ISE Posture for MacOS X - Check if device is in AD Domain

lukeberkheiser
Level 1

Hello,

I am trying to implement some Posture checks for MacOS X when users connect to VPN. I was able to get some simple conditions to work, such as verifying that the Anti-Malware software is installed and up-to-date, but I need to do one more test: check if the machine is part of the Active Directory domain. 

I found this post which hinted at a solution: 

https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/td-p/3708295


However, when I try to create a File Condition referencing that path, Posture fails every time. I've tried specifying a certain Property and I've also tried just checking that the file exists, but nothing works. 

Is it a problem of rights for AnyConnect to access the folder? Or is there something else that I need to set in this condition?


Current settings: 

File Type: FileExistence
File Path: root, value: /Library/Preferences/OpenDirectory/DynamicData/Active Directory/<domain>.plist
File Operator: Exists


Thank you

6 Replies

Surendra
Cisco Employee
It could be that you haven’t specified the escape sequence for white space?

From your post: /Library/Preferences/OpenDirectory/DynamicData/ActiveDirectory/.plist

From the original post: /Library/Preferences/OpenDirectory/DynamicData/Active\ Directory/.plist

I tried both with "Active Directory" and with "Active\ Directory", without any success.

Colby LeMaire
VIP Alumni

If you want to validate that it is a member of the domain, then just do that during the authentication/authorization. A condition that verifies the machine is a member of Domain Computers. If that is not possible and you want to stick with the file condition, then verify that the file exists in that location. If it does, then verify the permissions. You may need to adjust the permissions so that "everyone" has read access. chmod +r on the file.

Thank you for your answer. We want to do this check as part of the posture, not as part of a separate Authentication/Authorization rule. I'm not even sure it would work as the user is the one being authenticated, not the machine.

The file exists, but it seems it is tricky to even access the directory, and only the system account can view the contents of the directory, never mind the file. Not sure enabling access to a system-only directory from everyone is the most secure option.

Has anyone attempted/succeeded in doing this kind of check on a Mac?


For Mac OS X, you can create a file in the /private/etc/ directory and get the SHA-256 sum of the file. Then create a File condition for this file that checks this file's SHA-256 data.

I am also facing the same issue. Did you get any solution for this?