Home > Cisco > Interface > Cisco Ise 13 User Guide

Cisco Ise 13 User Guide

Add to Favourites
    Download as PDF

    Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

    Overview View all the pages Comments

    Page 611

    Page 611 CHAPTER 23 Configure Client Posture Policies PostureisaserviceinCiscoIdentityServicesEngine(CiscoISE)thatallowsyoutocheckthestate,also knownasposture,ofalltheendpointsthatareconnectingtoanetworkforcompliancewithcorporatesecurity policies.Thisallowsyoutocontrolclientstoaccessprotectedareasofanetwork. •PostureService,page566 •PostureAdministrationSettings,page569 •DownloadPostureUpdatestoCiscoISE,page572 •ConfigureAcceptableUsePoliciesforPostureAssessment,page573 •PostureConditions,page574... 
    CHAPTER 23
Configure Client Posture Policies
PostureisaserviceinCiscoIdentityServicesEngine(CiscoISE)thatallowsyoutocheckthestate,also
knownasposture,ofalltheendpointsthatareconnectingtoanetworkforcompliancewithcorporatesecurity
policies.Thisallowsyoutocontrolclientstoaccessprotectedareasofanetwork.
•PostureService,page566
•PostureAdministrationSettings,page569
•DownloadPostureUpdatestoCiscoISE,page572
•ConfigureAcceptableUsePoliciesforPostureAssessment,page573
•PostureConditions,page574...

    Page 612

    Page 612 •CustomPermissionsforPosture,page587 •ConfigureStandardAuthorizationPolicies,page588 Posture Service PostureisaserviceinCiscoIdentityServicesEngine(CiscoISE)thatallowsyoutocheckthestate,also knownasposture,ofalltheendpointsthatareconnectingtoanetworkforcompliancewithcorporatesecurity policies.Thisallowsyoutocontrolclientstoaccessprotectedareasofanetwork. ClientsinteractwiththepostureservicethroughtheAnyConnectISEPostureAgentorNetworkAdmission... 
    •CustomPermissionsforPosture,page587
•ConfigureStandardAuthorizationPolicies,page588
Posture Service
PostureisaserviceinCiscoIdentityServicesEngine(CiscoISE)thatallowsyoutocheckthestate,also
knownasposture,ofalltheendpointsthatareconnectingtoanetworkforcompliancewithcorporatesecurity
policies.Thisallowsyoutocontrolclientstoaccessprotectedareasofanetwork.
ClientsinteractwiththepostureservicethroughtheAnyConnectISEPostureAgentorNetworkAdmission...

    Page 613

    Page 613 ThemessagesusedinthePosturePhaseareintheNEAPB/PAformat(RFC5792). Posture and Client-Provisioning Policies Workflow Figure 33: Posture and Client Provisioning Policies Workflow in Cisco ISE Posture Service Licenses CiscoISEprovidesyouwiththreetypesoflicenses,theBaselicense,thePluslicense,andtheApexlicense. IfyouhavenotinstalledtheApexlicenseonthePrimaryPAN,thentheposturerequestswillnotbeserved inCiscoISE.ThepostureserviceofCiscoISEcanrunonasinglenodeoronmultiplenodes. Posture Service Deployment... 
    ThemessagesusedinthePosturePhaseareintheNEAPB/PAformat(RFC5792).
Posture and Client-Provisioning Policies Workflow
Figure 33: Posture and Client Provisioning Policies Workflow in Cisco ISE
Posture Service Licenses
CiscoISEprovidesyouwiththreetypesoflicenses,theBaselicense,thePluslicense,andtheApexlicense.
IfyouhavenotinstalledtheApexlicenseonthePrimaryPAN,thentheposturerequestswillnotbeserved
inCiscoISE.ThepostureserviceofCiscoISEcanrunonasinglenodeoronmultiplenodes.
Posture Service Deployment...

    Page 614

    Page 614 Theothernodesthatrunotherservicesarethesecondarynodeswhichcanbeconfiguredforbackupservices foroneanother. Enable Posture Session Service in Cisco ISE Before You Begin •YoumustenablesessionservicesinCiscoISEandinstalltheadvancedlicensepackagetoserveallthe posturerequestsreceivedfromtheclients. •Ifyouhavemorethanonenodethatisregisteredinadistributeddeployment,allthenodesthatyou haveregisteredappearintheDeploymentNodespage,apartfromtheprimarynode.Youcanconfigure... 
    Theothernodesthatrunotherservicesarethesecondarynodeswhichcanbeconfiguredforbackupservices
foroneanother.
Enable Posture Session Service in Cisco ISE
Before You Begin
•YoumustenablesessionservicesinCiscoISEandinstalltheadvancedlicensepackagetoserveallthe
posturerequestsreceivedfromtheclients.
•Ifyouhavemorethanonenodethatisregisteredinadistributeddeployment,allthenodesthatyou
haveregisteredappearintheDeploymentNodespage,apartfromtheprimarynode.Youcanconfigure...

    Page 615

    Page 615 Posture Administration Settings YoucangloballyconfiguretheAdminportalforpostureservices.Youcandownloadupdatesautomatically totheCiscoISEserverthroughthewebfromCisco.YoucanalsoupdateCiscoISEmanuallyofflinelater. Inaddition,havinganagentlikeAnyConnect,theNACAgent,ortheWebAgentinstalledontheclients providespostureassessmentandremediationservicestoclients.Theclientagentperiodicallyupdatesthe compliancestatusofclientstoCiscoISE.Afterloginandsuccessfulrequirementassessmentforposture,the... 
    Posture Administration Settings
YoucangloballyconfiguretheAdminportalforpostureservices.Youcandownloadupdatesautomatically
totheCiscoISEserverthroughthewebfromCisco.YoucanalsoupdateCiscoISEmanuallyofflinelater.
Inaddition,havinganagentlikeAnyConnect,theNACAgent,ortheWebAgentinstalledontheclients
providespostureassessmentandremediationservicestoclients.Theclientagentperiodicallyupdatesthe
compliancestatusofclientstoCiscoISE.Afterloginandsuccessfulrequirementassessmentforposture,the...

    Page 616

    Page 616 failureofposture.Whensuccessfullypostured,CiscoISEallowsclientstotransitionfromunknownto compliantmodewithinthetimespecifiedinthenetworktransitiondelaytimer.Uponfailureofposture,Cisco ISEallowsclientstotransitionfromunknowntononcompliantmodewithinthetimespecifiedinthetimer. Procedure Step 1ChooseAdministration>System>Settings>Posture>GeneralSettings. Step 2Enteratimevalueinseconds,intheNetworkTransitionDelayfield. Thedefaultvalueis3seconds.Thevalidrangeis2to30seconds. Step 3ClickSave. Set Login Success... 
    failureofposture.Whensuccessfullypostured,CiscoISEallowsclientstotransitionfromunknownto
compliantmodewithinthetimespecifiedinthenetworktransitiondelaytimer.Uponfailureofposture,Cisco
ISEallowsclientstotransitionfromunknowntononcompliantmodewithinthetimespecifiedinthetimer.
Procedure
Step 1ChooseAdministration>System>Settings>Posture>GeneralSettings.
Step 2Enteratimevalueinseconds,intheNetworkTransitionDelayfield.
Thedefaultvalueis3seconds.Thevalidrangeis2to30seconds.
Step 3ClickSave.
Set Login Success...

    Page 617

    Page 617 Procedure Step 1ChooseAdministration>System>Settings>Posture>GeneralSettings. Step 2FromtheDefaultPostureStatusdrop-downlist,choosetheoptionasCompliantorNoncompliant. Step 3ClickSave. Posture Lease YoucanconfigureCiscoISEtoperformpostureassessmenteverytimeauserlogsintoyournetworkor performpostureassessmentinspecifiedintervals.Thevalidrangeis1to365days. ThisconfigurationappliesonlyforthosewhouseAnyConnectagentforpostureassessment. Periodic Reassessments... 
    Procedure
Step 1ChooseAdministration>System>Settings>Posture>GeneralSettings.
Step 2FromtheDefaultPostureStatusdrop-downlist,choosetheoptionasCompliantorNoncompliant.
Step 3ClickSave.
Posture Lease
YoucanconfigureCiscoISEtoperformpostureassessmenteverytimeauserlogsintoyournetworkor
performpostureassessmentinspecifiedintervals.Thevalidrangeis1to365days.
ThisconfigurationappliesonlyforthosewhouseAnyConnectagentforpostureassessment.
Periodic Reassessments...

    Page 618

    Page 618 •IfaPRAconfigurationalreadyexistswithauseridentitygroup“Any”,youcannotcreateotherPRA configurationsunlessyouperformoneofthefollowing: ◦UpdatetheexistingPRAconfigurationwiththeAnyuseridentitygrouptoreflectauseridentity groupotherthanAny. ◦DeletetheexistingPRAconfigurationwithauseridentitygroup“Any”. Procedure Step 1ChooseAdministration>System>Settings>Posture>Reassessments. Step 2ClickAdd. Step 3ModifythevaluesintheNewReassessmentConfigurationpagetocreateanewPRA. Step... 
    •IfaPRAconfigurationalreadyexistswithauseridentitygroup“Any”,youcannotcreateotherPRA
configurationsunlessyouperformoneofthefollowing:
◦UpdatetheexistingPRAconfigurationwiththeAnyuseridentitygrouptoreflectauseridentity
groupotherthanAny.
◦DeletetheexistingPRAconfigurationwithauseridentitygroup“Any”.
Procedure
Step 1ChooseAdministration>System>Settings>Posture>Reassessments.
Step 2ClickAdd.
Step 3ModifythevaluesintheNewReassessmentConfigurationpagetocreateanewPRA.
Step...

    Page 619

    Page 619 Step 4ModifythevaluesonthePostureUpdatespage. Step 5ClickUpdateNowtodownloadupdatesfromCisco. Step 6ClickOKtocontinuewithothertasksonCiscoISE. Onceupdated,thePostureUpdatespagedisplaysthecurrentCiscoupdatesversioninformationasaverification ofanupdateunderUpdateInformationsectioninthePostureUpdatespage. Download Posture Updates Automatically Afteraninitialupdate,youcanconfigureCiscoISEtocheckfortheupdatesanddownloadthemautomatically. Before You Begin... 
    Step 4ModifythevaluesonthePostureUpdatespage.
Step 5ClickUpdateNowtodownloadupdatesfromCisco.
Step 6ClickOKtocontinuewithothertasksonCiscoISE.
Onceupdated,thePostureUpdatespagedisplaysthecurrentCiscoupdatesversioninformationasaverification
ofanupdateunderUpdateInformationsectioninthePostureUpdatespage.
Download Posture Updates Automatically
Afteraninitialupdate,youcanconfigureCiscoISEtocheckfortheupdatesanddownloadthemautomatically.
Before You Begin...

    Page 620

    Page 620 Procedure Step 1ChooseAdministration>System>Settings>Posture>AcceptableUsePolicy. Step 2ClickAdd. Step 3ModifythevaluesintheNewAcceptableUsePolicyConfigurationpage. Step 4ClickSubmit. Posture Conditions Apostureconditioncanbeanyoneofthefollowingsimpleconditions:afile,aregistry,anapplication,a service,oradictionarycondition.Oneormoreconditionsfromthesesimpleconditionsformacompound condition,whichcanbeassociatedtoaposturerequirement.... 
    Procedure
Step 1ChooseAdministration>System>Settings>Posture>AcceptableUsePolicy.
Step 2ClickAdd.
Step 3ModifythevaluesintheNewAcceptableUsePolicyConfigurationpage.
Step 4ClickSubmit.
Posture Conditions
Apostureconditioncanbeanyoneofthefollowingsimpleconditions:afile,aregistry,anapplication,a
service,oradictionarycondition.Oneormoreconditionsfromthesesimpleconditionsformacompound
condition,whichcanbeassociatedtoaposturerequirement....
    Start reading Cisco Ise 13 User Guide

    Related Manuals for Cisco Ise 13 User Guide

    All Cisco manuals