Endpoint Security Compliance with the Posture Feature of Cisco ISE

➡ This time, I would like to explain how to control network access for the many employees in enterprises or banks who connect to the wireless network (Wi-Fi) using the 802.1X standard. Endpoint devices need to be checked before they are granted network access. For instance, employees’ PCs or laptops get full network access only if they meet the security requirements (compliance) defined by their enterprise. If employees have installed games or Internet Download Manager (IDM) on their PCs, they may play games or download files during office hours. To control cases like these, we don’t need to check each employee’s PC by hand; all we need is the Posture feature included in Cisco Identity Services Engine (ISE).

As mentioned above, the Posture feature mainly checks whether employees’ laptops or PCs meet the security compliance defined by their enterprise when they try to get network access using the 802.1X wireless standard. According to the figure above, the posture workflow is as follows:

1️⃣ The employee’s PC is first checked for whether the Cisco AnyConnect software is installed. If AnyConnect is not installed, ISE places the PC in the Guest VLAN with limited network access and presents a link to download it. At that time, the employee can use the network only to download the AnyConnect software. We could instead install AnyConnect manually on every employee’s PC, but in a large enterprise the approach above is better.

2️⃣ Once AnyConnect is installed on the employee’s PC, the software starts the posture assessment.

Posture assessment checks the following:

✔ Does the employee’s PC have an up-to-date version of the anti-virus software?

✔ Are the required Windows registry keys present?

✔ Are the files that every employee should have present?

✔ Are the applications defined as requirements installed?

✔ Are there games, IDM, etc. that should not be installed?

3️⃣ After AnyConnect has finished checking the posture requirements, it reports to ISE whether the employee’s PC meets the security compliance. If it does not, ISE proceeds to the remediation step. Remediation works the same way as above: ISE makes the employee’s PC fit the security requirements. If games or IDM are still on the PC, ISE alerts the employee to uninstall them. If the anti-virus software is outdated, ISE makes the employee download the update in the same way.

4️⃣ After the remediation step is done, AnyConnect checks again whether the employee’s PC still has any non-compliant items.

5️⃣ If no non-compliant items remain, the employee’s PC now gets full network access.

Furthermore, an Apex license is required to use the Posture feature. Normally, enterprises that are already using ISE have a Base license for wired or wireless network access with the 802.1X standard. The Apex license is imported on top of the existing Base license, after which the Posture feature can be used.
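As an added illustration of the five-step workflow above (this is constructed example code, not Cisco ISE’s or AnyConnect’s own implementation; the policy values, the endpoint inventory and the remediation actions are all assumptions made for the example), the following Python model evaluates the five posture checks against an endpoint and walks through the agent-provisioning, remediation and re-check rounds until full access is granted:

```python
"""Constructed simulation of the ISE posture workflow (not Cisco code).

Decision logic: no AnyConnect -> guest VLAN (download only);
findings present -> limited remediation access; no findings -> full access.
"""
from dataclasses import dataclass

PROVISION_AGENT = "PROVISION_AGENT"   # step 1: AnyConnect missing
NON_COMPLIANT = "NON_COMPLIANT"       # step 3: requirements failed
COMPLIANT = "COMPLIANT"               # step 5: everything passed

ACCESS = {
    PROVISION_AGENT: "guest VLAN (AnyConnect download only)",
    NON_COMPLIANT: "limited access for remediation",
    COMPLIANT: "full network access",
}

@dataclass(frozen=True)
class Endpoint:
    """What the agent would report about one PC (constructed fields)."""
    anyconnect_installed: bool
    av_version: str
    registry_keys: frozenset
    files: frozenset
    apps: frozenset

@dataclass(frozen=True)
class PosturePolicy:
    """The five checks from the post, expressed as policy data."""
    min_av_version: str
    required_registry_keys: frozenset
    required_files: frozenset
    required_apps: frozenset
    forbidden_apps: frozenset

def version_key(version):
    """'14.2.10' -> (14, 2, 10): compare numerically, not as text ('9' > '14')."""
    return tuple(int(part) for part in version.split("."))

def assess(endpoint, policy):
    """Return (finding, remediation action) for every requirement that fails."""
    findings = []
    if version_key(endpoint.av_version) < version_key(policy.min_av_version):
        findings.append(("antivirus outdated", "update_av"))
    for key in sorted(policy.required_registry_keys - endpoint.registry_keys):
        findings.append((f"missing registry key {key}", f"add_key:{key}"))
    for path in sorted(policy.required_files - endpoint.files):
        findings.append((f"missing file {path}", f"add_file:{path}"))
    for app in sorted(policy.required_apps - endpoint.apps):
        findings.append((f"required app not installed: {app}", f"install:{app}"))
    for app in sorted(policy.forbidden_apps & endpoint.apps):
        findings.append((f"forbidden app installed: {app}", f"uninstall:{app}"))
    return findings

def decide(endpoint, policy):
    """ISE-side decision: (status, findings the user is asked to fix)."""
    if not endpoint.anyconnect_installed:
        return PROVISION_AGENT, [("AnyConnect not installed", "install_agent")]
    findings = assess(endpoint, policy)
    return (NON_COMPLIANT, findings) if findings else (COMPLIANT, [])

def remediate(endpoint, findings, policy):
    """Simulate the user/agent applying every remediation action (step 3)."""
    keys, files, apps = set(endpoint.registry_keys), set(endpoint.files), set(endpoint.apps)
    agent, av = endpoint.anyconnect_installed, endpoint.av_version
    for _, action in findings:
        kind, _, arg = action.partition(":")
        if kind == "install_agent":
            agent = True
        elif kind == "update_av":
            av = policy.min_av_version
        elif kind == "add_key":
            keys.add(arg)
        elif kind == "add_file":
            files.add(arg)
        elif kind == "install":
            apps.add(arg)
        elif kind == "uninstall":
            apps.discard(arg)
    return Endpoint(agent, av, frozenset(keys), frozenset(files), frozenset(apps))

def posture_workflow(endpoint, policy, max_rounds=5):
    """decide -> remediate -> re-check (step 4) until compliant; return each round."""
    history = []
    for _ in range(max_rounds):
        status, findings = decide(endpoint, policy)
        history.append((status, ACCESS[status], [text for text, _ in findings]))
        if status == COMPLIANT:
            break
        endpoint = remediate(endpoint, findings, policy)
    return history

# Constructed sample policy and endpoint; names and versions are placeholders.
POLICY = PosturePolicy(
    min_av_version="14.2.0",
    required_registry_keys=frozenset({"HKLM\\SOFTWARE\\ExampleCorp\\Managed"}),
    required_files=frozenset({"C:\\Corp\\policy.txt"}),
    required_apps=frozenset({"CorpVPN"}),
    forbidden_apps=frozenset({"SomeGame", "IDM"}),
)
NEW_LAPTOP = Endpoint(False, "13.9.1", frozenset(), frozenset(), frozenset({"CorpVPN", "IDM"}))

if __name__ == "__main__":
    for n, (status, access, findings) in enumerate(posture_workflow(NEW_LAPTOP, POLICY), 1):
        print(f"pass {n}: {status} -> {access}; findings: {findings}")
```

Running it on the constructed laptop produces three passes: guest VLAN while AnyConnect is missing, limited remediation access with four findings (outdated anti-virus, missing registry key, missing file, IDM installed), then full access. In a real deployment the remediation happens on the user’s machine through the AnyConnect prompts, not inside ISE, which is why `remediate` is only a stand-in here; the numeric `version_key` comparison matters because comparing version strings as text would rate "9.0.0" as newer than "14.2.0".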

In conclusion, to protect against data corruption (ransomware, etc.) and other malware that could impact our organization, it is good practice to ensure that endpoint devices meet the security compliance by using the Posture feature of ISE.
