
Cisco ISE - Posture

Oron Yaniv
Level 1

Hi,

Is there a way to get Hardware properties "Serial Number" with the AnyConnect agent?

Accepted Solutions

pavagupt
Cisco Employee

By default, there is a check called “Hardware_Attributes_Check” which can give you hardware attributes of both Windows and Mac devices. These hardware attributes include:

  1. BIOS manufacturer, Model and Serial number
  2. CPU Name, speed, usage, no. of cores and processors
  3. Memory size and usage
  4. Hard disk
  5. UDID
  6. OS types, etc.

Create a policy with this condition and you would be able to gather hardware properties of Windows and Mac devices.

Once posture is done, you would be able to find the details of the endpoint under Context Visibility > Endpoints > Hardware.

8 Replies

Colby LeMaire
VIP Alumni

If you can find the registry key where the information is stored, you can have ISE check that registry key as a posture condition.

Saurabh Dhakate
Cisco Employee

Can you please elaborate on this? Since the AnyConnect agent is not hardware but software, I don't believe that we can gather that information from the agent.

Both macOS and Windows machines have an SN; can I gather the information with the AC client as part of the posture process?

This would not be Posture, but Profiling of the endpoint. In Posture, we set the condition on ISE and make sure the endpoint passes it in order to be compliant. It is not feasible to create multiple (registry check for SN) conditions for all the endpoints in the environment. The requirement which you have is fetching the SN of the endpoint, which could be done in Profiling. I am not sure if this can be accomplished via the Profiling feature as of now. If not, it could be a valid enhancement. Hope this helps.

Regards,

Saurabh

Cristian Matei
VIP Alumni

Hi,

AnyConnect Identity Extensions is available for both mobile and non-mobile platforms:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118944-technote-anyconnect-00.html

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

If you need thorough and detailed information about endpoints, make use of Context Visibility, but this is not done through AnyConnect:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_admin_guide_27/b_ise_admin_guide_27_chapter_01.html#TheHardwareTab

Regards,

Cristian Matei.

eschwalb
Cisco Employee

Hi Oron, were you able to find a solution to this? I have a similar ask from a customer and have been looking into how to accomplish this. 

thomas
Cisco Employee

Please see the ISE Posture Prescriptive Deployment Guide under the section Agent Considerations for a list of all possible Conditions that you can check for per Platform. It does show that you can get a Hardware Inventory for Windows and macOS, but it is unclear what that does or does not include. You can see the results of your Hardware Inventory under Context Visibility.
