
ISE - Checking Windows version

andre.ortega
Spotlight

Hello there,

I'd like to create an authorization rule on ISE to check the version of OS.

For example, if OS = Windows 8 then Accept_Access.

How could I do that?

I have the option "Endpoints:OperatingSystem equals" but I didn't find any OS to complete the rule.


Regards.

11 Replies

Marvin Rhoads
Hall of Fame

You can specify OS versions in a posture policy. It gives you options like Windows XP, 7, 8, 8.1, 10, etc.

Reference.

Hi Marvin,
I need an authorization rule based on OS.
Is it possible? Or how could I create a posture policy to accomplish that?

Thank you.

Andre,

Think of the Posture policy as a tool to give you more information on which to base your Authorization (AuthZ) policy. The various pieces of ISE build on one another like building blocks to give you the granular context-based AuthZ policy you are talking about.

So create a Posture policy that checks for OS version. The result of that policy is then used in your AuthZ policy to grant access or perform other CoA actions.

This slide from Cisco Live shows what I'm talking about with the pieces working together from AuthC through AuthZ:

Hi Marvin,

Thank you for all the attention on this post and for your contribution on this community.

I am trying to figure out how to create a posture rule to check the OS. I know that it is possible to specify the OS version as a condition, but I don't know what the requirement will be.

For example, I can make a posture rule like:

If Windows 8 then AV should be OfficeScan10 (to be compliant)

Now I need a rule like:

If Windows 8 then ???? (to be compliant)

What is the requirement that I have to configure?

Best Regards.

You need to implement posture assessment as Martin says.

This will include either using the NAC client or most probably using the Anyconnect client with the posture module.

Then the module will report to ISE extra required information to be able to do what you want.

Hi phosawyer,

Could you please give me an example of this rule?

Regards.

Here is a TAC document on integrating ISE with AnyConnect:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118714-configure-ise-00.html

And this is a TAC document on designing posture policy to be able to have remediation, in this case using WSUS to update Windows:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119214-configure-ise-00.html 

Hi phosawyer,

I have all these working (ISE, AC 4, posture rules for AV and WSUS)...

I'd just like to have a rule that checks the OS version.

Thanks.

Ok I understand now Andre,

I had a quick look and there is a Session:Device-OS condition, which then allows you to select.

However, I am only able to select Windows as opposed to a version of Windows. This is odd, as in the provisioning rules there are specific versions of Windows (Vista, 7, 8), and so I would've thought the same would be available for the Policy.

Now you got my point phosawyer.

Does anyone know how to do that?

I mean, to create a rule that checks the Windows version, and if it is Windows 8, then give the access.

Regards.

andre.ortega
Spotlight

I am posting just to say that I found an option.

On Profiling Policies there are policies for Windows7, Windows8, Windows10, ... One way to do what I was asking for is to create a "matching identity group", and then to use this identity group in the authz policy.

Thanks.