ISE Automatic Remediation

Unanswered Question
Aug 3rd, 2012


We've been deploying an ISE solution (version 1.1.0-665) at one customer and we have one doubt regarding Posture Assessment/Remediation. We're trying to check AV installation and definitions, and this check is working fine, but things get a little more complicated when we try to remediate the machines.

In our Posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers as well as the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP) and redirect all HTTP and HTTPS traffic to the ISE in order to force Posture for users who need the Web Agent.

This means that when Posture Assessment fails and we need to remediate the client's machine, we are going to have problems performing automatic remediation, since our AV (McAfee), like many others, tries to reach its update servers on port 80, and that traffic will be redirected per the Redirect ACL.

Is there a way to overcome this problem? Including update servers in our Redirect ACL deny lines is not an option, since there are too many and they are dynamic.

Can you help us with this issue? Thanks!

Best regards,

Carlos Morais

Tarik Admani Sun, 08/12/2012 - 13:09

That is your only option. My suggestion is to deny the traffic to mcafee subnet and test.
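The redirect ACL described in the question, with the per-subnet exemption Tarik suggests, written out as an added example (not configuration from the thread); the ISE address 10.0.0.5 and the vendor update subnet 192.0.2.0/24 are placeholders. On a Catalyst switch, `deny` in a redirect ACL means "do not redirect" and `permit` means "redirect to ISE"; on a WLC the sense is inverted.

```cisco
! Added example: ISE posture redirect ACL on a Catalyst switch.
! Lines marked deny are exempted from redirection, lines marked permit are sent to ISE.
ip access-list extended ISE-POSTURE-REDIRECT
 ! Infrastructure traffic the client needs before posture can run
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   icmp any any
 ! Posture/agent traffic to the ISE node (placeholder address 10.0.0.5)
 deny   tcp any host 10.0.0.5 eq 8443
 deny   tcp any host 10.0.0.5 range 8905 8906
 deny   udp any host 10.0.0.5 range 8905 8906
 ! Tarik's suggestion: exempt one AV vendor's update subnet (placeholder 192.0.2.0/24)
 ! so the agent can fetch definitions over port 80 during remediation.
 deny   ip  any 192.0.2.0 0.0.0.255
 ! Everything else on HTTP/HTTPS is redirected to the ISE portal
 permit tcp any any eq www
 permit tcp any any eq 443
```

The exemption only works for vendors whose update servers sit in a known, stable address range, which is exactly the limitation the original poster raises; this ACL cannot match on DNS names.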

carlos.morais Thu, 08/16/2012 - 07:56

Hi, Tarik.

Thanks for your answer. We've opened a case in TAC and we are working to find the best solution. Denying traffic redirection for McAfee subnet is not a solution for us, since we want to control every machine (from inside and outside the company) and we want to allow all AV vendors.

Best regards,

Carlos Morais

Octavian Szolga Fri, 04/19/2013 - 01:29
Did TAC find a solution for providing access to external remediation servers (not internal, managed ones) based on domain name rather than IP?

carlos.morais Mon, 04/22/2013 - 06:40
No, there is no way of doing automatic remediation against external servers unless you exempt them from redirection in the Posture ACL. They have a NAC-style solution on the roadmap, however. I'm including below the answer provided by TAC:

"If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."

Best regards,

Carlos Morais

Posted August 3, 2012 at 6:45 AM