ISE Automatic Remediation

Hi,
We've been deploying an ISE solution (version 1.1.0-665) at one customer and we have a question regarding Posture Assessment/Remediation. We're trying to check AV installation and definitions and this check is working fine, but things get a little bit complicated when we try to remediate the machines.
In our Posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers as well as the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP) and redirect all HTTP and HTTPS traffic to the ISE in order to force Posture for users who need the Web Agent.
And this means that when Posture Assessment fails and we need to remediate the client's machine we are going to have problems performing automatic remediation, since our AV (McAfee), as well as many others, tries to access update servers using port 80 and that traffic will be redirected per the Redirect ACL.
Is there a way to overcome this problem? Including update servers in our Redirect ACL deny lines is not an option, since there are too many and they are dynamic.
Can you help us with this issue? Thanks!
Best regards,
Carlos Morais

Hi,
No, there is no way of doing automatic remediation in external servers unless you exempt them from redirection in the Posture ACL. They have a NAC-style solution in roadmap, however. I'm sending below the answer provided by TAC:
"If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."
Best regards,
Carlos Morais
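The redirect ACL behaviour this thread (and the ACL-AGENT-REDIRECT post further down) relies on, as an added example that is not part of the original posts: a small Python evaluator for IOS style redirect ACL entries, where "permit" lines redirect traffic to ISE, "deny" lines bypass redirection, and the implicit deny at the end also bypasses. The ACL, the ACL name and all addresses are constructed; 10.0.0.5 stands in for the ISE address.

```python
# Added example, not from the thread: evaluate a Cisco IOS style ISE posture redirect ACL.
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for addresses and ports
@dataclass
class Ace:
    action: str            # "permit" (redirect to ISE) or "deny" (bypass redirection)
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: Optional[str]     # host address or ANY
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]

def _addr(tokens):
    # consume "any" or "host A.B.C.D", then an optional "eq PORT"
    if tokens[0] == "any":
        addr, rest = ANY, tokens[1:]
    elif tokens[0] == "host":
        addr, rest = tokens[1], tokens[2:]
    else:
        raise ValueError(f"unsupported address spec: {tokens[0]}")
    port = ANY
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return addr, port, rest

def parse_acl(text: str) -> List[Ace]:
    # the "ip access-list" header, blank lines and remarks are skipped
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "!", "remark")):
            continue
        action, proto, *rest = line.split()
        src, sport, rest = _addr(rest)
        dst, dport, _ = _addr(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces

def is_redirected(acl, proto, src, dst, sport=ANY, dport=ANY) -> bool:
    # first matching entry wins; no match means the implicit deny, i.e. no redirect
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src not in (ANY, src) or ace.dst not in (ANY, dst):
            continue
        if ace.sport not in (ANY, sport) or ace.dport not in (ANY, dport):
            continue
        return ace.action == "permit"
    return False

# Constructed ACL modelled on the one described in the thread; 10.0.0.5 is a
# placeholder for the ISE address, not a value taken from the page.
REDIRECT_ACL = parse_acl("""
ip access-list extended ACL-POSTURE-REDIRECT
 deny udp any any eq 53
 deny udp any eq 68 any eq 67
 deny icmp any any
 deny tcp any host 10.0.0.5 eq 8443
 deny tcp any host 10.0.0.5 eq 8905
 deny udp any host 10.0.0.5 eq 8906
 permit tcp any any eq 80
 permit tcp any any eq 443
""")
CLIENT, ISE, AV_UPDATE = "192.0.2.10", "10.0.0.5", "198.51.100.20"  # constructed

def av_update_redirected(acl=REDIRECT_ACL) -> bool:
    # the AV client's port 80 update fetch matches "permit tcp any any eq 80"
    return is_redirected(acl, "tcp", CLIENT, AV_UPDATE, dport=80)

def with_update_host_exempted(acl=REDIRECT_ACL) -> List[Ace]:
    # the only fix the thread offers: an explicit deny for the update server
    return [Ace("deny", "tcp", ANY, ANY, AV_UPDATE, 80)] + list(acl)
```

Running `av_update_redirected()` reproduces the problem described above (the update fetch is redirected), while `with_update_host_exempted()` shows the per-host deny that the reply says is the only available workaround.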

Similar Messages

  • ISE Posture Remediation issue with AV client installation

    Problem: If a user starts the AV client installation on the PC via AV link remediation, after some time (while the AV client installation is not completed yet) the Trend Micro Update window pops up but automatic AV or AS definition remediation does not start, and the Cisco NAC agent shows the message that the AV definition is not up to date.
    Also, sometimes the NAC agent gives the message that automatic remediation failed, or requires user intervention to press OK so NAC can complete the remediation process.
    I am facing this issue when users don't have an Antivirus client on the PC and are performing the client installation.
    We have the following posture policies,
    1. AV installation check: if AV is not installed on the PC then perform link remediation and let the user download the Antivirus client from the provided link.
    2. AV definition & AS definition version check (I put both remediation requirements in one policy): if the AV or AS definition version is found to be old then perform automatic remediation.
    3. WSUS check
    4. SP check
    Actually what I want is: first the user installs the AV client via link remediation; once the installation is complete, then move to AV & AS def remediation if required (because on the first AV client installation it automatically downloads all updates from the AV server); otherwise the def remediation policy waits for the AV client installation to complete.
    Please can anybody let me know how remediation works internally? For example, if the "AV inst" remediation starts, does the NAC agent wait for it to complete and not start the other remediation processes, e.g. AS & AV def?
    Second question: what is the remediation process sequence?
    Third question: is there any way we can configure a timer in the remediation process, e.g. 5 min for AV inst, then 3 min for AV & AS def remediation, and then go to the other posture remediations?

    Please check the below guide for Posture Configuration:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080c15540.shtml

  • McAfee Antivirus automatic remediation

    Hello All,
    I'm having an issue with McAfee Antivirus remediation. I'm using Cisco NAC 4.8.2 and it seems that automatic remediation is not working.
    Could someone help?
    Is there a webpage where we can check which AV can do automatic remediation?

    Hello,
    Here are the links to the Windows and MacOS supported AV/AS on NAC 4.8.2:
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/WinAV-AS-vers86.pdf
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/MacOSXAV-AS-ver9.pdf
    Regards.

  • Delaying ISE Posture / Remediation

    Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
    Is this possible?
    What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a networking issue during remediation. This is because we have a proxy server and you must have elevated privileges to download certain file types from the internet, such as executables.
    To get round the limitation of the NAC agent not being able to be configured to use its own web proxy settings with a user account with more privileges, we use different locations in our AV product so that once the AV product realises that the laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
    However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
    Hope that makes sense.
    Mario                  

    Hello Mario,
    You can customize remediation timeout settings for your requirement. Please review the following:
    Remediation Timeout Customization
    Parameter                 Default Value  Valid Range  Description or Behavior
    Remediation timer         4              1-300        Specifies the number of minutes the user has to remediate any failed posture assessment checks on the client machine before having to go through the entire login process over again.
    Network Transition Delay  3              2-30         Specifies the number of seconds the agent should wait for network transition (IP address change) before beginning the remediation timer countdown.
    Note: When you use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends the "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of the "Network transition delay" setting used for Windows agent profiles. If you do not use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends the "Network transition delay" timer setting to client machines, but Cisco ISE will not send both.
    For a more detailed understanding of this, please visit the section Configure Client Provisioning Policies > Remediation Timeout Customization at the following location in the ISE user guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
    You may also want to review more options that you can customize in Configure Client Provisioning Policies section.
    Regards,
    Ashok

  • NAC Appliance and BigFix Automatic remediation

    Hi,
    I want to integrate NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me the document for the same if anyone did this in their organization.
    Regards,
    Amit

  • ISE - Discovery Host

    Dear All,
    I am facing an issue with automatic discovery of the ISE node by the NAC agent (Discovery Host). Our client was using Cisco NAC 3310 appliances, which have been replaced by ISE, and we have upgraded the NAC agent software as well. Now what is happening is that whenever the NAC agent starts on a user PC it shows the IP address of the old NAC manager in the Discovery Host field of the NAC agent, and due to this the posture assessment doesn't complete and the user gets stuck in the remediation state.
    As a workaround, I changed the IP address manually in the Discovery Host option of the NAC agent to point towards the new ISE node, and then the posture assessment gets completed. So kindly advise how I can make this process automatic so that the NAC agent communicates with ISE automatically.
    Regards,
    Mujeeb

    Hi,
    It has been resolved without manual entry in NAC agent or NACAgentCFG file. Actually the redirection was not working properly for agent so I changed the redirect ACL as follows,
    ip access-list ext ACL-AGENT-REDIRECT
        #deny udp any any eq 53
        #permit tcp any any eq 80
    Kindly refer following document for the same.
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_10_universal_switch_config.pdf
    Now the agent is able to find the primary ISE node and posture is working fine.
    Regards,
    Mujeeb

  • ISE Addon for Checkout or Checkins via TFS 2013

    Hi
    I am coordinating the development of some PowerShell scripts to work against our SharePoint Farm. Now, as there is more than just me developing these scripts, I think we need to start doing regular checkins and checkouts in our TFS 2013. Anyway,
    I naively thought there must be an addon I could add to ISE for this, since it seems such a common requirement. However, there doesn't seem to be much out there that is actively being used. Are there alternatives that are widely used, such as a series of PS functions
    anyone knows about?
    Daniel 
    Freelance consultant

    Hi Daniel,
    If you want to complete checkout in Powershell ISE automatically, please go through this article:
    Protect Your PowerShell Scripts with Version Control
    In addition, you can also refer to this script
    PowerShell ISE-specific profile script, which performs a few simple things:
    Checks if you have the TFS client installed (eg Team Explorer).
    Registers for ISE events on each open file and any files you open later.
    Upon editing of a file, if it is TFS-managed then checks it out.
    The end result is the same TFS workflow experience from within the PowerShell ISE as Visual Studio provides.
    Refer to:
    Automatic TFS Check Out for PowerShell ISE
    If there is anything else regarding this issue, please feel free to post back.
    If you have any feedback on our support, please click here.
    Best Regards,                              
    Anna Wang
    TechNet Community Support

  • Nac Agent do not execute remediation

    Hi to all,
    in a lab environment I have configured a CAM/CAS solution on a 3310 server and I have installed 2 PCs (one Windows Vista and one XP) with NAC client version 4.6.2.133.
    My problem is auto-remediation and manual remediation: the client gives me temporary access but does not start the LiveUpdate program (I use Symantec Endpoint Protection 11).
    I have admin rights on both PCs.
    How can I solve the problem?
    Thanks for help

    There is no automatic remediation for all products. You must launch the endpoint protection, click LiveUpdate, then re-scan on the NAC agent and you will pass.
    Quote from Cisco Doc (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html):
    "•Not all product versions of a particular vendor may support the Clean Access Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product."
    If you have verified that your requirement-rule is specifically for Symantec Endpoint Protection 11, and the rule has automatic remediation configured, then it may fall into this scenario. You may also have it configured where the endpoint protection is not accessible to the end-user and requires admin rights to launch. Please put the client in debug and send the results to TAC for analysis, as it would be the best bet for you to get a clear answer.
    Hope that helps, rate if it does.
    Cheers,
    Tim

  • Wireless posturing at branch sites

    Hi all,
    I have been looking into an enterprise-wide wireless solution for my company and I completely understand wireless posturing using WLCs & ISEs at our campus sites; however, what I am struggling to get a black and white answer for is whether the same posturing can be done at the branch without having to tunnel all wireless traffic back to our DataCenters.
    We have a number of small sites (5 - 15 users on DSL), and we do not want to tunnel traffic back due to limited bandwidth, so we want to know whether using Cisco kit can help us keep the wireless traffic locally switched and still apply posturing and automatic remediation techniques.
    Our Cisco partner has advised that we should use H-REAP, or FlexConnect as it's known now. But they advise that the drawback to this is that APs in H-REAP mode are not compatible with the ISE currently, meaning that the only way of achieving posturing is tunnelling all wireless traffic back to the DataCenter.
    I thought that posturing only requires seeing the report from the NAC agent on the client machines. I did not think that posturing required that the ISE actually needs to look at the client's traffic.
    I can understand that maybe we will need a WLC at every site as the WLC supports the RADIUS CoA attribute, but will we need an ISE as well?
    Currently, I cannot find any Cisco Wireless / ISE design examples that fit our requirements. Effectively, we have 2 datacenters and then hundreds of very small DSL branch sites, and a few bigger branch sites with 10 Mbps Ethernet bearers. Our end goal in security is that we want to provide 802.1X authentication at the network edge, both wirelessly and wired. Can Cisco kit currently do this?
    I hope this all makes sense.
    thanks
    Mario De Rosa

    Hi,
    One important problem that we came up against with FlexConnect clients was that the ISE could not push an ACL when doing a CoA.
    So, when a client needs to go through posture, you can push out a VLAN, and an ACL restricting network access.
    BUT...
    once the client has passed posture and the ISE issues a CoA, the ISE can only push a VLAN to place the client into. The ISE completely removes the ACL, effectively permitting complete unrestricted access to the network. Meaning that you cannot push dACLs for particular user types.
    This is probably not much of an issue if you have full control and management of your own WAN. We do not, so to have VLANs added to remote sites for particular groups of users would have cost us money every time. Plus, changing any ACLs on our WAN routers would also have cost us money.
    I'm not sure whether this is a Wireless Controller limitation or an ISE limitation.
    Mario

  • Windows 7 -How to authenticate to WiFi (home or public) with AnyConnect NAM installed

    Hello,
    We are deploying ISE and connecting to the company's WiFi using a "machine" login (active directory laptop) works fine on Windows 7 or 8 - both wired and wireless. But, here is a scenario that I can't seem to find a good answer for. All my searches result in answers for corporate wifi; but not what I need.
    So, an employee checks out a laptop to use on a trip. It has AnyConnect 4.0.x VPN and NAM installed (SBL - GINA needs to be added). Windows 8 allows a user who has never used a Win8 laptop to connect to WiFi and authenticate before attempting to login and get their desktop. If the Win 7 or 8 laptop is connecting to a corporate AP, ISE automatically authenticates the "machine", so when they enter their user credentials they will be logging into the Windows domain (GPOs, drive mappings, etc.). Once a Windows 7 laptop has been authenticated with ISE, it doesn't matter which user logs in, the device will already have a connection. Essentially, the user does not have to log in while within the corporate network in order to get their profile created (locally cached credentials).
    But, what if the user has no local profile and tries to use a Windows 7 laptop from their home? They need to be able to connect and authenticate to their home WiFi before AnyConnect can automatically bring up the VPN tunnel. The GINA module will do an SBL for a VPN connection but that's not going to work if they don't have a WiFi connection. This scenario is possible in my environment.
    So, can AnyConnect GINA also manage a WiFi login before a user tries to get to a desktop for the first time?
    The perfect scenario would be where we hand out emergency laptops to first time users, they connect to whatever WiFi they have access to (non-corporate), the VPN tunnel comes up and when they login, they login into the Windows domain, not locally.
    Thanks!

    Just so everyone knows...
    Please take note of the specific processor which is included with your HP Pro 3130 MT.
    HP Pro 3130 MT motherboards with specific processors do not have any onboard (integrated) graphics, although they still have the VGA and DVI connectors. This means that although you may remove the PCIe Graphics Card, you will not be able to use a monitor with the onboard VGA or DVI (because there is no integrated graphics). This also means that you will not be able to change your BIOS to onboard graphics (because there is no integrated graphics).
    "NOTE: HP Pro 3130 with Intel Core i5 750 processor or any Intel i7 processor has no integrated
    graphics."(1)
    (1) Source: http://h18000.www1.hp.com/products/quickspecs/13640_ca/13640_ca.PDF
    If you would like to know why, let me know. Thanks!
    -Dave

  • Windows Update Service keeps turning back on

    I have Windows Update service stopped and Disabled in my image. It doesn't turn back on upon every reboot I attempt.     
    However, once I use it in an OSD to apply image and carry out my OSD task sequence, every single time the Windows Update service now shows as "Started" with Startup Type configured as "Automatic (Delayed Start)". 
    I'm not showing anything in my setupcomplete.cmd that indicates this service should be turned on. I'm not seeing anything in OSD that indicates this should be turned on.
    Maybe I am missing something though. Is SCCM configured to turn services back on for me, or should I be looking somewhere else to see why?
    There's no GPO for Windows Update in the AD I'm on either 

    I came across this, is this legitimate? Sccm 2012 R2 Cu4
    http://blogs.technet.com/b/configurationmgr/archive/2013/02/05/support-tip-after-disabling-the-windows-update-service-it-automatically-becomes-enabled-the-next-day.aspx
    So this was what was enabling our Windows Update Service every day. To prevent this from happening we can exclude clients from remediation via a Registry change on the client:
    1.      Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval\NotifyOnly. 
    2.      Change the value to True
    When set to True, the client computer will not automatically remediate any problems that are found, however you will still be alerted in the Monitoring workspace
    about any problems with this client. More information and alternate methods for disabling remediation on selected machines can be found at http://blogs.technet.com/b/seanm/archive/2012/12/20/configuration-manager-client-health-disable-automatic-remediation-for-selected-machines.aspx
    When set to False (the default setting), the client computer will automatically remediate problems when they are found and you will be alerted in the Monitoring workspace. For more information see How to Configure Client Status in Configuration Manager at http://technet.microsoft.com/en-us/library/hh338432.aspx.
    Yes that's the blog entry I have linked to. It will do what you require.
    Cheers
    Paul | sccmentor.wordpress.com

  • Automatic Antivirus Remediation in Posture

    Hi All,
    I have configured ISE (1.2) to check Antivirus Installation on endpoints and it is working flawlessly.
    Now, the client wants,
    1) If Antivirus is not updated on endpoint for more than 5 days; it should be considered as "non-compliant" and as a remediation action; updates should be downloaded automatically.
    --> I configured AV Remediation action.
    Now, the problem is when endpoint gets categorized as non-compliant, ideally AV updates should get downloaded on endpoint as a remediation action. But AV updates are not getting downloaded.
    Please help me in solving this problem.
    Thanks in advance,
    Aditya

    Adding an Antivirus Remediation
    You can create an antivirus remediation, which updates clients with up-to-date file definitions for compliance after remediation.
    The AV Remediations page displays all the antivirus remediations along with their name and description and their modes of remediation.
    Step 1 Choose Policy > Policy Elements > Results > Posture.
    Step 2 Click Remediation Actions.
    Step 3 Click AV Remediation.
    Step 4 Click Add.
    Step 5 Modify the values in the New AV Remediation page.
    Step 6 Click Submit.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_pos_pol.html#pgfId-1924006
    Antivirus Remediation
    The following table describes the fields in the AV Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > AV Remediation.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ui_reference_policy.html#23739
    Table C-23 Antivirus Remediation
    Fields                 Usage Guidelines
    Name                   Enter a name for the antivirus remediation.
    Description            Enter a description for the antivirus remediation.
    Remediation Type       Choose one of the following:
                           Automatic: when selected, you should enter values for the Interval and Retry Count.
                           Manual: when selected, the Retry Count and Interval fields are not editable.
    Interval (in seconds)  Enter the time interval in seconds that clients can try to remediate after previous attempts.
    Retry Count            Enter the number of attempts that clients can try to update an antivirus definition.
    Operating System       Choose one of the following:
                           Windows
                           Macintosh: when selected, the Remediation Type, Interval, and Retry Count fields are not editable.
    AV Vendor Name         Choose the antivirus vendor.

  • Automatic AV Remediation

    We're working with Cisco ISE 1.3.0.876 and the NAC Agent with posture policies, and we need a remediation that automatically sends the client to the Symantec Endpoint Protection server that's local. How can we do that?

    We're running the version 12.1.4. Can I do a file remediation to the antivirus files? Why Cisco ISE only permits 50MB to upload files?

  • ISE 1.2 - AV/AS Remediation missing vendors

    Trying to create a remediation rule in ISE 1.2 patch 3 and the drop down list for the AV/AS Vendor Name is not scrollable so I am not able to select our AS/AV vendor. See picture below:

    You're right. I just tested this and was able to scroll down using the down arrow on the keyboard.

  • ISE Posture Condition for Windows Service Pack and Remediation

    Hi,
    We are having ISE ver 1.1.1 and are currently on PoC. I have the following points to be clarified for Posture and Remediation.
    1) How to configure a condition to check the Windows Service Pack (maybe for more than one Windows flavor, such as XP, Win 7 and Win 8), and how to remediate in case the client is not complying with the Windows requirement.
    2) I configured an AV condition and it looks like it's working fine; however, I still couldn't find the place for how to remediate in case the client is not having the proper version and AV definition on his PC.
    3) We have an Authorization profile configured with the dACL "Posture Remediation", where we are allowing the AV server update URL, and also a matching ACL configured on the switch, "Posture Redirect". I want to know the exact purpose of these two ACLs.
    4) Where can we see the non-compliance logs and find out the reason for non-compliance?
    I'd appreciate it if someone can please give us a proper document to achieve the above tasks or send me any working scenario configuration steps.
    thanks in advance.

    1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or a Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
    You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or a locally administered WSUS server, for compliance.
    The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names and descriptions, as well as their modes of remediation.
    Check the following links for configuration:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
    2. For AV/AS Remediation configuration check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420
