Configuring Posture Policies

Table Of Contents

Configuring Client Posture Policies

Posture Service

Understanding the Posture Service

Posture and Client Provisioning Services

Posture and Client Provisioning Policies Flow

Licenses for the Posture Service

Deploying the Posture Service

Configuring the Posture Service in Cisco ISE

Posture Compliance Dashlet

Viewing Posture Reports

Posture Administration Settings in Cisco ISE

Posture General Settings

Posture Reassessments

Initiating and Requesting a PRA

PRA Failure Actions

Identity Group (Role) Assignment

PRA Report Tracking and Enforcement

PRA Enforcement During Distributed System Failure

Configuring Client Posture Periodic Reassessments

Posture Updates

Dynamic Posture Updates

Offline Posture Updates

Posture Acceptable Use Policy

Configuring Acceptable Use Policies

Client Posture Assessments in Cisco ISE

Client Posture Assessment Policies

Creating, Duplicating, and Deleting Client Posture Policies

Creating a New Posture Policy

Duplicating a Posture Policy

Deleting a Posture Policy

Custom Conditions for Posture

File Condition

Configuring File Conditions

Viewing File Conditions

Creating, Duplicating, Editing, and Deleting a File Condition of FileExistence Type

Creating, Duplicating, Editing, and Deleting a File Condition of FileDate Type

Creating, Duplicating, Editing, and Deleting a File Condition of FileVersion Type

Filtering File Conditions

Registry Condition

Configuring Registry Conditions

Viewing Registry Conditions

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryKey Type

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValue Type

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValueDefault Type

Filtering Registry Conditions

Application Condition

Configuring Application Conditions

Viewing Application Conditions

Creating, Duplicating, Editing, and Deleting an Application Condition

Filtering Application Conditions

Service Condition

Configuring Service Conditions

Viewing Service Conditions

Creating, Duplicating, Editing, and Deleting a Service Condition

Filtering Service Conditions

Compound Condition

Configuring Compound Conditions

Viewing Compound Conditions

Creating, Duplicating, Editing, and Deleting a Compound Condition

Filtering Compound Conditions

Antivirus and Antispyware Compound Conditions

Antivirus Compound Condition

Configuring Antivirus Compound Conditions

Creating, Duplicating, Editing, and Deleting an Antivirus Compound Condition

Filtering Antivirus Compound Conditions

Antispyware Compound Condition

Configuring Antispyware Compound Conditions

Creating, Duplicating, Editing, and Deleting an Antispyware Compound Condition

Filtering Antispyware Compound Conditions

Dictionary Simple Condition

Configuring Dictionary Simple Conditions

Creating, Duplicating, Editing, and Deleting a Dictionary Simple Condition

Filtering Dictionary Simple Conditions

Dictionary Compound Condition

Configuring Dictionary Compound Conditions

Creating, Duplicating, Editing, and Deleting a Dictionary Compound Condition

Filtering Dictionary Compound Conditions

Posture Results

Custom Posture Remediation Actions

Configuring Custom Posture Remediation Actions

File Remediation

Viewing, Adding, and Deleting a File Remediation

Filtering File Remediations

Link Remediation

Adding, Duplicating, Editing, and Deleting a Link Remediation

Filtering Link Remediations

AVAS Remediation

Adding, Duplicating, Editing, and Deleting an Antivirus or Antispyware Remediation

Filtering Antivirus or Antispyware Remediations

Launch Program Remediation

Adding, Duplicating, Editing, and Deleting a Launch Program Remediation

Filtering Launch Program Remediations

Windows Update Remediation

Adding, Duplicating, Editing, and Deleting a Windows Update Remediation

Filtering Windows Update Remediations

Windows Server Update Services Remediation

Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation

Filtering Windows Server Update Services Remediations

Client Posture Assessment Requirements

Creating, Duplicating, and Deleting Client Posture Requirements

Creating a New Posture Requirement

Duplicating a Posture Requirement

Deleting a Posture Requirement

Custom Authorization Policies for Posture

Standard Authorization Policies for a Posture

Creating, Duplicating, and Deleting a Standard Authorization Policy for a Posture

Custom Permissions for Posture

Configuring a Standard Authorization Profile


Configuring Client Posture Policies


This chapter describes the posture service in the Cisco Identity Services Engine (Cisco ISE) appliance that allows you to check the state (posture) for all the endpoints that are connecting to your Cisco ISE enabled network with your corporate security policies for compliance before clients access protected areas of your network.

This chapter guides you through the features of the Cisco ISE posture service in detail.

Posture Service

Understanding the Posture Service

Posture Compliance Dashlet

Viewing Posture Reports

Posture Administration Settings in Cisco ISE

Posture General Settings

Posture Reassessments

Posture Updates

Posture Acceptable Use Policy

Client Posture Assessments in Cisco ISE

Client Posture Assessment Policies

Custom Conditions for Posture

Posture Results

Custom Posture Remediation Actions

Client Posture Assessment Requirements

Custom Authorization Policies for Posture

Custom Permissions for Posture

Posture Service

The Network Admission Control (NAC) Agents that are installed on the clients interact with the posture service to enforce security policies on all the endpoints that attempt to gain access to your protected network. At the same time, the NAC Agents enforce security policies on noncompliant endpoints by blocking network access to your protected network. They assist you in evaluating clients against posture policies, and as well as enforce clients to meet requirements that are required for compliance with your organization's security policies.

The posture service checks the state (posture) of the clients for compliance with your corporate security policies before the client gains the privileged network access. The Client Provisioning service ensures that the clients are setup with appropriate Agents that provide posture assessment and remediation for the clients.

For information on the posture service in detail, see the "Understanding the Posture Service" section.

For information on Posture Compliance dashlet, see the "Posture Compliance Dashlet" section.

For information on posture reports, see the "Viewing Posture Reports" section.

SWISS Protocol

The SWISS protocol is a stateless request response protocol that allows NAC Agents which are running on managed clients to discover the Cisco ISE server, and retrieve configuration and operational information. The NAC Agent connects to the Cisco ISE server by sending SWISS unicast discovery packets out on User Datagram Protocol (UDP) port 8905 until a Cisco ISE node that assumes the Policy Service persona sends a response to the client. The SWISS protocol uses TCP transport for all the messages and UDP transport for periodical requests. The NAC Agent tunnels all the SWISS requests over HTTPS and pings the Cisco ISE SWISS UDP server for changes to its authentication and posture state.

The SWISS request message that comes from the client machine includes information pertaining to resource types for the following items:

Agent profiles

Agent compliance modules

Agent customization package

In addition to answering the above request items, the SWISS response from the Cisco ISE server can also contain prompts to update the current Agent and URL or URLs that are required to perform posture assessment and remediation on the client machine.

For descriptions of the various types of agents availalbe in Cisco ISE, see Cisco ISE Agents, page 18-1.

Understanding the Posture Service

Cisco ISE posture service primarily includes the posture administration services and the posture run-time services. If you do not have the advanced license package installed on your Cisco ISE deployment, then the posture administration services user interface will not be available for you to use in Cisco ISE.

Posture Administration Services

The administration services provide the back-end support for posture specific custom conditions, and remediation actions that are associated to the requirements and authorization policies that are configured for posture service on your Cisco ISE deployment.

Posture Run-time Services

The posture run-time services encapsulates the SWISS protocol services, and all the interactions that happen between the NAC Agents and the Cisco ISE server for posture assessment and remediation of clients.

Validating a Posture Requirement Request

Once the client (an endpoint) is authenticated on the network, the client can be granted limited access on the network. For example, the client can access remediation-only resources on the network. The NAC Agent that is installed on the client validates the requirements for an endpoint and the endpoint is moved to a compliant state upon successful validation of the requirements. If the endpoint satisfies the requirement, a compliance report will be sent to the Cisco ISE node that assumes the Policy Service persona and the run-time services triggers a Change of Authorization (CoA) for the posture compliant status. If the endpoint fails to satisfy the requirement, a noncompliance report will be sent to the Cisco ISE node that assumes the Policy Service persona and the run-time services triggers a CoA for the posture noncompliant status.

Now, the Agent gets its session ID from the redirect URL and sends it along with its MAC address and IP address in a SWISS request. The posture run-time services looks up in the session cache using the session ID first, MAC address, and then the IP address, if required. If the posture run-time services finds the same session using the session ID in the session cache, then it queries the posture policies in Cisco ISE and tries to match the posture policies. Once matched, it generates the specified XML format that contains the matched requirements and sends to the NAC Agents. The NAC Agents send the posture report to the posture run-time services.

Generating a Posture Requirement

The run-time services requests for the posture requirement for the endpoint by looking up at the role to which the user belongs to and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies through one or more requirements associated with the policies and for each requirement through one or more conditions. Once the posture policy is retrieved for the endpoint, the posture run-time services communicate the requirement to the NAC Agent in a specified XML format.

Processing the Posture Report from the Cisco NAC Agent

The NAC Agent validates the endpoint for compliance based on the requirements that are sent from the Cisco ISE server and determines the posture of the endpoint. If the endpoint is not compliant with the requirement, then the NAC Agent prompts to remediate the endpoint for compliance. Any failures during posture evaluation results in the noncompliance of the endpoint. The NAC Agent sends the appropriate compliance report to the Cisco ISE server once postured compliant or noncompliant.

Issuing a CoA Based on the Posture Report Evaluation

Upon evaluating the posture report received from the NAC Agent, an endpoint may be identified as compliant or noncompliant. If the endpoint is compliant or noncompliant, then the posture run-time services triggers a CoA for that endpoint session. Based on the profile configured for compliant or noncompliant, the end user gets the appropriate level of access privileges to the network.

Logging

Upon processing the posture request and report, the run-time services sends audit log messages to the Cisco ISE node that assumes the Monitoring persona.

For information on how posture and client provisioning session services work in Cisco ISE, see the "Posture and Client Provisioning Services" section.

For information on licenses for the posture service, see the "Licenses for the Posture Service" section.

For information on how to deploy the posture service in detail, see the "Deploying the Posture Service" section.

Posture and Client Provisioning Services

Prerequisites:

Before you begin, you should have an understanding of the available client provisioning resources in Cisco ISE that you can configure for the clients.

For information on how to configure client provisioning resource policies, see the "Configuring Client Provisioning Resource Policies" section on page 18-23.

Before you begin, you should have an understanding of the Client Provisioning session service in Cisco ISE. Cisco ISE manage client provisioning resources for your clients and uses the client provisioning resource policies to ensure that the client systems are set up with an appropriate Agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles.

For information on the Client Provisioning session service, see Chapter 18, "Configuring Client Provisioning Policies."

For information on the NAC Agent that is installed on the client and the client operating system compatibility, see Cisco Identity Services Engine Network Component Compatibility.

Posture and Client Provisioning Policies Flow

Figure 19-1 shows the flow of posture and client provisioning policies in Cisco ISE posture service.

Figure 19-1 Posture and Client Provisioning Policies Workflow in CIsco ISE

Licenses for the Posture Service

Prerequisites:

Before you begin, you should have an understanding on how licenses restrict the usage of Cisco ISE posture service with both the base and advanced license packages.

For more information on Cisco ISE license packages, refer to the Performing Post Installation Tasks chapter in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.

Cisco ISE allows you to configure the posture service to run on multiple Cisco ISE nodes in a distributed deployment. You can also configure the posture service on a single node in a standalone Cisco ISE deployment.

Cisco ISE deployment provides you with two main types of licenses, namely the base license and advanced license. You also have an evaluation license which, if further use is desired, needs to be upgraded to the appropriate base or advanced license once the evaluation license period is over.

In addition, if you do not have the advanced license installed on your primary administration node, then the SWISS server does not get initialized during run time. If the SWISS server does not initialize, then the posture requests will not be served in Cisco ISE. If the advanced license is not installed in Cisco ISE, then the posture service menus on the Cisco ISE administration user interface will be removed except the default posture status configuration for unsupported operating system on the Administration > System > Settings > Posture > General Settings configuration page. The posture run-time services takes appropriate action when you add or remove any advanced license file to your Cisco ISE deployment. During run time, the SWISS server initializes when you add the advanced license, and it stops when you remove the advanced license, or when the advanced license expires.

Deploying the Posture Service

Prerequisites:

Before you begin, you should have an understanding of the centralized configuration and management of Cisco ISE nodes in the distributed deployment.

For information on Cisco ISE distributed deployment, Chapter 9, "Setting Up Cisco ISE in a Distributed Environment"

You can deploy Cisco ISE either in a standalone environment (on a single node), or in a distributed environment (on multiple nodes). Depending on the type of your deployment and the license you have installed, the posture service of Cisco ISE can run on a single node or on multiple nodes. You need to install either the base license to take advantage of the basic services or the advanced license to take advantage of all the services of Cisco ISE.

In a standalone Cisco ISE deployment, you can configure a single node for all the administration services, the monitoring and trouble shooting services, and the policy run-time services. You cannot configure a node as an node in a standalone deployment.

In a distributed Cisco ISE deployment, you can configure each node as a Cisco ISE node for administration services, monitoring and troubleshooting services, and policy run-time services, or as an inline posture node as needed. A node that runs the administration services is the primary node in that Cisco ISE deployment. The other nodes that run other services are the secondary nodes which can be configured for backup services for one another.

Configuring the Posture Service in Cisco ISE

From the Administration menu, you can choose Deployment to manage the ISE deployment on a single node or multiple nodes. You can use the Deployment Nodes page to configure the posture service for your Cisco ISE deployment.

To manage the Cisco ISE deployment, complete the following steps:


Step 1 Choose Administration > System > Deployment.

The Deployment menu window appears on the left pane of the user interface. You can use the Table view button or the List view button to display the nodes in your Cisco ISE deployment.

Step 2 Click the Table view button.

Step 3 Click the Quick Picker (right arrow) icon to view the nodes that are registered in your deployment.

The Table view displays all the nodes that are registered in a row format on the right pane of the user interface.


Note To view the nodes in your deployment in a tree, click the List view button. An arrow appears in front of the Deployment menu. Click the arrow in front of the Deployment menu to view the nodes that are registered in your deployment in a tree view. The List view displays all the nodes in the Deployment menu window in a tree.


From the Deployment menu, you can run the posture service on any Cisco ISE node that assumes the Policy Service persona in a distributed deployment.


To deploy the posture session service, complete the following steps:


Step 1 Choose Administration > System > Deployment > Deployment (menu window).

The Deployment menu window appears. You can use the Table view or the List view button to display the nodes on your deployment.

Step 2 Click the Table view button.

Step 3 Click the Quick Picker (right arrow) icon to view the nodes that are registered in your deployment.

The Table view displays all the nodes that are registered in a row format on the Deployment Nodes page of the user interface. The Deployment Nodes page displays the Cisco ISE nodes that you have registered, along with their names, personas, roles, and the replication status for the secondary nodes in your deployment.

Step 4 Choose a Cisco ISE node from the Deployment Nodes page.


Note If you have more than one node that are registered in a distributed deployment, all the nodes that you have registered appear in the Deployment Nodes page, apart from the primary node. You have the option to configure each node as a Cisco ISE node (administration, policy service, and monitoring personas) or an Inline Posture node.


Step 5 Click the Edit button.

The Edit Node page appears. This page contains the General settings tab that is used to configure the Cisco ISE deployment. This page also features the Profiling Configuration tab, which is used to configure the probes on each node. If you have the Policy Service persona disabled, or if enabled but the Enable Profiler services option is not selected, then the Cisco ISE administrator user interface does not display the Profiling Configuration tab. If you have the Policy Service disabled on any node, ISE displays only the General settings tab and does not display the Profiling Configuration tab that prevents you from configuring the probes on the node.

Step 6 From the General settings tab, check the Policy Service check box, if it is already active.

If you have the Policy Service check box unchecked, both the session services and the Profiler service check boxes are disabled.

Step 7 For the Policy Service persona to run the Network Access, Posture, Guest, and Client Provisioning session services, check the Enable Session Services check box, if it is not already active. To stop the session services, uncheck the Enable Session Services check box.


Note The posture service only runs on Cisco ISE nodes that assume the Policy Service persona and does not run on Cisco ISE nodes that assume the administration and monitoring personas in a distributed deployment.


Step 8 Click Save to save the node configuration.


Posture Compliance Dashlet

The Posture Compliance dashlet summarizes the posture compliance in percentage, and Mean Time To Remediate (MTTR) data for the last 24 hour period, as well as 60 minutes from the current system time. It refreshes data every minute and displays it on the dashlet. You can invoke the Posture Detail Assessment report from the tool tips that are displayed on the 24 hour and 60 minutes spark lines for a specific period. The stack bars display the posture noncompliance distribution of endpoints by operating systems and the reason for failures of the requirements.

The MAC address is used as a key to calculate MTTR.

The dashlet provides you the following distribution details for the last 24 hour period, as well as 60 minutes from the current system time.

Table 19-1 describes the details, which are shown in the Posture Compliance dashlet on Cisco ISE.

Table 19-1 Posture Compliance Dashlet 

Name
Description

Passed in percentage

Displays the percentage (passed percentage) of posture compliance of endpoints by using posture compliance and noncompliance of endpoints.

Mean Time to Remediate (MTTR)

Displays the mean time difference between endpoints moving from the noncompliant state to the complaint state based on the unique MAC address.

Operating System

Displays the noncompliance distribution by operating system that is running on the client.

Reason

Displays the noncompliance distribution by failures of posture conditions.


Viewing Posture Reports

Cisco ISE provides you with various reports on posture, and troubleshooting tools that you can use to efficiently manage your network. You can generate reports for historical as well as current data. You may be able to drill down on a part of the report to look into more details. You can also schedule reports (specially for large reports) and download it in various formats.

For more information on how to generate reports and work with the interactive viewer, see Chapter 23, "Reporting."

For more information on posture reports see the "Standard Reports" section.

Standard Reports

For your convenience, the standard reports present a common set of predefined report definitions. You can click on the Report Name link to run the report for today. You can query the output by using various parameters, which are predefined in the system. You can enter specific values for these parameters.

You can use the Run button to run the report for a specific period, and as well as use the Query and Run option. The Query and Run option allows you to query the output by using various parameters. The Add to Favorite button allows you to add your reports that you use frequently to the Monitor > Reports > Favorites location. The Reset Reports button allows you to reset your reports in this catalog to factory defaults.

You can run the reports on posture from the following location:

Monitor > Reports > Catalog > Posture.

The following are the standard reports for posture:

Posture Detail Assessment—a report to view the posture authentication summary information for a particular user for a selected time period

Posture Trend—a report to view the count of passed/failed and status information for a particular policy along with the graphical representation for a selected time period

Posture Administration Settings in Cisco ISE

After you deploy Cisco ISE on your network, you can globally configure Cisco ISE to download updates automatically through web to the Cisco ISE server, or updates that can be done offline later.

For information on posture updates, see the "Posture Updates" section.

In addition, the NAC Agents and Web Agents, which are installed on the clients provide posture assessment, and remediation services to clients. The NAC Agents and Web Agents periodically update the compliance status of clients to Cisco ISE. After login and successful requirement assessment for posture, the NAC Agents and Web Agents on Windows display a dialog with a link that requires end users to comply with terms and conditions of network usage. You can use this link to define network usage information for your enterprise network that end users accept before they can gain access to your network.

For information on posture periodic assessment of clients for compliance that NAC Agents and Web Agents do, see the "Posture Reassessments" section.

For information on accepting network usage policies for your network, see the "Posture Acceptable Use Policy" section.

This section describes the configuration settings that you define for clients to remediate on Cisco ISE, periodic reassessments of clients for compliance that NAC and Web Agents check periodically and report to Cisco ISE. It describes the configuration settings that you define for Cisco ISE updates with Cisco rules, checks, antivirus and antispyware charts, and operating system support. It also provides information on the configuration settings that end users must comply with network usage policies for using your network resources.

This section provides procedures that describe the following topics:

Posture General Settings

Posture Reassessments

Configuring Client Posture Periodic Reassessments

Filtering Client Posture Periodic Reassessments

Posture Updates

Dynamic Posture Updates

Offline Posture Updates

Posture Acceptable Use Policy

Posture General Settings

The posture general settings for agents on Windows clients and Macintosh clients can be configured in client provisioning resources. Here, you can configure agent profiles in client provisioning by setting the timers used for remediation and transition of clients posture state on your network, and also setting the timer to close the login success screens automatically on agents without end users intervention.

You can configure all these timers for agents on Windows clients and Macintosh clients in client provisioning resources in the following location:

Policy > Policy Elements > Results > Client Provisioning > Resources > Add > New Profile.

For more information on creating agent profiles and setting agent profile parameters, see the "Agent Profile Parameters and Applicable Values" section on page 18-12.

Cisco recommends configuring agent profiles with remediation timers, network transition delay timers and the timer used to control the login success screen on client machines so that these settings are policy based. However, when there are no agent profiles configured match the client provisioning policies, you can use the settings in the Administration > System > Settings > Posture > General Settings configuration page to accomplish the same goal.

Remediation Timer

Here, you can configure the timer for clients to remediate themselves within the time specified in the timer after failing to meet all the requirements defined in the posture policies for compliance. When clients fail to satisfy configured posture policies during an initial assessment, the NAC Agents wait for the clients to remediate within the time configured in the remediation timer. If the client fails to remediate within this specified time, then the NAC Agents and Web Agents send a report to the posture run-time services after which the clients are moved to the noncompliance state. The remediation timer default value is four minutes.

Network Transition Delay Timer

Here, you can configure the timer for clients to transit from one state to the other state within a specified time as specified in the network transition delay timer, which is required for Change of Authorization (CoA) to complete for clients to move from one state to the other state. This timer is used for clients in both successful and failure of posture. It may require a longer delay time when clients need time to get a new VLAN IP address during successful and failure of posture. Upon successfully postured, Cisco ISE allows clients to transit from pending to compliant mode within the time specified in the network transition delay timer. Upon failure of posture, Cisco ISE allows clients to transit from pending to noncompliant mode within the time specified in the timer.

Default Posture Status

Here, you can configure the posture status of endpoints to compliant, or noncompliant for endpoints that run on Linux, iDevices like Ipad, Ipod (non-agent devices). The same settings also apply to endpoints that run on Windows and Macintosh operating systems when there is no client provisioning policy matching found during posture run-time.

Successful Login Screen

After login and successful posture assessment, the NAC Agents and Web Agents display a temporary network access screen. Here, the agents display a network usage term and conditions link for end users to accept the network usage policies that you define for your network. If end users reject network usage policies from the temporary network access screen, then they are denied to access your network. If they accept the network usage policies, then the agents display the login success screen and permit network access.

This section describes the following posture general settings that you configure for clients in posture:

Remediation Timer—specifies time in minutes required for any type of remediation within which clients need to remediate from the noncompliance state to the compliance state

Network Transition Delay—specifies time in seconds for network transition for both successful and failure of posture of clients on your network

Default Posture Status—specifies the posture status for clients that do not run supported operating systems in Cisco ISE

Successful Login Screen—specifies the timeout in seconds that closes the login success screen without end users intervention.

You can use the posture General Settings page to configure the timers for remediation, network transition, and closing the login success screen on Windows clients.


Step 1 Choose Administration > System > Settings (menu window).

The Settings menu window appears.

Step 2 From the Settings menu window, choose Posture.

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose General Settings.

The Posture General Settings page appears.


Tip The information icon provides you details on the posture General Settings page with the following message: "These settings will be used if there is no profile under client provisioning policy."


Step 5 Enter a time value in the Remediation Timer field in minutes.

The default value is 4 minutes. You can configure the remediation timer, which the information icon displays the valid range between 1-300 minutes.

Step 6 Enter a time value in the Network Transition Delay field in seconds.

The minimum default value is 3 seconds. You can configure the network transition delay timer, which the information icon displays the valid range between 2-30 seconds.

Step 7 From the Default Posture Status field, choose the option from the drop-down list.

Here, you can configure the posture status of endpoints to compliant, or noncompliant where the information icon displays with the following message: "Provides posture status for non-agent devices (i.e. Linux based operating systems), and endpoints for which no agent installation policy applies."

The following are the options:

Compliant (default)

NonCompliant

Step 8 Click to check the Automatically close login success screen after check box.

Step 9 Enter a time value for the Automatically close login success screen after check box.

Once checked the check box, and configured the time in seconds, the NAC Agents and Web Agents display the login success screen till the time out occurs. This setting allows clients to login into your network failing which the login success screen is closed automatically. You can configure the timer to close the login screen automatically between 0-300 seconds. If the time is set to zero seconds, then the NAC Agents and Web Agents do not display the login success screen.


Tip The information icon provides you details on Automatically close login success screen after check box with the following message: "Setting the time to zero seconds will not display the login success screen. Valid range: 0-300 seconds.


Step 10 Click Save to save the current input data.


To reset the posture general settings, complete the following steps:


Step 1 Click the Remediation Timer field.

Enter a time value (current input data) in the Remediation Timer field in minutes.

or

Step 2 Click the Network Transition Delay field.

Enter a time value (current input data) in the Network Transition Delay field in seconds.

or

Step 3 From the Default Posture Status field, choose the option from the drop-down list.

The following options appear: Compliant (default), NonCompliant

or

Step 4 Check to enable, or uncheck to disable the Automatically close login success screen after check box.

Step 5 Click Save to save the current input data.


Posture Reassessments

This section describes the periodic reassessment (PRA) configurations for clients that are successfully postured already for compliance on your network. PRA cannot occur if clients are not compliant on your network.

For more information on initiating and requesting a PRA, see the Initiating and Requesting a PRA.

For more information on PRA failure action configuration, see the PRA Failure Actions.

For more information on PRA and identity group (role) assignment, see the Identity Group (Role) Assignment.

For more information on PRA report tracking and enforcement, see the PRA Report Tracking and Enforcement

For more information on PRA enforcements when Cisco ISE distributed deployment failures, see the PRA Enforcement During Distributed System Failure

Initiating and Requesting a PRA

The NAC Agent sends a compliance report to the policy service node once the client is postured successfully compliant on your network. A PRA is valid and applicable only if endpoints are in compliant state. Then the policy service node checks the relevant policies, and compiles the requirements depending on the client role that is defined in the configuration to enforce a PRA. If PRA configuration match is found, the policy service node responds to the NAC Agent with the PRA attributes that are defined in the PRA configuration for the client before issuing a change of authorization request. The NAC Agent periodically sends the PRA requests based on the interval specified in the configuration. Here, the client remains in the compliant state, if the PRA succeeds, or the action configured in the PRA configuration is to continue. If the client fails to meet PRA, then the client is moved from the compliant state to the noncompliant state.


Note The PostureStatus attribute shows the current posture status as compliant in a PRA request instead of pending even though it is a posture reassessment request. The same is updated in the Monitoring reports as well. The PostureStatus attribute of any client before reassessment of new requirements and posture policies retrieved from the server in a PRA request should represent the posture status as pending in a PRA request assuming that the client is being postured after successful authentication.


PRA Failure Actions

If the client is not compliant, the policy service node activates a PRA failure action. The PRA failure action that will be taken either to continue so that the client continues to access your network, or to log off from your network, or to remediate itself.

If you associate an user to different roles and each associated role is configured with different PRA failure actions, then the logoff action is applied on the endpoint.

If the PRA failure action that is configured for the client is not the continue action but, rather, the logoff or remediate action, then the policy service node updates the client posture status accordingly.

The following enforcement types apply to PRA failure actions:

Continue

Logoff

Remediate

PRA Failure Action to Continue

In this scenario, the client is not compliant, and the configured PRA failure action is to continue. This failure action to continue does not allow the user to remediate the client and the NAC Agent does not show the user the need to remediate the client for compliance. Instead, the user continues to have the privileged access without any user intervention to remediate the client irrespective of the posture requirement, which is set to mandatory or optional.

PRA Failure Action to Logoff

In this scenario, the client is not compliant, and the configured PRA failure action is to force the client to log off from your network. The Agent sends a logoff request to the policy service node, and the client logs off. The client logs in again, and its compliance status is pending for the current session.

PRA Failure Action to Remediate

In this scenario, the client is not compliant, and the configured PRA failure action is to remediate. The agent waits for a specified time for the remediation to occur. After the client has remediated, the agent sends the PRA report to the policy service node. If the remediation is ignored on the client, then the Agent sends a logoff request to the policy service node to force the client to log off from your network and log in again to remediate for compliance.

If the posture requirement is set to mandatory, then the RADIUS session will be cleared as a result of the PRA failure action and a new RADIUS session has to start for the client to be postured again.

If the posture requirement is set to optional, then the NAC Agent allows the user to click the continue option from the Agent. The user can continue to stay in the current network without any restriction.

Identity Group (Role) Assignment

You can configure each PRA to an identity group (a role) that is defined in the system. If you configure a PRA with a role Any then only the configuration with the role Any exists, and no other configurations can exist in the system.

The following section summarizes the PRA configuration to a role:

1. Ensure that each PRA configuration has a unique role or a unique combination of roles assigned to the configuration.


Note You can assign a role_test_1 and a role_test_2, the two unique roles to a PRA configuration. You can combine these two roles with a logical operator and assign the PRA configuration as a unique combination of two roles. For example, role_test_1 or role_test_2.


2. Ensure that two PRA configurations cannot have a role in common.

3. If a PRA configuration already exists with a role of Any, you cannot create other PRA configurations unless you perform the following:

a. You update the existing PRA configuration with a role of Any to reflect a role (or roles) other than Any.

or

b. You delete the existing PRA configuration with a role of Any.


Note If you must create a PRA configuration with a role of Any, ensure that you delete all the other PRA configurations from the reassessment configurations list.


PRA Report Tracking and Enforcement

You can keep track of the PRA reports from the NAC Agent and enforce PRA on the clients that are already successfully postured on your network.

Upon successful compliance for posture, the NAC Agent validates the client for compliance and sends the compliance reports to the policy service node. The NAC Agent periodically sends the PRA requests for reassessment based on the interval that is specified in the configuration.

If the policy service node does not receive the PRA report within the maximum wait interval period, then the policy service node assigns the client to the pending status and the client needs to be checked again for posture compliance. The maximum wait interval is an interval between two consecutive compliance (PRA) reports from the NAC Agent sent to the policy service node before the execution of a PRA failure action for noncompliance and the end of the client session.


Note The maximum wait interval is the sum of the PRA interval and twice the grace time that is configured in the PRA configuration as maximum wait interval = PRA interval + (grace time * 2).


PRA Enforcement During Distributed System Failure

The PRA is not supported in cases where policy service nodes fail in the distributed environment.

You cannot enforce a PRA on your clients, and the clients stay connected on your network regardless of their compliance in case there is a failure in the distributed environment. The Agents stop sending the PRA requests to the policy service nodes.

Configuring Client Posture Periodic Reassessments

Upon successful compliance for posture, the NAC Agents validate the compliance of clients, and periodically send the compliance reports to the Cisco ISE policy service node. The Cisco ISE policy service nodes check the relevant policies and compiles requirements depending on the client roles that are defined in the configuration to enforce a periodic reassessment. The Cisco ISE policy service nodes then respond to the NAC Agents with PRA attributes defined in the PRA configurations. As you associate an user to more than one identity group (roles), the PRA configurations are applied according to the most restricted attributes on the relevant role's related configurations.

The following are the most restricted configuration definitions for the PRA attributes:

Use reassessment enforcement—requires at least one configuration and has its reassessment required flag on the PRA configuration

Interval—the least interval of all the relevant PRA configurations

Grace time—the least interval of all the relevant PRA configurations

Enforce type—the most restricted enforcement type is logoff; after log off, the client needs to remediate and then continue.

You can use the Reassessment configurations list page to display and manage the periodic reassessments for a posture.

This section provides the procedures to configure the periodic reassessment configurations:

Creating, Duplicating, Editing, and Deleting a Client Posture Periodic Reassessment

Filtering Client Posture Periodic Reassessments

Creating, Duplicating, Editing, and Deleting a Client Posture Periodic Reassessment

This section describes the periodic reassessment configuration that you can create in Cisco ISE for your clients after they are successfully postured.

The Reassessment configurations list page displays existing configurations that are configured to roles along with their names, description, and the action enforced on the clients in case the clients fail posture assessment. You can create, duplicate, edit, delete, or filter a PRA from the Reassessment configurations list page. Once created and saved, you can see existing PRA configurations, and the roles to which the PRA configurations apply on the configurations list page.

To create a periodic reassessment, complete the following steps:


Step 1 Choose Administration > System > Settings > Settings (menu window).

Step 2 From the Settings menu window, choose Posture.

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Reassessments.

The Reassessment configurations list page appears, which lists all the PRAs that you have already created.

Step 5 Click Add.

Step 6 Modify the values on the New Assessment configuration page, as shown in Table 19-2.

Here, you can create to add a new PRA on the Reassessment configurations list page.

Step 7 Click Submit to create a PRA configuration.

Click Cancel to return to the Reassessment configurations list page from the New Reassessment configuration page when you do not want to add a new PRA on this page.


To duplicate a PRA, complete the following steps:


Step 1 From the Settings menu window, choose Posture.

Step 2 Click the arrow to view the settings used for posture.

Step 3 Choose Reassessments.

The Reassessment configurations list page appears, which lists all the PRAs that you have already created. PRA configurations display the roles to which existing PRAs are configured on the Reassessment configurations list.

Step 4 Choose the PRA that you want to duplicate.

Step 5 From the Reassessment configurations list page, choose Duplicate.

Here, you can create a copy of the PRA.

Step 6 Click Submit to create a copy of the PRA.

Click Cancel to return to the Reassessment configurations list page from the edit page when you do not want to create a copy of the PRA on the edit page.


To edit a PRA, complete the following steps:


Step 1 From the Settings menu window, choose Posture.

Step 2 Click the arrow to view the settings used for posture.

Step 3 Choose Reassessments.

The Reassessment configurations list page appears, which lists all the PRAs that you have already created.

Step 4 Choose the PRA that you want to edit.

Step 5 From the Reassessment configurations list page, choose Edit.

Here, you can edit a PRA

Step 6 Click Save to save the changes made to the PRA.

The PRA will appear on the Reassessment configurations list page after editing on the edit page, as well as appear on the PRA configurations that displays the roles to which existing PRAs are configured on the configurations list.

Step 7 Click the Reassessment configuration List link from the edit page to return to the Reassessment configurations list page.


To delete a PRA, complete the following steps:


Step 1 From the Settings menu window, choose Posture.

Step 2 Click the arrow to view the settings used for posture.

Step 3 Choose Reassessments.

The Reassessment configurations list page appears, which lists all the PRAs that you have already created.

Step 4 Choose the PRA that you want to delete.

Step 5 From the Reassessment configurations list page, choose Delete.

A confirmation dialog appears with the following message: "Are you sure you want to delete?".

Step 6 Click OK to delete a PRA.

Here, you can delete a PRA. Click Cancel to return to the Reassessment configurations list page without deleting a PRA.


Table 19-2 describes the fields on the New Assessment configuration page that allow you to create, duplicate a PRA, and edit a PRA on its edit page:

Table 19-2 PRA Configurations 

Field Name
Field Description

Configuration Name

From the Configuration Name field, enter the name of the PRA configuration that you want to create.

Configuration Description

From the Configuration Description field, enter the description of the PRA configuration.

Use Reassessment Enforcement ? :

When the Use Reassessment Enforcement check box is checked, the PRA configurations configured for the roles are applied. If unchecked, the PRA configurations configured for the roles are not applied.

Enforcement Type

If clients fail to meet the posture requirement, then one of the following actions is enforced on the client. Click the drop-down arrow to view the predefined settings:

Continue

Logoff

Remediate

Choose one from the list.

Interval

From the Interval field, enter a time interval specified in minutes to initiate PRA on the clients thereafter first successful log in.

The information icon next to the Interval field provides you the minimum and maximum interval that you can set for PRAs. The minimum interval can be 60 minutes (one hour), and the maximum interval can be 1440 minutes (24 hours) for PRAs. The default interval time is specified as 240 minutes (4 hours).

Grace time

From the Grace Time field, enter a time interval specified in minutes to allow the client to complete remediation. The grace time cannot be zero, and greater than the PRA interval. It can range between the default minimum interval (5 minutes) and the minimum PRA interval.

The information icon next to the Grace time field provides you the minimum and maximum interval that you can set for PRAs. The minimum grace time can be 5 minutes and the maximum grace time can be 60 minutes.

Note The grace time is enabled only when the enforcement type is set to remediate action after the client fails the posture reassessment.

Select Roles

From the Select Roles field, choose a unique role, or a unique combination of roles for your PRA configuration.

Note the following while creating a PRA configuration:

Each configuration must have a unique role, or a unique combination of roles

No two configurations have any role in common

If you want to create a PRA configuration with a role of Any, then delete all other PRA configurations first

If you create a PRA configuration with a role of Any, then you cannot create other PRA configurations with a unique role, or roles. To create a PRA configuration with a role other than Any, either delete an existing PRA configuration with a role of Any first, or update an existing PRA configuration with a role of Any with a unique role, or roles.

PRA configurations—configurations list

An area that lists existing PRA configurations and the roles associated to PRA configurations.


Filtering Client Posture Periodic Reassessments

A quick filter is a simple and quick filter that can be used to filter periodic reassessments on the Reassessment configurations list page. It filters periodic reassessments based on the field description such as the name of the periodic reassessment, description, action enforced on the clients when clients fail posture assessment, roles to which periodic reassessments are configured, and periodic reassessments that are enabled or disabled on the Reassessment configurations list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Reassessment configurations list page. It filters periodic reassessments based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Reassessment configurations list page.

To filter periodic reassessments, complete the following steps:


Step 1 Choose Administration > System > Settings (menu window).

Step 2 From the Settings menu window, choose Posture.

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Reassessments.

The Reassessment configurations list page appears, which lists all the PRAs that you have already created.

Step 5 From the Reassessment configurations list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-3.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Reassessment configurations list page.


Note To return to the Reassessment configurations list page, choose All from the Show drop-down to display all the periodic reassessments without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters periodic reassessments based on each field description on the Reassessment configurations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Reassessment configurations list page. If you clear the field, it displays the list of all the periodic reassessments on the Reassessment configurations list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter periodic reassessments by using variables that are more complex. It contains one or more filters, which filter periodic reassessments based on the values that match the field description. A filter on a single row filters periodic reassessments based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter periodic reassessments by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add the filtered lists, or click the Remove Row button (minus [-] sign) to remove the filtered lists.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-3 describes the fields that allow you to filter the PRAs:

Table 19-3 Filtering Reassessment Configurations 

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter periodic reassessments by the name of the periodic reassessment.

Description

This field enables you to filter periodic reassessments by the description of the periodic reassessment.

Type

This field enables you to filter periodic reassessments by actions enforced on the client.

Roles

This field enables you to filter periodic reassessments by the roles configured for periodic reassessments.

Enable

This field enables you to filter periodic reassessments by those reassessments that are enabled.

Advanced Filter

Choose the field description from the following:

Name

Description

Type

Roles

Enable

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter periodic assessments.

Value

From the Value field, choose the value for the field description that you selected against which to filter periodic assessments.


Posture Updates

Prerequisite

If the default Update Feed URL is not reachable, you must configure the proxy settings in the Administration > System > Settings > Proxy.

For more information on proxy settings, see Specifying Proxy Settings in Cisco ISE, page 18-7.

Updates for posture includes a set of predefined checks, rules, antivirus and antispyware support charts for both Windows and Macintosh operating systems, and operating systems information that are supported by Cisco. You can download posture updates from Cisco to your Cisco ISE deployment through the web dynamically, and as well as configure updates to occur automatically after allowing a time delay within a maximum of 24 hours in hh:mm:ss format. Thereafter, Cisco ISE checks and downloads updates at specified intervals from the initial updates automatically. You can also update Cisco ISE offline from a file on your local system, which contains the latest archives of updates.

When you deploy Cisco ISE on your network for the first time, you can download initially posture updates from the web that usually takes around 20 minutes of time. Thereafter, you can configure to check and download incremental updates to occur automatically on Cisco ISE without your intervention. Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.

This section provides procedures that describe dynamic, and offline update configurations for posture:

Dynamic Posture Updates

Offline Posture Updates

Related Topics

Custom Conditions for Posture

Dynamic Posture Updates

You can use the Posture Update page to download updates dynamically from the web, and configure updates to occur automatically after allowing a time delay from the initial updates. Thereafter you can check and download updates at regular intervals without your intervention.

To download updates dynamically from the web, complete the following steps:


Step 1 Choose Administration > System > Settings (menu window).

Step 2 From the Settings menu window, choose Posture.

Step 3 Click the arrow to view the settings for posture.

Step 4 Choose Updates.

The Posture Updates page appears.

Step 5 From the Posture Updates page, choose the Web option to download updates dynamically.

Step 6 Click the Set to Default button to set the Cisco default value for the Update Feed URL field.

For example, the default Update Feed URL is https://www.cisco.com/web/secure/pmbu/posture-update.xml.


Note If this default Update Feed URL is not reachable, then you can configure the proxy settings alternatively on the Posture Updates page. For more information on proxy settings, see Specifying Proxy Settings in Cisco ISE, page 18-7.


Step 7 Modify the values on the Posture Updates page, as shown in Table 19-4.

Step 8 Click the Update Now button to download updates from Cisco.

Cisco ISE displays an information dialog with the following message:

"The update might take up to 20 minutes to finish. Navigating to other pages will not stop the updating and you can check the result on this page later."

Step 9 Click OK to continue with other tasks on Cisco ISE.

Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.


Note Downloading updates dynamically from the web may take a few minutes for the first time to update the Cisco ISE server. When updates is in progress, you can leave the updates page to continue with other tasks on Cisco ISE. If an update is in progress, then you will see a waning dialog displayed on the updates page when you return to the Posture Updates page. When an update is in progress, Cisco ISE displays a warning dialog with the following warning message: "There is already an update running. Please try later."



After an initial update, you can configure to check for updates and download updates to your Cisco ISE deployment automatically on the Posture Updates page. Cisco ISE downloads updates at specified intervals from the web automatically after an allowed initial delay from the first time updates.

To continue to check for updates automatically and download at a specified interval from the initial updates, complete the following steps:


Step 1 Check the Automatically check for updates starting from initial delay check box.

Step 2 Enter the initial delay time in hh:mm:ss format.

Cisco ISE starts checking for updates after the initial delay time is over.

Step 3 Enter the time interval in hours.

Cisco ISE downloads updates to your deployment thereafter at specified intervals from the initial delay time.

Step 4 Click Yes to continue.

Step 5 Click Save to download updates at regular intervals from the initial time delay.


Table 19-4 describes the fields that allow you to download updates dynamically from the web, or offline.

Table 19-4 Update Configurations 

Field
Field Description

Posture Updates options

The following options are available for Posture updates on Cisco ISE: Web, and Offline.

Update Feed URL

A valid URL to update from the web.

For example:

https://www.cisco.com/web/secure/pmbu/posture-update.xml

Set to Default

Click to set the Cisco default URL for Update Feed URL.

Proxy Address

The IP address of the configured proxy server.

Proxy Port

The port of the configured proxy server.

Automatically check for updates starting from initial delay  checkbox

Allows Cisco ISE automatically to check for updates after the delay time is over, and thereafter download updates at regular intervals.

Click to check the check box.

An initial delay time specified in hh:mm:ss format, after which Cisco ISE checks for updates

Cisco ISE starts checking for updates after an initial delay time is over.

Here, click the drop-down arrow to choose the initial delay time in hh:mm:ss format after which Cisco ISE should start to check for updates.

An interval specified in hours, at which Cisco ISE downloads updates automatically from the initial delay time.

Here, enter the interval hours of time at which Cisco ISE should download updates automatically from the initial delay time.


Offline Posture Updates

For details on performing offline posture package updates in Cisco ISE, see the "Cisco ISE Offline Updates" section of the Release Notes for the Cisco Identity Services Engine, Release 1.0.

Posture Acceptable Use Policy

After login and successful posture assessment of clients, the NAC Agents and Web Agents display a temporary network access screen. Here, the agents display a link on the temporary network access screen for end users to click on the link. This link redirects end users to a page, where you can define your network usage terms and conditions that end users must read, and accept the network usage policies here.

Each AUP configuration must have a unique role, or a unique combination of roles. Even though a user can be associated to multiple roles in Cisco ISE, and there are different AUP configurations for a unique role, or a unique combination of roles, Cisco ISE looks for the roles and the associated AUP configuration for the roles. Cisco ISE finds the AUP for the first matched role, and then it communicates to the NAC Agent and Web Agent to display the AUP of the first matched role. The user can click the link to accept the network usage policies here after which the user gets access privileges to your network.

Authorization Profile Configuration Guidance for Posture Clients Quarantine State

This section guides you through the configuration details when clients are moved into quarantine state due to end users deny to comply with your network usage policies, or when clients fail to meet the mandatory requirements.

Without accepting the network usage terms and conditions even though clients meet all the mandatory requirements that are defined in the posture assessment policies, they are denied network access to your network, and moved into a quarantine state forever. If clients are moved into the quarantine state, they will not be to reauthenticate again in order to be postured successfully for compliance again. If clients need to come out of the quarantine state in order to become compliant, then the network access devices must be configured to restart a new RADIUS session after the session times out so that clients can reauthenticate again depending on your configuration, and then agree to the network usage policies of your network.

You can choose an authorization profile and configure it using the Policy > Policy Elements > Results > Authorization > Authorization Profiles page.

For more information on authorization policies and profiles, see Chapter 16, "Managing Authorization Policies and Profiles."

Here, you can choose the Access-Accept option from the Access Type field, and configure information for re-authentication under Common Tasks, or under Advanced Attributes Settings for an authorization profile.

For example, you can configure the value of RADIUS: Termination-Action attribute to Default, and the RADIUS: Session-Timeout attribute to a time value under Common Tasks > Re-authentication, or under Advanced Attributes Settings. If the value of RADIUS: Termination-Action attribute is set to RADIUS-Request, the NAS sends a new Access-Request to the RADIUS server, including the state attribute, if any upon termination of the specified service. This configuration allows you to set a timeout value for a quarantine state. After the time out, a new RADIUS session can be started and the client can reauthenticate again and check for posture.

RADIUS: Termination-Action—An action, which should be taken by the NAS when the specified service is completed. It is only used in Access-Accept message.

RADIUS: Session-Timeout—A timeout value specified in maximum number of seconds of service to be provided to the user before termination of the RADIUS session, where the client remains connected by the NAS. It is an attribute to be sent by the RADIUS server to the client in an Access-Accept, or Access-Challenge messages.

In addition to the above, you have to enter the following additional commands for your network device:

authentication periodic—use this interface configuration command to enable, or disable re-authentication on a port. Enter the no form of this command to disable re-authentication.

This CLI command shows how to enable periodic re-authentication on a port.

Switch(config-if)# authentication periodic

authentication timer reauthenticate server—use this interface configuration command to configure the time out and re-authentication parameters for an 802.1x-enabled port.

This CLI command shows how to set the re-authentication timer where reauthenticate specifies time in seconds after which an automatic re-authentication attempt should start, and server specifies an interval in seconds after which an attempt can be made to authenticate an unauthorized port.

authentication timer—interface configuration command

reauthenticate—specifies time in seconds after which an automatic re-authentication attempt starts. It is set to one hour.

server—specifies interval in seconds after which an attempt is made to authenticate an unauthorized port

Switch(config-if)# authentication timer reauthenticate server

Configuring Acceptable Use Policies

You can view, create, delete, or filter acceptable use policies (AUPs) on the Acceptable use policy configurations list page. It displays all the AUPs with their names, description, type, the name of the zipped file, or the URL that contains the network usage policies depending on the type of the AUPs, and the roles to which they are configured.

This section covers the following procedures:

Viewing, Adding, and Deleting an Acceptable Use Policy

Filtering Acceptable Use Policies

Viewing, Adding, and Deleting an Acceptable Use Policy

You can use the Acceptable use policy configurations list page to view, create, or delete acceptable use policies, which allow network access to your network to clients on acceptance of the network usage policies.

To view an acceptable use policy, complete the following steps:


Step 1 Choose Administration > System > Settings > Settings (menu window).

Step 2 From the Settings menu window, choose Posture.

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Acceptable Use Policy.

The Acceptable use policy configurations list page appears, which lists all the AUPs that you have already created.

Step 5 Choose an acceptable use policy from the list.

Step 6 Click View.

Here, you can view the acceptable use policy.

Step 7 Click the Acceptable use policy configuration list link to return to the Acceptable use policy configuration list page.

Click Cancel to return to the Acceptable use policy configuration list page. A confirmation dialog appears with the following message: "Are you sure you want to cancel?. You will lose all the changes you have made." Click Yes to return to the Acceptable use policy configuration list page. If you click No, you are retained on the same view page.


To create an acceptable use policy, complete the following steps:


Step 1 Choose Administration > System > Settings > Settings (menu window).

Step 2 From the Settings menu window, choose Posture.

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Acceptable Use Policy.

The Acceptable use policy configurations list page appears, which lists all the AUPs that you have already created.

Step 5 Click Add.

Step 6 Modify the values on the Acceptable use policy configuration page, as shown in Table 19-5.

Here, you can configure a new AUP for a role on the Acceptable use policy configurations list page.

Step 7 Click Submit to create a AUP configuration.

Step 8 Click Cancel to return to the Acceptable use policy configurations list page from the Acceptable use policy configuration page when you do not want to add a new AUP from this page.


To delete an acceptable use policy, complete the following steps:


Step 1 From the Settings menu window, choose Posture.

Step 2 Click the arrow to view the settings used for posture.

Step 3 Choose Acceptable Use Policy.

The Acceptable use policy configurations list page appears, which lists all the AUPs that you have already created.

Step 4 Choose an acceptable use policy that you want to delete.

Step 5 From the Acceptable use policy configurations list page, choose Delete.

A confirmation dialog appears with the following message: "Are you sure you want to delete?".

Step 6 Click OK to delete an AUP.

Here, you can delete an AUP.

Step 7 Click Cancel to return to the Acceptable use policy configurations list page without deleting the AUP that you selected.


Table 19-5 describes the fields that allow to create an AUP configuration on the Acceptable use policy configurations page.

Table 19-5 AUP Configurations 

Field
Field Description

Configuration Name

From the Configuration Name field, enter the name of the AUP configuration that you want to create.

Configuration Description

From the Configuration Description field, enter the description of the AUP configuration that you want to create.

Show AUP to Agent users (for NAC Agent and Web Agent on Windows only)

If checked, the Show AUP to Agent users check box displays end users (for NAC Agents, and Web Agents on Windows only) the link to network usage terms and conditions for your network, and then click it to view the AUP upon successful authentication and posture assessment.

Use URL for AUP message radio button

When selected, you must enter the URL to the AUP message in the AUP URL field, which clients must access upon successful authentication and posture assessment.

Use file for AUP message radio button

When selected, you must browse to the location and upload a file in a zipped format in the AUP File field, which contains the index.html at the top level.

The zip file can include other files and sub directories in addition to the index.html file. These files can reference each other using HTML tags.

AUP URL

From the AUP URL field, enter the URL to the AUP, which clients must access upon successful authentication and posture assessment.

AUP File

From the AUP File field, browse to the file and upload it to the Cisco ISE server. It should be a zipped file and the zipped file should contain the index.html at the top level.

Select Roles

From the Select Roles field, choose a unique role, or a unique combination of roles for your AUP configuration.

Note the following while creating a AUP configuration:

Posture AUP is not applicable for a guest flow

Each configuration must have a unique role, or a unique combination of roles

No two configurations have any role in common

If you want to create a AUP configuration with a role of Any, then delete all other AUP configurations first

If you create a AUP configuration with a role of Any, then you cannot create other AUP configurations with a unique role, or roles. To create a AUP configuration with a role other than Any, either delete an existing AUP configuration with a role of Any first, or update an existing AUP configuration with a role of Any with a unique role, or roles.

Acceptable use policy configurations—Configurations list

An area that lists existing AUP configurations and the roles associated to AUP configurations.


Filtering Acceptable Use Policies

A quick filter is a simple and quick filter that can be used to filter acceptable use policies on the Acceptable use policy configurations list page. It filters acceptable use policies based on the field description such as the name of the acceptable use policy, description, URL of the acceptable use policy, roles to which acceptable use policies are configured, acceptable use policies that are enabled, or disabled on the Acceptable use policy configurations list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Acceptable use policy configurations list page. It filters acceptable use policies based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Acceptable use policy configurations list page.

To filter acceptable use policies, complete the following steps:


Step 1 Choose Administration > System > Settings > Settings (menu window).

Step 2 From the Settings menu window, choose Posture.

Step 3 Click the arrow to view the settings used for posture.

Step 4 Choose Acceptable Use Policy.

The Acceptable use policy configurations list page appears, which lists all the AUPs that you have already created.

Step 5 From the Acceptable use policy configurations list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-6.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Acceptable use policy configurations list page.


Note To return to the Acceptable use policy configurations list page, choose All from the Show drop-down to display all the acceptable use policies without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters acceptable use policies based on each field description on the Acceptable use policy configurations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Acceptable use policy configurations list page. If you clear the field, it displays the list of all the acceptable use policies on the Acceptable use policy configurations list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter acceptable use policies by using variables that are more complex. It contains one or more filters, which filter acceptable use policies based on the values that match the field description. A filter on a single row filters acceptable use policies based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter acceptable use policies by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add the filtered lists, or click the Remove Row button (minus [-] sign) to remove the filtered lists.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

Step 8 The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-6 describes the fields that allow you to filter the AVPs:

Table 19-6 Filtering Acceptable Use Policy Configurations 

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter acceptable use policies by the name of the acceptable use policy.

Description

This field enables you to filter acceptable use policies by the description of the acceptable use policy.

URL

This field enables you to filter acceptable use policies by the remote location of the acceptable use policy.

Roles

This field enables you to filter acceptable use policies by the roles configured for acceptable use policies.

Enabled

This field enables you to filter acceptable use policies by AUPs that are configured to display, or not to Agent users (for NAC Agent and Web Agent on Windows only).

True—display AUP to Agent users

False—does not display AUP to Agent users

Advanced Filter

Choose the field description from the following:

Name

Description

URL

Roles

Enabled

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter acceptable use policies.

Value

From the Value field, choose the value for the field description that you selected against which to filter acceptable use policies.


Client Posture Assessments in Cisco ISE

The posture service assists in determining the compliance of endpoints that are accessing your Cisco ISE-enabled network by using posture policies based on posture requirements, which are associated to posture policies. It evaluates the configured posture policies for all the endpoints that are connecting to your network, which are associated to one or more identity groups to which the users belong, and the operating systems that are installed on the clients. The NAC Agents that are installed on your clients interact with the Cisco ISE posture service, and evaluate the posture policies which are configured for your clients.

In addition, you should have an understanding on how Cisco ISE provides support for operating systems that are installed on the clients for posture.

Support for Hierarchical Operating Systems

Cisco ISE provides support to all the Windows and Macintosh operating systems, which are structured in a hierarchical group. You can also select an individual operating system from the hierarchy. A parent group includes the operating system versions for the group, and each version of the group includes the underlying operating system versions. When you select a parent group of an operating system from the hierarchy, you implicitly select all the underlying operating systems of the parent group. The posture conditions apply to all the underlying versions of the operating systems when you select the parent group or the group.

For example, when you choose Windows All from the Operating Systems field while creating a posture policy for posture in Cisco ISE, a condition that you define in the posture policy applies to all Microsoft Windows operating systems and their underlying operating systems, which includes Microsoft Windows 7 (All), Microsoft Windows Vista (All), Microsoft Windows XP (All), and their underlying operating systems for Windows All.

Filtering by Operating System

The selection of an operating system within the hierarchy implements the filtering of conditions, compound conditions and requirements that overrides a parent operating system Group associated to a simple condition. This implementation filters conditions, compound conditions and requirements by using the operating system that is associated with the compound condition. If you have a simple condition that is associated with a parent operating system group and a compound condition that is associated with the underlying version from the parent operating system group, then the filtering is based only on the underlying version of the operating system that is associated in the compound condition.

For example, you might have a simple condition that is associated with the Windows Vista parent operating system group. And you might also have a compound condition that is associated with the underlying version of Windows Vista from the operating system group. However, the filtering is done using only the underlying version of the operating system that is associated in the compound condition.

Dynamic Support for Operating System Version

You can configure the posture policies for an endpoint that is associated with the role to which you belong, as well as the operating system on the client. The posture configurations that you save apply only at the group level of an operating system that is not at the operating system level. This level of application allows you to map multiple versions of an operating system that is structured in the hierarchical groups.

For example, when you choose the Windows All option from the operating system group, you are choosing the hierarchical structure of all of the Windows 7, Windows Vista, and Windows XP groups that contain each of their underlying versions.

Cisco ISE dynamically supports new versions of client operating systems and Agents, including both the Windows and Macintosh NAC agents and NAC Web agent. Located on the ISE server, the osgroups.xml file is automatically updated by Cisco to reflect the latest version support information. If an Agent sends the Cisco ISE server an operating system version that is not listed in the osgroups.xml file, then you cannot continue to work with the posture service through the Agents.

Related Topics

Client Posture Assessment Policies

Client Posture Assessment Requirements

Troubleshooting Topics

Agent Fails to Initiate Posture Assessment, page D-27

Client Posture Assessment Policies

A posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. The Dictionary Attributes are optional conditions in conjunction with the identity groups, and the operating systems that allow you to define different policies for the clients.

Here, posture requirements are associated to the posture policies and also optional dictionary attributes where you can use dictionary simple and compound conditions from the library or create new dictionary simple and compound conditions.

Prerequisite:

You must have an understanding of acceptable use policy (AUP) and posture reassessments (PRA) as you create posture policies with respect to posture compliance.

For more information on AUP, see Posture Acceptable Use Policy and on PRA, see Posture Reassessments.

In addition, see the following:

Dictionary Simple Condition

Dictionary Compound Condition

Configuring Time and Date Conditions, page 16-22

You can use the Posture Policies page to insert (create) a new policy, or duplicate an existing policy, or delete an existing policy.

Table 19-7 describes the fields on the Posture Policies page that allow you to insert a new posture policy, or duplicate an existing policy. or delete an existing posture policy.

Table 19-7 Posture Policy 

Field
Field Description

Status

From the Status field, click the drop-down arrow to choose an option. It can be used to enforce, or not to enforce a posture assessment policy for evaluation.

Rule Name

From the Rule Name field, enter the name of the posture policy that you want to create. Once created and saved, the name of the posture policy in not editable.

Identity Groups

From the Identity Groups field, choose an identity group. The selection of an identity group applies to the role of the user to which the user belongs in conjunction with the operating system that is installed on the client.

Operating Systems

From the Operating Systems field, choose an operating system. It allows you to select all, or specific Windows, or Macintosh operating systems to which the posture requirement is applied.

Conditions

From the Other Conditions field, choose a dictionary simple condition, or a dictionary compound condition to which the posture requirement should apply. If more than one condition is selected, then all the conditions must be met to form a compound condition. The system uses "&" (a logical AND) as the AND operator.

Requirements

From the Requirements field, choose a posture requirement. The selection of a posture requirement that is associated to the matching posture policy determines the compliance of an endpoint during a posture policy evaluation.

Actions

It allows you to insert a new posture policy, duplicate an existing policy or delete an existing policy.


For information on how to manage posture policies, see the "Creating, Duplicating, and Deleting Client Posture Policies" section.

Creating, Duplicating, and Deleting Client Posture Policies

This section describes the following procedures on how to insert (create) a new policy, or duplicate an existing policy, or delete an existing policy on the Posture Policies page.

Creating a New Posture Policy

Duplicating a Posture Policy

Deleting a Posture Policy

Creating a New Posture Policy

You can create a new posture policy on the Posture Policies page.

To create a new posture policy, complete the following steps:


Step 1 Choose Policy > Posture.

The Posture Policies page appears.

Step 2 Choose the Status type.

You can enforce a posture policy to be one of the following types:

Enabled—this option allows you to enforce a posture policy for evaluation

Disabled—this option allows you not to enforce a posture policy for evaluation

Step 3 From the Rule Name field, enter the policy name.

Step 4 From the Identity Groups field, choose Select Role.

The identity group anchored overlay appears.

To choose a role, complete the following steps:

a. From the Select Role field, click the plus [+] sign to expand the identity group anchored overlay.

The identity group anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Role Quick Picker (down arrow) icon.

The Roles widget appears.

c. From the Roles widget, choose the role.

d. Click the Add (plus [+] sign) button to associate more than one role to the policy.

e. Click the Remove (minus [-] sign) button to remove the role from the policy.

Step 5 From the Operating Systems field, choose Select Operating Systems.

The operating system anchored overlay appears.

To choose an operating system, complete the following steps:

a. From the Select Operating System field, click the plus [+] sign to expand the operating system anchored overlay.

The operating system anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Operating System Quick Picker (down arrow) icon.

The Operating System Groups widget appears.

c. From the Operating System Groups widget, choose All.

Here, click the Quick Picker (right arrow) icon to view the operating system groups.

d. From the All widget, choose the operating system group.

The parent groups for the operating system appears.

e. Choose the parent operating system group.

For Mac OS X (Macintosh), the group has two underlying versions.

For Windows All, the group has the Windows 7 (All), Windows Vista (All), and Windows XP (All) groups that contain underlying versions for each of the groups.

f. From the Mac OS X (Macintosh) group, choose the underlying Macintosh operating system.

g. From the Windows All group, choose the underlying Windows group and the Windows version.

Each Windows group contains its own underlying versions.

h. Click the Add (plus [+] sign) button to associate more than one operating system to the policy.

i. Click the Remove (minus [-] sign) button to remove the operating system from the policy.

Step 6 From the Other Conditions field, choose (Optional) Dictionary Attributes.

The conditions anchored overlay appears, which allows you an option to add new one or more dictionary attributes, and save them as simple, and compound conditions to a dictionary (a library). You can use an AND, or OR operator to form a dictionary compound condition, and then save them to the dictionaries. From the Other Conditions field, you can choose dictionary simple, and compound conditions from the library for validation during posture policies evaluation.

To choose a condition, complete the following steps:

a. From the (Optional) Dictionary Attributes field, click the plus [+] sign to expand the conditions anchored overlay. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Conditions Quick Picker (down arrow) icon.

The Dictionaries widget appears, which lists the dictionary simple conditions and dictionary compound conditions.

c. Choose the condition.

d. Choose an AND operator or an OR operator from the drop-down list.

e. Click the Action Icon button to add a new dictionary attribute and its value, add a condition from the library, or delete the existing conditions or dictionary attributes.

Here, you can do the following:

Add Attribute/Value

Add Condition from Library

Delete

f. Click the Save icon to add all the conditions from the conditions overlay to the library.

To choose a dictionary attribute (optional), complete the following steps:

a. From the (Optional) Dictionary Attributes field, click the plus [+] sign to expand the conditions overlay.

The conditions anchored overlay appears. It allows you to create a new dictionary simple condition or dictionary compound condition (an expression). Click the minus [-] sign, or click outside the anchored overlay to close it.

b. From the Attribute field, click the Select Attribute Quick Picker (down arrow) icon.

The Dictionaries widget appears that lists the available dictionaries.

c. From the Dictionaries widget, click the navigation arrow to view the dictionary attributes.

The dictionary attributes appear for the dictionary.

d. Choose the dictionary attribute.

e. Choose an operator, and a value to create a dictionary simple condition.

f. Click the Action Icon button to add a dictionary simple condition to a library.

To save, click the icon, or click the icon to clear.

g. Choose an AND operator or an OR operator from the drop-down list to create a dictionary compound condition.

h. Click the Save icon to add all the conditions from the conditions overlay to the library.

i. Click the Action Icon button to add a new dictionary attribute and its value, add a condition from the library, duplicate a condition, add a condition to the library, or delete the existing conditions or dictionary attributes.

Here, you can do the following:

Add Attribute/Value

Add Condition from Library

Duplicate

Add Condition to Library

Delete

Step 7 From the Requirements field, choose Select Requirement.

The requirements anchored overlay appears.

To choose a requirement, complete the following steps:

a. From the Select Requirement field, click the plus [+] sign to expand the requirements anchored overlay. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Requirement Quick Picker (down arrow) icon.

The Requirements widget appears.

c. Choose a requirement.

You can enforce a posture requirement to be one of the following items types:

Mandatory—This option enforces the client to meet the posture requirement. The user cannot proceed or have access to the network unless the client meets the posture requirement.

Optional—This option does not enforce the client to meet the posture requirement. The client can bypass the requirement, if required. The client does not require to meet the requirement for the user to proceed or have network access.

Audit—This option checks the client for the posture requirement without notifying the user. It does not affect user network access.

d. Click the Add (plus [+] sign) button to associate more than one requirement to the Policy.

e. Click the Remove (minus [-] sign) button to remove the requirement from the Policy.

Step 8 Click Save to save the posture policy.

Click Cancel to revert to the Posture Policies page without creating a new policy on the Posture Policies page.


Troubleshooting Topics

Agent Fails to Initiate Posture Assessment, page D-27

Duplicating a Posture Policy

You can create a copy of the posture policy that you want to duplicate on the Posture Policies page.

To duplicate a policy, complete the following steps:


Step 1 Click the Action Icon button.

Step 2 Choose Duplicate.

Here, you can create a copy of the policy that you want to duplicate on the Posture Policies page.


Troubleshooting Topics

Agent Fails to Initiate Posture Assessment, page D-27

Deleting a Posture Policy

You can also delete a posture policy from the Posture Policies page.

To delete a policy, complete the following steps:


Step 1 Click the Action Icon button.

Step 2 Choose Delete.

A confirmation dialog appears with the following message: "Are you sure you want to delete Policy(s)?".

Step 3 Click OK to delete a policy.

Here, you can delete a posture policy from the Posture Policies page.

Step 4 Click Cancel to return to the Posture Policies page without deleting the posture policy.


Custom Conditions for Posture

A posture condition can be any one of the following simple conditions: a file, a registry, an application, a service, or a dictionary condition. One or more conditions from these simple conditions form a compound condition, which can be associated to a posture requirement.

You can use the Posture menu to manage the following posture simple conditions:

File Condition—A simple condition that checks the existence of a file, the date of a file, and the versions of a file on the client

Registry Condition—A simple condition that checks for the existence of a registry key or the value of the registry key on the client

Application Condition—A simple condition that checks if an application (process) is running or not running on the client

Service Condition—A simple condition that checks if a service is running or not running on the client

Dictionary Simple Condition—A simple condition that checks an attribute associated to an operator and the operator to a value


Note A simple condition cannot be deleted due to Referential Integrity errors in Cisco ISE when they are associated to one or more compound conditions. As simple conditions can be associated to a compound condition, you cannot delete the following simple conditions: a file, a registry, an application, a service, and a dictionary simple condition. If you attempt to delete a simple condition, Cisco ISE throws an error message stating that the compound conditions need to be updated, or deleted first to which simple conditions are associated.



Note You cannot delete, or edit Cisco defined posture simple conditions.


You can use the Posture menu to manage the following posture compound conditions:

Compound Condition—contains one or more simple conditions, or compound conditions of the type File, Registry, Application, or Service condition

Antivirus Compound Condition—contains one or more AV conditions, or AV compound conditions

Antispyware Compound Condition—contains one or more AS conditions, or AS compound conditions

Dictionary Compound Condition—contains one or more dictionary simple conditions or dictionary compound conditions


Note A compound condition cannot be deleted due to Referential Integrity errors in Cisco ISE. As compound conditions can be associated to a posture requirement, you cannot delete the following compound conditions: a compound condition, an antivirus, an antispyware, and a dictionary compound condition. If you attempt to delete a compound condition, Cisco ISE throws an error message stating that the posture requirements need to be updated, or deleted first to which compound conditions are associated.



Note You cannot delete, or edit Cisco defined posture compound conditions.


File Condition

A file condition is a simple (single) condition that checks for a file by its existence on the client, or its date when created, or modified on the client, or its version that exists on the client. You can create FileExistence, FileDate, and FileVersion types of file conditions to check the compliance of the file on the client. The FileExistence type checks the existence of a file on the client. The FileDate type checks the file based on its file-created date, or file-modified date on the client. The FileVersion type checks for the specific version of the file that you define in the file condition. When you create a file condition on the File condition list page, you can see the fields change to provide details according to your input.

The File conditions list page displays file conditions along with their names and description on the File conditions list. It also displays the names of the files to be checked for each of the file condition type.


Note Cisco predefined file conditions which are listed on the File conditions list page are not editable.


This section provides the procedures that you can use to configure file conditions.

Configuring File Conditions

Configuring File Conditions

You can create any one of the following types of a file condition on the File conditions list page: FileExistence, FileDate, and FileVersion. You can also duplicate, edit, delete, or filter file conditions from the File conditions list page.

This section covers the following procedures:

Viewing File Conditions

Creating, Duplicating, Editing, and Deleting a File Condition of FileExistence Type

Creating, Duplicating, Editing, and Deleting a File Condition of FileDate Type

Creating, Duplicating, Editing, and Deleting a File Condition of FileVersion Type

Filtering File Conditions

Viewing File Conditions

You can use the File conditions list page to view file conditions.

To view file conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you create.

Step 5 Choose a file condition from the file conditions list.

Step 6 Click View.

Here, you can choose a file condition to view the details.


Creating, Duplicating, Editing, and Deleting a File Condition of FileExistence Type

You can use the File conditions list page to create, duplicate, edit, or delete a file condition of FileExistence type, which allows you to check that a file exists on the client, or does not exist on the client.

To create a file condition of FileExistence type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the file condition is not editable.

Step 6 Modify the values on the New File Condition page, as shown in Table 19-8.

Here, you can create to add a file condition of FileExistence type, which appears on the File conditions list page.

Step 7 Click Submit to create a file condition of FileExistence type.


To duplicate a file condition of FileExistence type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to duplicate.

Step 3 From the File conditions list page, choose Duplicate.

Here, you can create a copy of the file condition of FileExistence type.

Step 4 Click Submit to create a copy of the file condition of FileExistence type.


To edit a file condition of FileExistence type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to edit.

Step 3 From the File conditions list page, choose Edit.

Here, you can edit a file condition of FileExistence type.

Step 4 Click Save to save the changes to the file condition of FileExistence type.

The file condition of FileExistence type will be available on the File conditions list page after editing on the edit page.

Step 5 Click the File Condition List link from the edit page to return to the File conditions list page.


To delete a file condition of FileExistence type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to delete.

Step 3 From the File conditions list page, choose Delete.

Here, you can delete a file condition of FileExistence type.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-8 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileExistence type condition.

Table 19-8 File Condition of FileExistence Type 

Field Name
Field Description

Name

From the Name field, enter the name of a file condition that you want to create.

Description

From the Description field, enter a description of the file condition that you want to create.

File Path

From the File Path field, this option allows you to check the existence of a file in the location you specify. Click the drop-down arrow to view the following predefined settings:

ABSOLUTE_PATH—checks the file in the fully qualified path of the file. For example, C:\<directory>\file name. For other settings, enter only the file name.

SYSTEM_32—checks the file in the C:\WINDOWS\system32 directory. Enter the file name.

SYSTEM_DRIVE—checks the file in the C:\ drive. Enter the file name.

SYSTEM_PROGRAMS—checks the file in the C:\Program Files. Enter the file name.

SYSTEM_ROOT—checks the file in the root path for Windows system. Enter the file name.

File Type

From the File Type field, selecting a File Type allows you to check a file for the existence of a file on the client, file-created or file-modified date of the file, and its version. Click the drop-down arrow to view the following predefined settings:

FileExistence—checks whether a file exists on the system.

FileDate—checks whether a file with a particular file-created or file-modified date exists on the system.

FileVersion—checks whether a particular version of a file exists on the system.

Operator

From the Operator field, selecting an operator allows you to check the existence of a file in the specified location. Click the drop-down arrow to view the following predefined settings.

Exists

DoesNotExist

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.


Creating, Duplicating, Editing, and Deleting a File Condition of FileDate Type

You can use the File conditions list page to create, duplicate, edit, or delete a file condition of FileDate type by using file-created, or file-modified date.

To create a File Condition of FileDate type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the file condition is not editable.

Step 6 Modify the values on the New File Condition page, as shown in Table 19-9.

Here, you can create a file condition of FileDate type with file-created date or file-modified date.

Step 7 Click Submit to create a file condition of FileDate type.


To duplicate a file condition of FileDate type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to duplicate.

Step 3 From the File conditions list page, choose Duplicate.

Here, you can create a copy of the file condition of FileDate type.

Step 4 Click Submit to create a copy of the file condition of FileDate type.


To edit a file condition of FileDate type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to edit.

Step 3 From the File conditions list page, choose Edit.

Here, you can edit a file condition of FileDate type.

Step 4 Click Save to save the changes to the file condition of FileDate type.

The file condition of FileDate type will be available on the File conditions list page after editing on the edit page.

Step 5 Click the File Condition List link from the edit page to return to the File conditions list page.


To delete a file condition of FileDate type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to delete.

Step 3 From the File conditions list page, choose Delete.

Here, you can delete a file condition of FileDate type.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-9 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileDate type condition.

Table 19-9 File Condition of FileDate Type 

Field Name
Field Description

Name

From the Name field, enter the name of a file condition that you want to create.

Description

From the Description field, enter the description of a file condition that you want to create

File Path

From the File Path field, this option allows you to check the existence of a file in the location you specify. Click the drop-down arrow to view the following predefined settings:

ABSOLUTE_PATH—checks the file in the fully qualified path of the file. For example, C:\<directory>\file name. For other settings, enter only the file name.

SYSTEM_32—checks the file in the C:\WINDOWS\system32 directory. Enter the file name.

SYSTEM_DRIVE—checks the file in the C:\ drive. Enter the file name.

SYSTEM_PROGRAMS—checks the file in the C:\Program Files. Enter the file name.

SYSTEM_ROOT—checks the file in the root path for Windows system. Enter the file name.

File Type

From the File Type field, selecting a File Type allows you to check a file for the existence of the file on the client, file-created or file-modified date of the file, and its version. Click the drop-down arrow to view the following predefined settings:

FileExistence—checks whether a file exists on the system.

FileDate—checks whether a file with a particular file-created or file-modified date exists on the system.

FileVersion—checks whether a particular version of a file exists on the system.

File Date Type

From the File Date Type field, selecting the date type allows you to check the existence of a file with a particular file-created or file-modified date. Click the drop-down arrow to view the following predefined settings:

Creation Date

Modification Date

Operator

From the Operator field, selecting an operator allows you to check the existence of a file with a particular date or version. Click the drop-down arrow to view the following predefined settings:

EarlierThan

LaterThan

EqualTo

File Date

From the File Date field, entering date and time of the client system, which is expressed in mm/dd/yyyy [hh:mm:ss] format allows you to check the existence of a file with date and time of the client system.

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.


Creating, Duplicating, Editing, and Deleting a File Condition of FileVersion Type

You can use the File conditions list page to create, duplicate, edit, or delete a file condition of FileVersion type that has more than one version.

To create a file condition of FileVersion type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the file condition is not editable.

Step 6 Modify the values on the New File Condition page, as shown in Table 19-10.

Here, you can create a file condition of FileVersion type, where the file has more than one version.

Step 7 Click Submit to create a file condition of FileVersion type.


To duplicate a file condition of FileVersion type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to duplicate.

Step 3 From the File conditions list page, choose Duplicate.

Here, you can create a copy of the file condition of FileVersion type.

Step 4 Click Submit to create a copy of the file condition of FileVersion type.


To edit a file condition of FileVersion type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to edit.

Step 3 From the File conditions list page, choose Edit.

Here, you can edit a file condition of FileVersion type.

Step 4 Click Save to save the changes to the file condition of FileVersion type.

A file condition of FileVersion type will be available on the File conditions list page after editing on the edit page.

Step 5 Click the File Condition List link from the edit page to return to the File conditions list page.


To delete a file condition of FileVersion type, complete the following steps:


Step 1 From the Posture menu, choose File Condition.

The File conditions list page appears, which lists predefined Cisco file conditions and all the file conditions that you have already created.

Step 2 Choose the file condition that you want to delete.

Step 3 From the File conditions list page, choose Delete.

Here, you can delete a file condition of FileVersion type.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-10 describes the fields on the New File Condition page that allow you to create, duplicate, or edit a file condition on its edit page of FileVersion type condition.

Table 19-10 File Condition of FileVersion Type 

Field Name
Field Description

Name

From the Name field, enter the name of a file condition that you want to create.

Description

From the Description field, enter the description of a file condition that you want to create

File Path

From the File Path field, this option allows you to check the existence of a file in the location you specify. Click the drop-down arrow to view the following predefined settings:

ABSOLUTE_PATH—checks the file in the fully qualified path of the file. For example, C:\<directory>\file name. For other settings, enter only the file name.

SYSTEM_32—checks the file in the C:\WINDOWS\system32 directory. Enter the file name.

SYSTEM_DRIVE—checks the file in the C:\ drive. Enter the file name.

SYSTEM_PROGRAMS—checks the file in the C:\Program Files. Enter the file name.

SYSTEM_ROOT—checks the file in the root path for Windows system. Enter the file name.

File Type

From the File Type field, selecting a File Type allows you to check a file for the existence of the file on the client, file-created or file-modified date of the file, and its version. Click the drop-down arrow to view the following predefined settings:

FileExistence—checks whether a file exists on the system.

FileDate—checks whether a file with a particular file-created or file-modified date exists on the system.

FileVersion—checks whether a particular version of a file exists on the system.

Operator

From the Operator field, selecting an operator allows you to check the existence of a file with a particular date or version. Click the drop-down arrow to view the following predefined settings:

EarlierThan

LaterThan

EqualTo

File Version

From the File Version field, enter the version of the file that allows you to check the existence of a file with a particular version of the file.

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.


Filtering File Conditions

A quick filter is a simple and quick filter that can be used to filter file conditions on the File conditions list page. It filters file conditions based on the field description such as the name of the file condition, description, and the file to be checked on the File conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the File conditions list page. It filters file conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the File conditions list page.

To filter file conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose File Condition.

The File conditions list page appears.

Step 5 From the File conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-11.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the File conditions list page.


Note To return to the File conditions list page, choose All from the Show drop-down to display all the file conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters file conditions based on each field description on the File conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the File conditions list page. If you clear the field, it displays the list of all the file conditions on the File conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter file conditions by using variables that are more complex. It contains one or more filters, which filter file conditions based on the values that match the field description. A filter on a single row filters file conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter file conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove a filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-11 describes the fields that allow you to filter file conditions on the File conditions list page.

Table 19-11 Filtering File Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter file conditions by the condition name.

Description

This field enables you to filter file conditions by the condition description.

Field Name

This field enables you to filter file conditions by the filename.

Condition Type

This field enables you to filter file conditions by Cisco predefined and not Cisco predefined conditions.

Advanced Filter

Choose the field description from the following:

Name

Description

File Name

Condition Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter file conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter file conditions.


Registry Condition

A registry condition is a simple (single) condition that checks a registry key or the value of the registry on the client. You can create RegistryKey, RegistryKeyValue, and RegistryValueDefault types of registry conditions to check the compliance of the client on a registry. The RegistryKey type checks the existence of a registry on the client, and the RegistryKeyValue type checks the data of the registry key on the client. The RegistryValueDefault is the same as the RegistryKeyValue except that the former checks for the default value. When you create a registry condition on the Registry list page, you can see the fields change to provide details according to your input.

The Registry conditions list page displays registry conditions along with their names, description on the Registry conditions list, and the type of registry conditions.


Note Cisco predefined registry conditions which are listed on the Registry conditions list page are not editable.


This section provides the procedure that you can use to configure registry conditions.

Configuring Registry Conditions

Configuring Registry Conditions

You can create any one of the following types of a registry condition on the Registry conditions page: RegistryKey, RegistryKeyValue, and RegistryValueDefault types. You can also duplicate, edit, delete, or filter the registry conditions from the Registry conditions list page.

This section covers the following procedures:

Viewing Registry Conditions

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryKey Type

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValue Type

Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValueDefault Type

Filtering Registry Conditions

Viewing Registry Conditions

You can use the Registry conditions list page to view registry conditions.

To view registry conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you create.

Step 5 Choose a registry condition from the registry conditions list.

Step 6 Click View.

Here, you can choose a registry condition to view the details.

Step 7 Click the Registry Condition List link to return to the Registry conditions list page.


Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryKey Type

You can use the Registry conditions list page to create, duplicate, edit, or delete a registry condition of RegistryKey type, which allows you to check the existence of a registry on the client.

To create a registry condition of RegistryKey type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the registry condition is not editable.

Step 6 Modify the values on the New Registry Condition page, as shown in Table 19-12.

Here, you can create to add a registry condition of RegistryKey type, which appears on the Registry conditions list page.

Step 7 Click Submit to create a file condition of RegistryKey type.


To duplicate a registry condition of RegistryKey type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to duplicate.

Step 3 From the Registry conditions list page, choose Duplicate.

Here, you can create a copy of the registry condition of RegistryKey type.

Step 4 Click Submit to create a copy of the file condition of RegistryKey type.


To edit a registry condition of RegistryKey type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to edit.

Step 3 From the Registry conditions list page, choose Edit.

Here, you can edit a registry condition of RegistryKey type.

Step 4 Click Save to save the changes to the registry condition of RegistryKey type.

A registry condition of RegistryKey type will appear on the Registry conditions list page after editing on the edit page.

Step 5 Click the Registry Condition List link from the edit page to return to the Registry conditions list page.


To delete a registry condition of RegistryKey type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists predefined Cisco registry conditions and all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to delete.

Step 3 From the Registry conditions list page, choose Delete.

Here, you can delete a file condition of RegistryKey type.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-12 describes the fields on the New Registry Condition page that allow you to create, duplicate, or edit a registry condition on its edit page of RegistryKey type condition.

Table 19-12 Registry Condition for RegistryKey 

Field Name
Field Description

Name

From the Name field, enter the name of the registry condition that you want to create.

Description

From the Description field, enter the description of the registry condition that you want to create.

Registry Type

From the Registry Type field, selecting a Registry Type allows you to check the existence of the registry key in the client registry, or the value of the registry key. Click the drop-down arrow to view the following predefined settings:

RegistryKey—Checks whether a specific registry key exists in the registry.

RegistryValue—Checks whether a named registry key exists or has a particular value, version, or modification date.

RegistryValueDefault—Checks whether an unnamed (default) registry key exists or has a particular value, version, or modification date.

Registry Root Key

From the Registry Root Key field, selecting a Registry Root Key allows you to check the registry key, or the value of the registry key in the client registry from the root. Click the drop-down arrow to view the following Registry Root Key locations:

HKEY_LOCAL_MACHINE (HKLM)

HKEY_CURRENT_CONFIG (HKCC)

HKEY_CURRENT_USER (HKCU)

HKEY_USERS (HKU)

HKEY_CLASSES_ROOT (HKCR)

Sub Key

From the Sub Key field, selecting a sub key without the leading backslash ("\") allows you to check the registry key and the registry key value in the path specified in the sub key.

For example, SOFTWARE\Symantec\Norton AntiVirus\version from HKLM\SOFTWARE\Symantec\Norton AntiVirus\version

Value Operator

From the Value Operator field, selecting an operator allows you to check the existence or nonexistence of the registry key and the registry key value.

Click the drop-down arrow to view the following settings:

Exists

DoesNotExist

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.


Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValue Type

You can use the Registry conditions list page to create, duplicate, edit, or delete a registry condition of RegistryValue type.

To create a registry condition of RegistryValue type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists all the registry conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the registry condition is not editable.

Step 6 Modify the values on the New Registry Condition page, as shown in Table 19-13.

Here, you can create to add a Registry Condition of RegistryValue type, which appears on the Registry conditions list page.

Step 7 Click Submit to create a file condition of RegistryValue type


To duplicate a registry condition of RegistryValue type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to duplicate.

Step 3 From the Registry conditions list page, choose Duplicate.

Here, you can create a copy of the registry condition of RegistryValue type.

Step 4 Click Submit to create a copy of the file condition of RegistryValue type.


To edit a registry condition of RegistryValue type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to edit.

Step 3 From the Registry conditions list page, choose Edit.

Here, you can edit a registry condition of RegistryValue type.

Step 4 Click Save to save the changes to the registry condition of RegistryValue type.

A registry condition of RegistryValue type appears on the Registry conditions list page after editing on the edit page.

Step 5 Click the Registry Condition List link from the edit page to return to the Registry conditions list page.


To delete a registry condition of RegistryValue type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to delete.

Step 3 From the Registry conditions list page, choose Delete.

Here, you can delete a file condition of RegistryValue type.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-13 describes the fields on the New Registry Condition page that allow you to create, duplicate, or edit a registry condition on its edit page of RegistryValue type condition.

Table 19-13 Registry Condition for RegistryValue 

Field Name
Field Description

Name

From the Name field, enter the name of the registry condition that you want to create.

Description

From the Description field, enter the description of the registry condition that you want to create.

Registry Type

From the Registry Type field, selecting a Registry Type allows you to check the existence of the registry key in the client registry, or the value of the registry key. Click the drop-down arrow to view the following predefined settings:

RegistryKey—Checks whether a specific registry key exists in the registry.

RegistryValue—Checks whether a named registry key exists or has a particular value, version, or modification date.

RegistryValueDefault—Checks whether an unnamed (default) registry key exists or has a particular value, version, or modification date.

Registry Root Key

From the Registry Root Key field, selecting a Registry Root Key allows you to check the registry key, or the value of the registry key in the client registry from the root. Click the drop-down arrow to view the following Registry Root Key locations:

HKEY_LOCAL_MACHINE (HKLM)

HKEY_CURRENT_CONFIG (HKCC)

HKEY_CURRENT_USER (HKCU)

HKEY_USERS (HKU)

HKEY_CLASSES_ROOT (HKCR)

Sub Key

From the Sub Key field, selecting a sub key without the leading backslash ("\") allows you to check the registry key and the registry key value in the path specified in the sub key.

For example, SOFTWARE\Symantec\Norton AntiVirus\version from HKLM\SOFTWARE\Symantec\Norton AntiVirus\version

Value Name

From the Value Name field, enter the name of the registry key value against which you want to check in the client registry.

Value Data Type

From the Value Data Type field, selecting the data type allows you to check the registry key value data type, and its value using an operator. Click the drop-down arrow to view the predefined settings:

Unspecified—choose one of the operators in the drop-down list to check the existence of the registry key value

Number—choose one of the operators in the drop-down list to check the registry key value using a number in the registry key value

String—choose one of the operators in the drop-down list to check the registry key value using a string in the registry key value

Version—choose one of the operators in the drop-down list to check the registry key value using its version

Date—choose one of the operators in the drop-down list to check the registry key value using the date and time of the client machine in mm/dd/yyyy hh:MM:ss format

Value Operator

From the Value Operator field, selecting an operator allows you to check the existence or nonexistence of data type of the registry key value using an operator.

Click the drop-down arrow to view the following settings:

Exists

DoesNotExist

Value Data

From the Value Data field, enter the value of the registry key for the data type of the registry that you select.

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.


Creating, Duplicating, Editing, and Deleting a Registry Condition of RegistryValueDefault Type

You can use the Registry conditions list page to create, duplicate, edit, or delete a registry condition of RegistryValueDefault type.

To create a registry condition of RegistryValueDefault type, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists all the registry conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the registry condition is not editable.

Step 6 Modify the values on the New Registry Condition page, as shown in Table 19-14.

Here, you can create to add a Registry Condition of RegistryValueDefault type, which appears on the Registry conditions list page.

Step 7 Click Submit to create a file condition of RegistryValueDefault type.


To duplicate a registry condition of RegistryValueDefault type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to duplicate.

Step 3 From the Registry conditions list page, choose Duplicate.

Here, you can create a copy of the registry condition of RegistryValueDefault type.

Step 4 Click Submit to create a copy of the file condition of RegistryValueDefault type.


To edit a registry condition of RegistryValueDefault type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to edit.

Step 3 From the Registry conditions list page, choose Edit.

Here, you can edit a registry condition of RegistryValueDefault type.

Step 4 Click Save to save the changes to the registry condition of RegistryValueDefault type.

A registry condition of RegistryValueDefault type appears on the Registry conditions list page after editing on the edit page.

Step 5 Click the Registry Condition List link from the edit page to return to the Registry conditions list page.


To delete a registry condition of RegistryValueDefault type, complete the following steps:


Step 1 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears, which lists all the registry conditions that you have already created.

Step 2 Choose the registry condition that you want to delete.

Step 3 From the Registry conditions list page, choose Delete.

Here, you can delete a file condition of RegistryValueDefault type.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-14 describes the fields on the New Registry Condition page that allow you to create, or edit a registry condition on its edit page of RegistryValueDefault type condition.

Table 19-14 Registry Condition for RegistryValueDefault 

Field Name
Field Description

Name

From the Name field, enter the name of the registry condition that you want to create.

Description

From the Description field, enter the description of the registry condition that you want to create.

Registry Type

From the Registry Type field, selecting a Registry Type allows you to check the existence of the registry key in the client registry, or the value of the registry key. Click the drop-down arrow to view the following predefined settings:

RegistryKey—Checks whether a specific registry key exists in the registry.

RegistryValue—Checks whether a named registry key exists or has a particular value, version, or modification date.

RegistryValueDefault—Checks whether an unnamed (default) registry key exists or has a particular value, version, or modification date.

Registry Root Key

From the Registry Root Key field, selecting a Registry Root Key allows you to check the registry key, or the value of the registry key in the client registry from the root. Click the drop-down arrow to view the following Registry Root Key locations:

HKEY_LOCAL_MACHINE (HKLM)

HKEY_CURRENT_CONFIG (HKCC)

HKEY_CURRENT_USER (HKCU)

HKEY_USERS (HKU)

HKEY_CLASSES_ROOT (HKCR)

Sub Key

From the Sub Key field, selecting a sub key without the leading backslash ("\") allows you to check the registry key and the registry key value in the path specified in the sub key.

For example, SOFTWARE\Symantec\Norton AntiVirus\version from HKLM\SOFTWARE\Symantec\Norton AntiVirus\version

Value Name

(Default)

Value Data Type

From the Value Data Type field, selecting the data type allows you to check the registry key value data type, and its value using an operator. Click the drop-down arrow to view the predefined settings:

Number—choose one of the operators in the drop-down list to check the registry key value using a number in the registry key value

String—choose one of the operators in the drop-down list to check the registry key value using a string in the registry key value

Version—choose one of the operators in the drop-down list to check the registry key value using its version

Date—choose one of the operators in the drop-down list to check the registry key value using the date and time of the client machine in mm/dd/yyyy hh:MM:ss format

Value Operator

From the Value Operator field, selecting an operator allows you to check the existence or nonexistence of data type of the registry key value using an operator.

Click the drop-down arrow to view the following settings:

Exists

DoesNotExist

Value Data

From the Value Data field, enter the value of the registry key for the data type of the registry that you select.

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.


Filtering Registry Conditions

A quick filter is a simple and quick filter that can be used to filter registry conditions on the Registry conditions list page. It filters registry conditions based on the field description such as the name of the registry condition, description, and the type of registry conditions on the Registry conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Registry conditions list page. It filters registry conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Registry conditions list page.

To filter registry conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Registry Condition.

The Registry conditions list page appears.

Step 5 From the Registry conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-15.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Registry conditions list page.


Note To return to the Registry conditions list page, choose All from the Show drop-down to display all the registry conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters registry conditions based on each field description on the Registry conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Registry conditions list page. If you clear the field, it displays the list of all the registry conditions on the Registry conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter registry conditions by using variables that are more complex. It contains one or more filters, which filter registry conditions based on the values that match the field description. A filter on a single row filters registry conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter registry conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-15 describes the fields that allow you to filter registry conditions on the Registry conditions list page.

Table 19-15 Filtering Registry Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter registry conditions by the condition name.

Description

This field enables you to filter registry conditions by the condition description.

Registry Type

This field enables you to filter registry conditions by the registry type.

Condition Type

This field enables you to filter registry conditions by Cisco predefined and not Cisco predefined conditions

Advanced Filter

Choose the field description from the following:

Name

Description

Registry Type

Condition type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter registry conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter registry conditions.


Application Condition

An application condition is a simple (single) condition, which checks applications that are running, and are not running on the client. The application condition can check for various application processes that are typically viewable under Windows Task Manager.

The Application conditions list page displays application conditions along with their names, description, and as well as of the applications that are running and are not running on the client. It also shows the status of applications whether they are running, or are not running on the client.


Note Cisco predefined application conditions which are listed on the Application conditions list page are not editable.


This section provides the procedure that you can use to configure application conditions.

Configuring Application Conditions

Configuring Application Conditions

You can create an application condition to check that an application is running, or not running on the client. You can also duplicate, edit, delete, or filter application conditions from the Application conditions list page.

This section covers the following procedures:

Viewing Application Conditions

Creating, Duplicating, Editing, and Deleting an Application Condition

Filtering Application Conditions

Viewing Application Conditions

You can use the Application conditions list page to view application conditions.

To view application conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Application Condition.

The Application conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you create.

Step 5 Choose an application condition from the application conditions list.

Step 6 Click View.

Here, you can choose an application condition to view the details.

Step 7 Click the Application Condition List link to return to the Application conditions list page.


Creating, Duplicating, Editing, and Deleting an Application Condition

You can use the Application conditions list page to create, duplicate, edit, or delete an application condition, which allows you to check various application processes that are running, or are not running on the client.

To create an application condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Application Condition.

The Application conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the application condition is not editable.

Step 6 Modify the values on the New Application Condition page, as shown in Table 19-16.

Here, you can create to add an application condition, which appears on the Application conditions list page.

Step 7 Click Submit to create an application condition.


To duplicate an application condition, complete the following steps:


Step 1 From the Posture menu, choose Application Condition.

The Applications conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.

Step 2 Choose the application condition that you want to duplicate.

Step 3 From the Application conditions list page, choose Duplicate.

Here, you can create a copy of the application condition.

Step 4 Click Submit to create a copy of the application condition.


To edit an application condition, complete the following steps:


Step 1 From the Posture menu, choose Application Condition.

The Application conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.

Step 2 Choose the application condition that you want to edit.

Step 3 From the Application conditions list page, choose Edit.

Here, you can edit an application condition.

Step 4 Click Save to save the changes to the application condition.

The application condition will appear on the Application conditions list page after editing on the edit page.

Step 5 Click the Application Condition List link from the edit page to return to the Application conditions list page.


To delete an application condition, complete the following steps:


Step 1 From the Posture menu, choose Application Condition.

The Application conditions list page appears, which lists predefined Cisco application conditions and all the application conditions that you have already created.

Step 2 Choose the application condition that you want to delete.

Step 3 From the Application conditions list page, choose Delete.

Here, you can delete an application condition.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-16 describes the fields on the New Application Condition list page that allow you to create, duplicate, or edit an application condition on its edit page.

Table 19-16 Application Condition

Field Name
Field Description

Name

From the Name field, enter the name of the application condition that you want to create.

Description

From the Description field, enter the description of the application condition that you want to create.

Process Name

From the Process Name field, enter the name of the application that you want to check whether it is running, or not running on the client.

Application Operator

From the Application Operator field, selecting the status of an application allows you to check whether that application is running, or not running on the client. Click the drop-down arrow to view the following predefined settings:

Running

NotRunning

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.


Filtering Application Conditions

A quick filter is a simple and quick filter that can be used to filter application conditions on the Application conditions list page. It filters application conditions based on the field description such as the name of the file condition, description, and that shows the status whether applications are running, or not running on the client on the Application conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Application conditions list page. It filters application conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Application conditions list page.

To filter application conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Application Condition.

The Application conditions list page appears.

Step 5 From the Application conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-17.

Step 6 From the Filter menu, choose the filter option.

Step 7 For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 8 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Application conditions list page.


Note To return to the Application conditions list page, choose All from the Show drop-down to display all the application conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters application conditions based on each field description on the Application conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Application conditions list page. If you clear the field, it displays the list of all the application conditions on the Application conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter application conditions by using variables that are more complex. It contains one or more filters, which filter application conditions based on the values that match the field description. A filter on a single row filters application conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter application conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-17 describes the fields that allow you to filter application conditions on the Application conditions list page.

Table 19-17 Filtering Application Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter application conditions by the condition name.

Description

This field enables you to filter application conditions by the condition description.

Status

This field enables you to filter application conditions by checking the status of applications whether they are running or not running.

Condition Type

This field enables you to filter application conditions by Cisco defined and not Cisco defined conditions.

Advanced Filter

Choose the field description from the following:

Name

Description

Status

Condition Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter application conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter application conditions.


Service Condition

A service condition is a simple (single) condition, which checks services that are running, and are not running on the client. The service condition can check for various services such as security, or application agents that are typically viewable from the Windows Services console.

The Service conditions list page displays service conditions along with their names and description of the service conditions. It also shows the status of the services whether they are, or are not running on the client.

Cisco Predefined Checks

The Service conditions list page displays predefined Cisco checks as well as service conditions that you create on the Service Condition page. The predefined Cisco checks are downloaded on your Cisco ISE deployment as a result of dynamic posture updates. The pc_AutoUpdateCheck is one of the predefined Cisco checks, which is downloaded to the service conditions list (simple conditions).

For information on downloading Posture updates through the web, see the "Dynamic Posture Updates" section.

pc_AutoUpdateCheck

The pc_AutoUpdateCheck is a single (simple) condition, which can be used in a compound condition. The pr_AutoUpdateCheck_Rule is a compound condition that uses the pc_AutoUpdateCheck simple condition.

For information on how the pr_AutoUpdateCheck_Rule is used in a Windows Updates remediation, see the "pr_AutoUpdateCheck_Rule" section.


Note Cisco predefined service conditions which are listed on the Service conditions list page are not editable.


This section provides the procedure that you can use to configure service conditions.

Configuring Service Conditions

Configuring Service Conditions

You can create a service condition to check that a service is running, or not running on the client. You can also duplicate, edit, delete, or filter service conditions from the Services conditions list page.

This section covers the following procedures:

Viewing Service Conditions

Creating, Duplicating, Editing, and Deleting a Service Condition

Filtering Service Conditions

Viewing Service Conditions

You can use the Service conditions list page to view service conditions.

To view service conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Service Condition.

The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you create.

Step 5 Choose a service condition from the service conditions list.

Step 6 Click View.

Here, you can choose a service condition to view the details.

Step 7 Click the Service Condition List link to return to the Service conditions list page.


Creating, Duplicating, Editing, and Deleting a Service Condition

You can use the Service conditions list page to create, duplicate, edit, or delete a service condition, which allows you to check various services that are running or not running on the client.

To create a service condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Service Condition.

The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the service condition is not editable.

Step 6 Modify the values on the New Service Condition page, as shown in Table 19-18.

Here, you can create to add a service condition, which appears on the Service conditions list page.

Step 7 Click Submit to create a Service condition.


To duplicate a service condition, complete the following steps:


Step 1 From the Posture menu, choose Service Condition.

The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.

Step 2 Choose the service condition that you want to duplicate.

Step 3 From the Service conditions list page, choose Duplicate.

Here, you can create a copy of the service condition.

Step 4 Click Submit to create a copy of the service condition.


To edit a service condition, complete the following steps:


Step 1 From the Posture menu, choose Service Condition.

The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.

Step 2 Choose the service condition that you want to edit.

Step 3 From the Service conditions list page, choose Edit.

Here, you can edit a service condition.

Step 4 Click Save to save the changes to the service condition.

The service condition will appear on the Service conditions list page after editing on the edit page.

Step 5 Click the Service Condition List link from the edit page to return to the Service conditions list page.


To delete a service condition, complete the following steps:


Step 1 From the Posture menu, choose Service Condition.

The Service conditions list page appears, which lists predefined Cisco service conditions and all the service conditions that you have already created.

Step 2 Choose the service condition that you want to delete.

Step 3 From the Service conditions list page, choose Delete.

Here, you can delete a service condition.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-18 describes the fields on the New Service Condition page that allow you to create, duplicate, or edit a service condition on its edit page.

Table 19-18 Service Condition 

Field Name
Field Description

Name

From the Name field, enter the name of the service condition that you want to create.

Description

From the Description field, enter the description of the service condition that you want to create.

Service Name

From the Service Name field, enter the name of the service that you want to check whether it is running, or not running on the client.

Service Operator

From the Service Operator field, selecting the status of a service allows you to check whether that service is running, or not running on the client. Click the drop-down arrow to view the following predefined settings.

Running

NotRunning

Operating System

From the Operating System field, selecting an operating system allows you to specify a Windows operating system to which the condition is applied.


Filtering Service Conditions

A quick filter is a simple and quick filter that can be used to filter service conditions on the Service conditions list page. It filters service conditions based on the field description such as the name of the file condition, description, and that checks for services that are running, or not running on the client on the Service conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Service conditions list page. It filters service conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Service conditions list page.

To filter service conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Service Condition.

The Service conditions list page appears.

Step 5 From the Service conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-19.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To view compound conditions, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Service conditions list page.


Note To return to the Service conditions list page, choose All from the Show drop-down to display all the service conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters service conditions based on each field description on the Service conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Service conditions list page. If you clear the field, it displays the list of all the service conditions on the Service conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter service conditions by using variables that are more complex. It contains one or more filters, which filter service conditions based on the values that match the field description. A filter on a single row filters service conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter service conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-19 describes the fields that allow you to filter service conditions on the Service conditions list page.

Table 19-19 Filtering Service Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter service conditions by the condition name.

Description

This field enables you to filter service conditions by the condition description.

Check for

This field enables you to filter service conditions by checking the status of applications whether it is running or not.

Condition Type

This field enables you to filter service conditions by Cisco predefined and not Cisco predefined conditions.

Advanced Filter

Choose the field description from the following:

Name

Description

Check for

Condition Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter service conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter service conditions.


Compound Condition

A compound condition includes one or more simple conditions, or compound conditions of the type file, registry, application, service, or dictionary conditions. You can combine one or more conditions using an AND (ampersand [ & ]), an OR (horizontal bar [ | ]), or a NOT (exclamation point [ ! ]) operator to create a compound condition.

Cisco Predefined Rules

The Compound condition list page displays predefined Cisco rules, as well as compound conditions that you create on the Compound condition list page. The predefined Cisco rules are downloaded on your Cisco ISE deployment as a result of dynamic posture updates through the web.

For information on downloading Posture updates through the web, see the "Dynamic Posture Updates" section.

pr_AutoUpdateCheck_Rule

The pr_AutoUpdateCheck_Rule is a predefined Cisco Rule, which is downloaded to the Compound conditions list page. It contains only the pc_AutoUpdateCheck, a single (simple) condition.

When used in a posture requirement, the pr_AutoUpdateCheck_Rule compound condition allows you to check whether Windows clients are enabled with the automatic updates feature. If the Windows clients fail to meet the requirement, then the NAC Agents enforce Windows clients to be enabled (remediate) with the automatic updates feature, and upon which the clients are postured compliant. The Windows updates remediation that you associate in the posture requirement overrides the Windows administrator setting, if the automatic updates feature is not enabled on Windows clients.

The Compound conditions list page displays compound conditions along with their names and description according to their operating systems. The compound conditions list page allows you to filter the conditions based on the operating systems, as every condition is associated with one or more operating systems. The filtering options allow you to quickly pick the right set of conditions for a specific operating system.


Note Cisco predefined compound conditions which are listed on the Compound conditions list page are not editable.


This section provides the procedure that you can use to configure compound conditions.

Configuring Compound Conditions

Configuring Compound Conditions

You can create, duplicate, edit, delete, or filter compound conditions from the Compound conditions list page.

This section covers the following procedures:

Viewing Compound Conditions

Creating, Duplicating, Editing, and Deleting a Compound Condition

Filtering Compound Conditions

Viewing Compound Conditions

You can use the Compound conditions list page to view compound conditions.

To view compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Compound Condition.

The Compound conditions list page appears, which lists predefined Cisco compound conditions and all the service conditions that you create.

Step 5 Choose a compound condition from the compound conditions list.

Step 6 Click View.

Here, you can choose a compound condition to view the details.

Step 7 Click the Compound Condition List link to return to the Compound conditions list page.


Creating, Duplicating, Editing, and Deleting a Compound Condition

You can use the Compound conditions list page to create, duplicate, edit, or delete a compound condition.

To add a compound condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Compound Condition.

The Compound conditions list page appears, which lists predefined Cisco compound conditions and compound conditions that you create.

Step 5 Click Add.


Warning Once created and saved, the name of the compound condition is not editable. The operating system is also not editable on the compound condition after you have associated the newly created compound condition to a requirement. In order to edit the operating system on the compound condition, you need to remove the compound condition association from the posture requirement.

Step 6 Modify the values on the New Compound Conditions page, as shown in Table 19-20.

Here, you can create an expression by using logical operators to form a compound condition by combining simple conditions. You can use the Condition list (an object selector) to choose one or more simple conditions.

a. Choose a simple condition from any one of file, registry, application, and service condition types from the Condition list.

b. Choose an AND (ampersand [ & ]), an OR (horizontal bar [ | ]), or a NOT (exclamation point [ ! ]) operator to combine simple conditions. Use the parentheses [ ( ) ], and the logical operators to create a compound condition.

c. Choose a simple condition from any one of file, registry, application, and service condition types from the Conditions list to the previously chosen simple conditions to create a compound condition.

Step 7 Click the Validate Expression button to validate the compound condition.

Step 8 Click Submit to create a compound condition.


To duplicate a compound condition, complete the following steps:


Step 1 From the Posture menu, choose Compound Condition.

The Compound conditions list page appears, which lists predefined Cisco ISE compound conditions and compound conditions that you have already created.

Step 2 Choose the compound condition that you want to duplicate.

Step 3 From the Compound conditions list page, choose Duplicate.

Here, you can create a copy of the compound condition.

Step 4 Click Submit to create a copy of the compound condition


To edit a compound condition, complete the following steps:


Step 1 From the Posture menu, choose Compound Condition.

The Compound conditions list page appears, which lists predefined Cisco compound conditions and compound conditions that you have already created.

Step 2 Choose the compound condition that you want to edit.

Step 3 From the Compound conditions list page, choose Edit.

Here, you can edit a compound condition, which you have already created, and saved on the Compound conditions list page. The predefined Cisco rules are not editable.

Step 4 Click Save to save the changes to the compound condition.

The compound condition will appear on the Compound conditions list page after editing on the edit page.

Step 5 Click the Compound Condition List link to return to the Compound conditions list page.


To delete a compound condition, complete the following steps:


Step 1 From the Posture menu, choose Compound Condition.

The Compound conditions list page appears, which lists predefined Cisco compound conditions and compound conditions that you have already created.

Step 2 Choose the compound condition that you want to delete.

Step 3 From the Compound conditions list page, choose Delete.

Here, you can delete a compound condition.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-20 describes the fields on the New Compound Condition page that allow you to create, duplicate, or edit a compound condition on its edit page.

Table 19-20 Compound Condition

Field Name
Field Description

Name

From the Name field, enter the name of the compound condition that you want to create.

Description

From the Description field, enter the description of the compound condition that you want to create.

Operating System

From the Operating System field, selecting one or more Windows operating systems allow you to associate Windows operating systems to which the condition is applied.

Expression

An area in the Compound condition list page where you can create compound conditions using logical operators.

Parentheses ( )

Within the parentheses, you can combine two simple conditions from the following simple condition types: file, registry, application, and service conditions.

( & )—AND operator (use "&" for an AND operator, without the quotes)

You can use the AND operator (ampersand [ & ]) in a compound condition. For example, enter Condition1 & Condition2.

( | )—OR operator (use "|" for an OR operator, without the quotes)

You can use the OR operator (horizontal bar [  | ]) in a compound condition. For example, enter Condition1 | Condition2.

( ! )—NOT operator (use "!" for a NOT operator, without the quotes)

You can use the NOT operator (exclamation point [ ! ]) in a compound conditions. For example, enter Condition1 & (!Condition2).

Condition list

The Condition list provides you the list of simple conditions of the following types: file, registry, application, and service.

Choose simple conditions from the Condition list.


Filtering Compound Conditions

A quick filter is a simple and quick filter that can be used to filter compound conditions on the Compound conditions list page. It filters compound conditions based on the field description such as the name and description of the compound condition on the Compound conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Compound conditions list page. It filters compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Compound conditions list page.

To filter compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Compound Condition.

The Compound conditions list page appears.

Step 5 From the Compound conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-21.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Compound conditions list page.


Note To return to the Compound conditions list page, choose All from the Show drop-down to display all the compound conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters compound conditions based on each field description on the Compound conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Compound conditions list page. If you clear the field, it displays the list of all the compound conditions on the Compound conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter compound conditions by using variables that are more complex. It contains one or more filters, which filter compound conditions based on the values that match the field description. A filter on a single row filters compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-21 describes the fields that allow you to filter compound conditions on the Compound conditions list page.

Table 19-21 Filtering Compound Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter compound conditions by the condition name.

Description

This field enables you to filter compound conditions by the condition description.

Condition Type

This filed enables you to filter compound conditions by Cisco defined and not Cisco defined conditions.

Advanced Filter

Choose the field description from the following:

Name

Description

Condition Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter compound conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter compound conditions.


Antivirus and Antispyware Compound Conditions

Prerequisites:

Before you begin, you should read and understand the following antivirus and antispyware topics:

Antivirus and Antispyware Support Charts, which explain antivirus and antispyware support.

Antivirus and Antispyware Definition Updates, which explain updating antivirus and antispyware definition files.

An Antivirus Compound Condition

Cisco ISE loads preconfigured antivirus compound conditions on the AV Compound conditions list, which are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems. These antivirus compound conditions can check for antivirus products for their existence on all the clients. You can also create new antivirus compound conditions on the New AV Compound Condition page.

The New AV Compound Condition page displays the Products for Selected Vendor table, which provides information on antivirus products for a selected vendor.

An Antispyware Compound Condition

Cisco ISE loads preconfigured antispyware compound conditions on the AS Compound conditions list, which are defined in the antivirus and antispyware support charts for Windows and Macintosh operating systems. These antispyware compound conditions can check for antispyware products for their existence on all the clients. You can also create new antispyware compound conditions on the New AS Compound Condition page.

The New AS Compound Condition page displays the Products for Selected Vendor table, which provides information on antivirus products for a selected vendor.

Antivirus and Antispyware Support Charts

Cisco ISE uses an antivirus and antispyware support chart, which provides the latest version and date on the definition files for each vendor product. Users need to frequently poll antivirus and antispyware support charts for updates. The antivirus and antispyware vendors frequently update antivirus and antispyware definition files, and the antivirus and antispyware chart provides them the latest version and date on the definition files for each vendor product.

Each time the antivirus and antispyware support chart is updated to reflect support for new antivirus and antispyware vendors, products, and their releases, the NAC Agents receive a new antivirus and antispyware library. It helps NAC Agents to support newer additions. Once the NAC Agents retrieve this support information, they check the latest definition information from the periodically updated se-checks.xml file (which is published along with the se-rules.xml file in the se-templates.tar.gz archive), and determine whether clients are compliant with the posture policies. Depending upon what is supported by the antivirus and antispyware library for a particular antivirus, or antispyware product, the appropriate requirements will be sent to the NAC Agents for validating their existence, and the status of particular antivirus and antispyware products on the clients during posture validation.

Antivirus and Antispyware Definition Updates

The New AV Compound Condition and New AS Compound Condition configuration pages allow you to use the information from the av-chart archive files, which display the list of vendors, supported products, and their releases to configure client remediations on the AVAS remediations list page.

In the New AV Compound Condition and New AS Compound Condition configuration pages, you have an option to check for antivirus and antispyware definition file date, or version on all the clients for the following: a particular vendor product, or any product from a vendor, or for any vendor any product. In addition, you also have an option to specify that the definition files can be older than a specified certain number of days. It gives users a certain amount of time to enforce security policies with respect to how old the definition files can be on their system.

Antivirus and antispyware compound conditions allow you to verify that the virus definition files for a specified vendor are up-to-date on your clients. You can optionally configure antivirus and antispyware definition files of antivirus and antispyware compound conditions to be older by a number of days than the definition files, which are updated in the Cisco ISE servers. Even if the definition files have not been updated by the vendor, this option allows you to configure antivirus and antispyware compound conditions so that clients are validated for compliance with older versions by a few days.

For antivirus definition file updates, you can specify the number of days either from the latest antivirus definition file updates for a specified vendor, or from the current system date on Cisco ISE. For antispyware definition file updates, you must specify the number of days from the current system date. You do not have the option to specify the number of days from the latest antispyware definition file updates. The default number of days is zero (0), indicating that the antivirus and antispyware file definition date cannot predate the latest file or current system date.

You can also associate antivirus and antispyware compound conditions to the AVAS remediation actions. If your clients fail to meet antivirus and antispyware compound conditions, then the NAC Agents that are installed on your clients communicate directly with the installed antivirus and antispyware software on the clients. The NAC Agents display a dialog with an update, or remediate button on it for end users to use them to remediate clients automatically with the latest antivirus and antispyware definition files.

Related Topics

Antivirus Compound Condition

Antispyware Compound Condition

Antivirus Compound Condition

An antivirus compound condition contains one or more antivirus conditions (simple conditions), or antivirus compound conditions. An antivirus compound condition checks an antivirus installation, or checks for an antivirus signature definition version/date on a client. You can create an antivirus compound condition to check for an antivirus installation, or definition updates on the client for any vendor.

This section provides the procedure that you can use to configure antivirus compound conditions.

Configuring Antivirus Compound Conditions

Configuring Antivirus Compound Conditions

The AV Compound conditions list page displays antivirus compound conditions along with their names and description.

You can create an AV compound condition to check that an antivirus installation exists on your clients, or check that the latest antivirus signature definition version/date on the client for a selected vendor. You can duplicate, edit, delete, or filter AV compound conditions from the AV Compound conditions list page.

This section covers the following procedures:

Creating, Duplicating, Editing, and Deleting an Antivirus Compound Condition

Filtering Antivirus Compound Conditions

Creating, Duplicating, Editing, and Deleting an Antivirus Compound Condition

You can use the AV Compound conditions list page to create, duplicate, edit, or delete an AV compound condition.

To create an antivirus compound condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose AV Compound Condition.

The AV Compound conditions list page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you create on the New Anti-virus Compound Condition page.

Step 5 Click Add.


Warning Once created and saved, the name of the antivirus compound condition is not editable.

Step 6 Modify the values on the AV Compound conditions list page, as shown in Table 19-22.

Here, you can create an antivirus compound condition to check the installation of an antivirus program, or check that an antivirus definition file is up-to-date.


Note Choose a product from the Products for Selected Vendor table.


Step 7 Click Submit to create an antivirus compound condition.


To duplicate an antivirus compound condition, complete the following steps:


Step 1 From the Posture menu, choose AV Compound Condition.

The AV Compound conditions list page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you have already created.

Step 2 Choose the antivirus compound condition that you want to duplicate.

Step 3 From the antivirus Compound conditions list page, choose Duplicate.

Here, you can create a copy of the antivirus compound condition.

Step 4 Click Submit to create a copy of the AV compound condition.


To edit an antivirus compound condition, complete the following steps:


Step 1 From the Posture menu, choose AV Compound Condition.

The AV Compound conditions list page appears, which lists all the Cisco predefined rules, and also antivirus compound conditions that you have already created.

Step 2 Choose the antivirus compound condition that you want to edit.

Step 3 From the antivirus Compound conditions list page, choose Edit.

Here, you can edit an antivirus compound condition, which you have already created and saved on the AV Compound conditions list page. The predefined Cisco rules are not editable.

Step 4 Click Save to save the changes to the antivirus compound condition.

The antivirus compound condition will appear on the AV Compound conditions list page after editing on the edit page.

Step 5 Click the AV Compound Condition List link to return to the AV Compound conditions list page.


To delete an antivirus compound condition, complete the following steps:


Step 1 From the Posture menu, choose AV Compound Condition.

The AV Compound conditions list page appears, which lists all the Cisco predefined rules, and also AV compound conditions that you have already created.

Step 2 Choose the antivirus compound condition that you want to delete.

Step 3 From the AV Compound conditions list page, choose Delete.

Here, you can delete an antivirus compound condition.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-22 describes the fields on the AV Compound conditions list page that allow you to create, duplicate, or edit an antivirus compound condition.

Table 19-22 AV Compound Condition 

Field Name
Field Description

Name

The name of the antivirus compound condition that you want to create.

Description

The description of the antivirus compound condition that you want to create.

Operating System

The field selection of Operating System allows you to check the installation of an antivirus programs on your client, or check the latest antivirus definition file updates to which the condition is applied.

Vendor

Choose a vendor from the drop-down list. The selection of Vendor retrieves their antivirus products and versions, which are displayed in a table (Products for Selected Vendor) on the New Anti-virus Compound Condition page.

Check Type

The field selection of Check Type allows you to choose whether to check an installation or check the latest definition file update on the client.

Installation radio button

The field selection of Installation radio button allows you to check only the installation of an antivirus program on the client.

Definition radio button

The field selection of Definition radio button allows you to check only the latest definition file update of an antivirus product on the client.

Allow virus definition file to be check box (Enabled)

The Allow virus definition file to be check box is enabled only when creating antivirus definition check types, and disabled when creating antivirus installation check types.

If checked, the selection allows you to check the antivirus definition file version and the latest antivirus definition file date on the client. The latest definition file date cannot be older than that you define in the next field (days older than field) from the latest antivirus definition file date of the product or the current system date.

If unchecked, the selection allows you to check only the version of the antivirus definition file as the Allow virus definition file to be check box is not checked.

days older than

The field defines the number of days that the latest antivirus definition file date on the client can be older from the latest antivirus definition file date of the product or the current system date. The default value is zero (0).

The latest file date radio button

When selected, the latest file date option checks that the antivirus definition file date on the client, which can be older by the number of days that you define in the next field (days older than field).

If you set the number of days to the default value (0), then the antivirus definition file date on the client should not be older than the latest antivirus definition file date of the product.

The current system date radio button

When selected, the current system date option checks that the antivirus definition file date on the client, which can be older by the number of days that you define in the next field (days older than field).

If you set the number of days to the default value (0), then the antivirus definition file date on the client should not be older than the current system date.

Products for Selected Vendor table

Choose an antivirus product from the table. Based on the vendor that you select in the New Anti-virus Compound Condition page, the table retrieves information on their antivirus products and their version, remediation support that they provide, latest definition file date and its version.

The selection of a product from the table allows you to check for the installation of an antivirus program, or check for the latest antivirus definition file date, and its latest version.


Filtering Antivirus Compound Conditions

A quick filter is a simple and quick filter that can be used to filter antivirus compound conditions on the AV Compound conditions list page. It filters antivirus compound conditions based on the field description such as the name and description of the antivirus compound condition on the AV Compound conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AV Compound conditions list page. It filters antivirus compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the AV Compound conditions list page.

To filter antivirus compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose AV Compound Condition.

The AV Compound conditions list page appears.

Step 5 From the AV Compound conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-23.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the AV Compound conditions list page.


Note To return to the AV Compound conditions list page, choose All from the Show drop-down to display all the antivirus compound conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters antivirus compound conditions based on each field description on the AV Compound conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Compound conditions list page. If you clear the field, it displays the list of all the antivirus compound conditions on the AV Compound conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter antivirus compound conditions by using variables that are more complex. It contains one or more filters, which filter antivirus compound conditions based on the values that match the field description. A filter on a single row filters antivirus compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antivirus compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-23 describes the fields that allow you to filter antivirus compound conditions on the AV Compound conditions list page.

Table 19-23 Filtering Antivirus Compound Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter conditions by the condition name.

Description

This field enables you to filter conditions by the condition description.

Advanced Filter

Choose the field description from the following:

Name

Description

Click the drop-down arrow to choose the field description.

Operator

Click the drop-down arrow to choose a value that can be used to filter in the Operator field.

Value

Enter the value for the field description that you selected against to filter the conditions.


Antispyware Compound Condition

An antispyware compound condition contains one or more antispyware conditions (simple conditions), or antispyware compound conditions. An antispyware compound condition checks an antispyware installation, or checks for an antispyware signature definition version/date on a client against the current system date. You can create an antispyware compound condition to check for an antivirus installation, or definition updates on the client for any vendor.

When you create an antispyware definition file update condition, the antispyware definition file date can be older than the current system date by the number of days that you specify for checking the definition file date on the client. The default value is zero (0) days.

Here, you must enable (check) the Allow virus definition file to be check box to check that the latest antispyware definition file date on the client. It can be older than the current system date by the number of days, which you define in the days older than field.

This section provides the procedure that you can use to configure antispyware compound conditions.

Configuring Antispyware Compound Conditions

Configuring Antispyware Compound Conditions

The AS Compound conditions list page displays antispyware compound conditions along with their names and description.

You can create an antispyware compound condition to check that an antispyware installation exists on your clients, or check that the latest antispyware signature definition version/date on the client for a selected vendor. You can duplicate, edit, delete, or filter antispyware compound conditions from the AS Compound conditions list page.

This section covers the following procedures:

Creating, Duplicating, Editing, and Deleting an Antispyware Compound Condition

Filtering Antispyware Compound Conditions

Creating, Duplicating, Editing, and Deleting an Antispyware Compound Condition

You can use the AS Compound conditions list page to create, duplicate, edit, or delete an antispyware compound condition.

To create an antispyware compound condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose AS Compound Condition.

The AS Compound conditions list page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you create on the New Anti-spyware Compound Condition page.

Step 5 Click Add.


Warning Once created and saved, the name of the antispyware compound condition is not editable.

Step 6 Modify the values on the AS Compound conditions list page, as shown in Table 19-24.

Here, you can create an antispyware compound condition to check the installation of an antispyware program, or check that an antispyware definition file is up-to-date.


Note Choose a product from the Products for Selected Vendor table.


Step 7 Click Submit to create an antispyware compound condition.


To duplicate an antispyware compound condition, complete the following steps:


Step 1 From the Posture menu, choose AS Compound Condition.

The AS Compound conditions list page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you have already created.

Step 2 Choose the antispyware compound condition that you want to duplicate.

Step 3 From the AS Compound conditions list page, choose Duplicate.

Here, you can create a copy of the antispyware compound condition.

Step 4 Click Submit to create a copy of the antispyware compound condition.


To edit an antispyware compound condition, complete the following steps:


Step 1 From the Posture menu, choose AS Compound Condition.

The AS Compound conditions list page appears, which lists all the Cisco predefined rules, and also antispyware compound conditions that you have already created.

Step 2 Choose the antispyware compound condition that you want to edit.

Step 3 From the AS Compound conditions list page, choose Edit.

Here, you can edit an antispyware compound condition, which you have already created and saved on the AS Compound conditions list page. The predefined Cisco rules are not editable.

Step 4 Click Save to save the changes to the antispyware compound condition.

The antispyware compound condition will appear on the AS Compound conditions list page after editing on the edit page.

Step 5 Click the AS Compound Condition List link to return to the AS Compound conditions list page.


To delete an antispyware compound condition, complete the following steps:


Step 1 From the Posture menu, choose AS Compound Condition.

The AS Compound conditions list page appears, which lists all the Cisco predefined rules, and also AS compound conditions that you have already created.

Step 2 Choose the antispyware compound condition that you want to delete.

Step 3 From the AS Compound conditions list page, choose Delete.

Here, you can delete an antispyware compound condition.


Warning Cisco predefined conditions cannot be deleted. Please select conditions that are not defined by Cisco to delete.

Table 19-24 describes the fields on the AS Compound conditions list page that allow you to create, duplicate, or edit an antispyware compound condition.

Table 19-24 Antispyware Compound Condition 

Field Name
Field Description

Name

The name of the antispyware compound condition that you want to create.

Description

The description of the antispyware compound condition that you want to create.

Operating System

The field selection of Operating System allows you to check the installation of an antispyware programs on your client, or check the latest antispyware definition file updates to which the condition is applied.

Vendor

Choose a vendor from the drop-down list. The selection of Vendor retrieves their antispyware products and versions, which are displayed in a table (Products for Selected Vendor) on the New AV Compound Condition page.

Check Type

The field selection of Check Type allows you to choose a type whether to check an installation, or check the latest definition file update on the client.

Installation radio button

The field selection of Installation radio button allows you to check only the installation of an antispyware program on the client.

Definition radio button

The field selection of Definition radio button allows you to check only the latest definition file update of an antispyware product on the client.

Allow virus definition file to be check box (Enabled)

The Allow virus definition file to be check box is enabled only when creating antispyware definition check types, and disabled when creating antispyware installation check types.

If checked, the selection allows you to check antispyware definition file version and the latest antispyware definition file date on the client. The latest definition file date cannot be older than that you define in the next field (days older than field) from the current system date.

If unchecked, the selection allows you to check only the version of the antispyware definition file as the Allow virus definition file to be check box is not checked.

days older than

The field defines the number of days that the latest antispyware definition file date on the client can be older from the current system date. The default value is zero (0).

The current system date radio button

When selected, the current system date option checks that the antispyware definition file date on the client, which can be older by the number of days that you define in the next field (days older than field).

If you set the number of days to the default value (0), then the antispyware definition file date on the client should not be older than the current system date.

Products for Selected Vendor table

Choose an antispyware product from the table. Based on the vendor that you select in the New Anti-spyware Compound Condition page, the table retrieves information on their antispyware products and their version, remediation support that they provide, latest definition file date and its version.

The selection of a product from the table allows you to check for the installation of an antispyware program, or check for the latest antispyware definition file date, and its latest version.


Filtering Antispyware Compound Conditions

A quick filter is a simple and quick filter that can be used to filter antispyware compound conditions on the AS Compound conditions list page. It filters antispyware compound conditions based on the field description such as the name and description of the antispyware compound condition on the AS Compound conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AS Compound conditions list page. It filters antispyware compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the AS Compound conditions list page.

To filter antispyware compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose AS Compound Condition.

The AS Compound conditions list page appears.

Step 5 From the AS Compound conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-25.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the AV Compound conditions list page.


Note To return to the AS Compound conditions list page, choose All from the Show drop-down to display all the antispyware compound conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters antispyware compound conditions based on each field description on the AS Compound conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Compound conditions list page. If you clear the field, it displays the list of all the antispyware compound conditions on the AS Compound conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter antispyware compound conditions by using variables that are more complex. It contains one or more filters, which filter antispyware compound conditions based on the values that match the field description. A filter on a single row filters antispyware compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antispyware compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-25 describes the fields that allow you to filter antispyware compound conditions on the AS Compound conditions list page.

Table 19-25 Filtering Antispyware Compound Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter conditions by the condition name.

Description

This field enables you to filter conditions by the condition description.

Advanced Filter

Choose the field description from the following:

Name

Description

Click the drop-down arrow to choose the field description.

Operator

Click the drop-down arrow to choose a value that can be used to filter in the Operator field.

Value

Enter the value for the field description that you selected against to filter the conditions.


Dictionary Simple Condition

A Dictionary simple condition is a simple (single) condition, where you can associate a value to a dictionary attribute. Once created and saved, the dictionary simple conditions are added to a library. You can use these dictionary simple conditions to form a dictionary compound condition on the Dictionary Compound Conditions page.

This section provides the procedure that you can use to configure dictionary simple conditions.

Configuring Dictionary Simple Conditions

Configuring Dictionary Simple Conditions

You can create a dictionary simple condition to check the value of an attribute that you associate to the dictionary attribute in the dictionary simple condition. You can also duplicate, edit, delete, or filter dictionary simple conditions from the Dictionary Simple Conditions list page.

The Dictionary Simple Conditions list page displays dictionary simple conditions along with their names and description, as well as the conditions in detail that you define in the dictionary simple conditions.

This section covers the following procedures:

Creating, Duplicating, Editing, and Deleting a Dictionary Simple Condition

Filtering Dictionary Simple Conditions

Creating, Duplicating, Editing, and Deleting a Dictionary Simple Condition

You can use the Dictionary Simple Conditions list page to create, duplicate, edit, or delete a dictionary simple condition.

To create a dictionary simple condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Dictionary Simple Condition.

The Dictionary Simple Conditions list page appears.

Step 5 Click Add.


Warning Once created and saved, the name of the dictionary simple condition is not editable.

Step 6 Modify the values on the New Dictionary Condition page, as shown in Table 19-26.

Here, you can create a dictionary simple condition where you can associate a value to a dictionary attribute.

Step 7 Click Submit to create a dictionary simple condition.


To duplicate a dictionary simple condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Simple Condition.

The Dictionary Simple Conditions list page appears, which lists all the dictionary simple conditions that you have already created.

Step 2 Choose the dictionary simple condition that you want to duplicate.

Step 3 From the Dictionary Simple Conditions list page, choose Duplicate.

Here, you can create a copy of the dictionary simple condition.

Step 4 Click Submit to create a copy of the dictionary simple condition.


To edit a dictionary simple condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Simple Condition.

The Dictionary Simple Conditions list page appears, which lists all the dictionary simple conditions that you have already created.

Step 2 Choose the dictionary simple condition that you want to edit.

Step 3 From the Dictionary Simple Conditions list page, choose Edit.

Here, you can edit a dictionary simple condition.

Step 4 Click Save to save the changes to the dictionary simple condition.

The dictionary simple condition will appear on the Dictionary Simple Conditions list page after editing on the edit page.

Step 5 Click the Dictionary Condition List link to return to the Dictionary Simple Conditions list page.


You cannot delete a dictionary simple condition, which is associated to a dictionary compound condition. To delete, you must first remove the association from the dictionary compound condition, and then delete it.

To delete a dictionary simple condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Simple Condition.

The Dictionary Simple Conditions list page appears, which lists all the dictionary simple conditions that you have already created.

Step 2 Choose the dictionary simple condition that you want to delete.

Step 3 From the Dictionary Simple Conditions list page, choose Delete.

Here, you can delete a dictionary simple condition.


Table 19-26 describes the fields on the Dictionary Simple Conditions list page that allow you to create, duplicate a dictionary simple condition, or edit a dictionary simple condition on its edit page.

Table 19-26 Dictionary Simple Condition 

Field Name
Field Description

Name

From the Name field, enter the name of the dictionary simple condition that you want to create.

Description

From the Description field, enter the description of the dictionary simple condition that you want to create.

Attribute

From the Attribute field, you can choose an attribute from a dictionary in the dictionaries widget.

Operator

From the Operator field, you can choose an operator to associate a value to an attribute that you have selected.

Click the drop-down arrow to choose an operator from the predefined settings for each of the dictionary attribute that you have selected.

Value

From the Value field, enter a value that you want to associate to the dictionary attribute, or choose a predefined value from the drop-down list.


Filtering Dictionary Simple Conditions

A quick filter is a simple and quick filter that can be used to filter dictionary simple conditions on the Dictionary Simple Conditions list page. It filters dictionary simple conditions based on the field description such as the name of the dictionary simple condition, condition that you define in the dictionary simple condition, and description on the Dictionary Simple Conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Dictionary Simple Conditions list page. It filters dictionary simple conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Dictionary Simple Conditions list page.

To filter dictionary simple conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Dictionary Simple Condition.

The Dictionary Simple Conditions list page appears.

Step 5 From the Dictionary Simple Conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-27.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Dictionary Simple Conditions list page.


Note To return to the Dictionary Simple Conditions list page, choose All from the Show drop-down to display all the dictionary simple conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters dictionary simple conditions based on each field description on the Dictionary Simple Conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Dictionary Simple Conditions list page. If you clear the field, it displays the list of all the dictionary simple conditions on the Dictionary Simple Conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter dictionary simple conditions by using variables that are more complex. It contains one or more filters, which filter dictionary simple conditions based on the values that match the field description. A filter on a single row filters dictionary simple conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-27 describes the fields on the Dictionary Simple Conditions list page that allow you to filter dictionary simple conditions.

Table 19-27 Filtering Dictionary Simple Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter dictionary simple conditions by the condition name.

Condition

This field enables you to filter dictionary simple conditions by the condition that you define in the dictionary simple condition.

Description

This field enables you to filter dictionary simple conditions by the condition description.

Advanced Filter

Choose the field description from the following:

Name

Condition

Description

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter dictionary simple conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter dictionary simple conditions.


Dictionary Compound Condition

A dictionary compound condition is a logical combination of more than one dictionary simple condition (a dictionary attribute that is associated with a value). It is a set of dictionary simple conditions (dictionary attributes that are associated with values) that are logically combined with an AND, or an OR operator. You can save a dictionary compound condition, only when you define more than one dictionary simple condition, and then combine them on the Dictionary Compound Conditions page. One or more dictionary simple conditions that you create on the Dictionary Compound Conditions page must be saved to a library first, which can be added later from the library to form a dictionary compound condition.

This section provides the procedure that you can use to configure dictionary compound conditions.

Configuring Dictionary Compound Conditions

Configuring Dictionary Compound Conditions

The Dictionary Compound Conditions page displays the list of dictionary compound conditions along with their names and description, as well as dictionary simple conditions that are logically combined.

This section covers the following procedure:

Creating, Duplicating, Editing, and Deleting a Dictionary Compound Condition

Filtering Dictionary Compound Conditions

Creating, Duplicating, Editing, and Deleting a Dictionary Compound Condition

You can create, duplicate, edit, or delete a dictionary compound condition from the Dictionary Compound Conditions page.

To create a dictionary compound condition, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions menu window, choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Dictionary Compound Condition.

The Dictionary Compound Conditions list page appears.

Step 5 Click Add.


Warning Once created and saved, the name of the dictionary compound condition is not editable.

Step 6 Modify the values on the New Dictionary Compound Condition page, as shown in Table 19-28.

Here, you can create a dictionary compound condition where you can logically combine more than one dictionary simple conditions.

Step 7 Click Submit to create a dictionary compound condition.


To duplicate a dictionary compound condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Compound Condition.

The Dictionary compound Conditions list page appears, which lists all the dictionary compound conditions that you have already created.

Step 2 Choose the dictionary compound condition that you want to duplicate.

Step 3 From the Dictionary Compound Conditions list page, choose Duplicate.

Here, you can create a copy of the dictionary compound condition.

Step 4 Click Submit to create a copy of the dictionary compound condition.


To edit a dictionary compound condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Compound Condition.

The Dictionary Compound Conditions list page appears, which lists all the dictionary compound conditions that you have already created.

Step 2 Choose the dictionary compound condition that you want to edit.

Step 3 From the Dictionary Compound Conditions list page, choose Edit.

Here, you can edit a dictionary compound condition.

Step 4 Click Save to save the changes to the dictionary compound condition.

The dictionary compound condition will appear on the Dictionary Compound Conditions list page after editing on the edit page.

Step 5 Click the Dictionary Compound Condition List link to return to the Dictionary Compound Conditions list page.


To delete a dictionary compound condition, complete the following steps:


Step 1 From the Posture menu, choose Dictionary Compound Condition.

The Dictionary Compound Conditions list page appears, which lists all the dictionary compound conditions that you have already created.

Step 2 Choose the dictionary compound condition that you want to delete.

Step 3 From the Dictionary Compound Conditions list page, choose Delete.

Here, you can delete a dictionary compound condition.


Table 19-28 describes the fields on the Dictionary Compound Conditions page that allow you to create, duplicate a dictionary compound condition, or edit a dictionary compound condition on its edit page.

Table 19-28 Dictionary Compound Condition 

Field Name
Field Description

Name

From the Name field, enter the name of the dictionary compound condition that you want to create.

Description

From the Description field, enter the description of the dictionary compound condition that you want to create.

Select Existing Condition from Library

You can define an expression by selecting pre-defined conditions from the policy elements library.

Click the Action Icon button to do the following:

Add Attribute/Value

Add Condition from Library

Delete

You can add ad-hoc attribute/value pairs to your expression in the subsequent steps.

Click the Action Icon button to do the following:

Add Attribute/Value—allows you to create a dictionary simple condition

Add Condition from Library—allows you to choose a dictionary simple, or dictionary compound condition from the library that are already created and saved

Duplicate—allows to duplicate a condition that you create or choose on this page.

Add Condition to Library—allows you to save new dictionary simple, and dictionary compound conditions that you create here to the library for use later

Delete—allows to remove the association of a dictionary simple or dictionary compound condition from the dictionary compound condition.

Condition Name

From the Condition Name field, you can choose dictionary simple conditions that you have already created from the policy elements library.

Expression

The Expression field is updated based on your selection from the Condition Name field.

AND or OR operator

Either an AND operator, or an OR operator allows you to logically combine dictionary simple conditions, which can be added from the library.

Click the Action Icon button to do the following:

Add Attribute/Value

Add Condition from Library

Delete

Create New Condition (Advance Option)

You can define an expression by selecting attributes from various system or user-defined dictionaries.

Click the Action Icon button to do the following:

Add Attribute/Value

Add Condition from Library

Duplicate

Add Condition to Library

Delete

You can add pre-defined conditions from the policy elements library in the subsequent steps.

Condition Name

From the Condition Name field, you can create a new dictionary simple condition and then save it to the library, or choose dictionary simple conditions that you have already created from the library.

Expression

From the Expression field, you can create a dictionary simple condition by choosing an attribute from a dictionary in the dictionaries widget to which you can associate a value.

Operator

From the Operator field, you can choose an operator to associate a value to an attribute.

Click the drop-down arrow to choose an operator from the predefined settings for each of the dictionary attribute that you select.

Value

From the Value field, enter a value that you want to associate to the dictionary attribute, or choose a value from the drop-down list.

AND or OR operator

Either an AND operator, or an OR operator allows you to logically combine dictionary simple conditions, which can be added from the library.


Filtering Dictionary Compound Conditions

A quick filter is a simple and quick filter that can be used to filter dictionary compound conditions on the Dictionary Compound Conditions list page. It filters dictionary compound conditions based on the field description such as the name of the dictionary compound condition, conditions that you define in the dictionary compound condition, and description on the Dictionary Compound Conditions list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Dictionary Compound Conditions list page. It filters dictionary compound conditions based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Dictionary Compound Conditions list page.

To filter compound conditions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Conditions (menu window).

Step 2 From the Conditions (menu window), choose Posture.

Step 3 Click the Quick Picker (right arrow) icon to navigate to the list of posture conditions.

The Posture menu appears, which lists all the posture condition types.

Step 4 From the Posture menu, choose Dictionary Compound Condition.

The Dictionary Compound Conditions list page appears.

Step 5 From the Dictionary Compound Conditions list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-29.

Step 6 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 7 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Dictionary Compound Conditions list page.


Note To return to the Dictionary Compound Conditions list page, choose All from the Show drop-down to display all the dictionary compound conditions without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters dictionary compound conditions based on each field description on the Dictionary Compound Conditions list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Dictionary Compound Conditions list page. If you clear the field, it displays the list of all the compound conditions on the Dictionary Compound Conditions list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter dictionary compound conditions by using variables that are more complex. It contains one or more filters, which filter dictionary compound conditions based on the values that match the field description. A filter on a single row filters dictionary compound conditions based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter compound conditions by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-29 describes the fields on the Dictionary Compound Conditions list page that allow you to filter dictionary compound conditions.

Table 19-29 Filtering Dictionary Compound Conditions 

Filtering Method
Filtering Field
Filtering Field Description

Quick Filter

Name

This field enables you to filter compound conditions by the condition name.

Condition

This field enables you to filter dictionary compound conditions by the condition that you define in the dictionary compound condition.

Description

This field enables you to filter compound conditions by the condition description.

Advanced Filter

Choose the field description from the following:

Name

Condition

Description

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter dictionary compound conditions.

Value

From the Value field, choose the value for the field description that you selected against which to filter dictionary compound conditions.


Posture Results

Posture results are associated mandatory requirements to posture policies that all clients must meet their requirements during posture evaluation, and associated remediation actions to requirements that are required by clients to remediate themselves to meet failed requirements in order to become compliant on your network.

Posture results in posture requirements which all clients must meet for compliance with your organization security policies during policy evaluation of endpoints, The posture requirements can be set to mandatory, optional or audit types in posture policies during posture evaluation of endpoints.

Mandatory Requirements

If clients fail to meet mandatory requirements as defined in posture policies, then they are provided with remediation options in order for clients to meet them during policy evaluation. When clients fail to meet mandatory requirements during policy evaluation, it results in remediation actions that are associated to requirements, and end users are given remediation time within minutes specified in the remediation timer settings to remediate failed requirements.

If a client machine is unable to remediate a mandatory requirement, the session posture status changes to "non-compliant" and the agent session is quarantined. The only way to get the client machine past this "non-compliant" state is by initiating a new RADIUS or posture session where the agent starts posture assessment on the client machine again.

You can restart posture assessment on the client machine by doing one of the following:

For wired and wireless CoA in an 802.1X environment—You can configure the Reauthentication Timer for the specific authorization policy in the Policy > Policy Elements > Results > Authorization > Authorization Profiles page. When you have the authorization policy page open, enable the Reauthentication function under Common Tasks and set the Maintain Connectivity During Reauthentication option to "Default." The result is that the timer expires and a brand new session launches, thus restarting posture assessment. For more details, see Modifying an Existing Authorization Profile, page 16-30. (This method is not supported in Inline Posture deployments.)

Alternatively, wired users can get out of the quarantine state once they disconnect and reconnect to the network. In a wireless environment, the user must disconnect from the WLC and wait until the user idle timeout period has expired before attempting to reconnect to the network.

In a VPN environment—The only option is to disconnect and reconnect the VPN tunnel.

Optional Requirements

If client machines fail to meet optional requirements during policy evaluation, then the agents prompt end users with an option to continue further so that end users can skip optional requirements even though they fail during policy evaluation.

Audit Requirements

Audit requirements are not shown to end users even though they pass, or fail during policy evaluation.

Related Topics

Custom Posture Remediation Actions

Configuring Custom Posture Remediation Actions

Client Posture Assessment Requirements

Troubleshooting Topics

Agent Fails to Initiate Posture Assessment, page D-27

Custom Posture Remediation Actions

A custom posture remediation action can take the form of a file, a link, an antivirus or antispyware definition updates, launching programs, Windows updates, or Windows Server Update Services (WSUS) types. Here, you also have a text box for all the remediation types that can be used to communicate to the Agent users. In addition to remediation actions, you can also communicate to Agent users of non compliance of clients only with messages. Here, the NAC Agent does not trigger any remediation action.

When you create a posture requirement on the Requirements page, you can associate any one of a file, a link, an antivirus or antispyware definition updates, launching programs, Windows updates, or Windows Server Update Services (WSUS) types to the requirement.

Message Text Only

The Message Text Only option informs Agent users about noncompliance of clients. It also provides optional instructions to the user to contact the Help desk for more information, or to remediate the client manually.

You can use the Posture Remediation Actions menu to manage the following remediations for a posture in Cisco ISE:

A file remediation—downloads the required file version on your client for compliance

A link remediation—provides a URL link for the client to click for access to a remediation page or resource

An antivirus or antispyware remediation—updates antivirus or antispyware signature definitions on the client for compliance

Launch programs remediation—launches one or more programs on the client for compliance

Windows updates remediation—changes the Windows Automatic Update configuration (System Properties) on the client per customer security policy, and helps to ensure Windows Update remediates the client for compliance

Windows Server Update Services (WSUS) remediation—remediates the Windows client from a locally managed WSUS server, or Microsoft-managed WSUS server with the latest WSUS updates for compliance

To manage the posture remediation actions, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to view the posture results.

The following results appear:

Remediation Actions—associated to requirements, which are required by clients to remediate themselves to meet failed requirements during policy evaluation

Requirements—associated to posture policies that all clients must meet during policy evaluation

Step 4 Choose Remediation Actions.

The following remediation types appear:

File Remediation

Link Remediation

AVAS Remediation

Launch Program Remediation

Windows Update Remediation

Windows Server Update Services Remediation

Step 5 Choose a remediation type to view the remediations list.


Configuring Custom Posture Remediation Actions

This section describes the custom remediation types that you can define in Cisco ISE.

This section covers the following procedures for managing remediation actions for a posture:

Viewing, Adding, and Deleting a File Remediation

Filtering File Remediations

Adding, Duplicating, Editing, and Deleting a Link Remediation

Filtering Link Remediations

Adding, Duplicating, Editing, and Deleting an Antivirus or Antispyware Remediation

Filtering Antivirus or Antispyware Remediations

Adding, Duplicating, Editing, and Deleting a Launch Program Remediation

Filtering Launch Program Remediations

Adding, Duplicating, Editing, and Deleting a Windows Update Remediation

Filtering Windows Update Remediations

Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation

Filtering Windows Server Update Services Remediations

Troubleshooting Topics

Agent Fails to Initiate Posture Assessment, page D-27

File Remediation

A file remediation allows clients to download the required file version for compliance. You are only allowed to create a file remediation, where the NAC Agent and Web Agent can remediate an endpoint with a file that is required by the client for compliance. You can also view, duplicate, or delete file remediations on the File remediations list page, but not edit file remediations as you are allowed to edit other remediation types.

The File remediations list page displays all the file remediations along with their names, description, and as well as the files that are required for remediation.

This section describes the following procedures to configure and filter file remediations.

Viewing, Adding, and Deleting a File Remediation

Filtering File Remediations

Viewing, Adding, and Deleting a File Remediation

This section describes the procedures to view, add, duplicate, or delete file remediations from the File remediations list page.

To view a file remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose File Remediation.

The File remediations list page appears, which lists all the file remediations on the File remediations list page.

Step 7 Click the check box to choose a file remediation from the File remediations list page.

Step 8 From the File remediations list page, choose View.

Here, you can view a file remediation.

Step 9 Click the File Remediation List link to return back to the File remediations list page.


To add a file remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose File Remediation.

The File remediations list page appears, which lists all the file remediations on the File remediations list page.

Step 7 From the File remediations list page, choose Add.

The New File Remediation page appears. Here, you can create to add a new file remediation.


Warning Once created and saved, the name of the file remediation is not editable.

Step 8 Modify the values on the New File Remediation page, as shown in Table 19-30.

Step 9 Click Submit to save the file remediation.

The new file remediation appears on the File remediations list page.


To delete a file remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose File Remediation.

The File remediations list page appears, which lists all the file remediations on the File remediations list page.

Step 7 Click the check box to choose a file remediation from the File remediations list page.

Step 8 From the File remediations list page, choose Delete.

Here, you can delete a file remediation from the File remediations list page.


Table 19-30 describes the fields that allow you to create a file remediation on the New File Remediation page.

Table 19-30 File Remediation 

Field Name
Field Description

File Remediation Name

From the File Remediation Name field, enter the name of the file remediation that you want to create.

File Remediation Description

from the File Remediation Description field, enter the description of the file remediation.

Version

From the Version field, add the version of the file.

File to upload

From the File to upload field, browse to the name of the file to be uploaded to the Cisco ISE server. This is in turn the file that is downloaded to the client, if file remediation action is triggered.


Filtering File Remediations

A quick filter is a simple and quick filter that can be used to filter file remediations on the File remediations list page. It filters file remediations based on the field description such as the name of the file remediation, description, and the file to be uploaded that is required for remediation on the File remediations list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the File remediations list page. It filters file remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the File remediations list page.

To filter file remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose File Remediation.

Step 7 From the File remediations list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-30.

Step 8 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 9 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the File remediations list page.


Note To return to the File remediations list page, choose All from the Show drop-down to display all the file remediations without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters file remediations based on each field description on the File remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the File remediations list page. If you clear the field, it displays the list of all the file remediations on the File remediations list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter file remediations by using variables that are more complex. It contains one or more filters, which filter file remediations based on the values that match the field description. A filter on a single row filters file remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter file remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-31 describes the fields that allow you to filter file remediations.

Table 19-31 Filtering File Remediations 

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter file remediations by the name of the file remediation.

Description

This field enables you to filter file remediations by the description of the file remediation.

File Name

This field enables you to filter file remediations by the file name.

Advanced Filter

Choose the field description from the following:

Name

Description

File Name

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter file remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter file remediations.


Link Remediation

A link remediation allows clients to click a URL link for access to a remediation page, or resource. You can create a link remediation, where the NAC Agents and Web Agents open a browser with a link for clients to access a remediation page or resource, and remediate themselves for compliance. You can also duplicate, edit, or delete link remediations on the Link remediations list page.

The Link remediations list page displays all the link remediations along with their names, description, and as well as their modes of remediation.

This section describes the procedures to configure and filter link remediations.

Adding, Duplicating, Editing, and Deleting a Link Remediation

Filtering Link Remediations

Adding, Duplicating, Editing, and Deleting a Link Remediation

This section describes the procedures to add, duplicate, edit, or delete link remediations from the Link remediations list page.

To add a link remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation.

The Link remediations list page appears, which lists all the link remediations on the Link remediations list page.

Step 7 From the Link remediations list page, choose Add.

The New Link Remediation page appears. Here, you can create to add a new link remediation.


Warning Once created and saved, the name of the link remediation is not editable.

Step 8 Modify the values on the New Link Remediation page, as shown in Table 19-32.

Step 9 Click Submit to save the link remediation.

The new link remediation appears on the Link remediations list page.

Step 10 Click Cancel to go back to the Link remediations list page.


To duplicate a link remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation.

The Link remediations list page appears, which lists all the link remediations on the Link remediations list page.

Step 7 Click the check box to choose a link remediation from the Link remediations list page.

Step 8 From the Link remediations list page, choose Duplicate.

Here, you can duplicate a link remediation on the Link remediations list page.

Step 9 Click Submit to duplicate the link remediation.

A copy of the link remediation appears on the Link remediations list page. You cannot duplicate a link remediation with the same name.

Step 10 Click the Link Remediation List link to return back to the Link remediation list page.


To edit a link remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation.

The Link remediations list page appears, which lists all the link remediations on the Link remediations list page.

Step 7 Click the check box to choose a link remediation from the Link remediations list page.

Step 8 From the Link remediations list page, choose Edit.

Here, you can edit a link remediation on the edit page.

Step 9 Click Save to save the link remediation.

The link remediation will be available on the Link remediations list after editing on the edit page.

Step 10 Click the Link Remediation List link from the edit page to return to the Link remediations list page.


To delete a link remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation.

The Link remediations list page appears, which lists all the link remediations on the Link remediations list page.

Step 7 Click the check box to choose a link remediation from the Link remediations list page.

Step 8 From the Link remediations list page, choose Delete.

Here, you can delete a link remediation from the Link remediations list page.


Table 19-32 describes the fields that allow you to create a link remediation on the New Link remediation page.

Table 19-32 Link Remediation 

Field Name
Field Description

Link Remediation Name

From the Link Remediation Name field, enter the name of the link remediation that you want to create.

Link Remediation Description

From the Link Remediation Description field, enter the description of the link remediation that you want to create.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for a link remediation:

Automatic

Manual

Retry Count

From the Retry Count field, enter the number of attempts that clients can try to remediate from the link.

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate from the link after previous attempts.

URL

A valid URL that clients can access a remediation page or resource to remediate.


Filtering Link Remediations

A quick filter is a simple and quick filter that can be used to filter link remediations on the Link remediations list page. It filters link remediations based on the field description such as the name of the link remediation, description, and the mode of remediation on the Link remediations list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Link remediations list page. It filters link remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Link remediations list page.

To filter link remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Link Remediation.

Step 7 From the Link remediations list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-32.

Step 8 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 9 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Link remediations list page.


Note To return to the Link remediations list page, choose All from the Show drop-down to display all the link remediations without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters link remediations based on each field description on the Link remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Link remediations list page. If you clear the field, it displays the list of all the link remediations on the Link remediations list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter link remediations by using variables that are more complex. It contains one or more filters, which filter link remediations based on the values that match the field description. A filter on a single row filters link remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter link remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-33 describes the fields that allow you to filter link remediations.

Table 19-33 Filtering Link Remediations 

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter link remediations by the name of the link remediation.

Description

This field enables you to filter link remediations by the description of the link remediation.

Type

This field enables you to filter link remediations by the mode of remediation.

Advanced Filter

Choose the field description from the following:

Name

Description

Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter link remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter link remediations.


AVAS Remediation

An antivirus, or antispyware remediation (AV or AS remediation) updates clients with antivirus, or antispyware signature definitions for compliance. You can create an antivirus, or antispyware remediation, which updates clients with up-to-date file definitions for compliance after remediation. You can also duplicate, edit, or delete antivirus, or antispyware remediations on the AVAS remediations list page.

The AVAS remediations list page displays all the antivirus, or antispyware remediations along with their names, description, and as well as their modes of remediation.

This section describes the following procedures to add, duplicate, edit, or delete an antivirus, or antispyware remediations.

Adding, Duplicating, Editing, and Deleting an Antivirus or Antispyware Remediation

Filtering Antivirus or Antispyware Remediations

Adding, Duplicating, Editing, and Deleting an Antivirus or Antispyware Remediation

This section describes the procedures to add, duplicate, edit, or delete antivirus, or antispyware remediations from the AVAS remediations list page.

To add an antivirus or antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AVAS Remediation.

The AVAS remediations list page appears, which lists all the antivirus, or antispyware remediations on the AVAS remediations list page.

Step 7 From the AVAS remediations list page, choose Add.

The New AVAS Remediation page appears. Here, you can create to add a new antivirus, or antispyware remediation.


Warning Once created and saved, the name of the antivirus or antispyware remediation is not editable.

Step 8 Modify the values on the New AVAS Remediation page, as shown in Table 19-34.

Step 9 Click Submit to save an antivirus, or antispyware remediation.

The new antivirus, or antispyware remediation appears on the AVAS remediations list page.


To duplicate an antivirus or antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AVAS Remediation.

The AVAS remediations list page appears, which lists all the antivirus, or antispyware remediations on the AVAS remediations list page.

Step 7 Click the check box to choose an antivirus, or antispyware remediation from the AVAS remediations list page.

Step 8 From the AVAS remediations list page, choose Duplicate.

Here, you can duplicate an antivirus, or antispyware remediation on the AVAS remediations list page.

Step 9 Click Submit to duplicate an antivirus, or antispyware remediation.

A copy of an antivirus, or antispyware remediation appears on the AVAS remediations list page. You cannot duplicate an antivirus, or antispyware remediation with the same name.


To edit an antivirus or antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AVAS Remediation.

The AVAS remediations list page appears, which lists all the antivirus, or antispyware remediations on the AVAS remediations list page.

Step 7 Click the check box to choose an antivirus, or antispyware remediation from the AVAS remediations list page.

Step 8 From the AVAS remediations list page, choose Edit.

Here, you can edit an antivirus, or antispyware remediation on the edit page.

Step 9 Click Save to save the antivirus, or antispyware remediation.

The antivirus, or antispyware remediation will be available on the AVAS remediations list after editing on the edit page.

Step 10 Click the AVAS Remediation List link from the edit page to return to the AVAS remediations list page.


To delete an antivirus or antispyware remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AVAS Remediation.

The AVAS remediations list page appears, which lists all the antivirus, or antispyware remediations on the AVAS remediations list page.

Step 7 Click the check box to choose an antivirus, or antispyware remediation from the AVAS remediations list page.

Step 8 From the AVAS remediations list page, choose Delete.

Here, you can delete an antivirus, or antispyware remediation from the AVAS remediations list page.


Table 19-34 describes the fields that allow you to create an antivirus, or antispyware remediation:

Table 19-34 Antivirus or Antispyware Remediation 

Field Name
Field Description

Name

From the Name field, enter the name of an antivirus, or antispyware remediation that you want to create.

Description

From the Description field, enter the description of an antivirus, or antispyware remediation.

AV/AS Remediation Type

From the AV/AS Remediation Type field, click the drop-down arrow to view and choose from the following:

AV Definition Update—if selected, this field populates the AV Vendor Name field with antivirus vendors.

AS Definition Update—if selected, this field populates the AS Vendor Name field with antispyware vendors.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for an antivirus, or antispyware remediation:

Automatic

Manual

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count

From the Retry Count field, enter the number of attempts that clients can try to update an antivirus, or antispyware definition.

Operating System

From the Operating System field, choose one of the following options:

Windows

Macintosh

This option specifies the operating system to which AVAS remediations apply to.

AV, or AS Vendor Name

Click the drop-down arrow to view the predefined values for antivirus, or antispyware vendors based on the Remediation Type field.


Filtering Antivirus or Antispyware Remediations

A quick filter is a simple and quick filter that can be used to filter antivirus, or antispyware remediations on the AVAS remediations list page. It filters antivirus, or antispyware remediations based on the field description such as the name of the antivirus, or antispyware remediation, description, and as well as the mode of remediation on the AVAS remediations list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the AVAS remediations list page. It filters antivirus, or antispyware remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the AVAS remediations list page.

To filter antivirus or antispyware remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose AVAS Remediation.

Step 7 From the AVAS remediations list page, choose Filter.

The Quick Filter and Advanced Filter options appear Table 19-35.

Step 8 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 9 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the AVAS remediations list page.


Note To return to the AVAS remediations list page, choose All from the Show drop-down to display all the antivirus, or antispyware remediations without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters antivirus, or antispyware remediations based on each field description on the AVAS remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the AVAS remediations list page. If you clear the field, it displays the list of all the antivirus, or antispyware remediations on the AVAS remediations list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter antivirus, or antispyware remediations by using variables that are more complex. It contains one or more filters, which filter antivirus, or antispyware remediations based on the values that match the field description. A filter on a single row filters antivirus, or antispyware remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter antivirus, or antispyware remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-35 describes the fields that allow you to filter antivirus, or antispyware remediations.

Table 19-35 Filtering AVAS Remediations 

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter antivirus, or antispyware remediations by the name of an antivirus, or antispyware remediation.

Description

This field enables you to filter antivirus, or antispyware remediations by the description of an antivirus, or antispyware remediation.

Type

This field enables you to filter antivirus, or antispyware remediations by the mode of remediation.

Advanced Filter

Choose the field description from the following:

Name

Description

Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter antivirus, or antispyware remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter antivirus, or antispyware remediations.


Launch Program Remediation

A launch program remediation launches one, or more programs on clients for compliance. You can create a launch program remediation, where the NAC Agents and Web Agents remediate clients by launching one, or more applications on clients for compliance. You can also duplicate, edit, or delete launch program remediations on the Launch Program remediations list page.

The Launch Program remediations list page displays all the launch program remediations along with their names, description, and as well as their modes of remediation.

This section describes the following procedures to configure and filter launch program remediations.

Adding, Duplicating, Editing, and Deleting a Launch Program Remediation

Filtering Launch Program Remediations

Adding, Duplicating, Editing, and Deleting a Launch Program Remediation

This section describes the procedures to add, duplicate, edit, delete launch program remediations from the Launch Program remediations list page.

To add a launch program remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation.

The Launch Program remediations list page appears, which lists all the launch program remediations on the Launch Program remediations list page.

Step 7 From the Launch Program remediations list page, choose Add.

The New Launch program Remediation page appears. Here, you can create to add a new launch program remediation.


Warning Once created and saved, the name of the launch program remediation is not editable.

Step 8 Modify the values on the New Launch program Remediation page, as shown in Table 19-36.

Step 9 Click Submit to save the launch program remediation.

The new launch program remediation appears on the Launch Program remediations list page.


To duplicate a launch program remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation.

The Launch Program remediations list page appears, which lists all the launch program remediations on the Launch Program remediations list page.

Step 7 Click the check box to choose a launch program remediation from the Launch Program remediations list page.

Step 8 From the Launch Program remediations list page, choose Duplicate.

Here, you can duplicate a launch program remediation on the Launch Program remediations list page.

Step 9 Click Submit to duplicate the launch program remediation.

A copy of the launch program remediation appears on the Launch Program remediations list page. You cannot duplicate a launch program remediation with the same name.

Step 10 Click the Launch program Remediation List link to return back to the Launch Program remediation list page.


To edit a launch program remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation.

The Launch Program remediations list page appears, which lists all the launch program remediations on the Launch Program remediations list page.

Step 7 Click the check box to choose a launch program remediation from the Launch Program remediations list page.

Step 8 From the Launch Program remediations list page, choose Edit.

Here, you can edit a launch program remediation on the edit page.

Step 9 Click Save to save the launch program remediation.

The launch program remediation will be available on the Launch Program remediations list after editing on the edit page.

Step 10 Click the Launch program Remediation List link from the edit page to return to the Launch Program remediations list page.


To delete a launch program remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Launch Program Remediation.

The Launch Program remediations list page appears, which lists all the launch program remediations on the Launch Program remediations list page.

Step 7 Click the check box to choose a launch program remediation from the Launch Program remediations list page.

Step 8 From the Launch Program remediations list page, choose Delete.

Here, you can delete a launch program remediation from the Launch Program remediations list page.


Table 19-36 describes the fields that allow you to create a launch program remediation.

Table 19-36 Launch Program Remediation 

Field Name
Field Description

Name

From the Name field, enter the name of the launch program remediation that you want to create.

Description

From the Description field, enter the description of the launch program remediation that you want to create.

Remediation Type

From the Remediation Type field, choose the mode that are predefined to launch programs:

Automatic

Manual

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count

From the Retry Count field, enter the number of attempts that clients can try to launch required programs.

Program Installation Path

From the Program Installation Path field, choose the path in which a remediation program has to be installed.

Click the drop-down arrow to view the following predefined paths to installing programs:

ABSOLUTE_PATH—remediation program is installed in the fully qualified path of the file. For example, C:\<directory>\

SYSTEM_32—remediation program is installed in the C:\WINDOWS\system32 directory

SYSTEM_DRIVE—remediation program is installed in the C:\ drive

SYSTEM_PROGRAMS—remediation program is installed in the C:\Program Files

SYSTEM_ROOT—remediation program is installed in the root path for Windows system

Program Executable

From the Program Executable field, enter the name of the remediation program executable, or an installation file.

Program Parameters

From the Program Parameters field, enter (optional) required parameters for the remediation programs.

Existing Programs

An area to display the installation paths of existing remediation programs, the name of the remediation programs installed, and parameters if any.


Filtering Launch Program Remediations

A quick filter is a simple and quick filter that can be used to filter launch program remediations on the Launch Program remediations list page. It filters launch program remediations based on the field description such as the name of the launch program remediation, description, and as well as the mode of remediation on the Launch Program remediations list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Launch Program remediations list page. It filters launch program remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Launch Program remediations list page.

To filter launch program remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Step 6 Choose Launch Program Remediation.

The Launch Program remediations list page appears.

Step 7 From the Launch Programs Remediations list page, choose Filter.

The Quick Filter and Advanced Filter options appear. Table 19-37.

Step 8 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 9 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Launch Program remediations list page.


Note To return to the Launch Program remediations list page, choose All from the Show drop-down to display all the launch program remediations without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters launch program remediations based on each field description on the Launch Program remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Launch Program remediations list page. If you clear the field, it displays the list of all the launch program remediations on the Launch Program remediations list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter launch program remediations by using variables that are more complex. It contains one or more filters, which filter launch program remediations based on the values that match the field description. A filter on a single row filters launch program remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter launch program remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-37 describes the fields that allow you to filter launch program remediations.

Table 19-37 Filtering Launch Program Remediations 

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter launch program remediations by the name of the program remediation.

Description

This field enables you to filter launch program remediations by the description of the program remediation.

Type

This field enables you to filter launch program remediations by type.

Advanced Filter

Choose the field description from the following:

Name

Description

Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter launch program remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter launch program remediations.


Windows Update Remediation

A Windows update remediation ensures that Automatic Updates configuration is turned on Windows clients per your security policy, and helps you to ensure that Automatic Updates remediates Windows clients to result in successful posture assessments for compliance.

Windows Automatic Updates

The Windows administrators have an option to turn on or turn off Automatic Updates on Windows clients. The Microsoft Windows uses this feature to regularly check for important updates and install them on your clients. If the Automatic Updates feature is turned on, then the Windows automatically updates Windows-recommended updates before any other updates.

Windows XP provides the following settings for configuring Automatic Updates:

Automatic (recommended)—Windows allows clients automatically download recommended Windows updates for their computers and install them

Download updates for me, but let me choose when to install them—Windows downloads updates for clients, and allows clients to choose when to install them

Notify me but don't automatically download or install them—Windows only notifies clients, but does not automatically download, or install them

Turn off Automatic Updates—Windows allows clients to turn off Windows Automatic Updates feature. Here, clients are vulnerable unless clients install updates regularly. They can install updates from the Windows Update Web site link.


Note The Windows Automatic Updates setting will differ for different Windows operating systems.


You can create a Windows update remediation to check for the Windows updates service (wuaserv) whether the service is started or stopped in any Windows client by using the pr_AutoUpdateCheck_Rule. It is a predefined Cisco rule, which can be used to create a posture requirement. If the posture requirement fails, the remediation action (Windows update remediation) that you associate to the requirement enforces the Windows client to remediate by using one of the automatic updates options.

Override User's Windows Update Setting With Administrator's Option in Windows Update Remediations

You can enable the "Override User's Windows Update setting with administrator's" option to override the user's with remediation settings, or else you can disable the option.


Note The users setting are not restored back here to their original setting even after they exit from NAC Agents, or when they reboot their Windows clients, or when they restart the Windows Automatic Updates service on their Windows clients.


If "Override User's Windows update setting with administrator's" option is disabled, Windows update remediations will not be enforced except for "Turn Off Automatic Updates" settings on Windows clients.

Windows update remediations will fail when you want to change the Windows Automatic Updates setting:

From Automatic (recommended) to Download updates for me, but let me choose when to install them and vice versa.

From Automatic (recommended) to Notify me but don't automatically download or install them and vice versa.

From Notify me but don't automatically download or install them to Download updates for me, but let me choose when to install them and vice versa.

This section describes the following procedures to configure and filter Windows update remediations.

Adding, Duplicating, Editing, and Deleting a Windows Update Remediation

Filtering Windows Update Remediations

Adding, Duplicating, Editing, and Deleting a Windows Update Remediation

The Windows updates remediations list page displays all the Windows update remediations along with their names, description, and as well as their modes of remediation. You can add, duplicate, edit, or delete Windows updates remediations from the Windows updates remediation list page.

This section describes the procedures to add, duplicate, edit, or delete Windows update remediation from the Windows updates remediations list page.

To add a Windows updates remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Update Remediation.

The Windows updates remediations list page appears, which lists all the Windows updates remediations on the Windows updates remediations list page.

Step 7 From the Windows updates remediations list page, choose Add.

The New Windows update Remediation page appears. Here, you can create to add a new Windows updates remediation.


Warning Once created and saved, the name of the Windows updates remediation is not editable.

Step 8 Modify the values on the New Windows update Remediation page, as shown in Table 19-38.

Step 9 Click Submit to save the Windows updates remediation.

The new Windows updates remediation appears on the Windows updates remediations list page.


To duplicate a Windows updates remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Update Remediation.

The Windows updates remediations list page appears, which lists all the Windows updates remediations on the Windows updates remediations list page.

Step 7 Click the check box to choose a Windows updates remediation from the Windows updates remediations list page.

Step 8 From the Windows updates remediations list page, choose Duplicate.

Here, you can duplicate a Windows updates remediation on the Windows updates remediations list page.

Step 9 Click Submit to duplicate the Windows updates remediation.

A copy of the Windows updates remediation appears on the Windows updates remediations list page. You cannot duplicate a Windows updates remediation with the same name.

Step 10 Click the Windows update Remediation List link to return back to the Windows updates remediation list page.


To edit a Windows updates remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Update Remediation.

The Windows updates remediations list page appears, which lists all the Windows updates remediations on the Windows updates remediations list page.

Step 7 Click the check box to choose a Windows updates remediation from the Windows updates remediations list page.

Step 8 From the Windows updates remediations list page, choose Edit.

Here, you can edit a Windows updates remediation on the edit page.

Step 9 Click Save to save the Windows updates remediation.

The Windows updates remediation will be available on the Windows updates remediations list after editing on the edit page.

Step 10 Click the Windows update Remediation List link from the edit page to return to the Windows updates remediations list page.


To delete a Windows updates remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Update Remediation.

The Windows updates remediations list page appears, which lists all the Windows updates remediations on the Windows updates remediations list page.

Step 7 Click the check box to choose a Windows updates remediation from the Windows updates remediations list page.

Step 8 From the Windows updates remediations list page, choose Delete.

Here, you can delete a Windows updates remediation from the Windows updates remediations list page.


Table 19-38 describes the fields that allow you to create a Windows updates remediation:

Table 19-38 Windows Update Remediation 

Field Name
Field Description

Name

From the Name field, enter the name of the Windows updates remediation that you want to create.

Description

From the Description field, enter the description of the Windows updates remediation.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for Windows updates:

Automatic

Manual

Interval (in seconds)

From the Interval field, enter the time interval in seconds that clients can try to remediate after previous attempts.

Retry Count

From the Retry Count field, enter the number of attempts that Windows clients can try for Windows updates.

Windows Update Setting

Cisco ISE provides the following four options for Windows updates remediations:

a. Do not change setting—If selected, the Windows Automatic Updates client configuration does not change during, or after Windows updates remediation.

b. Notify to download and install—Windows only notifies clients, but does not automatically download, or install them. If selected, Windows only notifies clients to download, or install Windows updates.

c. Automatically download and notify to install—Windows downloads updates for clients, and allows them to choose when to install them. If selected, Windows automatically downloads, and notifies clients to install Windows updates.

d. Automatically download and install—Windows allows clients automatically download recommended Windows updates for their computers and install them. If selected, Windows automatically downloads, and installs Windows updates. This is the highly recommended setting from Windows for Windows clients.

Click the drop-down arrow to choose an option for Automatic Updates setting on Windows clients.

Override User's Windows Update setting with administrator's check box.

A check box, which allows Cisco ISE administrators to override Automatic Updates configuration of Windows clients.

If checked, the setting enforces the Cisco ISE administrator-specified setting for Windows Automatic Updates on all the client machines during, and after Windows updates remediation.

If unchecked, the setting enforces the following:

The Cisco ISE administrator-specified setting only when Automatic Updates are disabled on Windows clients.

The Windows clients-specified setting only when Windows Automatic Updates are enabled on the client.


Filtering Windows Update Remediations

A quick filter is a simple and quick filter that can be used to filter Windows updates remediations on the Windows updates remediations list page. It filters Windows updates remediations based on the field description such as the name of the Windows updates remediation, description, and as well as the mode of remediation on the Windows updates remediations list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Windows updates remediations list page. It filters Windows updates remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Windows updates remediations list page.

To filter Windows updates remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Step 6 Choose Windows Update Remediation.

The Windows updates remediations list page appears.

Step 7 From the Windows updates remediations list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-39.

Step 8 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 9 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Windows updates remediations list page.


Note To return to the Windows updates remediations list page, choose All from the Show drop-down to display all the Windows updates remediations without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters Windows updates remediations based on each field description on the Windows updates remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Windows updates remediations list page. If you clear the field, it displays the list of all the Windows updates remediations on the Windows updates remediations list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter Windows updates remediations by using variables that are more complex. It contains one or more filters, which filter Windows updates remediations based on the values that match the field description. A filter on a single row filters Windows updates remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter Windows updates remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-39 describes the fields that allow you to filter Windows updates remediations:

Table 19-39 Filtering Windows Update Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter Windows updates remediations by the name of the Windows updates remediation.

Description

This field enables you to filter Windows updates remediations by the description of the Windows updates remediation.

Type

This field enables you to filter Windows updates remediations by type.

Advanced Filter

Choose the field description from the following:

Name

Description

Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter Windows updates remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter Windows updates remediations.


Windows Server Update Services Remediation

A Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or Microsoft-managed WSUS server with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.

You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or locally administered WSUS server for compliance.

The Windows server update services (WSUS) remediations list page displays all the WSUS remediations along with their names, description, and as well as their modes of remediation.


Note When you associate a WSUS remediation action to a posture requirement to validate Windows updates by using the severity level option, you must choose the pr_WSUSRule (a dummy compound condition) compound condition in the posture requirement. When the posture requirement fails, the NAC Agent enforces the remediation action (Windows updates) based on the severity level that you define in the WSUS remediation.


This section describes the following procedures to configure and filter WSUS remediations.

Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation

Filtering Windows Server Update Services Remediations

Adding, Duplicating, Editing, and Deleting a Windows Server Update Services Remediation

This section describes the procedures to add, duplicate, edit, or delete WSUS remediations from the Windows server update services remediations list page.

To add a Windows server update services remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Server Update Services Remediation.

The Windows server update services remediations list page appears, which lists all the WSUS remediations on the Windows server update services remediations list page.

Step 7 From the Windows server update services remediations list page, choose Add.

The New Windows Server Update Services Remediation page appears. Here, you can create to add a new WSUS remediation.


Warning Once created and saved, the name of the Windows server update services remediation is not editable.

Step 8 Modify the values on the New Windows Server Update Services Remediation page, as shown in Table 19-40.

Step 9 Click Submit to save the WSUS remediation.

The new WSUS remediation appears on the Windows server update services remediations list page.


To duplicate a Windows server update services remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Server Update Services Remediation.

The Windows server update services remediations list page appears, which lists all the WSUS remediations on the Windows server update services remediations list page.

Step 7 Click the check box to choose a WSUS remediation from the Windows server update services remediations list page.

Step 8 From the Windows server update services remediations list page, choose Duplicate.

Here, you can duplicate a WSUS remediation on the Windows server update services remediations list page.

Step 9 Click Submit to duplicate the WSUS remediation.

A copy of the WSUS remediation appears on the Windows server update services remediations list page. You cannot duplicate a WSUS remediation with the same name.

Step 10 Click the Windows Server Update Services Remediation List link to return back to the WSUS remediation list page.


To edit a Windows server update services remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Server Update Services Remediation.

The Windows server update services remediations list page appears, which lists all the WSUS remediations on the Windows server update services remediations list page.

Step 7 Click the check box to choose a WSUS remediation from the Windows server update services remediations list page.

Step 8 From the Windows server update services remediations list page, choose Edit.

Here, you can edit a WSUS remediation on the edit page.

Step 9 Click Save to save the WSUS remediation.

The WSUS remediation will be available on the Windows server update services remediations list after editing on the edit page.

Step 10 Click the Windows update Remediation List link from the edit page to return to the Windows server update services remediations list page.


To delete a Windows server update services remediation, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Remediation Actions menu window displays the choices for remediation actions.

Step 6 Choose Windows Server Update Services Remediation.

The Windows server update services remediations list page appears, which lists all the WSUS remediations on the Windows server update services remediations list page.

Step 7 Click the check box to choose a WSUS remediation from the Windows server update services remediations list page.

Step 8 From the Windows server update services remediations list page, choose Delete.

Here, you can delete a WSUS remediation from the Windows server update services remediations list page.


Table 19-40 describes the fields that allow you to create a WSUS remediation.

Table 19-40 WSUS Remediation 

Field Name
Field Description

Name

From the Name field, enter the name of the WSUS remediation that you want to create.

Description

From the Description field, enter the description of the WSUS remediation that you want to create.

Remediation Type

From the Remediation Type field, choose the mode that are predefined for WSUS remediations.

The following options are available:

Automatic—The NAC Agents automatically updates Windows clients with the latest WSUS updates.

Manual—The user manually updates the Windows client with the latest WSUS updates from a Microsoft-managed WSUS server, or from the locally administered WSUS server for compliance.

Interval (in seconds)

From the Interval field, you can specify the interval in seconds (the default interval is 0) to delay WSUS updates before the NAC Agents and Web Agents attempt to retry after the previous attempt.

Retry Count

From the Retry Count field, you can set a limit on the number of attempts that the NAC Agents and web Agents retry to update Windows clients with WSUS updates.

Validate Windows updates using

The validation method that you use to check the Windows operating system that is installed on the client for Windows updates.

The available options are:

Cisco Rules

Severity Level

Cisco Rules radio button

The validation method that you will use to check the client Windows operating system to meet minimum security standards as a result of dynamic posture updates downloaded to the Cisco ISE server.

Click the Cisco Rules radio button to validate WSUS updates using Cisco Rules. If selected, custom or pre-configured rules must be selected as conditions in the posture requirement.

Severity Level radio button

The validation method that you will use to check the client Windows operating system to meet minimum security standards by using a Microsoft-managed WSUS server, or locally administered WSUS server.

Click the Security Level radio button to validate WSUS updates based on the Security Level set on the WSUS server. If selected, custom or pre-configured rules can be selected as conditions in the posture requirement, but they are not used. For this purpose, the pr_WSUSRule can be used as a placeholder condition (a dummy condition) in the posture requirement that specifies a WSUS remediation.

Windows Updates Severity Level

The severity level of Windows updates that you select to install on Windows clients.

The following are the severity levels of WSUS updates that you can install on Windows clients:

Critical—Installs only critical Windows updates

Express—Installs important and critical Windows updates

Medium—Installs all critical, important and moderate Windows updates

All—Installs all critical, important, moderate and low Windows updates

Update to latest OS Service Pack check box

If checked, then the WSUS remediation installs the latest service pack available for the client's operating system automatically.

Note The operating system service packs are updated automatically irrespective of the Medium and All severity level options selected in WSUS remediation.

Windows Updates Installation Source

This selection specifies the source from where you install WSUS updates on Windows clients:

Microsoft server—Microsoft-managed WSUS server

Managed server—Locally administered WSUS server

Installation Wizard Interface Setting

An option to display the installation wizard on the client during WSUS updates:

Show UI—an option to display the Windows Update Installation Wizard progress on Windows clients. (Users must have Administrator privileges on client machines in order to see the installation wizard user interface during WSUS updates.)

No UI—an option to hide the Windows Update Installation Wizard progress on Windows clients.


Filtering Windows Server Update Services Remediations

A quick filter is a simple and quick filter that can be used to filter WSUS remediations on the Windows server update services remediations list page. It filters WSUS remediations based on the field description such as the name of the WSUS remediation, description, and as well as the mode of remediation on the Windows server update services remediations list page.

An advanced filter is a complex filter that can also be preset for use later and retrieved, along with the results on the Windows server update services remediations list page. It filters WSUS remediations based on a specific value associated with the field description. You can add or remove filters, as well as combine a set of filters into a single advanced filter. Once created and saved, the Show drop-down lists all the preset filters. You can choose a preset filter and view the results on the Windows server update services remediations list page.

To filter WSUS remediations, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results.

Step 2 From the Results menu window, choose Posture.

Step 3 Click the Quick Picker icon to navigate to posture result types.

Remediation Actions and Requirements appear for posture result types.

Step 4 Choose Remediation Actions.

Step 5 Click the Quick Picker icon to navigate to Remediation Actions types.

Step 6 Choose WSUS Server Update Services Remediation.

The Windows server update services remediations list page appears.

Step 7 From the Windows server update services remediations list page, choose Filter.

The Quick Filter and Advanced Filter options appear. See Table 19-41.

Step 8 From the Filter menu, choose the filter option.

For more information, see the "To filter using the Quick Filter option, complete the following steps:" section and "To filter using the Advanced Filter option, complete the following steps:" section.

Step 9 From the Show drop-down, choose a preset filter.

The preset filter displays the filtered results on the Windows updates remediations list page.


Note To return to the Windows server update services remediations list page, choose All from the Show drop-down to display all the WSUS remediations without filtering.



To filter using the Quick Filter option, complete the following steps:

A quick filter filters WSUS remediations based on each field description on the Windows server update services remediations list page. When you click inside in any field, and as you enter the search criteria in the field, it refreshes the page with the results on the Windows server update services remediations list page. If you clear the field, it displays the list of all the WSUS remediations on the Windows server update services remediations list page.


Step 1 To filter, click the Go button in each field.

Step 2 To clear the field, click the Clear button in each field.


To filter using the Advanced Filter option, complete the following steps:

An advanced filter enables you to filter WSUS remediations by using variables that are more complex. It contains one or more filters, which filter WSUS remediations based on the values that match the field description. A filter on a single row filters WSUS remediations based on each field description and the value that you define in the filter. Multiple filters can be used to match the value(s) and filter WSUS remediations by using any one or all the filters within a single advanced filter.


Step 1 To view and choose the field description, click the drop-down arrow.

Step 2 To view and choose the operator, click the drop-down arrow.

Step 3 Enter the value for the field description that you selected.

Step 4 Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button to remove the filter.

Step 5 Choose All to match the value in each filter, or Any to match the value in any one of the filters.

Step 6 Click Go to start filtering.

Step 7 Click the Save icon to save the filter.

The Save Preset Filter dialog appears. Enter a file name to save the filter and click Save, or Cancel to clear the filter.


Table 19-41 describes the fields that allow you to filter WSUS remediations.

Table 19-41 Filtering Windows Server Update Services Remediations

Filtering Method
Filtering Field
Field Description

Quick Filter

Name

This field enables you to filter WSUS remediations by the name of the WSUS remediation.

Description

This field enables you to filter WSUS remediations by the description of the WSUS remediation.

Type

This field enables you to filter WSUS remediations by type.

Advanced Filter

Choose the field description from the following:

Name

Description

Type

Click the drop-down arrow to choose the field description.

Operator

From the Operator field, click the drop-down arrow to choose an operator that can be used to filter WSUS remediations.

Value

From the Value field, choose the value for the field description that you selected against which to filter WSUS remediations.


Client Posture Assessment Requirements

Prerequisite

You must have an understanding of Acceptable Use Policy (AUP) for a posture as you create posture requirements. Refer to the following location on AUP with respect to posture compliance:

Administration > System > Settings > Posture > Acceptable Use policy.

For more information on AUP, see Posture Acceptable Use Policy.

A posture requirement is a set of compound conditions with an associated remediation action that can be linked with a role in conjunction with an operating system. All the clients that are connecting to your network must meet mandatory requirements during posture policies evaluation, which are associated to posture policies in order to become compliant on your network. If requirements are optional and clients fail these requirements, then the clients have an option to continue further so that end users can skip optional requirements even though they fail during policy evaluation.

If clients fail to meet mandatory requirements during posture policies evaluation, then they are denied network access to your network, and they are moved into a quarantine state forever. If clients are moved into the quarantine state, they will not be to reauthenticate again in order to be postured successfully for compliance again. If clients need to come out of the quarantine state in order to become compliant, then the network access devices must be configured to restart a new RADIUS session after the session times out so that clients can reauthenticate again in order to meet mandatory requirements for compliance.

For information on configuration guidance of posture clients quarantine state, see "Authorization Profile Configuration Guidance for Posture Clients Quarantine State" section.

pr_WSUSRule

The pr_WSUSRule is a dummy compound condition, which is used in a posture requirement with a Windows Server Update Services (WSUS) remediation associated to it. The associated WSUS remediation action must be configured to validate Windows updates by using the severity level option. When this requirement fails, the NAC Agent that is installed on the Windows client enforces the WSUS remediation action based on the severity level that you define in the WSUS remediation.


Note The pr_WSUSRule cannot be viewed in the Compound conditions list page. You can only select the pr_WSUSRule from the Conditions widget.


You can use the Posture Requirements page to insert (create) a new requirement, or duplicate an existing requirement, or delete an existing requirement.

Table 19-42 describes the fields on the Posture Requirements page that allow you to insert a new posture requirement, or duplicate an existing requirement or delete an existing posture requirement.

Table 19-42 Posture Requirement

Field
Field Description

Name

From the Name field, enter the name of the requirement that you want to create.

Operating Systems

From the Operating Systems field, choose an operating system. It allows you to select all, or specific Windows, or Macintosh operating systems to which the posture requirement is applied.

Conditions

From the Conditions field, choose one or more dictionary simple conditions, and dictionary compound conditions to which the posture requirement should apply.

If more than one condition is selected, then all the conditions must be met (a logical AND operation) to form a compound condition. The system uses "&" as the AND operator.

Remediation Actions

The remediation action defines the action to be taken when the posture requirement fails on the client.

The remediation actions are defined in the following location:

Policy > Policy Elements > Results > Posture > Remediation Actions.

For information on the posture remediation actions, see the Custom Posture Remediation Actions


For more information on how to manage posture requirements, see the "Creating, Duplicating, and Deleting Client Posture Requirements" section

Related Topics

Client Posture Assessment Policies

Custom Posture Remediation Actions

Creating, Duplicating, and Deleting Client Posture Requirements

This section describes the following procedures on how to insert (create) a new requirement, or duplicate an existing requirement, or delete an existing requirement on the Posture Requirements page.

Creating a New Posture Requirement

Duplicating a Posture Requirement

Deleting a Posture Requirement

Creating a New Posture Requirement

You can create a new posture requirement on the Requirements page.

To insert a new requirement, complete the following steps:


Step 1 Choose Policy > Policy Elements > Results > Posture > Requirements.

Step 2 Choose Requirements.

The Posture Requirements page appears.

Step 3 Enter the requirement name.


Warning The operating system is also not editable on the posture requirement after you have associated the newly created requirement to a posture policy. In order to edit the operating system on the requirement, you need to remove the posture requirement association from the posture policy.

Step 4 From the Operating Systems field, choose Select Operating Systems.

The operating system anchored overlay appears.

To choose an operating system, complete the following steps:

a. From the Select Operating System field, click the plus [+] sign to expand the operating system anchored overlay.

The operating system anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Select Operating System Quick Picker (down arrow) icon.

The Operating System Groups widget appears.

c. From the Operating System Groups widget, choose All.

Here, click the Quick Picker (right arrow) icon to view the operating system groups.

d. From the All widget, choose the operating system group.

The parent groups for the operating system appears.

e. Choose the parent operating system group.

For Mac OS X (Macintosh), the group has two underlying versions.

For Windows All, the group has the Windows 7 (All), Windows Vista (All), and Windows XP (All) groups that contain underlying versions for each of the groups.

f. From the Mac OS X (Macintosh) group, choose the underlying Macintosh operating system.

g. From the Windows All group, choose the underlying Windows group and the Windows version.

Each Windows group contains its own underlying versions.

h. Click the Add (plus [+] sign) button to associate more than one operating system to the policy.

i. Click the Remove (minus [-] sign) button to remove the operating system from the policy.

Step 5 From the Conditions field, choose Select Conditions.

The conditions anchored overlay appears.

To choose a simple condition, complete the following steps:

a. From the Conditions field, click the plus [+] sign to expand the conditions anchored overlay.

The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

b. Click the Condition Quick Picker (down arrow) icon.

The Conditions widget appears that lists the simple conditions and the compound conditions.

c. From the Conditions widget, choose Simple Conditions.

The Table view button shows the list of simple conditions in a row format in the right pane of the widget. The Tree view button shows the list of simple conditions in a tree format under the simple conditions.

d. Click the Quick Picker (right arrow) to view the list of simple conditions.

Here, you can choose one of the following simple conditions:

File Conditions

Registry Conditions

Service Conditions

Application Conditions

e. Click the Quick Picker (right arrow) to view the list of each simple condition.

Here, you can choose a simple condition from the list.

To choose a compound condition, complete the following steps:

a. From the Conditions widget, choose Compound Conditions.

The Table view button shows the list of compound conditions in a row format in the right pane of the widget. The Tree view button shows the list of compound conditions in a tree format under the compound conditions.

b. Click the Quick Picker (right arrow) to view the compound conditions.

Here, you can choose one of the following compound conditions:

pr_WSUSRule

c. Click the Add (plus [+] sign) button to associate more than one condition to the requirement.

The conditions use the logical operators to form a compound condition.

d. Click the Remove (minus [-] sign) button to remove the condition from the requirement.

Step 6 From the Remediations Actions field, choose Select Remediations.

The select remediations anchored overlay appears.

To choose a remediation, complete the following steps:

a. From the Remediation Actions field, click the plus [+] sign to expand the select remediations anchored overlay.

b. Click the Select Remediations Quick Picker (down arrow) icon.

The Remediations widget appears.

c. Choose the remediation action.

Step 7 Click Save to save the posture requirement.


Duplicating a Posture Requirement

You can create a copy of a posture requirement that you want to duplicate on the Requirements page.

To duplicate a requirement, complete the following steps:


Step 1 Click the Action Icon button.

Step 2 Choose Duplicate.

Here, you can create a copy of the requirement that you want to duplicate on the Requirements page.


Deleting a Posture Requirement

You can also delete a posture requirement from the Requirements page.

To delete a requirement, complete the following steps:


Step 1 Click the Action Icon button.

Step 2 Choose Delete.

Here, you can delete a requirement from the Requirements page.


Custom Authorization Policies for Posture

This section describes the authorization policies that you define for posture in the Cisco ISE appliance.

The authorization policies that you define on the Authorization page are two types, namely the standard authorization policies and the exceptions authorization policies. The standard authorization policies that are specific to posture on the Authorization page are used to make policy decisions (enforce policies) based on the compliance status. The standard authorization profiles (permissions) that you define on the Authorization Profiles page set access privileges based on the matching compliance status.

First Matched Rule Applies

With this option selected, one or more authorization profiles (permissions) that are defined in the authorization policy set the access privileges (authorization) for an end user based on the first matching authorization policy during evaluation.

The selection of First Matched Rule Applies option allows you to configure authorization profiles for an end user by applying the first matching authorization policy from the standard authorization policies that are enabled on the Authorization page. The Cisco ISE evaluates the standard authorization policies that are enabled on the Authorization page and then determines the authorization profile, or authorization profiles that are associated in the standard authorization policies. Once the first matching authorization policy is found, the Cisco ISE stops evaluating the rest of the standard authorization policies on the Authorization page.

Multiple Matched Rule Applies

With this option selected, one or more authorization profiles that are defined in the authorization policies determine the access privileges for an end user based on multiple matching authorization policies during evaluation.

The selection of Multiple Matched Rule Applies option allows you to configure authorization for an end user by applying multiple matching authorization policies from the standard authorization policies that are enabled on the Authorization page. The Cisco ISE evaluates all the standard authorization policies that are enabled on the Authorization page and finds all the matching authorization policies on the Authorization page. Once multiple matching authorization policies are found, the Cisco ISE determines the authorization profile or profiles for the end user.

Prerequisites:

Before you begin, you should have an understanding of authorization policies in Cisco ISE.

For information on the authorization policies, see Chapter 16, "Managing Authorization Policies and Profiles."

This section covers the following procedures:

Standard Authorization Policies for a Posture

Creating, Duplicating, and Deleting a Standard Authorization Policy for a Posture

Standard Authorization Policies for a Posture

This section describes the basic operations that allow you to manage the standard authorization policies that are specific to posture service.

The Authorization page displays the list of exceptions authorization policies and the standard authorization policies. The Authorization page allows you to configure the standard authorization policies that can be applied to the first matching rule (authorization policy) or multiple matching rules (authorization policies) on the Authorization page.

Once created and saved, you can also prioritize the standard authorization policies by moving the standard authorization policy widgets up and down on the Authorization page. If the policies are set to be enabled within the standard authorization policy widget, then the standard authorization policies enforce policies based on the compliance status of the endpoints. If they are set to be disabled, then the standard authorization policies do not enforce policies on the endpoints. You can also configure the standard authorization policies that can be set to monitor policies based on the compliance status.

To create a standard authorization policy, complete the following steps:


Step 1 Choose Policy > Authorization.

The Authorization page appears. This page displays the list of authorization policies for standard and exceptions types.

Step 2 Click the drop-down arrow to view the matching rule option.

Step 3 Choose the First Matched Rule Applies option, or choose the Multiple Matched Rule Applies option.

The first matched rule applies option sets access privileges (standard authorization profiles) with a single authorization policy that is first matched during evaluation from the list of standard authorization policies.

The multiple matched rule applies option sets access privileges (standard authorization profiles) with multiple authorization policies that are matched during evaluation from the list of all the standard authorization policies.

Step 4 Click the Action Icon button to insert a new authorization policy, duplicate an existing authorization policy, or delete an existing authorization policy.

Here, you can do the following:

Insert New Rule Above

Insert New Rule Below

Duplicate Above

Duplicate Below

Delete

Step 5 Click Save to create a new standard authorization policy.

The standard authorization policy appears on the Authorization page.

Step 6 Click Reset without saving the current input data.

A confirmation dialog appears with the following message:

"Are you sure you want to reset the data? (current input data will be lost)"

Step 7 Click Yes to discard the current input data, or click No to continue.


Creating, Duplicating, and Deleting a Standard Authorization Policy for a Posture

You can create a new authorization policy, duplicate an existing authorization policy or delete an existing authorization policy on the Authorization page. Exceptions and Standard items on the Authorization page display the authorization policy widgets.

To create (insert) a standard authorization policy for posture, complete the following steps:


Step 1 Choose Policy > Authorization.

Here, you can find the list of authorization policies displayed for standard and exceptions types on the Authorization page. The Exceptions page displays the list of exceptions authorization policies and the Standard page displays the list of standard authorization policies.

Step 2 From the Authorization page, click Standard to display the Standard page.

The standard authorization policy widget appears on the Authorization page. Click Standard to close the Standard page.

Step 3 From the standard authorization policy widget, click the drop-down arrow to view the predefined settings to enforce policies.

Here, you can choose one of the following options to enforce the policies based on the compliance status. The following are the options available:

Enabled—The standard authorization policies enforce policies based on the compliance status of the endpoints

Disabled—The standard authorization policies do not enforce policies

Monitor—The standard authorization policies monitor enforced policies on endpoints

Step 4 Choose Enabled, or Disabled, or Monitor.

Step 5 Enter the rule (standard authorization policy) name.

To choose an identity group, complete the following steps:

Step 6 From the Identity Groups field, click the plus [+] sign to expand the anchored overlay.

The identity groups anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

a. From the identity groups anchored overlay, click the Quick Picker (down arrow) icon.

The Identity Groups widget appears.

b. From the Identity Groups widget, choose the identity group.

c. Click the plus [+] sign to associate more than one identity group.

To choose a condition, complete the following steps:

Step 7 From the Conditions field, click the plus [+] sign to expand the anchored overlay.

The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

a. Click the Select Conditions Quick Picker (down arrow) icon.

The Dictionaries widget appears that lists the time and date conditions, dictionary simple conditions, and dictionary compound conditions.

b. Choose the condition.

c. Choose an AND operator or an OR operator from the drop-down list.

d. Click the Action Icon button to add a dictionary attribute and its value, add a condition from the library, or delete the existing conditions or dictionary attributes.

Here, you can do the following:

Add Attribute/Value

Add Condition from Library

Delete

To choose an attribute, complete the following steps:

Step 8 From the Conditions field, click the plus [+] sign to expand the conditions anchored overlay.

The conditions anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

Step 9 Choose Select Existing Condition from Library or Create new Condition (Advance Option).

For information on selecting an existing condition, see the "To select an existing condition from the library, choose Select Existing Condition from Library:" section.

For information on creating a new condition, see the "To create a new condition, choose Create new Condition (Advance Option)." section.

To choose a permission (standard authorization profile), complete the following steps:

Step 10 From the Permissions field, click the plus [+] sign to expand the authzprofile(s) anchored overlay.

The authzprofile(s) anchored overlay appears. Click the minus [-] sign, or click outside the anchored overlay to close it.

a. From the authzprofile(s) field, click the Quick Picker (down arrow) icon.

The Profiles widget appears. From the Profiles widget, click the navigation arrow to view the authorization profiles in each category. The Profiles widget displays the following authorization profile categories:

Inline Posture Node

Security Group

Standard

b. Choose Standard.

c. Click the navigation arrow to view the authorization profiles in the standard authorization profile category.

d. Choose an authorization profile from the standard category.

e. Click the plus [+] sign to associate more than one authorization profile from the standard category

Step 11 Click Save to create a new standard authorization policy.

The standard authorization policy appears on the Authorization page.


To select an existing condition from the library, choose Select Existing Condition from Library:

Here, you can choose a condition from the library that is already saved.


Step 1 From the Conditions field, click the Select Condition Quick Picker (down arrow) icon.

The Dictionaries widget appears that lists the available dictionaries.

Step 2 From the Dictionaries widget, click the navigation arrow to view the available dictionary conditions.

The following options appear:

Simple Conditions

Compound Conditions

Time and Date Conditions

Step 3 Choose a condition.

Step 4 Choose an AND operator, or an OR operator from the drop-down list.

Step 5 Click the Action Icon button to add a dictionary attribute and its value, add a condition from the library, or delete existing conditions or dictionary attributes.


To create a new condition, choose Create new Condition (Advance Option).

Here, you can create new conditions. You can use the Save icon to add all the new conditions to the library.


Step 1 From the Attribute field, click the Select Attribute Quick Picker (down arrow) icon.

The Dictionaries widget appears that lists the available dictionaries.

Step 2 From the Dictionaries widget, click the navigation arrow to view the available dictionary attributes.

The dictionary attributes appear for the dictionary.

Step 3 Choose the dictionary attribute, an operator and a value for the attribute.

For the posture status, you can use the PostureStatus attribute, an operator, and the values such as Pending, Compliant and Noncompliant.

Step 4 Choose an AND operator, or an OR operator from the drop-down list.

Step 5 Click the Action Icon button to add a dictionary attribute and its value, add a condition from the library, duplicate a condition, add a condition to the library, or delete existing conditions or dictionary attributes.

Here, you can do the following:

Add Attribute/Value

Add Condition from Library

Duplicate

Add Condition to Library

Here, you can save new conditions that you create. You can choose a condition that is already saved by using the Add Condition from Library option.

Delete


You can create a copy of a standard authorization policy on the Authorization page above or below the current policy selection.

To duplicate a standard authorization policy, complete the following steps:


Step 1 Click the Action Icon button to create a copy (duplicate) of a standard authorization policy.

Step 2 Choose Duplicate Above to duplicate a standard authorization policy above the current policy, or choose Duplicate Below to duplicate a standard authorization policy below the current policy.

Step 3 Click Save to create a copy of the standard authorization policy.


You can also delete a standard authorization policy on the Authorization page.

To delete a standard authorization policy, complete the following steps:


Step 1 Click the Action Icon button to delete a standard authorization policy.

Step 2 Choose Delete.


Custom Permissions for Posture

A custom permission is an authorization profile (standard authorization profile) that you define in the Cisco ISE appliance. The standard authorization profiles set access privileges based on the matching compliance status of the endpoints. The posture service broadly classifies the posture into pending, compliant, and noncompliant profiles. The posture policies and the posture requirements determine the compliance status of the endpoint.

This section describes the standard authorization profiles that you define in the Cisco ISE appliance.

Prerequisites:

Before you begin, you should have an understanding of the states for a posture.

Review the following states:

Pending Profile

Compliant Profile

Noncompliant Profile

Pending Profile

If no matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint may be set to pending. A posture compliance status of pending can also apply to an endpoint where a matching posture policy is enabled, but posture assessment has not yet occurred for that endpoint, and therefore no compliance report has been provided to Cisco ISE by a NAC Agent. For an endpoint to have privileged network access on your network, the compliant status of the endpoint should be compliant.

Compliant Profile

If a matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint is set to compliant. When the posture assessment occurs, the endpoint meets all the mandatory requirements that are defined in the matching posture policy. For an endpoint that is postured compliant, it can be granted privileged network access on your network.

Noncompliant Profile

The posture compliance status of an endpoint is set to noncompliant when a matching posture policy is defined for that endpoint, but the endpoint fails to meet all the mandatory requirements that are defined in the matching posture policy during posture assessment. An endpoint that is postured noncompliant matches a posture requirement with a remediation action and it should be granted limited network access to remediation resources in order to remediate itself to be compliant.

This section provides the procedure that you can use to configure the standard authorization policies for a posture.

Configuring a Standard Authorization Profile

Configuring a Standard Authorization Profile

This section describes the basic operations that allow you to manage the authorization profiles that are specific to the Cisco ISE posture service. The standard authorization profiles help you to enforce the compliance of the endpoints. The posture policies determine the compliance status and the authorization policies enforce the posture based on the compliance status of the endpoints. Those endpoints that are postured complaint after initial authentication, are permitted access. Those endpoints that are postured pending or noncompliant, must remediate and posture again.

You can use the Standard Authorization Profiles page to display, add, edit, or delete the standard authorization profiles for a posture.

Table 19-43 describes the fields in the Standard Authorization Profile page that allow you to create a standard authorization profile.

Table 19-43 Create Standard Profile

Field
Field Description

Name

The name of the standard profile that you want to create.

Description

The description of the standard profile that you want to create.

Access Type

From the Access Type field, you can choose the type of access (authorization) that you grant an end user after authentication.

Click the drop-down arrow to view the predefined settings:

ACCESS_ACCEPT—the end user is authorized (granted access) to use the requested network service on your network.

ACCESS_REJECT—the end user is denied access to all the requested network service on your network

Common Tasks

For more information, see the "Configuring Permissions for Authorization Profiles" section on page 16-26.

Advanced Attribute Settings

For more information, see the"Configuring Permissions for Authorization Profiles" section on page 16-26.

Attribute Details

For more information, see the "Configuring Permissions for Authorization Profiles" section on page 16-26.