topic Hi phosawyer,I have all these in Network Access Control

ISE - Checking Windows version

andre.ortega — Mon, 11 Mar 2019 06:06:01 GMT

Hello there,

I'd like to create an authorization rule on ISE to check the version of OS.

For example, If OS = Windows 8 then Accept_Access.

How could I do that?

I have the option "Endpoints:OperatingSystem equals" but I didn't find any OS to complete the rule.

Regards.

You can specify OS versions

Marvin Rhoads — Tue, 29 Sep 2015 11:15:21 GMT

You can specify OS versions in a posture policy. It gives you options like Windows XP, 7, 8, 8.1 10 etc.

Reference.

Hi Marvin,I need a

andre.ortega — Tue, 29 Sep 2015 18:17:28 GMT

Hi Marvin,
I need a authorization rule based on OS.
Is it possible? Or how could I create a posture policy to accomplish that?

Thank you.

Andre,Think of the Posture

Marvin Rhoads — Tue, 29 Sep 2015 20:48:11 GMT

Andre,

Think of the Posture policy as a tool to give you more information on which to base your Authorization (AuthZ) policy. The various pieces of ISE build on one another like building blocks to give you the granular context-based AuthZ policy you are talking about.

So create a Posture policy that checks for OS version. The result of that policy is then used in your AuthZ policy to grant access or perform other CoA actions.

This slide from Cisco Live shows what I'm talking about with the pieces working together from AuthC through AuthZ:

Hi Marvin,Thank you for all

andre.ortega — Wed, 30 Sep 2015 12:54:43 GMT

Hi Marvin,

Thank you for all the attention on this post and for your contribution on this community.

I am trying to figure out how to create a posture rule to check the OS. I know that is possible to specify the OS version as a conditions, but I don't know what will be the requirement.

For example, I can make a posture rule like:

If Windows 8 then AV should be OfficeScan10 (to be compliant)

Now I need a rule like:

If Windows 8 then ???? (to be compliant)

What is the requirement that I have to configure?

Best Regards.

You need to implement posture

phosawyer — Wed, 30 Sep 2015 13:05:42 GMT

You need to implement posture assessment as Martin says.

This will include either using the NAC client or most probably using the Anyconnect client with the posture module.

Then the module will report to ISE extra required information to be able to do what you want.

Hi phosawyer,could you please

andre.ortega — Wed, 30 Sep 2015 14:14:50 GMT

Hi phosawyer,

could you please give me um example of this rule?

Regards.

Here is a TAC document on

phosawyer — Wed, 30 Sep 2015 14:38:09 GMT

Here is a TAC document on integrating ISE with anyconnect

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118714-configure-ise-00.html

And this is a TAC document on designing posture policy to be able to have remediation, in this case using WSUS to update windows.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119214-configure-ise-00.html

Hi phosawyer,I have all these

andre.ortega — Wed, 30 Sep 2015 14:39:41 GMT

Hi phosawyer,

I have all these working (ISE, AC 4, posture rules for AV and WSUS)...

I'd like just to have a rule that check the OS version.

Thanks.

Ok I understand now Andre, I

phosawyer — Wed, 30 Sep 2015 15:14:55 GMT

Ok I understand now Andre,

I had a quick look and there is a Session:Device-OS condition, which then allows you to select.

However I only am able to select Windows as opposed to a version of windows. This is odd as in the provisioning rules there are specific versions of windows (vista,7,8) and so would've thought the same would be available for the Policy.

Now you got my point

andre.ortega — Wed, 30 Sep 2015 20:15:01 GMT

Now you got my point phosawyer.

Does anyone know how to do that?

I mean, to create a rule that check the Windows version, and If it is Windows 8, then give the access.

Regards.

I am posting just to say that

andre.ortega — Thu, 01 Oct 2015 00:23:05 GMT

I am posting just to say that I found an option.

On Profiling Policies there are policies for Windows7, Windows8, Windows10,... one way to do what I was asking for is to create a "matching identity group", and then to use this identity group on authz policy.

Thanks.