解決済み: Cisco ISE のプロファイリングにおいて、Windows Server OS を識別したい

cja56910tf · ‎2021-09-16

Cisco ISE 3.1 を使用しています。

プロファイリング機能を利用して可能な限り端末情報を識別できるようにしているのですが、Windows Server 2012/2016/2019だけは上手く識別出来ません。

※その他のWindows WorkStationは Windows xp/7/8/Vista/10 が識別出来ます。

「ポリシー --> プロファイリング --> プロファイリングポリシー」の一覧を確認した所、Windows Server 2012/2016/2019に該当するものが事前設定(PreDefine)されていませんでした。

どうやら一覧に期待するProfileが無い場合は､Profiling Policyなどで独自にConditionやPolicyを作成して定義する必要があるようなのですが、具体的にはどのように設定したら良いかが分からずに困っております。

もしWindows Server OS を識別できるようなカスタムProfiling Policy を作成された事のある方がおられましたら、それをご開示/ご提供いただけませんでしょうか。

なお、ISE Profiling Design Guideは読んでみたのですが、難しい＆長すぎて恥ずかしながら理解が出来ませんでした・・・

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

Rain_CiscoFun · ‎2021-09-29

こんにちは

Profilling ポリシーはCiscoが提供したの既存のルールは以下あると思います。

Windows10-Workstation

Enabled

Cisco Provided

Policy for Microsoft Windows 10 workstation

Windows7-Workstation

Enabled

Cisco Provided

Policy for Microsoft Windows 7 workstation

Windows8-Workstation

Enabled

Cisco Provided

Policy for Microsoft Windows 8 workstation

WindowsXP-Workstation

Enabled

Cisco Provided

Policy for Microsoft Windows XP workstation

上記ルールは以下のConditionを参照したので、その既存ルールを真似してWindows Server 2012/2016/2019 の条件をカスタマイズしてみていただければ、動きますでしょうか。

Windows10-Workstation-Rule2-Check1

Cisco Provided

User-Agent CONTAINS Windows NT 10.0

Condition for Windows10-Workstation based on IP:User-Agent

Windows10-Workstation-Rule3-Check1

Cisco Provided

device-platform-version STARTSWITH 10.0

Condition for Windows10-Workstation based on ACIDEX:device-platform-version

Windows10-Workstation-Rule4-Check1

Cisco Provided

SMB.operating-system CONTAINS Windows 10

Condition for Windows10-Workstation, based on NMAP:SMB.operating-system

Windows10-Workstation-Rule5-Check1

Cisco Provided

AD-Operating-System CONTAINS Windows 10

Condition for Windows10-Workstation, based on ACTIVEDIRECTORY:AD-Operating-System

Windows10-Workstation-Rule6-Check1

Cisco Provided

User-Agent CONTAINS WINDOWS_10

Condition for Windows10-Workstation, based on IP:User-Agent

Windows10-WorkstationRule1Check1

Cisco Provided

User-Agent CONTAINS Windows NT 6.4

Windows10-WorkstationRule1Check1

Windows7-Workstation-Rule2-Check1

Cisco Provided

SMB.operating-system CONTAINS Windows 7

Condition for Windows7-Workstation, based on NMAP:SMB.operating-system

Windows7-Workstation-Rule3-Check1

Cisco Provided

AD-Operating-System CONTAINS Windows 7

Condition for Windows7-Workstation, based on ACTIVEDIRECTORY:AD-Operating-System

Windows7-Workstation-Rule6-Check1

Cisco Provided

User-Agent CONTAINS WINDOWS_7

Condition for Windows7-Workstation, based on IP:User-Agent

Windows7-WorkstationRule1Check1

Cisco Provided

User-Agent CONTAINS Windows NT 6.1

Windows7-WorkstationRule1Check1

Windows8-Workstation-Rule4-Check1

Cisco Provided

device-platform-version STARTSWITH 6.2

Condition for Windows8-Workstation based on ACIDEX:device-platform-version

Windows8-Workstation-Rule5-Check1

Cisco Provided

device-platform-version STARTSWITH 6.3

Condition for Windows8-Workstation based on ACIDEX:device-platform-version

Windows8-Workstation-Rule6-Check1

Cisco Provided

SMB.operating-system CONTAINS Windows 8

Condition for Windows8-Workstation, based on NMAP:SMB.operating-system

Windows8-Workstation-Rule7-Check1

Cisco Provided

AD-Operating-System CONTAINS Windows 8

Condition for Windows8-Workstation, based on ACTIVEDIRECTORY_PROBE:AD-Operating-System

Windows8-WorkstationRule1Check1

Cisco Provided

User-Agent CONTAINS Windows NT 6.2

Windows8-WorkstationRule1Check1

Windows8-WorkstationRule2Check1

Cisco Provided

User-Agent CONTAINS Windows NT 6.3

Windows8-WorkstationRule2Check1

WindowsXP-Workstation-Rule2-Check1

Cisco Provided

SMB.operating-system CONTAINS Windows XP

Condition for WindowsXP-Workstation, based on NMAP:SMB.operating-system

WindowsXP-Workstation-Rule3-Check1

Cisco Provided

AD-Operating-System CONTAINS Windows XP

Condition for WindowsXP-Workstation, based on ACTIVEDIRECTORY_PROBE:AD-Operating-System

WindowsXP-WorkstationRule1Check1

Cisco Provided

User-Agent CONTAINS Windows NT 5.1

WindowsXP-WorkstationRule1Check1

元の投稿で解決策を見る

Rain_CiscoFun · ‎2021-09-29

こんにちは

Profilling ポリシーはCiscoが提供したの既存のルールは以下あると思います。

Windows10-Workstation

Enabled

Cisco Provided

Policy for Microsoft Windows 10 workstation

Windows7-Workstation

Enabled

Cisco Provided

Policy for Microsoft Windows 7 workstation

Windows8-Workstation

Enabled

Cisco Provided

Policy for Microsoft Windows 8 workstation

WindowsXP-Workstation

Enabled

Cisco Provided

Policy for Microsoft Windows XP workstation

上記ルールは以下のConditionを参照したので、その既存ルールを真似してWindows Server 2012/2016/2019 の条件をカスタマイズしてみていただければ、動きますでしょうか。

Windows10-Workstation-Rule2-Check1

Cisco Provided

User-Agent CONTAINS Windows NT 10.0

Condition for Windows10-Workstation based on IP:User-Agent

Windows10-Workstation-Rule3-Check1

Cisco Provided

device-platform-version STARTSWITH 10.0

Condition for Windows10-Workstation based on ACIDEX:device-platform-version

Windows10-Workstation-Rule4-Check1

Cisco Provided

SMB.operating-system CONTAINS Windows 10

Condition for Windows10-Workstation, based on NMAP:SMB.operating-system

Windows10-Workstation-Rule5-Check1

Cisco Provided

AD-Operating-System CONTAINS Windows 10

Condition for Windows10-Workstation, based on ACTIVEDIRECTORY:AD-Operating-System

Windows10-Workstation-Rule6-Check1

Cisco Provided

User-Agent CONTAINS WINDOWS_10

Condition for Windows10-Workstation, based on IP:User-Agent

Windows10-WorkstationRule1Check1

Cisco Provided

User-Agent CONTAINS Windows NT 6.4

Windows10-WorkstationRule1Check1

Windows7-Workstation-Rule2-Check1

Cisco Provided

SMB.operating-system CONTAINS Windows 7

Condition for Windows7-Workstation, based on NMAP:SMB.operating-system

Windows7-Workstation-Rule3-Check1

Cisco Provided

AD-Operating-System CONTAINS Windows 7

Condition for Windows7-Workstation, based on ACTIVEDIRECTORY:AD-Operating-System

Windows7-Workstation-Rule6-Check1

Cisco Provided

User-Agent CONTAINS WINDOWS_7

Condition for Windows7-Workstation, based on IP:User-Agent

Windows7-WorkstationRule1Check1

Cisco Provided

User-Agent CONTAINS Windows NT 6.1

Windows7-WorkstationRule1Check1

Windows8-Workstation-Rule4-Check1

Cisco Provided

device-platform-version STARTSWITH 6.2

Condition for Windows8-Workstation based on ACIDEX:device-platform-version

Windows8-Workstation-Rule5-Check1

Cisco Provided

device-platform-version STARTSWITH 6.3

Condition for Windows8-Workstation based on ACIDEX:device-platform-version

Windows8-Workstation-Rule6-Check1

Cisco Provided

SMB.operating-system CONTAINS Windows 8

Condition for Windows8-Workstation, based on NMAP:SMB.operating-system

Windows8-Workstation-Rule7-Check1

Cisco Provided

AD-Operating-System CONTAINS Windows 8

Condition for Windows8-Workstation, based on ACTIVEDIRECTORY_PROBE:AD-Operating-System

Windows8-WorkstationRule1Check1

Cisco Provided

User-Agent CONTAINS Windows NT 6.2

Windows8-WorkstationRule1Check1

Windows8-WorkstationRule2Check1

Cisco Provided

User-Agent CONTAINS Windows NT 6.3

Windows8-WorkstationRule2Check1

WindowsXP-Workstation-Rule2-Check1

Cisco Provided

SMB.operating-system CONTAINS Windows XP

Condition for WindowsXP-Workstation, based on NMAP:SMB.operating-system

WindowsXP-Workstation-Rule3-Check1

Cisco Provided

AD-Operating-System CONTAINS Windows XP

Condition for WindowsXP-Workstation, based on ACTIVEDIRECTORY_PROBE:AD-Operating-System

WindowsXP-WorkstationRule1Check1

Cisco Provided

User-Agent CONTAINS Windows NT 5.1

WindowsXP-WorkstationRule1Check1

cja56910tf · ‎2021-09-29

こんにちは

ご回答ありがとうございます。

ご教授いただいた内容のおかげで、既存ルールをベースにどこを修正してカスタムプロファイルポリシーを作成すれば良いのか、何となく朧げに見えてきました。

ただ、Windows Server の場合はどの項目をどの条件にしたら良いかがやはり分かりません。

そのあたりについては何かご存知ないでしょうか。