08-21-2024 10:33 AM
We have a want to give an endpoint some level of access even though a single posture policy fails. As an example, let's say we're checking for
1. Some Registry key value
2. Some X mgmt. tool installed
3. Some AM tool installed
With the three checks, let's say the mgmt. tool isn't installed but the AM and Registry key are there. Is it possible to give a different authorization for that machine? The example would be we could present the user a message box saying go into Software Center (in the Windows use case) and install X tool. The different authorization policy would give line of sight to the server that Software Center needs to download the tool and install it. As best we can tell, posture is either a Pass or a Fail.
08-21-2024 03:10 PM
Have you checked out Work Centers - Posture - Policy Elements - Requirements? Along with that you would use the Remediations section just above it (I'm referencing ISE 3.1). Seems like this could be the direction you need. There will be more to it, but hopefully this will help.
08-22-2024 06:30 AM
I'll check, but pretty sure the requirements are mandatory, audit, or disabled. Also, on the remediations, I believe most of these run in user space, so if something requires admin permissions, not sure that will work. I do plan on mocking up the remediations.
Today our current NAC solution lets us put an endpoint into a remediation network with a limited network view when some set of checks pass and some set of checks fail. We were hoping to do that with ISE.