Ok I understand now Andre, I

andre.ortega · ‎09-28-2015

Hello there,

I'd like to create an authorization rule on ISE to check the version of OS.

For example, If OS = Windows 8 then Accept_Access.

How could I do that?

I have the option "Endpoints:OperatingSystem equals" but I didn't find any OS to complete the rule.

Regards.

Marvin Rhoads · ‎09-29-2015

You can specify OS versions in a posture policy. It gives you options like Windows XP, 7, 8, 8.1 10 etc.

Reference.

andre.ortega · ‎09-29-2015

Hi Marvin,
I need a authorization rule based on OS.
Is it possible? Or how could I create a posture policy to accomplish that?

Thank you.

Marvin Rhoads · ‎09-29-2015

Andre,

Think of the Posture policy as a tool to give you more information on which to base your Authorization (AuthZ) policy. The various pieces of ISE build on one another like building blocks to give you the granular context-based AuthZ policy you are talking about.

So create a Posture policy that checks for OS version. The result of that policy is then used in your AuthZ policy to grant access or perform other CoA actions.

This slide from Cisco Live shows what I'm talking about with the pieces working together from AuthC through AuthZ:

andre.ortega · ‎09-30-2015

Hi Marvin,

Thank you for all the attention on this post and for your contribution on this community.

I am trying to figure out how to create a posture rule to check the OS. I know that is possible to specify the OS version as a conditions, but I don't know what will be the requirement.

For example, I can make a posture rule like:

If Windows 8 then AV should be OfficeScan10 (to be compliant)

Now I need a rule like:

If Windows 8 then ???? (to be compliant)

What is the requirement that I have to configure?

Best Regards.

phosawyer · ‎09-30-2015

You need to implement posture assessment as Martin says.

This will include either using the NAC client or most probably using the Anyconnect client with the posture module.

Then the module will report to ISE extra required information to be able to do what you want.

andre.ortega · ‎09-30-2015

Hi phosawyer,

could you please give me um example of this rule?

Regards.

phosawyer · ‎09-30-2015

Here is a TAC document on integrating ISE with anyconnect

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118714-configure-ise-00.html

And this is a TAC document on designing posture policy to be able to have remediation, in this case using WSUS to update windows.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119214-configure-ise-00.html

andre.ortega · ‎09-30-2015

Hi phosawyer,

I have all these working (ISE, AC 4, posture rules for AV and WSUS)...

I'd like just to have a rule that check the OS version.

Thanks.

phosawyer · ‎09-30-2015

Ok I understand now Andre,

I had a quick look and there is a Session:Device-OS condition, which then allows you to select.

However I only am able to select Windows as opposed to a version of windows. This is odd as in the provisioning rules there are specific versions of windows (vista,7,8) and so would've thought the same would be available for the Policy.

andre.ortega · ‎09-30-2015

Now you got my point phosawyer.

Does anyone know how to do that?

I mean, to create a rule that check the Windows version, and If it is Windows 8, then give the access.

Regards.

andre.ortega · ‎09-30-2015

I am posting just to say that I found an option.

On Profiling Policies there are policies for Windows7, Windows8, Windows10,... one way to do what I was asking for is to create a "matching identity group", and then to use this identity group on authz policy.

Thanks.

ISE - Checking Windows version