ISE posture for Active Directory join

manvik
Level 3
Level 3

Other than checking in registry condition, any mechanism to identify whether a windows PC is joined to AD domain?
ISE version 3.4, secure client 5.1

10 Replies

@manvik the recommended way to identify a domain-joined corporate asset is by checking the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

Value=domain.name is your domain name

Other than checking in registry condition??

@manvik checking the registry is the primary way to determine if joined to the domain.

Else, not posture related, but use EAP Chaining (EAP-FAST/TEAP) that would check to see if the computer has a domain issued certificate + user certificate. Typically a computer won't have a certificate unless joined to the domain.

Or with posture you can check to see whether a specific application (i.e the Corporate installed AV or other software) is installed on a computer.

Thanks. How to check if the computer has a domain-issued certificate + user certificate?

There are a few command-line ways to identify the domain.

For example:

systeminfo | findstr /B "Domain"

^^- will show "Domain: WORKGROUP" if not in domain

And: dsregcmd /status
^^- the first section shows if the computer is AD or AAD joined:
(see screenshot example)


And the powershell command: Get-CimInstance win32_computersystem
^^- will show under the Domain column which domain (if any) the computer is joined.

There may be other ways as well if you just google for how to check this via powershell.
And with this info you should be able to craft a .ps1 script for the posture evaluation.

Just keep in mind that if your company is moving to Entra ID (Azure) joined machines, the results will not be the same as when checking for on-premises AD joined.

Can this be done for VPN connections?

If you're referring to posture, yes, it can be done for AnyConnect VPN.

Azizi123
Level 1
Level 1

@manvik 

Run in the CMD command:

systeminfo | findstr /B /C:"Domain"

wmic computersystem get domain

(Get-WmiObject Win32_ComputerSystem).PartOfDomain

(Get-WmiObject Win32_ComputerSystem).Domain

net config workstation

Other than that:

Press Win + R, type sysdm.cpl, and press Enter.
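Putting the pieces from JonatanJonasson's and Azizi123's replies together, here is an added example of what a posture evaluation script could look like. This is not code from the thread, from Cisco, or from ISE itself; it is written by the editor. It reads the same three sources the replies name (the Tcpip\Parameters\Domain registry value, Win32_ComputerSystem via Get-CimInstance, and dsregcmd /status) and only reports compliant when the CIM and registry values both match the expected domain, so a machine joined to some other, unknown domain does not pass. The domain name corp.example.invalid is a placeholder, and the exit-code convention (0 = compliant, 1 = not compliant) is an assumption: confirm what your ISE script condition expects before deploying.

```powershell
# Added example, not from the thread or from Cisco: a posture-style check that a
# Windows endpoint is joined to the EXPECTED on-premises AD domain.
# ASSUMPTION: $ExpectedDomain is a placeholder; replace with your AD DNS domain name.
# ASSUMPTION: exit code 0 = compliant, 1 = non-compliant; verify this convention
#             against the ISE posture script condition you configure.
param(
    [string]$ExpectedDomain = 'corp.example.invalid'
)

function Get-DomainJoinState {
    param([string]$Expected)

    # Source 1: CIM. Get-CimInstance is the current cmdlet; Get-WmiObject is legacy.
    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem
    $cimJoined = [bool]$cs.PartOfDomain
    $cimDomain = [string]$cs.Domain

    # Source 2: the registry value recommended in the first reply.
    $regDomain = (Get-ItemProperty `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
        -Name Domain -ErrorAction SilentlyContinue).Domain

    # Source 3: dsregcmd, which distinguishes on-prem AD join from Entra ID join.
    # If dsregcmd is unavailable, $dsreg is $null and both flags become $false.
    $dsreg     = & dsregcmd.exe /status 2>$null
    $adJoined  = $dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES'  -Quiet
    $aadJoined = $dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet

    [pscustomobject]@{
        CimPartOfDomain = $cimJoined
        CimDomain       = $cimDomain
        RegistryDomain  = $regDomain
        DsregAdJoined   = [bool]$adJoined
        DsregAadJoined  = [bool]$aadJoined
        # Compliant only when two independent sources agree on the expected
        # domain, not merely "joined to some domain".
        Compliant       = $cimJoined -and
                          ($cimDomain -ieq $Expected) -and
                          ($regDomain -ieq $Expected)
    }
}

$state = Get-DomainJoinState -Expected $ExpectedDomain
# Print the evidence so the posture report (or a manual run) shows why it passed or failed.
$state | Format-List | Out-String | Write-Output

if ($state.Compliant) { exit 0 } else { exit 1 }
```

Two points a practitioner should keep in mind. First, the dsregcmd fields are reported but deliberately not part of the pass/fail decision: a machine that is Entra ID joined and not AD joined will show DsregAadJoined = True and fail the on-prem check, which is the behaviour JonatanJonasson's caveat describes; if your environment is moving to Entra ID, decide explicitly which join state should count as compliant. Second, everything this script reads lives on the endpoint, so a local administrator can set the registry value or a hostname to whatever the check expects. The script is a hygiene check, not proof of identity; the EAP chaining (EAP-FAST/TEAP) approach mentioned earlier in the thread is the control that actually binds the session to a domain-issued machine certificate.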

Thank you @Azizi123, the commands look helpful, but how to do posture from ISE with these commands other than a PowerShell script?
PowerShell might be disabled in most systems.

Dear manvik:

You'll need to rely on Cisco's built-in agents (like the ISE Posture Agent) for a more automated approach. This agent performs checks on the endpoint's compliance with your ISE security policies.

Requirements:

You need a Cisco ISE license to use the posture functionality.

Cisco AnyConnect must be licensed, and the Posture module needs to be enabled on the Cisco ISE platform.

How to Get the AnyConnect Client with the Posture Module:

Step 1: Ensure you have a Cisco account and the necessary licensing for Cisco AnyConnect and ISE.

Step 2: Log in to the Cisco Software Download page.

Step 3: Search for Cisco AnyConnect Secure Mobility Client.

Step 4: Choose the version you want to download.

Step 5: Select the Posture module as part of the AnyConnect package during installation. Make sure your Cisco ISE is properly configured to interact with the posture agent.