Compliance Module Configuration

In order to configure Compliance module you need to configure the followin components:

1. Compliance Templates
2. Compliance Rules
3. Global Options
4. Compliance Jobs

1. Compliance Templates

Compliance Template is a configuration object which maps interface commands to a Compliance Result. The commands configured on an interface are matched against commands specified by Compliance Templates. If all the commands are matched, the template result is assigned to the interface.
Templates can have the following results:

• Compliant - The interface is configured as expected, no action is needed.
• Partially Compliant - There are minor misconfigurations on the interface which have to be there for any reason, but you want to be aware of them e.q. Incorrect access VLAN, incorrect authentication priority, order, host mode, etc. You consider partially compliant interfaces as still secured.
• Non Compliant - The interface contains configurations which should not be configured. An action should be taken to configure the interface into Compliant state.

Variables

Dynamic variables
The compliance template can have a few variables which dynamically assign the access and voice VLAN number to the template. The following code block gives you an example of how to configure the variables to access or voice command.

switchport access vlan {<vlan string>;<default value>}
switchport voice vlan {<vlan string>;<default value>}

For example:

switchport access vlan {ise_users;10}
switchport voice vlan {ise_voip;90}

The ise_users and ise_voip are the variables which are assigned based on the following rules:

1. Search for a vlan group command in a switch configuration. The following command in our example will assign No. 10.

vlan group ise_users vlan-list 10

2. Search for VLAN name in the VLAN configuration. The following configuration will assign No. 10

vlan 10
name ise_users

3. Use the default value in the variable configuration.

When the access VLAN is determined, it is replaced in the Compliance Template. This occurs on a per switch bases, Every switch can have it's own access and voice VLANs. This allows you to match or configure access and voice VLAN individually per switch.

Static variables
Another variable which can be configured in a Compliance template is static "access_vlan" variable. The term "access_vlan" is a fixed variable name and it's value is derived from the command switchport access vlan <vlan>. This variable can be used in an interface description or in the command bellow. Static and Dynamic variables can be combined.

authentication event server dead authorize vlan {access_vlan}
description Access VLAN on this port is: {access_vlan}

Compliant Template Example

The following Compliance Template shows you an example of a common compliant interface template configuration. A compliance template should contain all interface commands which should be configured a secured switch port in your network.

description >DOT1X<
switchport mode access
switchport access vlan {ise_users;10}
switchport voice vlan {ise_voip;120}
authentication host-mode multi-domain
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication event fail action next-method
authentication event server dead action reinitialize vlan 666
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication control-direction in
authentication timer restart 0
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast

All the commands in a Compliance Template are compared to interface commands in the Exact Match manner except the description command, which is matched in the Starts with manner. This means that for example spanning-tree portfast command in a template will not match the spanning-tree portfast edge command on an interface.

Partially Compliant Template Example

The following example shows you a configuration of a partially compliant template. Partially compliant template works the same as compliant template and should include all commands required on an interface. Partially compliant templates does not follow your configurations standards perfectly but you still consider these configurations as secure.
In this example, the template contains the command authentication host-mode multi-auth which may not be your desired configuration.

description >DOT1X-AP<
switchport mode access
switchport access vlan {ise_users;10}
switchport voice vlan {ise_voip;120}
authentication host-mode multi-auth
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication event fail action next-method
authentication event server dead action reinitialize vlan 666
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication control-direction in
authentication timer restart 0
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast

Non Compliant Template Example

The following example shows you a configuration of a non compliant temlate. Template should contains a command or a selection of commands which must not be configured on an interface. Please note that if you specify more commands in a non compliant template, then all the commands must be configured on an interface in order the non compliant template to match.

authentication open

Configuration

1. Navigate to Compliance Module -> Compliance Configuration (Page 1)
2. Click on the New button
3. Fill the name, Commands and select Result and click Save.

2. Compliance Rules

The next concept in Compliance configuration are Compliance Rules. The Compliance Rules determine which templates a switch will be evaluated to. In other words, which templates will be chosen for the switch.
The logic work in the same way as firewall rules. Compliance rules consist of conditions and a result. The configured compliance rules are evaluated from top to bottom against conditions and the first match applies. If a rule matches then the templates are assigned. The fact that a rule is matched does not mean that the switch or it's interfaces are evaluated as compliant. It only determines, which template or templates will be used for compliance evaluation. Interface state will be determined based on the compliance template result which will match the interface configuration (if any). If a switch does not match any rule then the switch is considered as non compliant.

If a rule is matched then each interface on the switch is evaluated against the templates in the rule. The templates are evaluated from the first to the last. If a match occurs, then the Template Result is assigned to the interface. Even though the templates can be configured in any order, it is recommended to configure the templates in the order: 1. Non Compliant 2. Part Compliant 3. Compliant.

The following screen shows an example of the Compliance Rules configuration

Configuration Guidelines

Every rule can contain the following conditions:

• Version - For example 15.2, 16.9 etc. Version condition is matched against the switch IOS major and minor version is located at the beginning of running configuration.
• Group - For example Location#All Locations#London, Device Type#All Device Types#Cat9200. Refers to ISE groups, the switch is a member of. The value of Location#All Locations is preconfigured as all network devices are members of this group by default but the value can be changed if needed, you can use any network device group (NDG) configured in ISE
• CLI Hostname - Refers to a hostname of a switch (Hostname which is in the switch configuration. Not a device name in ISE configuration)
• Device Model - Refers to the part number of a switch which can be found in sh version or sh inventory output

Every condition can have multiple values separated by comma which are evaluated in OR manner. Different conditions are then evaluated in AND manner.

Configuration

1. Navigate to Compliance Module -> Compliance Configuration (Page 2)
2. Click on the New button
3. Fill the Version, Group, CLI Hostname, Device Model and enter comma separated Compliance Templates. Then click Save button

3. Global Setting

The next thing to configure in Compliance Module are Global Settings which affects the behavior of Compliance Module. To configure the Global Setting, navigate to Compliance Module -> Compliance Configuration (Page 3)

Settings decription

• User Authorization - This configuration is relevant to Device Authorization. It specifies which group from ISE will be used for configuration of authorization rules.

• Protect trunk interfaces - Trunk interfaces will be protected
• Protect by interface description - Interfaces containing the entered keywords will be protected. You can enter comma separated keywords.

• Bypass all trunk interfaces - This option will automatically mark all trunk interfaces as bypass. Otherwise only the first trunk interface will be automatically evaluated as Bypass
• Soft access VLAN evaluation - This option will evaluate access ports with incorrect VLAN as Part Compliant
• Bypass MACsec interfaces - If enabled, all MACsec protected interfaces will be automatically evaluated as Bypass
• Bypass by description - If any of specified values is found in the interface description. The interface will be set as Auto Bypass thus exempted from evaluation. The comparison is made in the contains manner and is case insensitive. Enter comma-separated values
• Bypass by VLAN - Enter one or more comma-separated VLAN numbers. If the evaluated interface is configured with any of specified access VLAN numbers. The interface will be set as Auto Bypass thus exempted from evaluation

• Switch Utilization - Administrators have the ability to set thresholds for switch and switchport utilization. This directly impacts the color-coded behavior of the icons in the Device List.

4. Device Authorization

Administrators can configure authorization to network devices based on user's Active Directory group membership. Administrators are able to match devices based on network device groups from ISE (for example location) and grant access to the device only for users who are members of the proper AD group.
The following screen shows an example of the Compliance Rules configuration:

Configuration Guidelines

Every rule can contain the following conditions:

• AD Group - Active Directory group, you want to specify access to network devices
• ISE Group (Read) - Read-only access to the devices from the specified group
• ISE Group (Write) - Write access to the devices from the specified group
• ISE Group (Write and Protected) - Write access (Protected Interfaces included) to the devices from the specified group
  

There is a default rule that control access for users who haven't been explicitly configured in the subsequent rules. By default, this rule grants read-only access to all network devices.

The user authorization test provides the definitive outcome of user rights. This can be particularly useful when a user belongs to multiple Active Directory groups. The final result is a combination of all rules that are applied to the individual user.

Configuration

1. Navigate to Compliance Module -> Compliance Configuration (Page 2)

2. Under the User Authorization select which ISE groups you want to use for Device Authorization
   

3. Navigate to Compliance Module -> Compliance Configuration (Page 3)

4. Click on the New button

5. Fill the AD Group and choose from the menu correct groups for the level of access you want to grant to the user. Then click Save button
   

5. Compliance Jobs

Compliance Module consists of two jobs, which are responsible for the Compliance Module runtime.

• Device Synchronization
• Device Evaluation

In the default configuration, the Device Synchronization job is enabled but the Device Evaluation job is disabled. This means that in the Compliance Module is disabled by default.

Device Synchronization

Device synchronization is responsible for synchronization of Network Devices (Network switches) from ISE to XTENDISE. XTENDISE periodically downloads the list of Network Devices configured in ISE and stores it in internal database.

To enable Device Synchronization job, navigate to Compliance Module -> Compliance Configuration (Page 4) and click the Device Sync button.

You can check the job status on the Maintenance page. Device Synchronization job runs every Saturday at 1 a.m. or can be initiated manually.

Device Evaluation

Device evaluation job is responsible for compliance evaluation of each network device synchronized from ISE. During the evaluation, XTENDISE connects to every switch and evaluates its configuration. This means that every interface in each switch is compared against Compliance Templates and given a result.

To enable Compliance Evaluation job, navigate to Compliance Module -> Compliance Configuration (Page 4) and click the Run Compliance button.

You can check the job status on the Maintenance page. Compliance Evaluation job runs every Sunday at 1 a.m. or can be initiated manually.