ISE Automatic Remediation

Hi,

We've been deploying an ISE solution (version 1.1.0-665) at one customer and we have a question regarding Posture Assessment/Remediation. We're trying to check AV installation and definitions, and this check is working fine, but things get a little bit complicated when we try to remediate the machines.

In our Posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers as well as the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP) and redirect all HTTP and HTTPS traffic to the ISE in order to force Posture for users who need the Web Agent.

And this means that when Posture Assessment fails and we need to remediate the client's machine, we are going to have problems performing automatic remediation, since our AV (McAfee), as well as many others, tries to access update servers using port 80, and that traffic will be redirected per the Redirect ACL.

Is there a way to overcome this problem? Including update servers in our Redirect ACL deny lines is not an option, since there are too many and they are dynamic.

Can you help us with this issue? Thanks!

Best regards,

Carlos Morais


ISE Automatic Remediation

That is your only option. My suggestion is to deny the traffic to the McAfee subnet and test.

Tarik Admani *Please rate helpful posts*
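The redirect ACL the question describes, with the vendor-subnet exemption suggested in the reply above, written out as an added example (not configuration posted by either participant); the ISE PSN address 192.0.2.10 and the AV update subnet 198.51.100.0/24 are constructed placeholders.

```cisco
! Added example, not from the thread. On a Catalyst switch redirect ACL,
! "deny" means "do not redirect" and "permit" means "redirect to ISE".
! 192.0.2.10 (ISE PSN) and 198.51.100.0/24 (AV update servers) are
! placeholder addresses.
ip access-list extended POSTURE-REDIRECT
 remark --- infrastructure traffic that must never be redirected ---
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   icmp any any
 remark --- posture agent / portal traffic to the ISE PSN (TCP/UDP 8905, 8906, 8443) ---
 deny   tcp any host 192.0.2.10 eq 8443
 deny   tcp any host 192.0.2.10 eq 8905
 deny   udp any host 192.0.2.10 eq 8905
 deny   tcp any host 192.0.2.10 eq 8906
 deny   udp any host 192.0.2.10 eq 8906
 remark --- exemption suggested in the reply: AV vendor update subnet by IP ---
 deny   tcp any 198.51.100.0 0.0.0.255 eq 80
 deny   tcp any 198.51.100.0 0.0.0.255 eq 443
 remark --- everything else on HTTP/HTTPS is redirected to the posture portal ---
 permit tcp any any eq 80
 permit tcp any any eq 443
```

The redirect ACL only selects which flows are intercepted; the downloadable ACL applied to the session still has to permit the exempted traffic. Any update server the AV client contacts outside the exempted subnet is still sent to the portal, which is exactly the limitation the thread ends on.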

ISE Automatic Remediation

Hi, Tarik.

Thanks for your answer. We've opened a case in TAC and we are working to find the best solution. Denying traffic redirection for McAfee subnet is not a solution for us, since we want to control every machine (from inside and outside the company) and we want to allow all AV vendors.

Best regards,

Carlos Morais


ISE Automatic Remediation

Hi,

Did TAC find a solution for providing external access to external remediation servers (not internal, managed) based on domain name and not IP?


ISE Automatic Remediation

Hi,

No, there is no way of doing automatic remediation on external servers unless you exempt them from redirection in the Posture ACL. They have a NAC-style solution on the roadmap, however. I'm sending below the answer provided by TAC:

"If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."

Best regards,

Carlos Morais
