Ability to use endpoint TC-NAC attributes in authorization

Devrat Kamath
Cisco Employee

Hi Team,

As of now our TC-NAC integration guides mention that we need to run the initial authorization and trigger a threat scan, which will then hit an exception/authorization based on results returned by Qualys/Tenable. The returned results are stored as endpoint attributes (in redis I believe) but are not available for authorization lookup as a dictionary attribute under Endpoints. Now I know this is most likely since we don't want to authorize based on stale information and require a current result for authorization via TC-NAC, but I had a customer ask if this is something we can do. Essentially they want to set it up in a way that whenever a scan result is returned, they want to be able to use a previously returned result for a CVSS score or a result from the scheduled scans as an Endpoint dictionary attribute that ISE can look up during authorization. I wanted to run this by the experts before filing an enhancement request so I can set the customer's expectations right with regard to the feature.

- Devrat

1 Accepted Solution

Accepted Solutions

Yes, ISE wouldn't track the scan result if it hasn't asked for it.

(a) Typically, ISE would initially authorize an endpoint for VA scan and then apply exception rule based on the scan result – This is what we have documented often.

(b) The scan results that the VA vendor returns may/need not be current, but must be in response to ISE’s request.

(c) If ISE had requested a scan previously and has a CVSS score for the endpoint in the context visibility, then that endpoint can be authorized based on that (stale) CVSS score. Starting from ISE 2.2, we provide option to author regular (not exception) authorization policies based on endpoint’s CVSS.


5 Replies

Jason Kunst
Cisco Employee

researching

Great question, I have the same issue going on with my first Qualys integration. We were hoping to see CVSS score information for endpoints that ISE didn't kick off scans for. We have ISE integrated with the Qualys cloud and we have a test device we know has been scanned by Qualys, but the CVSS score is not showing up under the Endpoint.

I am guessing it is because ISE didn't initiate the scan, but I was hoping ISE would read the CVSS score from the Qualys Cloud even if it didn't initiate the scan.

I am doubting that's the case; we only have info on what we have scanned, not all endpoints.

I have reached out to the experts to verify as well.

It seems like a waste of scanning time if the customer is actively scanning their environment and has valid CVSS scores. Seems like we could just ask what the score is, but I guess the device behind the IP address could have changed. I am almost thinking like a pxGrid scenario where ISE feeds User to IP mappings to things like FMC. Qualys could feed in CVSS to IP mappings for consumption and viewing in ISE. I know that is not how it works, but just thinking out loud.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
