Differentiated posture assessment based on AD machine membership.

Hello Everyone

 Do you guys have a document or an idea on how to begin configuring a policy to assess a host based on its membership? Basically two groups, desktops and notebooks, and both have different requirements to be considered compliant.

Machine and user authentications are working fine, and so is user-based posture. The requirements for desktops and notebooks were created already, but I cannot figure out how to tie them to machine OUs. User accounts don't have any machine-related attribute.
 Can posture run at the machine level?

Advice, ideas and docs are always welcome.

Running distributed ISE 1.3.

Thanks!
Guido

1 ACCEPTED SOLUTION

Cisco Employee

Hi again Guido, what you can do is this:

- Place all laptops in their own security group in AD

- Place all desktops in their own security group in AD

- In ISE, under Policy > Posture: You can create different rules that are matched against the specific AD group membership

As far as documentation, here is an older guide written by TAC:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

Also, the Cisco Press ISE book is a very good resource:

http://www.ciscopress.com/store/cisco-ise-for-byod-and-secure-unified-access-9780133103656

I hope this helps!

 

Thank you for rating helpful posts!
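
One way to carry out the two AD steps in the reply above, as an added example that is not part of the original post: a PowerShell script that keeps one security group per device type in step with the OU holding those computers. The OU paths and group names are hypothetical placeholders, and the script assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example: mirror the computer objects of two OUs into two AD security
# groups, so ISE posture rules can match on AD group membership.
# All OU paths and group names below are hypothetical placeholders.
Import-Module ActiveDirectory

$Map = @(
    @{ Group = 'ISE-Posture-Laptops';  OU = 'OU=Laptops,OU=Workstations,DC=example,DC=com' },
    @{ Group = 'ISE-Posture-Desktops'; OU = 'OU=Desktops,OU=Workstations,DC=example,DC=com' }
)

foreach ($entry in $Map) {
    # Create the security group on first run.
    $group = Get-ADGroup -Filter "Name -eq '$($entry.Group)'"
    if (-not $group) {
        $group = New-ADGroup -Name $entry.Group -GroupScope Global `
            -GroupCategory Security -PassThru
    }

    # Computer objects currently in the OU (including child OUs).
    $wanted = @(Get-ADComputer -Filter * -SearchBase $entry.OU -SearchScope Subtree)

    # Computer objects currently in the group; users or nested groups are ignored.
    $current = @(Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'computer' })

    $wantedDn  = $wanted.DistinguishedName
    $currentDn = $current.DistinguishedName

    # Machines moved into the OU get added; machines moved out get removed.
    $toAdd    = @($wanted  | Where-Object { $_.DistinguishedName -notin $currentDn })
    $toRemove = @($current | Where-Object { $_.DistinguishedName -notin $wantedDn })

    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    # One summary line per group for the run log.
    '{0}: +{1} -{2}' -f $entry.Group, $toAdd.Count, $toRemove.Count
}
```

Adding `-WhatIf` to the `Add-ADGroupMember` and `Remove-ADGroupMember` calls shows the planned changes without applying them.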
