ISE Posture capabilities limit

We have an ISE distributed deployment and we use ISE for wired and wireless access through the dot1x and Easy Connect methods.
My manager wants to utilize the ISE posture capabilities in our environment. We need to check how to do the below tasks with ISE posture, keeping in mind that we intend to use the NAC agent (also, if AnyConnect is needed in any of the below situations, please advise):

1. Give access using a policy based on time (limited access during working hours and internet-only access after working hours)?
2. Will non-compliant devices return to the production VLAN after remediation, when the reason that made them non-compliant disappears?
3. Can the solution be fully automated, i.e. fix devices that are not compliant automatically? For example:
   - device without McAfee: will ISE install McAfee?
   - device with McAfee but not updated: will ISE auto-update it?
   - automatically install updates for Windows devices that are not updated?
4. Can we build new roles based on our OS and antivirus?
5. Integrate and communicate with McAfee to isolate a detected device?
6. If the ISE system is down, what will happen in our network (for example to connected devices and new devices)?
7. Can ISE integrate with Juniper and Palo Alto GlobalProtect?
8. Can ISE integrate with the Palo Alto next-generation firewall?
9. Ability to stop USB ports on a device?


Charlie Moreton
Cisco Employee

First and foremost, which version and patch level of ISE do you have installed?

1. Give access using a policy based on time (limited access during working hours and internet-only access after working hours)?

- Yes.

Before You Begin
To perform the following task, you must be a Super Admin or Policy Admin.
Step 1 Choose Policy > Policy Elements > Conditions > Time and Date > Add.
Step 2 Enter appropriate values in the fields.
• In the Standard Settings area, specify the time and date to provide access.
• In the Exceptions area, specify the time and date range to limit access.
Step 3 Click Submit.

2. Will non-compliant devices return to the production VLAN after remediation, when the reason that made them non-compliant disappears?

- Yes. After remediation, the posture check is run again and, upon success, placement in the correct VLAN will happen.


3. Can the solution be fully automated, i.e. fix devices that are not compliant automatically? For example:
   - device without McAfee: will ISE install McAfee?
   - device with McAfee but not updated: will ISE auto-update it?
   - automatically install updates for Windows devices that are not updated?

- Automatic remediation can be configured.


4. Can we build new roles based on our OS and antivirus?

- Yes.


5. Integrate and communicate with McAfee to isolate a detected device?

- ISE can detect the installation of, and definition dates for, AV.


6. If the ISE system is down, what will happen in our network (for example to connected devices and new devices)?

- If the whole (HA) ISE system is down, logged-in users will continue to be authorized, whereas new users would not be able to authenticate onto the network. This can be mitigated through the use of specific switchport configurations, for example:

authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice

7. Can ISE integrate with Juniper and Palo Alto GlobalProtect?

- This integration does not exist today; however, Cisco has opened up the ISE APIs and pxGrid connectivity to the security community as a whole. If the companies referenced want the integration, all they need to do is build it into their products.


8. Can ISE integrate with the Palo Alto next-generation firewall?

- Check this link:

https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295


9. Ability to stop USB ports on a device?

- v2.1 allows a persistent check for USB mass storage devices and can force non-compliance when a storage device (USB flash drive, external hard drive, etc.) is attached.

I hope this helps.
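The two "server dead" lines quoted in the reply only work if the switch can actually tell that ISE is dead and has somewhere to put the ports in the meantime. Below is an added example, not part of the original post or of Cisco's documentation, of a complete critical-authentication configuration for a Cisco IOS access switch in the classic IBNS style, showing the port with and without the fallback lines. The server names and addresses, the shared-secret placeholder, the probe username, the interface and the VLAN IDs (10 data, 20 voice, 50 critical) are assumptions for illustration.

```ios
! Added example (not from the original post): critical-authentication fallback
! for an access switch when every ISE PSN is unreachable. All names, addresses,
! VLAN IDs and the key placeholder are assumptions for illustration.
!
! 1. AAA against ISE. The automate-tester makes the switch probe each PSN on a
!    timer, so a dead server is noticed even with no real authentications in flight.
aaa new-model
radius server ISE-PSN-1
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 automate-tester username radius-probe ignore-acct-port probe-on
 key RadiusSecretPlaceholder
radius server ISE-PSN-2
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 automate-tester username radius-probe ignore-acct-port probe-on
 key RadiusSecretPlaceholder
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
dot1x system-auth-control
!
! 2. Dead criteria: a PSN is marked dead after 3 unanswered requests over 5 s,
!    and stays marked dead for 15 minutes before the switch tries it again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! 3. While all servers are dead, answer EAPOL-Start from supplicants so hosts
!    are not left waiting on an EAP exchange that can never complete.
dot1x critical eapol
!
! 4a. Weak form: a normal 802.1X/MAB port with no dead-server action. During an
!     ISE outage new hosts stay unauthorized, and a reauthentication timer can
!     drop hosts that were already on the network.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! 4b. Hardened form: same port plus the critical-auth actions. Data hosts are
!     placed in VLAN 50, phones keep the voice VLAN, and once a PSN answers
!     again every session is reinitialized so it gets a real authorization.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event server dead action reinitialize vlan 50
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Two practical notes. `reinitialize vlan 50` moves hosts already on the port into the critical VLAN as well as new ones, whereas `authorize vlan 50` would leave existing sessions untouched and only place new hosts; pick the one that matches how much you trust the existing authorizations to outlive the outage. And VLAN 50 must exist on the switch and carry only what you are willing to expose to an unauthenticated host (typically internet and nothing internal), since during the outage nobody is checking posture or identity; `show authentication sessions` and `show radius server-group all` are the commands to confirm which state a port and the PSNs are in.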
