09-28-2015 05:27 PM - edited 03-10-2019 11:06 PM
Hello there,
I'd like to create an authorization rule on ISE to check the version of OS.
For example, If OS = Windows 8 then Accept_Access.
How could I do that?
I have the option "Endpoints:OperatingSystem equals" but I didn't find any OS to complete the rule.
Regards.
09-29-2015 04:15 AM
You can specify OS versions in a posture policy. It gives you options like Windows XP, 7, 8, 8.1 10 etc.
09-29-2015 11:17 AM
Hi Marvin,
I need a authorization rule based on OS.
Is it possible? Or how could I create a posture policy to accomplish that?
Thank you.
09-29-2015 01:48 PM
Andre,
Think of the Posture policy as a tool to give you more information on which to base your Authorization (AuthZ) policy. The various pieces of ISE build on one another like building blocks to give you the granular context-based AuthZ policy you are talking about.
So create a Posture policy that checks for OS version. The result of that policy is then used in your AuthZ policy to grant access or perform other CoA actions.
This slide from Cisco Live shows what I'm talking about with the pieces working together from AuthC through AuthZ:
09-30-2015 05:54 AM
Hi Marvin,
Thank you for all the attention on this post and for your contribution on this community.
I am trying to figure out how to create a posture rule to check the OS. I know that is possible to specify the OS version as a conditions, but I don't know what will be the requirement.
For example, I can make a posture rule like:
If Windows 8 then AV should be OfficeScan10 (to be compliant)
Now I need a rule like:
If Windows 8 then ???? (to be compliant)
What is the requirement that I have to configure?
Best Regards.
09-30-2015 06:05 AM
You need to implement posture assessment as Martin says.
This will include either using the NAC client or most probably using the Anyconnect client with the posture module.
Then the module will report to ISE extra required information to be able to do what you want.
09-30-2015 07:14 AM
Hi phosawyer,
could you please give me um example of this rule?
Regards.
09-30-2015 07:38 AM
Here is a TAC document on integrating ISE with anyconnect
And this is a TAC document on designing posture policy to be able to have remediation, in this case using WSUS to update windows.
09-30-2015 07:39 AM
Hi phosawyer,
I have all these working (ISE, AC 4, posture rules for AV and WSUS)...
I'd like just to have a rule that check the OS version.
Thanks.
09-30-2015 08:14 AM
Ok I understand now Andre,
I had a quick look and there is a Session:Device-OS condition, which then allows you to select.
However I only am able to select Windows as opposed to a version of windows. This is odd as in the provisioning rules there are specific versions of windows (vista,7,8) and so would've thought the same would be available for the Policy.
09-30-2015 01:15 PM
Now you got my point phosawyer.
Does anyone know how to do that?
I mean, to create a rule that check the Windows version, and If it is Windows 8, then give the access.
Regards.
09-30-2015 05:23 PM
I am posting just to say that I found an option.
On Profiling Policies there are policies for Windows7, Windows8, Windows10,... one way to do what I was asking for is to create a "matching identity group", and then to use this identity group on authz policy.
Thanks.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide