ARQA-netadmin
Beginner

ISE posture policy about user privileges on remote device

Hello,

 

Is there any way to configure an ISE Posture Policy (some conditions) so that ISE analyzes the user's level of privileges on the remote computer (the computer from which they try to establish an AnyConnect VPN connection)?
If the user has administrator privileges on the remote machine, it's the non-compliant case.
If the user doesn't have administrator privileges on the remote computer, it's the compliant case.

 

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Mike.Cifelli
VIP Advocate

Are these RA clients not a part of your domain?  If they are, IMO it would be easier to rely on GPOs for your local admin concern and AD username mapping to steer authorization policy accordingly for non-admin users.  I am not 100% sure on an exact reg key.  This would need to be researched to determine if possible and then properly tested.  I was sharing it as a suggestion.  HTH!
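One way to follow the "registry key" suggestion above, as an added illustration that is not part of this thread and not a Cisco artifact: a small PowerShell helper, meant to run as SYSTEM (for example from a scheduled task triggered at logon), that checks whether the interactively logged-on user is a direct member of the built-in Administrators group and records the answer as a DWORD under HKLM. An ISE posture Registry condition can then compare that value (0 = not an admin) to decide compliance. The key path `HKLM:\SOFTWARE\Example\PostureFacts` and the value name `ConsoleUserIsLocalAdmin` are assumptions chosen for the example.

```powershell
# Added example, not from the original thread. Run as SYSTEM (e.g. a logon-triggered
# scheduled task) so the HKLM write succeeds for non-admin console users.
# Key path and value name below are assumptions for this illustration.

$KeyPath   = 'HKLM:\SOFTWARE\Example\PostureFacts'   # assumed location
$ValueName = 'ConsoleUserIsLocalAdmin'               # assumed name; 1 = admin, 0 = not admin

function Get-ConsoleUserName {
    # Owner of the console session as COMPUTER\user or DOMAIN\user; $null if nobody is logged on.
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

function Test-LocalAdminMember {
    param([Parameter(Mandatory)][string]$Account)
    # The built-in Administrators group has the well-known SID S-1-5-32-544 on every
    # Windows install, so look it up by SID rather than by its localizable name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    foreach ($m in $members) {
        # Member names come back as COMPUTER\user or DOMAIN\user; compare case-insensitively.
        if ($m.Name -ieq $Account) { return $true }
    }
    # Only direct membership is checked; nested group membership is not expanded here.
    # The thread's case is local accounts, where direct membership is the question.
    return $false
}

function Write-PostureFact {
    param([Parameter(Mandatory)][int]$IsAdmin)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $IsAdmin -Force | Out-Null
}

$user = Get-ConsoleUserName
if ($user) {
    $isAdmin = Test-LocalAdminMember -Account $user
    Write-PostureFact -IsAdmin ([int]$isAdmin)
    Write-Output "$user is local admin: $isAdmin"
} else {
    # Nobody at the console: leave a conservative (non-compliant) marker rather than a stale 0.
    Write-PostureFact -IsAdmin 1
}
```

Two caveats a practitioner would want before relying on this. First, the fact is produced on the endpoint and stored in a hive that any local administrator can edit, so the exact population you want to block (local admins) can rewrite the value to 0 before connecting; treat this as hygiene that catches accidental admin use, not as an enforcement boundary. Second, the check captures the console user at the moment the task runs, so schedule it at logon (and optionally on a short repeat) so that the posture assessment reads a current value rather than one left over from a previous session. The durable fix remains the one suggested in the reply: remove standing admin rights from the accounts that need VPN, or map the VPN identity to a non-admin account in the ISE authorization policy.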
4 REPLIES
Mike.Cifelli
VIP Advocate

AFAIK there is nothing out of the box that would meet this desire.  However, that does not mean that it is completely out of the question.  I would suggest trying to determine if it's possible via registry keys or something along those lines.  What is the desire for this?

We need to deny AnyConnect VPN connections from users who work remotely with administrator rights on the remote device.

For this we are planning to use ISE authorization policies.

How can we solve this problem using registry keys?

No. They are local users on remote machines. There isn't any chance to use AD technology. Is there another solution in this case?