--> Posture assessment in ISE lets you check the internal state of an endpoint, such as antivirus, registry entries, personal firewall and many more things, before allowing it access to the network.
--> It is very important in BYOD network designs.
--> For ISE to check the internal state, the user needs to either install the NAC Agent or use the Web Agent.
--> The Web Agent is temporary software, basically installed on guest systems, whereas the NAC Agent is permanent software that is installed on corporate systems.
--> The ISE posture module is integrated with the Cisco AnyConnect package.
--> We can easily install this AnyConnect package on all user computers by using Group Policy.
--> Three steps need to be done in order to implement posture assessment using ISE:
i) Client Provisioning Policy
--> Place the NAC Agent or Web Agent in Cisco ISE so that users can download it.
--> Specify which users can download which agent.
ii) Posture Policy
--> Specifies what conditions (Anti-Virus, Anti-Spyware, Windows Firewall, etc.) need to be matched in order to get access to the network once users have downloaded the agent.
--> The posture policy status can be one of the following:
   i) Unknown: No data is collected.
   ii) Non-Compliant: The endpoint did not match the posture conditions.
   iii) Compliant: The endpoint is compliant with all mandatory requirements.
iii) Authorization Policy
--> Defines the levels of network access and optional services to be delivered to an endpoint based on posture status.
--> For example, a typical authorization policy may limit a user's network access to posture and remediation resources only.
--> If remediation by the agent or end user is successful, then the authorization policy can grant privileged network access to the user.
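
The flow from posture policy to authorization policy can be modelled in a few lines. This is an added illustration, not ISE configuration or Cisco code: the requirement keys, the report format and the access-level names are all hypothetical, and it assumes a mandatory check missing from the agent's report is treated as failed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Posture(Enum):
    UNKNOWN = "Unknown"              # no data collected from the endpoint
    NON_COMPLIANT = "Non-Compliant"  # a mandatory condition did not match
    COMPLIANT = "Compliant"          # all mandatory requirements met

@dataclass(frozen=True)
class Requirement:
    name: str               # hypothetical key expected in the agent's report
    mandatory: bool = True

# Constructed posture policy using the conditions named in the text.
POLICY = [
    Requirement("antivirus"),
    Requirement("antispyware"),
    Requirement("windows_firewall"),
    Requirement("registry_entry", mandatory=False),
]

# Hypothetical access levels, one per posture status.
AUTHZ = {
    Posture.UNKNOWN: "posture-and-remediation-only",
    Posture.NON_COMPLIANT: "posture-and-remediation-only",
    Posture.COMPLIANT: "privileged-access",
}

def failed_mandatory(report: dict) -> list:
    """Mandatory requirements the endpoint still has to remediate.
    Assumption: a check absent from the report counts as failed."""
    return [r.name for r in POLICY
            if r.mandatory and report.get(r.name) is not True]

def evaluate(report: Optional[dict]) -> Posture:
    """Map an agent report (None if no agent has reported) to a status."""
    if report is None:
        return Posture.UNKNOWN
    return Posture.NON_COMPLIANT if failed_mandatory(report) else Posture.COMPLIANT

def authorize(report: Optional[dict]) -> str:
    """Authorization decision driven purely by posture status."""
    return AUTHZ[evaluate(report)]

# Constructed sample: firewall disabled, then remediated by the agent or user.
before = {"antivirus": True, "antispyware": True, "windows_firewall": False}
after = {**before, "windows_firewall": True}
```
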
Md.Kareemoddin ( CCIE #54759)