ISE 2.3 - Posture

mdjan · ‎03-20-2018

Hello guys,

I would like to check if a user machine has a open USB port and the user has an administrator right on his work machine.

Is It possible to do it with the posture on Cisco ISE 2.3 ? If yes, which attributs and properties shall I use for that.

Thanks.

Rob Ingram · ‎03-20-2018

Hi,

Yes you can get ISE Posture to check for a connected USB device, this guide here shows you the steps you need to take in order to configure posture. The guide may not be 100% what you are looking to do but the configuration of USB Requirements is.

HTH

mdjan · ‎03-20-2018

Thank you for the USB check and now I would like to check if the user is administrator of his machine or not. I hear that there is a attribut on the registry which can say if the user is administrator of his machine (domain machine)

Rob Ingram · ‎03-20-2018

You can certainly use ISE posture to check for registry values, what the attribute value is for checking if a user is an administrator is or not I do not know.

How do you assign administrator rights to a user? Do you add them to an AD group and this AD group is a member of the local computer Administrators group? If yes, then you can just create an Authorization rule in ISE to check for that AD group membership and Authorize however you want. That might be easier than finding the registry value.

mdjan · ‎03-21-2018

Thank RJI for this idea, I thought about It at the begin. In the organization we want to know how many user from company domain are local administrator of their machine.

If you are local administrator, you can install software and Apps on your computer.

mdjan · ‎03-23-2018

Hello RJI,

I don't do that way. It is directly put on the computer administrator group locally.