
V-242576

CAT I (High)

The Cisco ISE must enforce approved access by employing authorization policies with specific attributes; such as resource groups, device type, certificate attributes, or any other attributes that are specific to a group of endpoints, and/or mission conditions as defined in the site's Cisco ISE System Security Plan (SSP). This is required for compliance with C2C Step 4.

Rule ID

SV-242576r1146387_rule

STIG

Cisco ISE NAC Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000213

Discussion

Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in unauthorized network access. Configure policy sets with specific authorization policies. Policies consist of rules, where each rule consists of conditions to be met that allow differential access based on grouping of device types by common attributes. ISE requires each authorization policy to have at least one condition. The default authorization policy is the only policy that does not require a condition, and it is not possible to assign a condition to it.

Check Content

If DoD is not at C2C Step 4 or higher, this is not a finding.

Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set. 

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Fix Text

Configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set. 

1. Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

On the default authorization rule select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination used to restrict the access.
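
An added example, not part of the STIG or of Cisco's tooling: a scripted form of the check above, run over policy-set data in a constructed JSON layout. The field names, the policy set and result names, and the site list of restricted results are assumptions; how the data is exported from ISE is left out.

```python
# Added example: the data layout below is constructed, not an ISE export format.
import json

def _norm(name):
    """Compare result names case-insensitively, ignoring '-', '_' and spaces."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def audit_default_rules(policy_sets, restricted_results, c2c_step):
    """Return one finding string per policy set that fails the check."""
    if c2c_step < 4:  # check content: below C2C Step 4 this is not a finding
        return []
    allowed = {_norm("Deny-Access")} | {_norm(r) for r in restricted_results}
    findings = []
    for ps in policy_sets:
        defaults = [r for r in ps.get("authorization_rules", []) if r.get("default")]
        if len(defaults) != 1:
            findings.append(f"{ps['name']}: expected one default rule, found {len(defaults)}")
            continue
        results = defaults[0].get("results", [])
        # Every result on the default rule must be deny or site-approved restricted.
        bad = [r for r in results if _norm(r) not in allowed]
        if not results:
            findings.append(f"{ps['name']}: default rule has no result")
        elif bad:
            findings.append(f"{ps['name']}: default rule grants {', '.join(bad)}")
    return findings

# Constructed sample input (hypothetical policy set and result names).
SAMPLE = json.loads("""
[
 {"name": "Wired-Dot1x", "authorization_rules": [
   {"name": "Corp-Laptops", "default": false, "results": ["Corp-Full-Access"]},
   {"name": "Default", "default": true, "results": ["Deny-Access"]}]},
 {"name": "Wireless-Guest", "authorization_rules": [
   {"name": "Default", "default": true, "results": ["Quarantine-VLAN"]}]},
 {"name": "VPN", "authorization_rules": [
   {"name": "Default", "default": true, "results": ["PermitAccess"]}]}
]
""")
# Assumption: results the site's SSP documents as restricted (VLAN, ACL, SGT).
SITE_RESTRICTED = {"Quarantine-VLAN"}

if __name__ == "__main__":
    for line in audit_default_rules(SAMPLE, SITE_RESTRICTED, c2c_step=4):
        print("FINDING:", line)
```

Whether a non-deny result counts as "restricted access" is a site decision, so the allowlist has to come from the SSP rather than from the result's name.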