cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4500
Views
0
Helpful
6
Replies

ISE Posture for MacOS X - Check if device is in AD Domain

lukeberkheiser
Level 1
Level 1

Hello,

I am trying to implement some Posture checks for MacOS X when users connect to VPN. I was able to get some simple conditions to work, such as verifying that the Anti-Malware software is installed and up-to-date, but I need to do one more test: check if the machine is part of the Active Directory domain. 

I found this post which hinted at a solution: 

https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/td-p/3708295

 

However, when I try to create a File Condition referencing that path, Posture fails every time. I've tried specifying a certain Property and I've also tried just checking that the file exists, but nothing works. 

Is it a problem of rights for AnyConnect to access the folder? Or is there something else that I need to set in this condition?

 

Current settings: 

File Type: FileExistence

File Path: root                  value: /Library/Preferences/OpenDirectory/DynamicData/Active Directory/<domain>.plist

File Operator: Exists

 

Thank you

6 Replies 6

Surendra
Cisco Employee
Cisco Employee
It could be that you haven’t specified the escape sequence for white space?

From your post : /Library/Preferences/OpenDirectory/DynamicData/ActiveDirectory/.plist

From the original post : /Library/Preferences/OpenDirectory/DynamicData/Active\ Directory/.plist

I tried both with "Active Directory" and with "Active\ Directory", without any success.

Colby LeMaire
VIP Alumni
VIP Alumni

If you want to validate that it is a member of the domain, then just do that during the authentication/authorization.  A condition that verifies the machine is a member of Domain Computers.  If that is not possible and you want to stick with the file condition, then verify that the file exists in that location.  If it does, then verify the permissions.  You may need to adjust the permissions so that "everyone" has read access.  chmod +r on the file.

Thank you for your answer. We want to do this check as part of the posture, not as part of a separate Authentication/Authorization rule. I'm not even sure it would work as the user is the one being authenticated, not the machine. 

 

The file exists, but it seems it is tricky to even access the directory, and only the system account can view the contents of the directory, nevermind the file. Not sure enabling access to a system-only directory from everyone is the most secure option. 

 

Has anyone attempted/succeeded in doing this kind of checks on a Mac?

 

For MAC OS X, you can create a file in the /private/etc/ directory and get the SHA256 sum of the file. Then create a File condition for this file that check for this file SHA-256 Data.

I am also facing same issue. Did you got any solution on this ?