does not discuss this type of deployment, only the deployment type with non-host based scanners.

2-What is the maximum number of Security Centers that have been tested/supported with ISE?

I am working with a large enterprise that has geographically distributed Security Centers.


3-I think the answer to the following question is no, but I'll pose it anyway.


If a scan is not initiated by ISE via the authorization policy but rather is generated by Security Center, can Security Center send ISE CVSS data in an "unsolicited" manner and have ISE process this data?


4-The TC-NAC ISE architecture does not support redundant PSNs.


According to the guide, one can deploy only one TC-NAC enabled PSN.


The sample ISE exception authorization policy described on page 8 will quarantine the user unconditionally if the CVSS score is equal to or greater than 5.


What is the ISE behavior if the lone TC-NAC PSN is unavailable?

What, if any, CVSS score does ISE use to determine if the endpoint is subject to the permissions defined in policy if the TC-NAC PSN is not available?

Is it possible to use conditions in this policy (or any other ISE policy) that would test for PSN availability and only then enforce the permissions defined in this authorization policy?

5-On page 9 of the guide, there is an ACAS_Compliant permission defined.

What, exactly, is being permitted in this permission?

Does this policy require specific TC-NAC related permissions?

Or, does one just define (without regard to TC-NAC CVSS results) whatever one wants to authorize?

6-Is there any TC-NAC feature related reason to use ISE 2.3 with this use case?

Or, is the feature set the same between 2.3 and 2.2 (I didn't notice anything in the ISE 2.3 release notes that indicated otherwise)?

Thanks,

Brian


3 Replies

jeppich
Cisco Employee

Questions answered off-line in direct correspondence with Brian.

Thanks,

John

jeppich@cisco.com

It would be good to see the answers for others to learn

Hi All,


I have a few questions with respect to Tenable integration with ISE 2.2.

1. As per the guide, there is an ACAS_Compliant permission defined.


What, exactly, is being permitted in this permission?

Which authorization policy uses this profile?

Does this policy require specific TC-NAC related permissions?


2. The sample ISE exception authorization policy described on page 8 will quarantine the user unconditionally if the CVSS score is equal to or greater than 5.

Why is the creation of the Quarantine authorization profile not shown in the document?

Is it a built-in authorization profile?


3. At step 6 in the document, the authorization policy is configured. Where specifically does this policy need to be configured?