← Back to Cisco ISE NAC Security Technical Implementation Guide

V-242600

CAT II (Medium)

The Cisco ISE must deny network connection for endpoints that cannot be authenticated using an approved method. This is required for compliance with C2C Step 4.

Rule ID

SV-242600r812782_rule

STIG

Cisco ISE NAC Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000778

Discussion

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Identification failure does not need to result in connection termination or preclude compliance assessment. This is particularly true for unmanaged systems or when the Cisco ISE is performing network discovery.

Check Content

If DoD is not at C2C Step 4 or higher, this is not a finding.

Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set. 

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Fix Text

Configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set. 

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination of these used to restrict the access.