Endpoint Compliance

Question 1

Posture Configuration flow

Answer 1

Posture Conditions (What conditions need to be met)

Posture Remediation (Actions for endpoints where Condition isn’t met)

Posture Requirement (Ties together Condition & Requirement)

Posture Policy (Tie together multiple Requirements)

Client Provisioning (Configure settings for AnyConnect)

Access Policy (Tie Posture Policy against Unknown, Non-Compliant or Compliant Authorization policy)

Question 2

Posture Condition

Answer 2

What CAN be checked & Which conditions need to be met

Question 3

Posture Remediation

Answer 3

What actions are taken if an endpoint fails the Posture Conditions

Question 4

Posture Requirement

Answer 4

Posture Condition + Posture REmediation + OS + AnyConnect Compliance Module Type/Version

Question 5

Posture Policy

Answer 5

Tie together multiple Requirements and enable

Question 6

Client Provisioning

Answer 6

Configure settings for AnyConnect agent on ISE

Question 7

Access Policy

Answer 7

Configure Unknown, Compliant & Non-Compliant authorization policies.
Unknown endpoints get re-directed to ISE Client Provisioning Portal

Question 8

What is CoA used for

Answer 8

Following initial authentication and authorization CoA allows ISE to initiate a request to a NAD to disconnect user session, bounce the port or have endpoint or user perform re-authentication

Question 9

CoA Types

Answer 9

No CoA: Device remains in Unknown state until next re-authentication
Port Bounce / Session Bounce: ISE forces NAD to reset switchport (wired) or bounce session (Wireles)
Reauth: Forces user/endpoint to re-authenticate

Question 10

What is MAB

Answer 10

MAC Authentication Bypass

Device without 802.1x supplicant uses MAC address to authenticate.

Question 11

MAB RADIUS Service-Type

Answer 11

Call-Check

Question 12

How MAB Works

Answer 12

MAC address of endpoint is added to Endpoint Identity Group in ISE.
AuthZ Policy configured for MAB devices.
Device authenticates using MAC address
ISE does Lookup against Endpoint Identity Group
If MAC is present AuthC is granted and AuthZ policy applied.
Access-Accept Returned to NAD

Question 13

MAC address length

Answer 13

48-bit Hexadecimal

e.g 1A:2B:3B:4D:5E:6F

1A:2B:3C = Organization Unique Identifier

Question 14

Devices which often lack Supplicants

Answer 14

Printers, Scanners, IP Cameras, Door Card readers

Question 15

What can Posture Assessment check for

Answer 15

Files including existence, version, date
Registry conditions on Windows OS
If service is running on Windows OS

Question 16

What Posture Status types are available

Answer 16

Compliant, Non-Compliant, Unknown

Question 17

What happens to Non-Compliant endpoints

Answer 17

redirect ACL is defined as dACL and web redirection pointed to Client Profiling Portal on ISE

Question 18

Components of Posture Requirement

Answer 18

Conditions & Remediation

Question 19

Ports used in Posture between ISE and endpoint

Answer 19

TCP/80

TCP/8905

Question 20

Profiling Probe which collects User-Agent string

Answer 20

HTTP

Question 21

ISE service which allows endpoint compliance to be checked

Answer 21

Posture

Question 22

Endpoint Identity Group which holds devices which dint match any profile

Answer 22

Unknown

Question 23

Which probes need to be used to allow Profile service to bind IP and MAC address

Answer 23

RADIUS & DHCP Probes

Question 24

Portal used by endpoint to download Compliance Module

Answer 24

Client Provisioning Portal

Question 25

Service used to Identify endpoint device types connecting to network

Answer 25

Profiling