Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2294
Views
0
Helpful
4
Replies
nikolaie
Beginner
Beginner
‎06-28-2020 11:59 PM
‎06-28-2020 11:59 PM

Cisco ISE Posture and OS Selections

Hi, We are in the process of deploying Posture Assessment across the business but would like to target only a particular flavor of Windows 10 Operating System, i.e., Enterprise, instead of ALL Win 10 versions.   This granular selection of the OS is required because we have hundreds of thin clients running Windows 10 Embedded so we'd prefer they do not participate in posture assessment.   Cisco ISE Version 2.6.0.156, Patch 3.

 

Question: Can the Client Provisioning Policy rules around Operating Systems be modified to include more granular versions of an OS type, i.e., Windows 10 Professional, Windows 10 Enterprise, etc.  These options are available when created a Posture Policy just not when creating a Client Provisioning Policy.  Thanks in advance.

Preview file
22 KB
Preview file
20 KB
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor
‎06-29-2020 05:55 AM
‎06-29-2020 05:55 AM

AFAIK for the CPP rules you cannot include more granular OS under the 'If' column. However, you have the ability to rely on 'other conditions' to ensure that you only steer the clients you wish to be subject to ISE posturing. Some examples include: rely on different AD security groups; tunnel group name identifiers from VPN profiles; along with many others. You can create conditions as well. My suggestion would be to identify which specific conditions you can utilize to keep Win10 Enterprise separate from the rest of the bunch. Good luck & HTH!

View solution in original post

0 Helpful
4 REPLIES 4
Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor
‎06-29-2020 05:55 AM
‎06-29-2020 05:55 AM

AFAIK for the CPP rules you cannot include more granular OS under the 'If' column. However, you have the ability to rely on 'other conditions' to ensure that you only steer the clients you wish to be subject to ISE posturing. Some examples include: rely on different AD security groups; tunnel group name identifiers from VPN profiles; along with many others. You can create conditions as well. My suggestion would be to identify which specific conditions you can utilize to keep Win10 Enterprise separate from the rest of the bunch. Good luck & HTH!
0 Helpful
nikolaie
Beginner
Beginner
In response to Mike.Cifelli
‎06-30-2020 08:19 PM
‎06-30-2020 08:19 PM

Thanks for the quick response.  Was hoping to avoid using AD security group but it may be the only option available. Thanks again.

0 Helpful
manvik
Beginner
Beginner
In response to Mike.Cifelli
‎12-21-2020 09:53 PM
‎12-21-2020 09:53 PM

Is there an option to identify endpoint operating system via Endpoints:OperatingSystem condition.

direcondition.jpg

It's in the ISE posture conditions.

0 Helpful
Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor
‎12-22-2020 05:36 AM
‎12-22-2020 05:36 AM

@manvik I would suggest testing that condition.  I can tell you that you can rely on the following reg key check to match on OS:

win_reg_chk.PNG

 

*SubKey = SOFTWARE\Microsoft\Windows NT\CurrentVersion\

HTH!

0 Helpful
Latest Contents
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
🧦💚 Tell us about your ZTNA journey in exchange for a pair ...
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Cisco ASA Access-list ACL using network object
Created by Meddane on 06-23-2022 06:59 AM
0
0
0
0
  A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se... view more
How To: Cisco ISE Captive Portals with Aruba Wireless
Created by ahollifield on 06-22-2022 06:23 PM
3
10
3
10
How To: Cisco ISE Captive Portals with Aruba Wireless Authors: Adam Hollifield, Brad Johnson IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube