1831 Views, 10 Helpful, 5 Replies

Calling endpoint groups in posture conditions

dgaikwad (Level 5)

Hello Experts,

ISE Setup:
2.7 with patch 3

Use case:
Run a certain posture checks only for laptops.

Configuration:

To accomplish this, I have created a profiling policy, which segregates laptops based on hostnames (as the naming convention is different for laptops and desktops).
In the profiling policy I have also selected the option to create an endpoint group, which has created this endpoint group and is populating the laptop endpoints fine.

Issue
Now, I go to the Policy -> Posture -> Posture Policy -> create or edit a policy and click Identity Group, I do not see this newly created group. But if I create an identity group manually, then it is visible under it.

Is this something supported or another method is needed?

Accepted Solution

Hi @dgaikwad,

Answering your question about "Then can the logical profiles be used in posture policies?" and beyond what @Mike.Cifelli said ...

You are not able to use Logical Profiles in the Identity Groups column, but you can use them in the Other Conditions column ... in other words:

If Identity Groups = Any and Operating Systems = Windows All and Compliance Module = 4.x or later and Posture Type = AnyConnect and Other Conditions:
Add Attribute/Value
EndPoints:LogicalProfile = <Logical Profile Name>

Hope this helps !!!

5 Replies

Hi @dgaikwad,

You have two options: User Identity Groups or Endpoint Identity Groups.

You can find the Groups at: Administration > Identity Management > Groups > User Identity Groups | Endpoint Identity Groups.

In the Endpoint Identity Groups, if the Parent Group is Profiled, then you are unable to select this Identity Group in the Posture Policy Identity Groups column.

Note: at Policy > Profiling > Profiling Policies, you are able to check that this Endpoint Identity Group has the "Yes, create matching Identity Group" checkbox marked.

Hope this helps !!!

So, that means if the devices are profiled using a profiling policy then I would not be able to use them with a posture policy.
But then how shall I use devices profiled using a policy? There are already thousands of devices, so it would be a tedious job to add them manually to an endpoint identity group...

Then can the logical profiles be used in posture policies?


Mike.Cifelli (VIP Alumni)

AFAIK you can't specifically match on profiled endpoint groups as you mentioned in posture policies. However, there is something you could test to see if it meets your needs. Continue profiling as you wish, and reference the profiled endpoint group in the other conditions utilizing the 'EndPointPolicy' condition. Essentially this would test posturing only against devices that have been assigned the respective profiling policy. Under Context Visibility you can search on this attribute to ensure things are aligned/profiled properly. HTH!

 

 
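The two workarounds above (an Other Conditions match on EndPoints:LogicalProfile from the accepted solution, or on EndPoints:EndPointPolicy as Mike.Cifelli suggests) and the Context Visibility sanity check can be modelled offline. The following Python is an added example written for this page, not code from the thread or from Cisco ISE: it mimics how a posture policy with Identity Groups = Any plus an endpoint attribute/value condition is evaluated against endpoint records, and it flags endpoints whose hostname says "laptop" but whose profiling result disagrees. The hostname prefixes, policy names, logical profile name, CSV columns and all endpoint rows are constructed assumptions, not values from the original post.

```python
import csv
import io
import re

# Assumed hostname convention for this example: laptops start with "LT-",
# desktops with "DT-". The thread only says the conventions differ.
LAPTOP_HOSTNAME_RE = re.compile(r"^LT-", re.IGNORECASE)

# Assumed names: the custom profiling policy (which also creates a matching
# endpoint identity group) and the logical profile that wraps it.
LAPTOP_POLICY = "Corp-Laptop"
LAPTOP_LOGICAL_PROFILE = "Corp-Laptops-LP"

# Constructed, Context-Visibility-style export (not a real ISE export).
# Row 3 is a laptop by hostname that the profiler has NOT matched yet.
ENDPOINTS_CSV = """MACAddress,hostname,EndPointPolicy,LogicalProfile,EndPointIdentityGroup
00:11:22:33:44:01,LT-1001,Corp-Laptop,Corp-Laptops-LP,Corp-Laptop
00:11:22:33:44:02,DT-2001,Windows10-Workstation,,Profiled
00:11:22:33:44:03,LT-1002,Windows10-Workstation,,Profiled
00:11:22:33:44:04,lt-1003,Corp-Laptop,Corp-Laptops-LP,Corp-Laptop
"""

# Posture policies as the thread describes them: Identity Groups = Any, with
# the laptop selection done in "Other Conditions" as an attribute/value pair.
POLICY_BY_LOGICAL_PROFILE = {
    "name": "Laptop-Posture-via-LogicalProfile",
    "identity_groups": "Any",
    "other_conditions": {"EndPoints:LogicalProfile": LAPTOP_LOGICAL_PROFILE},
}
POLICY_BY_ENDPOINT_POLICY = {
    "name": "Laptop-Posture-via-EndPointPolicy",
    "identity_groups": "Any",
    "other_conditions": {"EndPoints:EndPointPolicy": LAPTOP_POLICY},
}


def parse_endpoints(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def expected_laptop(ep):
    """What the naming convention says the device should be."""
    return bool(LAPTOP_HOSTNAME_RE.match(ep["hostname"]))


def posture_policy_applies(policy, ep):
    """Evaluate one posture policy against one endpoint record."""
    # Identity Groups column: the profiled group cannot be selected here, so
    # the policy keeps "Any" and the selection lives in other_conditions.
    if policy["identity_groups"] != "Any" and \
            ep.get("EndPointIdentityGroup") != policy["identity_groups"]:
        return False
    for attr, value in policy["other_conditions"].items():
        dictionary, name = attr.split(":", 1)  # e.g. EndPoints:LogicalProfile
        if dictionary != "EndPoints" or ep.get(name, "") != value:
            return False
    return True


def audit(endpoints, policy):
    """Return (MACs the policy would posture, MACs whose profiling result
    disagrees with the hostname convention)."""
    postured, misprofiled = [], []
    for ep in endpoints:
        if posture_policy_applies(policy, ep):
            postured.append(ep["MACAddress"])
        if expected_laptop(ep) != (ep["EndPointPolicy"] == LAPTOP_POLICY):
            misprofiled.append(ep["MACAddress"])
    return postured, misprofiled


if __name__ == "__main__":
    eps = parse_endpoints(ENDPOINTS_CSV)
    for pol in (POLICY_BY_LOGICAL_PROFILE, POLICY_BY_ENDPOINT_POLICY):
        got, bad = audit(eps, pol)
        print(pol["name"], "postures:", got)
        print("  hostname/profiling mismatches to investigate:", bad)
```

Both policies select the same endpoints because the logical profile simply wraps the profiling policy; the mismatch list is the thing to check in Context Visibility before trusting the posture scope, since an unprofiled laptop silently falls outside it.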

Yes, this was the exact method that I had used to profile the endpoints. Initially I was under the impression that I could call these profiled endpoint groups directly in the posture policies.
But then using the logical profile solved the issue.