https://community.cisco.com/t5/network-access-control/ise-posture-requirement-to-check-if-endpoint-s-usp-port-is/m-p/2352371#M112903 <P>Hi,</P><P>I wonder if it is possible to set the disabled USP Port in the endpoints as a requirement in ISE Posture ?</P><P></P><P></P><P>Appreciate your input.</P><P></P><P></P><P>Mike</P> Mon, 11 Mar 2019 04:09:32 GMT ccie16351 2019-03-11T04:09:32Z https://community.cisco.com/t5/network-access-control/ise-posture-requirement-to-check-if-endpoint-s-usp-port-is/m-p/2352371#M112903 <P>Hi,</P><P>I wonder if it is possible to set the disabled USP Port in the endpoints as a requirement in ISE Posture ?</P><P></P><P></P><P>Appreciate your input.</P><P></P><P></P><P>Mike</P> Mon, 11 Mar 2019 04:09:32 GMT https://community.cisco.com/t5/network-access-control/ise-posture-requirement-to-check-if-endpoint-s-usp-port-is/m-p/2352371#M112903 ccie16351 2019-03-11T04:09:32Z https://community.cisco.com/t5/network-access-control/ise-posture-requirement-to-check-if-endpoint-s-usp-port-is/m-p/2352372#M112922 <HTML><HEAD></HEAD><BODY><P>If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.</P><P></P><P>Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.</P><P></P><P>You would have to create a New Posture Condition and Remediations.</P><P></P><P>The condition that I will use in this example is a Registry Key. </P><P></P><P>If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.&nbsp; A value of 4 is disabled.</P><P></P><P>So set a Posture Condition:</P><P></P><P><STRONG>Click Policy &gt; Policy Elements &gt; Conditions</STRONG></P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/7/9/168970-USB_1.GIF" class="jive-image" /></P><P></P><P>Choose <STRONG>Posture</STRONG> from the left menu:</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/4/7/9/168974-USB_2.GIF" class="jive-image" /></P><P></P><P>Then choose <STRONG>Registry Condition</STRONG> from the left menu.</P><P></P><P>Click <STRONG>+Add</STRONG> to add a new Posture Condition:</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/7/9/168975-USB_End.GIF" class="jive-image" /></P><P></P><P>Then you have to create Remediation Actions.&nbsp; Click the <STRONG>Results</STRONG> button at the top of the left Menu:</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/6/7/9/168976-REMED_1.GIF" class="jive-image" /></P><P></P><P>Choose <STRONG>Remediation Actions</STRONG> and choose the Remediation you want to use.&nbsp; I chose <STRONG>Link Remediation</STRONG>.</P><P></P><P><STRONG>+Add</STRONG> to add a new Link Remediation:</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/8/9/168980-REMED_2.GIF" class="jive-image" /></P><P></P><P>Then choose <STRONG>Requirements</STRONG> from the left menu and create a new Remediation Result:</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/1/8/9/168981-REMED_3.GIF" class="jive-image" /></P><P></P><P>Of course, you can choose different remediations as necessary for your environment.</P><P></P><P>Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.&nbsp; Otherwise, feel free to post follow-up questions.</P><P></P><P>Charles Moreton</P></BODY></HTML> Thu, 05 Dec 2013 16:17:42 GMT https://community.cisco.com/t5/network-access-control/ise-posture-requirement-to-check-if-endpoint-s-usp-port-is/m-p/2352372#M112922 Charlie Moreton 2013-12-05T16:17:42Z https://community.cisco.com/t5/network-access-control/ise-posture-requirement-to-check-if-endpoint-s-usp-port-is/m-p/2352373#M112932 <HTML><HEAD></HEAD><BODY><P>Hi Charles,</P><P>&nbsp;&nbsp;&nbsp; I hasn't tried the solution, yet, but what you have said, with the pictorial detailed steps, I am quite confident, it will work.</P><P></P><P>Very much appreciated</P></BODY></HTML> Thu, 05 Dec 2013 17:15:02 GMT https://community.cisco.com/t5/network-access-control/ise-posture-requirement-to-check-if-endpoint-s-usp-port-is/m-p/2352373#M112932 ccie16351 2013-12-05T17:15:02Z