Posture Assessment through Cisco ISE 3.1 in distributed deployment

I am planning to deploy posture assessment in my environment. I have three clustered ISE nodes v3.1, all with PSN enabled, and two admin and monitoring roles (primary and secondary). So, I need your expertise/advice on the best/recommended deployment, more especially in the creation of the authorization policies for posture statuses (unknown, non-compliant and compliant). Is it required to have an authorisation policy for each status? For example, assuming my nodes are as follows: ISE1, ISE2, ISE3. Am I required to create an unknown authorisation policy for ISE1, ISE2, and ISE3, a non-compliant authz policy for ISE1, ISE2, ISE3, and a compliant policy for ISE1, ISE2, ISE3?

Also, for the web redirection in the unknown-status profile, is it required to state the static IP/host for each ISE node?


I will do my best to assist; however, your question is slightly confusing.

1) An authorization policy is required for each policy element. That being said, you would not need to create them individually for each server in a cluster; rather, you would create a single Authz result for Compliant (typically ACCESS_ACCEPT), Non-Compliant (ACCESS_ACCEPT with a dynamic VLAN or dACL to restrict access) or Unknown (which includes the URL redirect).
Below is a link to an exceptionally well-written guide that can help you to understand each aspect and how to integrate. Overall, the policies and requirements must come from you or your organization to meet the intent of your posture requirements.
https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273

Thank you for the helpful response. Based on your response, you seem to understand my question. But I still have questions: how does the PSN that is doing the assessment know which node authenticated the endpoint? What if all the PSNs fight or compete to do the posture assessment, even the ones that did not authenticate the endpoint?

The NAD (network access device) can operate in one of two modes:

Load balance (command load-balance least outstanding)

Linear (the order you define in the switch)


You can manually load balance across your network or manage primary/secondary for distributed setups.


ISE knows which network device sent the request but posturing is strictly client side (at the host computer). The posture “checklist” is sent to the host and the posture module on the device performs the checks. Once complete the node sends the results to ISE and a change of authorization is performed when required to apply the appropriate network access policy.
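The NAD side of what Martin describes, as an added example that is not from this thread or from Cisco's own documentation: a Cisco IOS-XE switch configuration that puts all three PSNs in one RADIUS server group with least-outstanding load balancing, trusts CoA from every node (since the node that receives the posture result may not be the one that authenticated the session), and carries the redirect ACL that the Unknown authorization profile references. The node names, addresses, shared secret and ACL name are placeholders I made up.

```ios
! Three PSNs, one per ISE node (placeholder addresses and shared secret)
radius server ISE1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
radius server ISE2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
radius server ISE3
 address ipv4 192.0.2.13 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
! One server group: the switch spreads sessions across the PSNs by
! least outstanding requests instead of using them strictly in listed order
aaa group server radius ISE-PSN
 server name ISE1
 server name ISE2
 server name ISE3
 load-balance method least-outstanding
!
aaa authentication dot1x default group ISE-PSN
aaa authorization network default group ISE-PSN
aaa accounting dot1x default start-stop group ISE-PSN
!
! The posture result comes from the client to ISE, and the follow-up CoA
! can be sent by any node, so every PSN must be a trusted CoA client
aaa server radius dynamic-author
 client 192.0.2.11 server-key PLACEHOLDER-SHARED-SECRET
 client 192.0.2.12 server-key PLACEHOLDER-SHARED-SECRET
 client 192.0.2.13 server-key PLACEHOLDER-SHARED-SECRET
 auth-type any
!
! Redirect ACL named by the Unknown authorization profile. In a redirect
! ACL, "deny" means do NOT redirect (DHCP, DNS and traffic to the PSNs must
! pass through), "permit" means intercept and redirect to the posture portal
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq bootps
 deny   udp any any eq domain
 deny   ip any host 192.0.2.11
 deny   ip any host 192.0.2.12
 deny   ip any host 192.0.2.13
 permit tcp any any eq www
 permit tcp any any eq 443
```

The switch must also be added in ISE as a network device with the same shared secret and CoA enabled; the redirect URL itself is supplied by the Unknown authorization profile, so the NAD only references the ACL name.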

Thanks Martin, much appreciated. Could you please point me to a Cisco document that speaks to that?

There are a couple of guides that tap dance around the process. Below are two links which provide quite a bit of material. At the end of the day there are multiple methods that can be used to posture assess (agent vs. agentless), all of which have use cases and separate scenarios. You will be required to understand your organization's posture policy (or develop one).
The last link is more from the design/framework side, which is based around Zero-trust, which is the core tenet of posturing to begin with. If you are unsure of how to get after developing a posture environment that meets the intent of your security requirements, I would recommend reviewing the Zero-trust guide, as it may give you some ideas on how to tackle this problem.

https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-frameworks.html

Please be sure to mark as helpful and accept as a solution if these answered your question!

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_compliance.html#ID873
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html