ISE Posture and Policy Audit
Comprehensive security posture assessment of Cisco Identity Services Engine (ISE) deployment. Reviews authorization policies for over-permissiveness, identifies endpoints without posture compliance, detects profiling gaps, analyzes the TrustSec SGT/SGACL matrix, and validates active session health.
When to Use
- Periodic ISE policy compliance audit (SOC2, PCI-DSS, NIST 800-53, HIPAA)
- Pre-deployment review before onboarding new endpoint types
- Post-incident review to identify policy gaps that allowed lateral movement
- TrustSec segmentation validation
- Profiling accuracy assessment after network changes
- Quarterly access control hygiene check
How to Call the ISE MCP Tools
All ISE tools are called via mcp-call with the ISE MCP server command:
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" TOOL_NAME '{"param":"value"}'
Audit Procedure
Step 1: Clear Cache and Establish Baseline
Start every audit with a fresh cache to ensure current data:
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" clear_cache '{}'
Verify connectivity and cache state:
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" get_cache_stats '{}'
Step 2: Authorization Policy Review
Pull all policy sets, then drill into authorization rules:
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" network_access_policy_set '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" network_access_authorization_rules '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" network_access_authentication_rules '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" network_access_conditions '{}'
Authorization Policy Checks:
| Check | What to Look For | Severity If Found |
|---|---|---|
| Default Allow | Default rule granting PermitAccess or DenyAccess without conditions | CRITICAL |
| Overly permissive rules | AuthZ rules with no posture condition and full network access | CRITICAL |
| Stale rules | Rules referencing deleted/unused identity groups or conditions | HIGH |
| Rule ordering | Permissive rules ranked above restrictive rules (shadowing) | HIGH |
| Missing posture check | AuthZ rules that grant access without posture assessment | MEDIUM |
| Duplicate conditions | Multiple rules with identical match criteria | LOW |
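The Step 2 checks as runnable logic, added here as an example rather than code from the skill or the ISE MCP server. It assumes the simplified rule shape described in its docstring (the real `network_access_authorization_rules` JSON would be mapped into it first) and an assumed naming convention for posture conditions; a rule with no conditions that returns PermitAccess is treated as the Default Allow case.

```python
"""Authorization-rule hygiene checks over the Step 2 output.

Added example, not part of the skill or the ISE MCP server. Rules are a
constructed simplification of network_access_authorization_rules JSON:
rank = evaluation order (lowest first), conditions = names of the conditions
the rule ANDs together, profile = the authorization profile it returns."""

SAMPLE_RULES = [  # constructed sample
    {"name": "Corp-Laptops", "rank": 1, "profile": "PermitAccess",
     "conditions": {"AD-Domain-Computers"}},
    {"name": "Corp-Laptops-Compliant", "rank": 2, "profile": "PermitAccess",
     "conditions": {"AD-Domain-Computers", "Posture-Compliant"}},
    {"name": "Contractors", "rank": 3, "profile": "Contractor-dACL",
     "conditions": {"AD-Contractors"}},
    {"name": "Contractors-Copy", "rank": 4, "profile": "Contractor-dACL",
     "conditions": {"AD-Contractors"}},
    {"name": "Default", "rank": 99, "profile": "PermitAccess", "conditions": set()},
]
POSTURE_PREFIXES = ("Posture-", "Session-PostureStatus")  # assumed naming convention

def has_posture_condition(rule):
    return any(c.startswith(POSTURE_PREFIXES) for c in rule["conditions"])

def audit_authz_rules(rules):
    """Return (severity, rule name, message) findings, highest severity first."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["rank"])
    for i, rule in enumerate(ordered):
        if not rule["conditions"] and rule["profile"] == "PermitAccess":
            findings.append(("CRITICAL", rule["name"], "default rule grants PermitAccess"))
            continue
        if rule["profile"] != "DenyAccess" and not has_posture_condition(rule):
            # Full access without posture is the CRITICAL case; a restricted
            # profile (dACL) without posture is the MEDIUM "missing posture" case.
            sev = "CRITICAL" if rule["profile"] == "PermitAccess" else "MEDIUM"
            findings.append((sev, rule["name"], "grants access without a posture condition"))
        for earlier in ordered[:i]:  # rules evaluated before this one
            if earlier["conditions"] == rule["conditions"]:
                findings.append(("LOW", rule["name"], f"duplicate conditions of {earlier['name']}"))
            elif earlier["conditions"] < rule["conditions"]:  # earlier matches a superset
                findings.append(("HIGH", rule["name"], f"shadowed by broader rule {earlier['name']}"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: order[f[0]])
```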
Step 3: Posture Compliance Assessment
Review endpoints and identity groups to identify posture gaps:
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" endpoints '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" identity_groups '{}'
Posture Compliance Checks:
| Check | What to Look For | Severity If Found |
|---|---|---|
| Endpoints bypassing posture | Endpoints with full access but no posture assessment recorded | CRITICAL |
| Non-compliant endpoints on network | Endpoints marked non-compliant but not quarantined | CRITICAL |
| Missing posture policy for endpoint type | Endpoint categories (BYOD, IoT, contractor) without posture rules | HIGH |
| Posture reassessment interval | No periodic reassessment configured (one-time posture only) | MEDIUM |
| Unknown endpoints with access | Endpoints in "Unknown" group with network access beyond guest | HIGH |
Step 4: Profiling Coverage Analysis
Assess how well ISE is profiling connected endpoints:
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" profiler_profiles '{}'
Cross-reference with the endpoint list from Step 3.
Profiling Checks:
| Check | What to Look For | Severity If Found |
|---|---|---|
| Unknown endpoint ratio | More than 10% of endpoints profiled as "Unknown" | HIGH |
| Unmatched profiles | Custom profiles with zero matched endpoints (dead profiles) | LOW |
| Missing critical profiles | No profiles for known device types on the network (printers, phones, cameras) | MEDIUM |
| Profile certainty | Endpoints with low certainty factor (< 20) receiving production access | HIGH |
| Profiling probe coverage | Insufficient probe types enabled for accurate classification | MEDIUM |
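The Step 3 posture checks and the Step 4 profiling checks as one runnable pass, added here as an example and not the skill's own code. It assumes the endpoint and profile lists have already been mapped into the simplified record shape in its docstring; the 10% Unknown ratio and the certainty floor of 20 come from the tables above.

```python
"""Endpoint posture and profiling checks over the Step 3 and Step 4 output.

Added example, not part of the skill or the ISE MCP server. Endpoint records
are a constructed simplification of the endpoints / profiler_profiles JSON
(Step 3's posture fields and Step 4's profile fields on one record)."""

# Constructed sample. access: "full" | "restricted" | "quarantine" | "guest".
ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "group": "Workstations", "profile": "Windows-Workstation",
     "certainty": 70, "posture": "Compliant", "access": "full"},
    {"mac": "00:11:22:33:44:02", "group": "Workstations", "profile": "Windows-Workstation",
     "certainty": 70, "posture": "NonCompliant", "access": "full"},
    {"mac": "00:11:22:33:44:03", "group": "Workstations", "profile": "Windows-Workstation",
     "certainty": 70, "posture": None, "access": "full"},
    {"mac": "00:11:22:33:44:04", "group": "Unknown", "profile": "Unknown",
     "certainty": 0, "posture": None, "access": "restricted"},
    {"mac": "00:11:22:33:44:05", "group": "Printers", "profile": "HP-Printer",
     "certainty": 10, "posture": None, "access": "full"},
]
PROFILES = ["Windows-Workstation", "HP-Printer", "Unknown", "Legacy-Badge-Reader"]
PRODUCTION = {"full", "restricted"}  # anything beyond guest access

def audit_endpoints(endpoints, profiles, unknown_ratio_max=0.10, min_certainty=20):
    """Return (severity, subject, message) findings, highest severity first."""
    findings = []
    for e in endpoints:
        if e["posture"] == "NonCompliant" and e["access"] != "quarantine":
            findings.append(("CRITICAL", e["mac"], "non-compliant but not quarantined"))
        elif e["posture"] is None and e["access"] == "full":
            findings.append(("CRITICAL", e["mac"], "full access with no posture assessment"))
        if e["group"] == "Unknown" and e["access"] in PRODUCTION:
            findings.append(("HIGH", e["mac"], f"Unknown group with {e['access']} access"))
        elif e["certainty"] < min_certainty and e["access"] in PRODUCTION:
            findings.append(("HIGH", e["mac"],
                             f"certainty {e['certainty']} below {min_certainty} with production access"))
    unknown = sum(1 for e in endpoints if e["profile"] == "Unknown")
    if endpoints and unknown / len(endpoints) > unknown_ratio_max:
        findings.append(("HIGH", "profiling", f"{unknown}/{len(endpoints)} endpoints profiled as Unknown"))
    matched = {e["profile"] for e in endpoints}  # profiles with at least one endpoint
    for p in profiles:
        if p not in matched and p != "Unknown":
            findings.append(("LOW", p, "profile matches zero endpoints (dead profile)"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: order[f[0]])
```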
Step 5: TrustSec SGT Matrix Analysis
Review Security Group Tags and their access control:
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" trustsec_sgts '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" trustsec_sgacls '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" trustsec_egress_matrix_cell '{}'
TrustSec Checks:
| Check | What to Look For | Severity If Found |
|---|---|---|
| Permit-all SGACLs | SGACLs with permit ip (no restrictions between segments) | CRITICAL |
| Missing matrix cells | SGT-to-SGT pairs with no defined policy (confirm whether the deployment's default for undefined cells is permit or deny) | HIGH |
| Unused SGTs | SGTs defined but assigned to zero endpoints | LOW |
| Overly broad SGTs | Single SGT assigned to endpoints with different trust levels | HIGH |
| No deny logging | SGACLs with deny rules but no log keyword | MEDIUM |
| Flat segmentation | Fewer than 3 SGTs defined (minimal micro-segmentation) | HIGH |
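The TrustSec checks above as runnable logic, added here as an example and not the skill's own code. SGT endpoint counts, SGACL ACE lists and matrix cells are constructed inputs in the simplified shapes noted in the docstring; only off-diagonal SGT pairs are checked for missing cells, and a permit-all SGACL is reported on each cell that uses it.

```python
"""TrustSec matrix checks over the Step 5 output.

Added example, not part of the skill or the ISE MCP server. Inputs are
constructed simplifications of trustsec_sgts (name -> assigned endpoint count),
trustsec_sgacls (name -> list of ACEs) and trustsec_egress_matrix_cell
((source SGT, destination SGT) -> SGACL name); map the real JSON into them."""
from itertools import permutations

SGT_ENDPOINT_COUNTS = {"Employees": 120, "IoT": 40, "Servers": 15, "Test_SGT": 0}
SGACLS = {
    "Permit_All": ["permit ip"],
    "Deny_All": ["deny ip"],                              # deny without log
    "Web_Only": ["permit tcp dst eq 443", "deny ip log"],
}
MATRIX_CELLS = {("IoT", "Servers"): "Permit_All", ("Employees", "Servers"): "Web_Only"}

def audit_trustsec(sgt_counts, sgacls, cells):
    """Return (severity, subject, message) findings, highest severity first."""
    findings = []
    if len(sgt_counts) < 3:
        findings.append(("HIGH", "matrix", f"only {len(sgt_counts)} SGTs defined (flat segmentation)"))
    for name, count in sgt_counts.items():
        if count == 0:
            findings.append(("LOW", name, "SGT assigned to zero endpoints"))
    permit_all = set()
    for name, aces in sgacls.items():
        aces = [a.strip().lower() for a in aces if a.strip()]
        if aces and aces[0] == "permit ip":               # first ACE matches everything
            permit_all.add(name)
        if any(a.startswith("deny") and not a.endswith(" log") for a in aces):
            findings.append(("MEDIUM", name, "deny ACE without log keyword"))
    for (src, dst), sgacl in cells.items():
        if sgacl in permit_all:
            findings.append(("CRITICAL", f"{src}->{dst}", f"cell uses permit-all SGACL {sgacl}"))
    for src, dst in permutations(sgt_counts, 2):          # off-diagonal pairs only
        if (src, dst) not in cells:
            findings.append(("HIGH", f"{src}->{dst}", "no matrix cell; default policy applies"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: order[f[0]])
```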
Step 6: Active Session Health
Review current active sessions for anomalies:
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" active_sessions '{}'
Session Health Checks:
| Check | What to Look For | Severity If Found |
|---|---|---|
| Long-lived sessions | Sessions active for > 24 hours without reauthentication | MEDIUM |
| Failed auth spikes | Multiple failed authentications from same MAC/IP in short window | HIGH |
| Guest on production VLAN | Guest-profiled endpoints on non-guest VLANs | CRITICAL |
| Multiple MACs per port | More than expected endpoints on a single switchport (hub or rogue AP) | HIGH |
| Auth method mismatch | Endpoints using MAB when 802.1X is expected for that device type | MEDIUM |
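The session health checks above run over constructed session records, added here as an example and not the skill's own code. It assumes the `active_sessions` JSON has been mapped into the record shape in its docstring, with failed attempts carried as records of status "Failed"; the guest VLAN set, the profiles expected to use 802.1X, the two-MACs-per-port limit and the five-failures-in-ten-minutes spike threshold are assumed tuning values.

```python
"""Session-health checks over the Step 6 active_sessions output.

Added example, not part of the skill or the ISE MCP server. Records are a
constructed simplification of the real JSON; epoch times are checked against
a fixed `now` so the results are deterministic."""
from collections import defaultdict

NOW, HOUR = 1_700_000_000, 3600
GUEST_VLANS = {"900"}                                        # constructed
DOT1X_EXPECTED = {"Windows-Workstation", "Cisco-IP-Phone"}   # must use 802.1X

def rec(mac, profile, vlan, port, auth, age_hours):
    return {"mac": mac, "profile": profile, "vlan": vlan, "port": port,
            "auth": auth, "start": NOW - age_hours * HOUR, "status": "Started"}

SESSIONS = [  # constructed sample: active sessions plus one burst of failures
    rec("00:11:22:33:44:01", "Windows-Workstation", "100", "sw1:Gi1/0/1", "dot1x", 2),
    rec("00:11:22:33:44:02", "Windows-Workstation", "100", "sw1:Gi1/0/2", "mab", 30),
    rec("00:11:22:33:44:03", "Guest-Device", "100", "sw1:Gi1/0/3", "mab", 1),
    rec("00:11:22:33:44:04", "HP-Printer", "200", "sw1:Gi1/0/4", "mab", 1),
    rec("00:11:22:33:44:05", "Unknown", "200", "sw1:Gi1/0/4", "mab", 1),
    rec("00:11:22:33:44:06", "Unknown", "200", "sw1:Gi1/0/4", "mab", 1),
] + [{"mac": "00:11:22:33:44:07", "port": "sw1:Gi1/0/7", "status": "Failed",
      "start": NOW - 60 * i} for i in range(6)]

def audit_sessions(sessions, now=NOW, max_macs_per_port=2, spike_count=5, spike_window=600):
    """Return (severity, subject, message) findings, highest severity first."""
    findings, fails, per_port = [], defaultdict(list), defaultdict(set)
    for s in sessions:
        if s["status"] == "Failed":            # failed attempt, not a session
            fails[s["mac"]].append(s["start"])
            continue
        per_port[s["port"]].add(s["mac"])
        if "Guest" in s["profile"] and s["vlan"] not in GUEST_VLANS:
            findings.append(("CRITICAL", s["mac"], f"guest endpoint on VLAN {s['vlan']}"))
        if s["profile"] in DOT1X_EXPECTED and s["auth"] != "dot1x":
            findings.append(("MEDIUM", s["mac"], f"{s['profile']} used {s['auth']}, expected 802.1X"))
        if now - s["start"] > 24 * HOUR:
            findings.append(("MEDIUM", s["mac"], "active > 24h without reauthentication"))
    for mac, times in fails.items():            # spike_count failures inside spike_window seconds
        times.sort()
        if any(times[i + spike_count - 1] - times[i] <= spike_window
               for i in range(len(times) - spike_count + 1)):
            findings.append(("HIGH", mac, f"{len(times)} failed authentications in a short window"))
    for port, macs in per_port.items():
        if len(macs) > max_macs_per_port:
            findings.append(("HIGH", port, f"{len(macs)} MACs on one switchport (hub or rogue AP?)"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: order[f[0]])
```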
Severity Rating Criteria
CRITICAL -- Immediate risk of unauthorized access or data exfiltration:
- Default permit-all authorization rules
- Non-compliant endpoints with unrestricted access
- Guest endpoints on production VLANs
- Permit-all SGACLs between untrusted and trusted segments
HIGH -- Significant policy gap that could be exploited:
- Unknown endpoints with production access
- Missing TrustSec matrix entries
- Stale or shadowed authorization rules
- Low-certainty profiling with production access
MEDIUM -- Policy weakness that should be addressed this cycle:
- Missing posture reassessment
- Auth method mismatches
- Insufficient profiling probes
- Long-lived sessions without reauth
LOW -- Housekeeping and hygiene items:
- Unused SGTs or dead profiles
- Duplicate authorization conditions
- Minor documentation gaps
Audit Report Format
```text
ISE Posture Audit Report
ISE Deployment: $ISE_BASE
Audit Date: YYYY-MM-DD

CRITICAL FINDINGS (Immediate Action Required):
1. [C-001] Default AuthZ rule grants PermitAccess — all unmatched endpoints get full access
2. [C-002] 14 endpoints marked non-compliant but not quarantined
3. [C-003] SGACL "Permit_All" applied to IoT-to-Server matrix cell

HIGH FINDINGS (Address This Week):
4. [H-001] 23% of endpoints profiled as "Unknown" — profiling gap
5. [H-002] SGT "Employees" assigned to both corporate laptops and contractor devices
6. [H-003] 3 authorization rules shadowed by permissive rule at rank 1

MEDIUM FINDINGS (Address This Month):
7. [M-001] No posture reassessment configured — one-time check only
8. [M-002] 47 sessions active > 24h without reauthentication
9. [M-003] 12 endpoints using MAB instead of expected 802.1X

LOW / INFORMATIONAL:
10. [L-001] 5 unused SGTs: "Test_SGT", "Legacy_Printers", etc.
11. [L-002] 3 profiler profiles with zero matched endpoints

Summary: 3 Critical | 3 High | 3 Medium | 2 Low
Policy Sets Reviewed: N
Authorization Rules Reviewed: N
Endpoints Analyzed: N
SGTs Evaluated: N
Active Sessions Checked: N
```
Integration with Other Skills
- Use pyats-security to verify device-side 802.1X configuration matches ISE policy (RADIUS server config, dot1x port settings, CoPP for RADIUS traffic)
- Use gait-session-tracking to record the full audit in the GAIT immutable audit trail
- Use markmap-viz to visualize the ISE policy hierarchy (Policy Sets > AuthZ Rules > Conditions > Results)
- Use ise-incident-response when a CRITICAL finding requires immediate endpoint investigation
- Use servicenow-change-workflow to create Change Requests for ISE policy remediation
GAIT Audit Trail
After completing the audit, record the session in GAIT:
python3 $MCP_CALL "python3 -u $GAIT_MCP_SCRIPT" gait_record_turn '{"input":{"role":"assistant","content":"ISE posture audit completed. ISE: $ISE_BASE. Findings: 3 CRITICAL, 3 HIGH, 3 MEDIUM, 2 LOW. Critical items: default permit-all AuthZ rule, 14 non-compliant endpoints not quarantined, permit-all SGACL on IoT-to-Server cell.","artifacts":[]}}'
Markmap Visualization
Generate a policy hierarchy mind map for the audit report:
python3 $MCP_CALL "node $MARKMAP_MCP_SCRIPT" markmap_customize '{"markdown_content":"# ISE Policy Audit\n## CRITICAL\n### Default AuthZ permits all\n### Non-compliant endpoints active\n### Permit-all SGACL\n## HIGH\n### 23% Unknown endpoints\n### SGT overlap (employees + contractors)\n### Shadowed AuthZ rules\n## MEDIUM\n### No posture reassessment\n### Long-lived sessions\n### MAB instead of 802.1X\n## LOW\n### Unused SGTs\n### Dead profiler profiles","theme":"dark"}'