Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2467
Views
20
Helpful
5
Replies

Is there any way to deny the access if a windows services is enabled on Cisco ISE?

Go to solution
victormanuelsolis
Level 1
Level 1

‎07-07-2021 10:26 AM - edited ‎07-07-2021 10:28 AM

Hello Team,

 

I need to know if exist any way to deny the access to the network/VPN when a windows services is enabled? I mean I need to deny the access to all users who have the printer spooler enabled on Cisco ISE.

 

Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to victormanuelsolis

‎07-20-2021 05:06 PM

One you create the conditions you integrate them into posture requirements, which the requirements are then what is assigned in the posture policy.  Posture requirements contain a set of rules.  These rules include your configured posture condition, OS type, module/agent type and remediation action.  I strongly suggest taking a peek here as this will help: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273#toc-hId-1324378478

HTH!

View solution in original post

5 Replies 5

Go to solution
victormanuelsolis
Level 1
Level 1
In response to balaji.bandi

‎07-20-2021 04:27 PM

Thank you for your answer, but I didn't find how to apply the created condition to the policy, in this case is a windows service created under Work Centers->Posture->Policy Elements->Conditions->Service

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to victormanuelsolis

‎07-20-2021 05:06 PM

One you create the conditions you integrate them into posture requirements, which the requirements are then what is assigned in the posture policy.  Posture requirements contain a set of rules.  These rules include your configured posture condition, OS type, module/agent type and remediation action.  I strongly suggest taking a peek here as this will help: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273#toc-hId-1324378478

HTH!

Go to solution
victormanuelsolis
Level 1
Level 1
In response to Mike.Cifelli

‎08-05-2021 03:19 PM

Thank you Mike,

 

Unfortunately, in my current network design I cannot apply this solution to my request, due the users are pointing to the ASA to establish the VPN instead the ISE, so I guess I need to change a little bit the design in order to proceed. Thanks to all for your time !

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎07-07-2021 12:01 PM - edited ‎07-07-2021 12:01 PM

You can absolutely do this with ISE posturing.  The solution has several components and it is rather complex to implement/deploy.  Your condition would look like this:

spooler_con.PNG

 I suggest taking a peek at what @balaji.bandi shared & the following:

ISE Posture Prescriptive Deployment Guide - Cisco Community

Good luck & HTH!

Customers Also Viewed These Support Documents