Cisco Ise 13 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3

Create Simple Posture Conditions
You can create file, registry, application, service, and dictionary simple conditions that can be used in posture policies or in other compound conditions.

Before You Begin
To perform the following task, you must be a Super Admin or Policy Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Conditions > Posture.
Step 2 Choose any one of the following: File, Registry, Application, Service, or Dictionary Simple Condition.
Step 3 Click Add.
Step 4 Enter the appropriate values in the fields.
Step 5 Click Submit.

Compound Posture Conditions
Compound conditions are made up of one or more simple conditions, or compound conditions. You can make use of the following compound conditions while defining a Posture policy.
• Compound Conditions—Contains one or more simple conditions, or compound conditions of the type File, Registry, Application, or Service condition
• Antivirus Compound Conditions—Contains one or more AV conditions, or AV compound conditions
• Antispyware Compound Conditions—Contains one or more AS conditions, or AS compound conditions
• Dictionary Compound Conditions—Contains one or more dictionary simple conditions or dictionary compound conditions

Cisco-Predefined Condition for Enabling Automatic Updates in Windows Clients
The pr_AutoUpdateCheck_Rule is a Cisco predefined condition, which is downloaded to the Compound Conditions page. This condition allows you to check whether the automatic updates feature is enabled on Windows clients. If a Windows client fails to meet this requirement, then the Network Access Control (NAC) Agents enforce the Windows client to enable (remediate) the automatic updates feature. After this remediation is done, the Windows client becomes posture compliant. The Windows update remediation that you associate in the posture policy overrides the Windows administrator setting, if the automatic updates feature is not enabled on the Windows client.

Cisco-Preconfigured Antivirus and Antispyware Conditions
Cisco ISE loads preconfigured antivirus and antispyware compound conditions in the AV and AS Compound Condition pages, which are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems. These compound conditions can check if the specified antivirus and antispyware products exist on all the clients. You can also create new antivirus and antispyware compound conditions in Cisco ISE.

Antivirus and Antispyware Support Chart
Cisco ISE uses an antivirus and antispyware support chart, which provides the latest version and date in the definition files for each vendor product. Users must frequently poll antivirus and antispyware support charts for updates. Because the antivirus and antispyware vendors frequently update antivirus and antispyware definition files, look for the latest version and date in the definition files for each vendor product.

Each time the antivirus and antispyware support chart is updated to reflect support for new antivirus and antispyware vendors, products, and their releases, the NAC Agents receive a new antivirus and antispyware library. It helps NAC Agents to support newer additions. Once the NAC Agents retrieve this support information, they check the latest definition information from the periodically updated se-checks.xml file (which is published along with the se-rules.xml file in the se-templates.tar.gz archive), and determine whether clients are compliant with the posture policies. Depending upon what is supported by the antivirus and antispyware library for a particular antivirus, or antispyware product, the appropriate requirements will be sent to the NAC Agents for validating their existence, and the status of particular antivirus and antispyware products on the clients during posture validation.

The antivirus and antispyware support chart is available on Cisco.com.

Compliance Module
The compliance module contains a list of fields, such as vendor name, product version, product name, and attributes provided by OPSWAT that supports Cisco ISE posture conditions.
Vendors frequently update the product version and date in the definition files; therefore, you must look for the latest version and date in the definition files for each vendor product by frequently polling the compliance module for updates. Each time the compliance module is updated to reflect the support for new vendors, products, and their releases, the AnyConnect agents receive a new library. It helps the AnyConnect agent to support newer additions. Once the AnyConnect agents retrieve this support information, they check the latest definition information from the periodically updated se-checks.xml file (which is published along with the se-rules.xml file in the se-templates.tar.gz archive), and determine whether clients are compliant with the posture policies. Depending upon what is supported by the library for a particular antivirus, antispyware, antimalware, disk encryption, or patch management product, the appropriate requirements will be sent to the AnyConnect agents for validating their existence, and the status of the particular products on the clients during posture validation.

The compliance module is available on Cisco.com.

Given below are the OPSWAT API versions that support/do not support the ISE posture policy. There are different policy rules for agents that support versions 3 and 4.

Compliance Module Version | Posture Condition
OPSWAT
3.x or earlier | Antivirus
3.x or earlier | Antispyware
4.x or later | Antimalware
3.x or earlier and 4.x or later | Disk Encryption
3.x or earlier and 4.x or later | Patch Management
4.x or later | USB
Non-OPSWAT
Any version | File
Any version | Application
Any version | Compound
Any version | Registry
Any version | Service

Note: Be sure to create separate posture policies for version 3.x or earlier and version 4.x or later, in anticipation of clients that may have installed any one of the above versions.

Note: OESIS version 4 support is provided for compliance module 4.x and Cisco AnyConnect 4.3 and higher. However, AnyConnect 4.3 supports both OESIS version 3 and version 4 policies.

Note: Version 4 compliance module is supported by ISE 2.1 and higher.

Create Compound Posture Conditions
You can create compound conditions that can be used in posture policies for posture assessment and validation.

Before You Begin
To perform the following task, you must be a Super Admin or Policy Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Conditions > Posture > Compound Conditions > Add.
Step 2 Enter appropriate values for the fields.
Step 3 Click Validate Expression to validate the condition.
Step 4 Click Submit.

Create Patch Management Conditions
You can create a policy to check the status of a selected vendor's patch management product.
For example, you can create a condition to check if Microsoft System Center Configuration Manager (SCCM), Client Version 4.x software product is installed at an endpoint.

Note: Supported versions of Cisco ISE and AnyConnect:
• Cisco ISE version 1.4
• AnyConnect version 4.1 and later

Before You Begin
To perform the following task, you must be a Super Admin or Policy Admin.

Procedure
Step 1 Choose Policy > Policy Elements > Conditions > Posture > Patch Management Condition.
Step 2 Click Add.
Step 3 In the Patch Management Condition page, enter the appropriate values in the fields.
Step 4 Click Submit.

Related Topics
Patch Management Condition Settings
Add a Patch Management Remediation

Create Disk Encryption Conditions
You can create a policy to check if an endpoint is compliant with the specified data encryption software.
For example, you can create a condition to check if the C: drive is encrypted in an endpoint. If the C: drive is not encrypted then the endpoint receives a non-compliance notification and ISE logs a message.

Before You Begin
To perform the following task, you must be a Super Admin or Policy Admin. You can associate a Disk Encryption condition with a posture requirement only when you use the AnyConnect ISE posture agent.

Procedure
Step 1 Choose Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition.
Step 2 Click Add.
Step 3 In the Disk Encryption Condition page, enter the appropriate values in the fields.
Step 4 Click Submit.

Configure Posture Policies
A posture policy is a collection of posture requirements that are associated with one or more identity groups, and operating systems. The Dictionary Attributes are optional conditions in conjunction with the identity groups and the operating systems that allow you to define different policies for the clients.
See Posture Services on the Cisco ISE Configuration Guide for more information.
To configure a posture policy, perform the following procedure:

Before You Begin
• You must have an understanding of the AUP.
• You must have an understanding of periodic reassessments (PRA).

Procedure
Step 1 Choose Policy > Posture.
Step 2 From the Rule Status drop-down list, choose either Enabled or Disabled.
Step 3 In the Rule Name field, enter the name of the policy.
Note: It is a best practice to configure a posture policy with each requirement as a separate rule in order to avoid unexpected results.
Step 4 From the Identity Groups column, select the required identity group.
Step 5 From the Operating Systems column, select the operating system.
Step 6 In Other Conditions, you can add one or more dictionary attributes and save them as simple or compound conditions to a dictionary.
Note: Dictionary simple conditions and dictionary compound conditions that you create in the Posture Policy page are not displayed while configuring an authorization policy.
Step 7 Specify the requirements in the Requirements field.
Step 8 Click Save.
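
The two notes in this guide about posture policy layout (one requirement per rule, and separate policies for compliance module 3.x or earlier and 4.x or later) can be checked mechanically before a policy goes live. The following Python code is an added example, not part of the Cisco guide or of ISE; the rule dictionaries and their field names are constructed for illustration, and the version mapping is the compliance module table from this guide.

```python
# Added example: field names and sample rules are constructed, not an ISE export format.
# Compliance module generations per posture condition type, from the table in this
# guide: "3" = 3.x or earlier, "4" = 4.x or later.
BOTH = frozenset({"3", "4"})
SUPPORT = {
    "Antivirus": {"3"}, "Antispyware": {"3"}, "Antimalware": {"4"}, "USB": {"4"},
    "Disk Encryption": BOTH, "Patch Management": BOTH,
    # Non-OPSWAT condition types work with any compliance module version.
    "File": BOTH, "Application": BOTH, "Compound": BOTH, "Registry": BOTH, "Service": BOTH,
}
LABEL = {"3": "3.x or earlier", "4": "4.x or later"}

def lint_posture_rules(rules):
    """Return findings for multi-requirement rules and one-sided version coverage."""
    findings = []
    covered = {}  # (identity group, OS) -> generations that have a version-specific check
    for rule in rules:
        reqs = rule["requirements"]
        if len(reqs) != 1:
            findings.append(f"{rule['name']}: {len(reqs)} requirements in one rule; "
                            "use one rule per requirement")
        gens = covered.setdefault((rule["identity_group"], rule["os"]), set())
        for cond in reqs:
            if cond not in SUPPORT:
                findings.append(f"{rule['name']}: unknown condition type {cond!r}")
            elif SUPPORT[cond] != BOTH:
                gens |= SUPPORT[cond]
    for group, os_name in sorted(covered):
        gens = covered[(group, os_name)]
        if not gens:
            continue  # scope uses only conditions that work on any version
        for gen in sorted(BOTH - gens):
            findings.append(f"{group} / {os_name}: no version-specific rule for "
                            f"compliance module {LABEL[gen]}")
    return findings

# Constructed sample policy: Employee covers both generations, Contractor does not.
SAMPLE_RULES = [
    {"name": "Emp-Win-AV", "identity_group": "Employee", "os": "Windows All",
     "requirements": ["Antivirus"]},
    {"name": "Emp-Win-AM", "identity_group": "Employee", "os": "Windows All",
     "requirements": ["Antimalware"]},
    {"name": "Contractor-Win-AV-AS", "identity_group": "Contractor", "os": "Windows All",
     "requirements": ["Antivirus", "Antispyware"]},
    {"name": "Contractor-Win-Disk", "identity_group": "Contractor", "os": "Windows All",
     "requirements": ["Disk Encryption"]},
]

if __name__ == "__main__":
    for finding in lint_posture_rules(SAMPLE_RULES):
        print(finding)
```

A scope flagged for a missing generation means clients running that compliance module version are assessed only by the conditions that work on any version, if there are any.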

Posture Assessment Options
The following table provides a list of posture assessment (posture conditions) options that are supported by the ISE Posture Agents for Windows and Macintosh, and the Web Agent for Windows.

Table 48: Posture Assessment Options
ISE Posture Agent for Macintosh OS X | Web Agent for Windows | ISE Posture Agent for Windows
— | Operating System/Service Packs/Hotfixes | Operating System/Service Packs/Hotfixes
— | Service Check | Service Check
— | Registry Check | Registry Check
— | File Check | File Check
— | Application Check | Application Check
Antivirus Installation | Antivirus Installation | Antivirus Installation
Antivirus Version/Antivirus Definition Date | Antivirus Version/Antivirus Definition Date | Antivirus Version/Antivirus Definition Date
Antispyware Installation | Antispyware Installation | Antispyware Installation
Antispyware Version/Antispyware Definition Date | Antispyware Version/Antispyware Definition Date | Antispyware Version/Antispyware Definition Date
— | Windows Update Running | Windows Update Running
— | Windows Update Configuration | Windows Update Configuration
— | WSUS Compliance Settings | WSUS Compliance Settings

Posture Remediation Options
The following table provides a list of posture remediation options that are supported by the ISE Posture Agents for Windows and Macintosh, and the Web Agent for Windows.

Table 49: Posture Remediation Options
ISE Posture Agent for Macintosh OS X | Web Agent for Windows | ISE Posture Agent for Windows
Message Text (Local Check) | Message Text (Local Check) | Message Text (Local Check)
URL Link (Link Distribution) | URL Link (Link Distribution) | URL Link (Link Distribution)
— | File Distribution | File Distribution
— | — | Launch Program
Antivirus Live Update | — | Antivirus Definition Update
Antispyware Live Update | — | Antispyware Definition Update
— | — | Windows Update
— | — | WSUS

Custom Conditions for Posture
A posture condition can be any one of the following simple conditions: a file, a registry, an application, a service, or a dictionary condition. One or more conditions from these simple conditions form a compound condition, which can be associated with a posture requirement.

After an initial posture update, Cisco ISE also creates Cisco-defined simple and compound conditions. Cisco-defined simple conditions use the prefix pc_ and compound conditions use the prefix pr_.

A user-defined condition or a Cisco-defined condition includes both simple and compound conditions.

Posture service makes use of internal checks based on antivirus and antispyware (AV/AS) compound conditions. Hence, posture reports do not reflect the exact AV/AS compound-condition names that you have created. The reports display only the internal check names of AV/AS compound conditions.

For example, if you have created an AV compound condition named "MyCondition_AV_Check" to check any Vendor and any Product, the posture reports will display the internal check, that is “av_def_ANY”, as the condition name, instead of "MyCondition_AV_Check".

Custom Posture Remediation Actions
A custom posture remediation action is one of the following remediation types: a file, a link, antivirus or antispyware definition updates, launching programs, Windows updates, or Windows Server Update Services (WSUS).

Add a File Remediation
A file remediation allows clients to download the required file version for compliance. The client agent remediates an endpoint with a file that is required by the client for compliance.
You can filter, view, add, or delete file remediations in the File Remediations page, but you cannot edit file remediations. The File Remediations page displays all the file remediations along with their name and description and the files that are required for remediation.

Procedure
Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click File Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New File Remediation page.
Step 6 Click Submit.

Add a Link Remediation
A link remediation allows clients to click a URL to access a remediation page or resource. The client agent opens a browser with the link and allows the clients to remediate themselves for compliance.
The Link Remediation page displays all the link remediations along with their name and description and their modes of remediation.

Procedure
Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click Link Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New Link Remediation page.
Step 6 Click Submit.

Add an Antivirus Remediation
You can create an antivirus remediation, which updates clients with up-to-date file definitions for compliance after remediation.
The AV Remediations page displays all the antivirus remediations along with their name and description and their modes of remediation.

Procedure
Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click AV Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New AV Remediation page.
Step 6 Click Submit.

Add an Antispyware Remediation
You can create an antispyware remediation, which updates clients with up-to-date file definitions for compliance after remediation.
The AS Remediations page displays all the antispyware remediations along with their name and description and their modes of remediation.

Procedure
Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click AS Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New AS Remediations page.
Step 6 Click Submit.

Related Topics
Antispyware Remediation

Add a Launch Program Remediation
You can create a launch program remediation, where the client agent remediates clients by launching one or more applications for compliance.
The Launch Program Remediations page displays all the launch program remediations along with their name and description and their modes of remediation.

Procedure
Step 1 Choose Policy > Policy Elements > Results > Posture.
Step 2 Click Remediation Actions.
Step 3 Click Launch Program Remediation.
Step 4 Click Add.
Step 5 Modify the values in the New Launch Program Remediation page.
Step 6 Click Submit.

Troubleshoot Launch Program Remediation

Problem
When an application is launched as a remediation using Launch Program Remediation, the application is successfully launched (observed in the Windows Task Manager); however, the application UI is not visible.

Solution
The Launch program UI application runs with system privileges, and is visible in the Interactive Service Detection (ISD) window. To view the Launch program UI application, ISD should be enabled for the following OS:
• Windows Vista: ISD is in stop state by default. Enable ISD by starting ISD service in services.msc.
• Windows 7: ISD service is enabled by default.
• Windows 8/8.1: Enable ISD by changing "NoInteractiveServices" from 1 to 0 in the registry: \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows.

Windows Update Remediation
Windows update remediation ensures that Automatic Updates configuration is turned on in Windows clients per your security policy. Windows administrators have an option to turn on or turn off Automatic Updates on Windows clients. Microsoft Windows uses this feature to check for updates regularly. If the Automatic Updates feature is turned on, then Windows automatically updates Windows-recommended updates before any other updates.

The Windows Automatic Updates setting will differ for different Windows operating systems.
For example, Windows XP provides the following settings for configuring Automatic Updates:
• Automatic (recommended)—Windows allows clients to download recommended Windows updates and install them automatically
• Download updates for me, but let me choose when to install them—Windows downloads updates for clients and allows clients to choose when to install updates
• Notify me but don’t automatically download or install them—Windows only notifies clients, but does not automatically download, or install updates