03-01-2021 02:13 AM
Hello Experts,
ISE Setup:
2.7 with patch 3
Use case:
Run a certain posture checks only for laptops.
Configuration:
To accomplish this, I have created a profiling policy, which segregates laptops based on hostnames (as naming convention is different for laptops and desktops).
And in the profiling policy I have selected the option to create an endpoint group as well.
This has created the endpoint group, and it is being populated with the laptop endpoints fine.
Issue
Now, I go to the Policy -> Posture -> Posture Policy -> create or edit a policy and click Identity Group, I do not see this newly created group. But if I create an identity group manually, then it is visible under it.
Is this supported, or is another method needed?
03-01-2021 08:09 AM
Hi @dgaikwad,
answering your question about "Then can the logical profiles be used in posture policies?" and beyond what @Mike.Cifelli said ...
You are not able to use Logical Profiles in the Identity Groups column, but you can use them in the Other Conditions column ... in other words:
If Identity Groups = Any and Operating Systems = Windows All and Compliance Module = 4.x or later and Posture Type = AnyConnect and Other Conditions:
Add Attribute/Value
EndPoints:LogicalProfile = <Logical Profile Name>
Hope this helps !!!
03-01-2021 04:28 AM
Hi @dgaikwad ,
you have two options: User Identity Groups or Endpoint Identity Groups.
You can find the Groups at: Administration > Identity Management > Groups > User Identity Groups | Endpoint Identity Groups.
In the Endpoint Identity Groups, if the Parent Group is profiled, then you are unable to check this Identity Group on Posture Policy - Identity Groups column.
Note: at Policy > Profiling > Profiling Policies, you are able to check that this Endpoint Identity Group has the Yes, create matching Identity Group checkbox marked.
Hope this helps !!!
03-01-2021 06:02 AM
So, that means if the devices are profiled using a profiling policy, then I would not be able to use them with a posture policy.
But then how shall I use devices profiled using a policy? As there are already thousands of devices, it will be a tedious job to add them manually to an endpoint identity group...
Then can the logical profiles be used in posture policies?
03-01-2021 06:47 AM
AFAIK you can't specifically match on profiled endpoint groups as you mentioned in posture policies. However, there is something you could test to see if it meets your needs. Continue profiling as you wish, and reference the profiled endpoint group in the other conditions utilizing the 'EndPointPolicy' condition. Essentially this would test posturing only against devices that have been assigned the respective profiling policy. Under context visibility you can search on this attribute to ensure things are aligned/profiled properly. HTH!
03-10-2021 09:58 PM
Yes, this was the exact method that I had used to profile the endpoints. Initially I was under the impression that I could call these profiled endpoint groups directly in the posture policies.
But then using the logical profile solved the issue.