
Differentiated posture assessment based on AD machine membership.

ggalteroo
Level 1

Hello Everyone

 Do you guys have a document or an idea on how to begin configuring a policy to assess a host based on its membership? Basically two groups, desktops and notebooks, and both have different requirements to be considered compliant.

Machine and user authentications are working fine, and so is user-based posture. The requirements for desktops and notebooks were created already, but I cannot figure out how to tie them to machine OUs. User accounts don't have any machine-related attribute.
Can posture run at the machine level?

Advice, ideas and docs are always welcome.

Running distributed ISE 1.3.

Thanks!
Guido

1 Accepted Solution


nspasov
Cisco Employee

Hi again Guido, what you can do is this:

- Place all laptops in their own security group in AD

- Place all desktops in their own security group in AD

- In ISE, under Policy > Posture: You can create different rules that are matched against the specific AD group membership

As far as documentation goes, here is an older guide written by TAC:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

Also, the Cisco Press ISE book is a very good resource:

http://www.ciscopress.com/store/cisco-ise-for-byod-and-secure-unified-access-9780133103656

I hope this helps!

 

Thank you for rating helpful posts!
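
The first two steps of the answer above, as an added example that is not part of the original post: a PowerShell script that keeps one AD security group per device type in sync with the machine OUs, so the posture rules can match on group membership. The OU distinguished names, the group names and the `example.com` domain are assumed placeholders.

```powershell
# Added example. All OU paths and group names are hypothetical placeholders.
Import-Module ActiveDirectory

# Security group name -> OU whose computer objects belong in that group.
$map = @{
    'ISE-Posture-Laptops'  = 'OU=Notebooks,OU=Workstations,DC=example,DC=com'
    'ISE-Posture-Desktops' = 'OU=Desktops,OU=Workstations,DC=example,DC=com'
}
$groupPath = 'OU=Groups,DC=example,DC=com'   # where new groups are created

foreach ($groupName in $map.Keys) {
    $ou = $map[$groupName]

    # Create the security group on the first run.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -GroupScope Global `
                             -GroupCategory Security -Path $groupPath -PassThru
    }

    # Computers that should be members (everything under the OU).
    $wanted = @(Get-ADComputer -SearchBase $ou -SearchScope Subtree -Filter * |
                Select-Object -ExpandProperty DistinguishedName)

    # Computers that are members right now.
    $current = @(Get-ADGroupMember -Identity $group |
                 Where-Object objectClass -eq 'computer' |
                 Select-Object -ExpandProperty distinguishedName)

    # Reconcile: add machines new to the OU, drop machines that left it.
    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })

    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    Write-Output ("{0}: +{1} -{2} (total {3})" -f `
        $groupName, $toAdd.Count, $toRemove.Count, $wanted.Count)
}
```

Running it on a schedule moves a machine to the other group when it is moved between OUs, so the group each posture rule matches stays accurate.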
