ISE Automatic Remediation

Carlos Morais
Level 1

Hi,

We've been deploying an ISE solution (version 1.1.0-665) at one customer and we have one question regarding Posture Assessment/Remediation. We're trying to check AV installation and definitions, and this check is working fine, but things get a little more complicated when we try to remediate the machines.

In our Posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers, nor the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP), and we redirect all HTTP and HTTPS traffic to the ISE in order to force Posture for users who need the Web Agent.

And this means that when Posture Assessment fails and we need to remediate the client's machine, we are going to have problems performing automatic remediation, since our AV (McAfee), like many others, tries to reach its update servers on port 80, and that traffic will be redirected per the Redirect ACL.

Is there a way to overcome this problem? Including update servers in our Redirect ACL deny lines is not an option, since there are too many and they are dynamic.

Can you help us with this issue? Thanks!

Best regards,

Carlos Morais

4 Replies

Tarik Admani
VIP Alumni

That is your only option. My suggestion is to deny the traffic to the McAfee subnet and test.
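To make the redirect ACL described in the original post and the exemption Tarik suggests concrete, here is an added example of what that ACL looks like on a Cisco IOS switch. It is illustrative, not configuration from the thread or from Cisco: the addresses (10.1.1.10 for the ISE PSN, 10.1.1.20 for DNS, 203.0.113.0/24 as the "McAfee subnet") are placeholders, and it assumes IOS switch redirect-ACL semantics, where a "deny" entry means "do not redirect" and a "permit" entry means "redirect to ISE".

```cisco
! Added example: posture redirect ACL for a Cisco IOS switch.
! Assumed semantics: deny = traffic passes without redirection, permit = redirected to the ISE portal.
! 10.1.1.10 (ISE PSN), 10.1.1.20 (DNS) and 203.0.113.0/24 (AV update subnet) are placeholder addresses.
ip access-list extended POSTURE-REDIRECT
 remark --- infrastructure the client needs before and during posture: not redirected ---
 deny   udp any any eq bootps
 deny   udp any host 10.1.1.20 eq domain
 deny   icmp any any
 remark --- agent/posture traffic to the ISE node: not redirected ---
 deny   tcp any host 10.1.1.10 eq 8905
 deny   udp any host 10.1.1.10 eq 8905
 deny   udp any host 10.1.1.10 eq 8906
 deny   tcp any host 10.1.1.10 eq 8443
 remark --- the exemption Tarik suggests: the AV vendor's update subnet (placeholder range) ---
 deny   ip any 203.0.113.0 0.0.0.255
 remark --- all other web traffic is redirected to the ISE portal ---
 permit tcp any any eq www
 permit tcp any any eq 443
```

Read against the thread: an AV updater that fetches definitions over port 80 from any server outside 203.0.113.0/24 matches the `permit tcp any any eq www` line and is redirected, which is exactly the failure the original post describes, and the only knob in this ACL that changes that is adding more `deny` lines, one per update server range. The redirect ACL also decides only what is sent to the portal; whether the non-redirected traffic is actually allowed is still governed by the downloadable ACL (dACL) ISE pushes for the posture-pending state, so an update subnet exempted here must also be permitted there.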

Hi, Tarik.

Thanks for your answer. We've opened a case with TAC and we are working to find the best solution. Denying traffic redirection for the McAfee subnet is not a solution for us, since we want to control every machine (from inside and outside the company) and we want to allow all AV vendors.

Best regards,

Carlos Morais

Hi,

Did TAC find a solution for providing access to external remediation servers (not internal, managed ones) based on domain name rather than IP?

Hi,

No, there is no way of doing automatic remediation against external servers unless you exempt them from redirection in the Posture ACL. They have a NAC-style solution on the roadmap, however. I'm sending below the answer provided by TAC:

"If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."

Best regards,

Carlos Morais
