ise-posture-audit

SKILL.md

ISE Posture and Policy Audit

Comprehensive security posture assessment of Cisco Identity Services Engine (ISE) deployment. Reviews authorization policies for over-permissiveness, identifies endpoints without posture compliance, detects profiling gaps, analyzes the TrustSec SGT/SGACL matrix, and validates active session health.

When to Use

  • Periodic ISE policy compliance audit (SOC2, PCI-DSS, NIST 800-53, HIPAA)
  • Pre-deployment review before onboarding new endpoint types
  • Post-incident review to identify policy gaps that allowed lateral movement
  • TrustSec segmentation validation
  • Profiling accuracy assessment after network changes
  • Quarterly access control hygiene check

How to Call the ISE MCP Tools

All ISE tools are called via mcp-call with the ISE MCP server command:

ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" TOOL_NAME '{"param":"value"}'

Audit Procedure

Step 1: Clear Cache and Establish Baseline

Start every audit with a fresh cache to ensure current data:

ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" clear_cache '{}'

Verify connectivity and cache state:

ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" get_cache_stats '{}'

Step 2: Authorization Policy Review

Pull all policy sets, then drill into authorization rules:

ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" network_access_policy_set '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" network_access_authorization_rules '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" network_access_authentication_rules '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" network_access_conditions '{}'

Authorization Policy Checks:

| Check | What to Look For | Severity If Found |
|---|---|---|
| Default Allow | The default (catch-all) rule results in PermitAccess, so every endpoint that matches no earlier rule gets full access. The default rule has no conditions by design; its result should be DenyAccess. | CRITICAL |
| Overly permissive rules | Rules whose result is PermitAccess (or an unrestricted VLAN/dACL) with no posture condition, for device classes that are expected to run the posture agent | CRITICAL |
| Stale rules | Rules referencing deleted or unused identity groups or conditions | HIGH |
| Rule ordering | A broadly matching permissive rule ranked above a narrower restrictive rule with overlapping conditions, so the restrictive rule can never fire (shadowing) | HIGH |
| Missing posture check | Rules that grant restricted access (limited dACL or remediation VLAN) without a posture condition where posture is expected; lower severity than the row above because the result is not full access | MEDIUM |
| Duplicate conditions | Multiple rules with identical match criteria and the same result | LOW |
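The checks in the table above can be scripted against the JSON the authorization-rules tool returns. The following is an added example, not part of the skill or its MCP server; it assumes the tool passes through ISE Open API-style rule objects (`rule.name`, `rule.default`, `rule.rank`, `rule.state`, a nested `rule.condition` tree of `ConditionAndBlock`/`ConditionAttributes`/`ConditionReference` nodes, and a `profile` list), and the sample rules are constructed for illustration. The set of profile names treated as "full access" is an assumption to tune per deployment.

```python
import json

# Assumption: result profiles that mean unrestricted network access.
FULL_ACCESS_PROFILES = {"PermitAccess"}

# Constructed sample in the assumed shape of ISE Open API authorization-rule objects.
SAMPLE_AUTHZ_RULES = [
    {"rule": {"name": "Corp-Laptops-Compliant", "default": False, "rank": 0, "state": "enabled",
              "condition": {"conditionType": "ConditionAndBlock", "children": [
                  {"conditionType": "ConditionAttributes", "dictionaryName": "Session",
                   "attributeName": "PostureStatus", "operator": "equals",
                   "attributeValue": "Compliant"},
                  {"conditionType": "ConditionReference", "name": "Wired_802.1X"}]}},
     "profile": ["PermitAccess"]},
    {"rule": {"name": "Contractors", "default": False, "rank": 1, "state": "enabled",
              "condition": {"conditionType": "ConditionReference", "name": "Wired_MAB"}},
     "profile": ["PermitAccess"]},
    {"rule": {"name": "Contractors-Copy", "default": False, "rank": 2, "state": "enabled",
              "condition": {"conditionType": "ConditionReference", "name": "Wired_MAB"}},
     "profile": ["Contractor_dACL"]},
    {"rule": {"name": "Default", "default": True, "rank": 3, "state": "enabled",
              "condition": None},
     "profile": ["PermitAccess"]},
]


def has_posture_condition(cond):
    """Walk the condition tree looking for a Session.PostureStatus attribute check."""
    if not cond:
        return False
    if cond.get("conditionType") == "ConditionAttributes":
        return cond.get("attributeName") == "PostureStatus"
    return any(has_posture_condition(c) for c in cond.get("children", []))


def canonical(cond):
    """Stable string form of a condition so identical match criteria compare equal."""
    return json.dumps(cond, sort_keys=True) if cond else ""


def audit_authz_rules(rules):
    """Return (severity, check, rule_name) findings for the Step 2 table."""
    findings = []
    enabled = sorted((r for r in rules if r["rule"].get("state") == "enabled"),
                     key=lambda r: r["rule"]["rank"])
    seen = {}  # canonical condition -> (first rule name, grants full access)
    for r in enabled:
        meta = r["rule"]
        name = meta["name"]
        cond = meta.get("condition")
        full = bool(set(r.get("profile") or []) & FULL_ACCESS_PROFILES)
        if meta.get("default"):
            # The default rule matches everything left over; it must not permit.
            if full:
                findings.append(("CRITICAL", "Default Allow", name))
            continue
        if full and not has_posture_condition(cond):
            findings.append(("CRITICAL", "Overly permissive rule", name))
        elif not has_posture_condition(cond):
            findings.append(("MEDIUM", "Missing posture check", name))
        key = canonical(cond)
        if key in seen:
            prev_name, prev_full = seen[key]
            if prev_full and not full:
                # Same criteria, permissive rule ranked first: this rule never fires.
                findings.append(("HIGH", f"Shadowed by '{prev_name}'", name))
            else:
                findings.append(("LOW", f"Duplicate condition of '{prev_name}'", name))
        else:
            seen[key] = (name, full)
    return findings


if __name__ == "__main__":
    for severity, check, rule in audit_authz_rules(SAMPLE_AUTHZ_RULES):
        print(f"{severity:8} {check:40} {rule}")
```

Shadowing here is detected only for rules with identical conditions; a rule whose condition is a strict superset of a later rule's also shadows it, but deciding that in general requires evaluating the condition semantics, so those cases still need a manual pass over the ranked list.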

Step 3: Posture Compliance Assessment

Review endpoints and identity groups to identify posture gaps:

ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" endpoints '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" identity_groups '{}'

Posture Compliance Checks:

| Check | What to Look For | Severity If Found |
|---|---|---|
| Endpoints bypassing posture | Endpoints with full access but no posture assessment recorded | CRITICAL |
| Non-compliant endpoints on network | Endpoints marked non-compliant but not quarantined | CRITICAL |
| Missing posture policy for endpoint type | Endpoint categories (BYOD, IoT, contractor) without posture rules | HIGH |
| Posture reassessment interval | No periodic reassessment configured (one-time posture only) | MEDIUM |
| Unknown endpoints with access | Endpoints in the "Unknown" group with network access beyond guest | HIGH |

Step 4: Profiling Coverage Analysis

Assess how well ISE is profiling connected endpoints:

ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" profiler_profiles '{}'

Cross-reference with the endpoint list from Step 3.

Profiling Checks:

| Check | What to Look For | Severity If Found |
|---|---|---|
| Unknown endpoint ratio | More than 10% of endpoints profiled as "Unknown" | HIGH |
| Unmatched profiles | Custom profiles with zero matched endpoints (dead profiles) | LOW |
| Missing critical profiles | No profiles for known device types on the network (printers, phones, cameras) | MEDIUM |
| Profile certainty | Endpoints with a low certainty factor (< 20) receiving production access | HIGH |
| Profiling probe coverage | Insufficient probe types enabled for accurate classification | MEDIUM |

Step 5: TrustSec SGT Matrix Analysis

Review Security Group Tags and their access control:

ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" trustsec_sgts '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" trustsec_sgacls '{}'
ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" trustsec_egress_matrix_cell '{}'

TrustSec Checks:

| Check | What to Look For | Severity If Found |
|---|---|---|
| Permit-all SGACLs | SGACLs whose content is just `permit ip` (no restrictions between segments), and cells whose only effective rule is a Permit IP default | CRITICAL |
| Missing matrix cells | SGT-to-SGT pairs with no explicit cell. These fall back to the matrix default policy, which ships as Permit IP unless it has been changed to Deny IP, so an undefined cell is usually an open path. Record the configured default in the report. | HIGH |
| Unused SGTs | SGTs defined but assigned to zero endpoints | LOW |
| Overly broad SGTs | A single SGT assigned to endpoints with different trust levels | HIGH |
| No deny logging | SGACLs with deny rules but no `log` keyword, so blocked flows leave no trace | MEDIUM |
| Flat segmentation | Fewer than 3 custom SGTs defined, not counting the built-in ones (Unknown, TrustSec_Devices), i.e. minimal micro-segmentation | HIGH |
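The TrustSec checks above combine three tool outputs (SGTs, SGACLs, egress cells), so they are easier to run as a script than by eye. This is an added example rather than the skill's own code; it assumes the tools return ERS-style objects (SGT `id`/`name`, SGACL `id`/`name`/`aclcontent`, and egress cells with `sourceSgtId`, `destinationSgtId`, `sgacls`, `defaultRule`, `matrixCellStatus`), and all sample objects are constructed. The built-in SGT names excluded from the segmentation count are an assumption to adjust for the deployment.

```python
import itertools
import re

# Assumption: SGTs that ISE creates by default and that do not count as segmentation.
BUILTIN_SGTS = {"Unknown", "TrustSec_Devices", "ANY"}

# Constructed sample data in the assumed ERS object shapes.
SAMPLE_SGTS = [
    {"id": "sgt-unknown", "name": "Unknown", "value": 0},
    {"id": "sgt-emp", "name": "Employees", "value": 4},
    {"id": "sgt-iot", "name": "IoT", "value": 10},
    {"id": "sgt-srv", "name": "Servers", "value": 20},
]
SAMPLE_SGACLS = [
    {"id": "acl-permit-all", "name": "Permit_All", "aclcontent": "permit ip"},
    {"id": "acl-web", "name": "Web_Only", "aclcontent": "permit tcp dst eq 443\ndeny ip"},
    {"id": "acl-web-log", "name": "Web_Only_Log",
     "aclcontent": "permit tcp dst eq 443\ndeny ip log"},
]
SAMPLE_CELLS = [
    {"sourceSgtId": "sgt-iot", "destinationSgtId": "sgt-srv", "sgacls": ["acl-permit-all"],
     "defaultRule": "NONE", "matrixCellStatus": "ENABLED"},
    {"sourceSgtId": "sgt-emp", "destinationSgtId": "sgt-srv", "sgacls": ["acl-web"],
     "defaultRule": "DENY_IP", "matrixCellStatus": "ENABLED"},
    {"sourceSgtId": "sgt-emp", "destinationSgtId": "sgt-iot", "sgacls": [],
     "defaultRule": "PERMIT_IP", "matrixCellStatus": "ENABLED"},
]


def acl_lines(content):
    """ACE lines of an SGACL body, skipping blanks and '!' comments."""
    return [l.strip() for l in content.splitlines()
            if l.strip() and not l.strip().startswith("!")]


def is_permit_all(content):
    """True when every ACE is an unrestricted 'permit ip' (optionally logged)."""
    lines = acl_lines(content)
    return bool(lines) and all(re.fullmatch(r"permit ip(?: log)?", l) for l in lines)


def deny_without_log(content):
    """Deny ACEs that will drop traffic silently."""
    return [l for l in acl_lines(content) if l.startswith("deny") and l.split()[-1] != "log"]


def audit_trustsec(sgts, sgacls, cells):
    """Return (severity, check, object) findings for the Step 5 table."""
    findings = []
    acl_by_id = {a["id"]: a for a in sgacls}
    sgt_name = {s["id"]: s["name"] for s in sgts}

    for a in sgacls:
        if is_permit_all(a["aclcontent"]):
            findings.append(("CRITICAL", "Permit-all SGACL", a["name"]))
        if deny_without_log(a["aclcontent"]):
            findings.append(("MEDIUM", "Deny without log", a["name"]))

    defined = set()
    for c in cells:
        if c.get("matrixCellStatus") != "ENABLED":
            continue
        pair = (c["sourceSgtId"], c["destinationSgtId"])
        defined.add(pair)
        label = f"{sgt_name[pair[0]]} -> {sgt_name[pair[1]]}"
        acls = [acl_by_id[i] for i in c.get("sgacls", [])]
        # A cell is wide open if it carries a permit-all SGACL, or carries no
        # SGACL at all and its cell default is Permit IP.
        if any(is_permit_all(a["aclcontent"]) for a in acls) or \
                (not acls and c.get("defaultRule") == "PERMIT_IP"):
            findings.append(("CRITICAL", "Permit-all matrix cell", label))

    custom = [s for s in sgts if s["name"] not in BUILTIN_SGTS]
    if len(custom) < 3:
        findings.append(("HIGH", "Flat segmentation", f"{len(custom)} custom SGTs"))
    # Every ordered pair of custom SGTs (including SGT-to-itself) should have an
    # explicit cell; undefined pairs inherit the matrix default policy.
    for src, dst in itertools.product(custom, repeat=2):
        if (src["id"], dst["id"]) not in defined:
            findings.append(("HIGH", "Missing matrix cell", f"{src['name']} -> {dst['name']}"))
    return findings


if __name__ == "__main__":
    for f in audit_trustsec(SAMPLE_SGTS, SAMPLE_SGACLS, SAMPLE_CELLS):
        print(*f)
```

With the constructed data this flags `Permit_All` as a permit-all SGACL, `Web_Only` for its silent deny, the IoT-to-Servers and Employees-to-IoT cells as wide open, and six SGT pairs with no cell. Treat the missing-cell list together with the matrix default policy read from ISE: if that default is still Permit IP, each missing cell is effectively a permit-all cell.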

Step 6: Active Session Health

Review current active sessions for anomalies:

ISE_BASE=$ISE_BASE USERNAME=$ISE_USERNAME PASSWORD=$ISE_PASSWORD python3 $MCP_CALL "python3 -u $ISE_MCP_SCRIPT" active_sessions '{}'

Session Health Checks:

| Check | What to Look For | Severity If Found |
|---|---|---|
| Long-lived sessions | Sessions active for > 24 hours without reauthentication | MEDIUM |
| Failed auth spikes | Multiple failed authentications from the same MAC/IP in a short window (active sessions only list successes; this check needs the RADIUS authentication logs) | HIGH |
| Guest on production VLAN | Guest-profiled endpoints on non-guest VLANs | CRITICAL |
| Multiple MACs per port | More endpoints than expected on a single switchport (hub or rogue AP) | HIGH |
| Auth method mismatch | Endpoints using MAB when 802.1X is expected for that device type | MEDIUM |
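The session checks above, except the failed-auth spike (which needs the RADIUS authentication log rather than the active-session list), are expressed below as an added example that is not part of the skill or its MCP server. It assumes the active-sessions tool returns one flat record per session with `calling_station_id`, `nas_ip_address`, `nas_port_id`, `auth_method`, `endpoint_profile`, `identity_group`, `vlan` and an ISO 8601 `start_time`; the sample sessions, the guest group and VLAN names, the profiles expected to do 802.1X, and the per-port MAC budget are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Audit tunables (assumptions for this example; adjust to the deployment).
MAX_SESSION_AGE = timedelta(hours=24)
GUEST_GROUPS = {"GuestEndpoints"}                             # identity groups meaning "guest"
GUEST_VLANS = {"900"}                                         # VLANs where guests belong
DOT1X_EXPECTED = {"Windows10-Workstation", "Apple-MacBook"}   # profiles that must do 802.1X
MAX_MACS_PER_PORT = 2                                         # IP phone + daisy-chained PC

# Fixed reference time so the sample is reproducible; a real run uses datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _s(mac, port, method, profile, group, vlan, hours_ago):
    """Build one constructed session record in the assumed flattened shape."""
    return {"calling_station_id": mac, "nas_ip_address": "10.0.0.1", "nas_port_id": port,
            "auth_method": method, "endpoint_profile": profile, "identity_group": group,
            "vlan": vlan, "start_time": (NOW - timedelta(hours=hours_ago)).isoformat()}


SAMPLE_SESSIONS = [
    _s("00:11:22:33:44:01", "GigabitEthernet1/0/1", "dot1x", "Windows10-Workstation", "Workstation", "100", 2),
    _s("00:11:22:33:44:02", "GigabitEthernet1/0/2", "mab", "HP-Printer", "Printers", "100", 30),
    _s("00:11:22:33:44:03", "GigabitEthernet1/0/3", "mab", "Unknown", "GuestEndpoints", "100", 1),
    _s("00:11:22:33:44:04", "GigabitEthernet1/0/4", "mab", "Windows10-Workstation", "Workstation", "100", 1),
    _s("00:11:22:33:44:05", "GigabitEthernet1/0/5", "mab", "Unknown", "Unknown", "100", 1),
    _s("00:11:22:33:44:06", "GigabitEthernet1/0/5", "mab", "Unknown", "Unknown", "100", 1),
    _s("00:11:22:33:44:07", "GigabitEthernet1/0/5", "mab", "Unknown", "Unknown", "100", 1),
]


def audit_sessions(sessions, now=NOW):
    """Return (severity, check, subject) findings for the Step 6 table."""
    findings = []
    per_port = defaultdict(set)
    for s in sessions:
        mac = s["calling_station_id"]
        per_port[(s["nas_ip_address"], s["nas_port_id"])].add(mac)

        age = now - datetime.fromisoformat(s["start_time"])
        if age > MAX_SESSION_AGE:
            findings.append(("MEDIUM", "Long-lived session", mac))
        if s["identity_group"] in GUEST_GROUPS and s["vlan"] not in GUEST_VLANS:
            findings.append(("CRITICAL", "Guest on production VLAN", mac))
        if s["endpoint_profile"] in DOT1X_EXPECTED and s["auth_method"].lower() != "dot1x":
            # Device type should be doing 802.1X but was admitted by MAC address only.
            findings.append(("MEDIUM", "Auth method mismatch", mac))

    for (nas, port), macs in per_port.items():
        if len(macs) > MAX_MACS_PER_PORT:
            # Could be an unmanaged switch, a hub, or a rogue AP behind the port.
            findings.append(("HIGH", "Multiple MACs per port", f"{nas} {port}"))
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_SESSIONS):
        print(*f)
```

A switchport with more MACs than the budget is worth correlating with the switch side (pyats-security, below) before calling it a rogue device: a legitimate unmanaged hub in a conference room and a rogue AP look the same from ISE.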

Severity Rating Criteria

CRITICAL -- Immediate risk of unauthorized access or data exfiltration:

  • Default permit-all authorization rules
  • Non-compliant endpoints with unrestricted access
  • Guest endpoints on production VLANs
  • Permit-all SGACLs between untrusted and trusted segments

HIGH -- Significant policy gap that could be exploited:

  • Unknown endpoints with production access
  • Missing TrustSec matrix entries
  • Stale or shadowed authorization rules
  • Low-certainty profiling with production access

MEDIUM -- Policy weakness that should be addressed this cycle:

  • Missing posture reassessment
  • Auth method mismatches
  • Insufficient profiling probes
  • Long-lived sessions without reauth

LOW -- Housekeeping and hygiene items:

  • Unused SGTs or dead profiles
  • Duplicate authorization conditions
  • Minor documentation gaps

Audit Report Format

ISE Posture Audit Report
ISE Deployment: $ISE_BASE
Audit Date: YYYY-MM-DD

CRITICAL FINDINGS (Immediate Action Required):
  1. [C-001] Default AuthZ rule grants PermitAccess — all unmatched endpoints get full access
  2. [C-002] 14 endpoints marked non-compliant but not quarantined
  3. [C-003] SGACL "Permit_All" applied to IoT-to-Server matrix cell

HIGH FINDINGS (Address This Week):
  4. [H-001] 23% of endpoints profiled as "Unknown" — profiling gap
  5. [H-002] SGT "Employees" assigned to both corporate laptops and contractor devices
  6. [H-003] 3 authorization rules shadowed by permissive rule at rank 1

MEDIUM FINDINGS (Address This Month):
  7. [M-001] No posture reassessment configured — one-time check only
  8. [M-002] 47 sessions active > 24h without reauthentication
  9. [M-003] 12 endpoints using MAB instead of expected 802.1X

LOW / INFORMATIONAL:
  10. [L-001] 5 unused SGTs: "Test_SGT", "Legacy_Printers", etc.
  11. [L-002] 3 profiler profiles with zero matched endpoints

Summary: 3 Critical | 3 High | 3 Medium | 2 Low

Policy Sets Reviewed: N
Authorization Rules Reviewed: N
Endpoints Analyzed: N
SGTs Evaluated: N
Active Sessions Checked: N

Integration with Other Skills

  • Use pyats-security to verify device-side 802.1X configuration matches ISE policy (RADIUS server config, dot1x port settings, CoPP for RADIUS traffic)
  • Use gait-session-tracking to record the full audit in the GAIT immutable audit trail
  • Use markmap-viz to visualize the ISE policy hierarchy (Policy Sets > AuthZ Rules > Conditions > Results)
  • Use ise-incident-response when a CRITICAL finding requires immediate endpoint investigation
  • Use servicenow-change-workflow to create Change Requests for ISE policy remediation

GAIT Audit Trail

After completing the audit, record the session in GAIT. The counts and critical items in the content string below are the ones from the sample report above; substitute the actual results of the audit:

python3 $MCP_CALL "python3 -u $GAIT_MCP_SCRIPT" gait_record_turn '{"input":{"role":"assistant","content":"ISE posture audit completed. ISE: $ISE_BASE. Findings: 3 CRITICAL, 3 HIGH, 3 MEDIUM, 2 LOW. Critical items: default permit-all AuthZ rule, 14 non-compliant endpoints not quarantined, permit-all SGACL on IoT-to-Server cell.","artifacts":[]}}'

Markmap Visualization

Generate a findings mind map for the audit report (the headings below mirror the sample report; replace them with the actual findings):

python3 $MCP_CALL "node $MARKMAP_MCP_SCRIPT" markmap_customize '{"markdown_content":"# ISE Policy Audit\n## CRITICAL\n### Default AuthZ permits all\n### Non-compliant endpoints active\n### Permit-all SGACL\n## HIGH\n### 23% Unknown endpoints\n### SGT overlap (employees + contractors)\n### Shadowed AuthZ rules\n## MEDIUM\n### No posture reassessment\n### Long-lived sessions\n### MAB instead of 802.1X\n## LOW\n### Unused SGTs\n### Dead profiler profiles","theme":"dark"}'