topic Re: ISE posture for Active Directory join in Network Access Control

ISE posture for Active Directory join

manvik — Mon, 27 Jan 2025 08:15:58 GMT

Other than checking in registry condition, any mechanism to identify whether a windows PC is joined to AD domain?
ISE version 3.4, secure client 5.1

Re: ISE posture for Active Directory join

Rob Ingram — Mon, 27 Jan 2025 10:07:51 GMT

@manvik the recommended way to identify a domain joined corporate asset by checking the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

Value=domain.name is your domain name

Re: ISE posture for Active Directory join

manvik — Mon, 27 Jan 2025 09:57:58 GMT

Other than checking in registry condition??

Re: ISE posture for Active Directory join

Rob Ingram — Mon, 27 Jan 2025 10:07:07 GMT

@manvik checking the registry is the primary way to determine if joined to the domain.

Else, not posture related, but use EAP Chaining (EAP-FAST/TEAP) that would check to see if the computer has a domain issued certificate + user certificate. Typically a computer won't have a certificate unless joined to the domain.

Or with posture you can check to see whether a specific application (i.e the Corporate installed AV or other software) is installed on a computer.

Re: ISE posture for Active Directory join

Jonatan Jonasson — Mon, 27 Jan 2025 10:10:51 GMT

There are a few command-line ways to identify the domain.

For example:

systeminfo | findstr /B "Domain"

^^- will show "Domain: WORKGROUP" if not in domain

And: dsregcmd /status
^^- the first section shows if the computer is AD or AAD joined:
(see screenshot example)

And the powershell command: Get-CimInstance win32_computersystem
^^- will show under the Domain column which domain (if any) the computer is joined.

There may be other ways as well if you just google for how to check this via powershell.
And with this info you should be able to craft a .ps1 script for the posture evaluation.

Just keep in mind that if your company is moving to EntraID(Azure) joined machines, the results will not be the same as when checking for on-premises AD joined.

Re: ISE posture for Active Directory join

manvik — Mon, 27 Jan 2025 10:17:15 GMT

thanks, how to check if the computer has a domain issued certificate + user certificate.

Re: ISE posture for Active Directory join

Danny Dulin — Wed, 26 Mar 2025 12:53:41 GMT

Can this be done for VPN connections?

Re: ISE posture for Active Directory join

manvik — Thu, 27 Mar 2025 04:36:41 GMT

if you're referring to posture, yes it can be done for Anyconnect VPN.

Re: ISE posture for Active Directory join

Azizi123 — Thu, 27 Mar 2025 06:11:59 GMT

@manvik

run i nthe CMD command

systeminfo | findstr /B /C:"Domain"

wmic computersystem get domain

(Get-WmiObject Win32_ComputerSystem).PartOfDomain

(Get-WmiObject Win32_ComputerSystem).Domain

net config workstation

other then that:

Press Win + R, type sysdm.cpl, and press Enter.

Re: ISE posture for Active Directory join

manvik — Thu, 27 Mar 2025 06:18:54 GMT

thank you @Azizi123 commands looks helpful, but how to do Posture from ISE with these commands other powershell script.
Powershell might be disabled in most systems.

Re: ISE posture for Active Directory join

Azizi123 — Thu, 27 Mar 2025 06:32:28 GMT

Dear manvik:

you'll need to rely on Cisco's built-in agents (like the ISE Posture Agent) for a more automated approach. This agent performs checks on the endpoint's compliance with your ISE security policies.

Requirements:

You need a Cisco ISE license to use the posture functionality.

Cisco AnyConnect must be licensed, and the Posture module needs to be enabled on the Cisco ISE platform.

How to Get the AnyConnect Client with the Posture Module:

Step 1: Ensure you have a Cisco account and the necessary licensing for Cisco AnyConnect and ISE.

Step 2: Log in to the Cisco Software Download page.

Step 3: Search for Cisco AnyConnect Secure Mobility Client.

Step 4: Choose the version you want to download.

Step 5: Select the Posture module as part of the AnyConnect package during installation. Make sure your Cisco ISE is properly configured to interact with the posture agent.