Solved: Re: Enforcing OS version using ISE

VipulAgr · ‎05-18-2021

Folks,

Is there is anyway to verify minimum OS version in ISE policy set , e.g. allowing only

Windows10 1903 (build 18362) or higher
Mac OS - 10.14 or higher

Marcelo Morais · ‎05-18-2021

at Policy > Profiling > Profiling Policies, create the following Profiler Policy (for ex.)

Name: Build18362
Parent Policy: Windows10-Workstation
Condition: ACIDEX_device-platform-version CONTAINS 10.0.18362

BUILD 18362.png

At Logical Profiles, create the following Logical Profile (for ex.)

Name: Windows10-Builds
Assigned Policies: Build18362

BUILD 18362.png

At Policy > Policy Set you are able to create an Authorization Policy like this:

BUILD 18362.png

Hope this helps !!!

View solution in original post

balaji.bandi · ‎05-18-2021

is this BYOD or pre-deployed equiment ?

ISE with Posture check do this for you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marcelo Morais · ‎05-18-2021

Hi @VipulAgr ,

at Policy > Profiling > Profiling Policies, create the following Profiler Policy (for ex.)

Name: Build18362
Parent Policy: Windows10-Workstation
Condition: ACIDEX_device-platform-version CONTAINS 10.0.18362

BUILD 18362.png

At Logical Profiles, create the following Logical Profile (for ex.)

Name: Windows10-Builds
Assigned Policies: Build18362

BUILD 18362.png

At Policy > Policy Set you are able to create an Authorization Policy like this:

BUILD 18362.png

Hope this helps !!!

VipulAgr · ‎05-18-2021

Thanks Marcelo, That's really helpful. I was hoping to have a straight forward profile which allows OS versions higher than specific, but looks like I need to create multiple logical profiles for each version which I need to allow. But that works.

Peter Koltl · ‎05-19-2021

~~Surprisingly, this cannot be enforced in a posture policy .~~

VipulAgr · ‎05-20-2021

Yeah True, very surprising when Posture policies are so feature rich but doesn't support this basic requirement.

Marcelo Morais · ‎05-20-2021

Hi @Peter Koltl and @VipulAgr ,

to "enforce" in a Posture Policy, try this:

In Work Centers > Posture > Policy Elements > Conditions > Registry:

Regitry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: ProductName
Value Data: 10

Regitry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: CurrentBuild
Value Data: 18362

In Work Centers > Posture > Policy Elements > Requirements, create the following:

Name: Req-Check-WindowsOSVersion
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOSVersion | Message Text Only

Name: Req-Check-WindowsOS_Build
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOS_Build | Message Text Only

In Work Centers > Posture > Posture Policy:

Rule Name: SO-Mandatory
Identity Groups: Any
Operating Systems: Windows All
Compliance Module: 4.x or later
Posture Type: Any Connect
Other Conditions: <choose your condition>
Requirements: Mandatory - Check-WindowsOSVersion and Mandatory - Check-WindowsOS_Build

Hope this helps !!!

VipulAgr · ‎05-21-2021

Thanks much again Marcelo,

But I guess it would work only with Windows machine, not for any other OS e.g. MAC and generally enterprise will have various Client OSs to look at.

Enforcing OS version using ISE

ISE: Security settingsのTLS versionに関して

Introducing new ZTA policy enforcement with multi-app matching

[原创故障案例分享]Nexus5k 7.3 nx-os version, routing over vPC

Cisco ISE version upgrade

Re: ISE BYOD Flow Using Azure AD