topic Re: Enforcing OS version using ISE in Network Access Control

Enforcing OS version using ISE

VipulAgr — Tue, 18 May 2021 08:14:46 GMT

Folks,

Is there is anyway to verify minimum OS version in ISE policy set , e.g. allowing only

Windows10 1903 (build 18362) or higher
Mac OS - 10.14 or higher

Re: Enforcing OS version using ISE

balaji.bandi — Tue, 18 May 2021 08:58:56 GMT

is this BYOD or pre-deployed equiment ?

ISE with Posture check do this for you.

Re: Enforcing OS version using ISE

Marcelo Morais — Tue, 18 May 2021 10:55:58 GMT

Hi @VipulAgr ,

at Policy > Profiling > Profiling Policies, create the following Profiler Policy (for ex.)

Name: Build18362
Parent Policy: Windows10-Workstation
Condition: ACIDEX_device-platform-version CONTAINS 10.0.18362

At Logical Profiles, create the following Logical Profile (for ex.)

Name: Windows10-Builds
Assigned Policies: Build18362

At Policy > Policy Set you are able to create an Authorization Policy like this:

Hope this helps !!!

Re: Enforcing OS version using ISE

VipulAgr — Tue, 18 May 2021 12:14:20 GMT

Thanks Marcelo, That's really helpful. I was hoping to have a straight forward profile which allows OS versions higher than specific, but looks like I need to create multiple logical profiles for each version which I need to allow. But that works.

Re: Enforcing OS version using ISE

Peter Koltl — Thu, 20 May 2021 11:58:20 GMT

~~Surprisingly, this cannot be enforced in a posture policy .~~

Re: Enforcing OS version using ISE

VipulAgr — Thu, 20 May 2021 08:00:36 GMT

Yeah True, very surprising when Posture policies are so feature rich but doesn't support this basic requirement.

Re: Enforcing OS version using ISE

Marcelo Morais — Thu, 20 May 2021 11:25:19 GMT

Hi @Peter Koltl and @VipulAgr ,

to "enforce" in a Posture Policy, try this:

In Work Centers > Posture > Policy Elements > Conditions > Registry:

Regitry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: ProductName
Value Data: 10

Regitry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: CurrentBuild
Value Data: 18362

In Work Centers > Posture > Policy Elements > Requirements, create the following:

Name: Req-Check-WindowsOSVersion
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOSVersion | Message Text Only

Name: Req-Check-WindowsOS_Build
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOS_Build | Message Text Only

In Work Centers > Posture > Posture Policy:

Rule Name: SO-Mandatory
Identity Groups: Any
Operating Systems: Windows All
Compliance Module: 4.x or later
Posture Type: Any Connect
Other Conditions: <choose your condition>
Requirements: Mandatory - Check-WindowsOSVersion and Mandatory - Check-WindowsOS_Build

Hope this helps !!!

Re: Enforcing OS version using ISE

VipulAgr — Fri, 21 May 2021 08:03:35 GMT

Thanks much again Marcelo,

But I guess it would work only with Windows machine, not for any other OS e.g. MAC and generally enterprise will have various Client OSs to look at.