ISE Posture with Forescout SecureConnector integration

kaachary
Cisco Employee

Customer has Forescout SecureConnector installed on machines for Endpoint Compliance. They are currently evaluating ISE Posture and have a query about whether the ISE posture agent can check the compliance status of the SecureConnector agent, and then report the machine as compliant/non-compliant.

I don't think there is a straightforward way of doing this, since we do not have any such integration supported on ISE. I am planning to propose a registry check (if there is any) to verify the SecureConnector compliance status. Please let me know if you have any other suggestions.

1 Accepted Solution

Greg Gibbs
Cisco Employee

If the Forescout agent runs as a service in Windows and/or Mac OSX, you can also use a Service Condition check in the ISE Posture config to verify that the service named 'xyz' is Running.

See the Assessment Options for Windows and OSX in the ISE 2.2 Admin Guide here:

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies - Cisco

3 Replies

Timothy Abbott
Cisco Employee

Gregory is correct. We can check the compliance of the endpoint using posture policy but not the compliant / non-compliant state of SecureConnector. The most we could do is check to see if it is installed and running.

Regards,

-Tim

Thanks Tim, Gregory

I am aware of the Service check for the agent. But the customer requirement specifically is to check the compliance status of the agent. Anyway, I was thinking that if there is a Forescout registry entry that gets set to a specific value when the machine is declared compliant, I could use that as a Condition; that is the only way, I guess.

From what I am hearing, there is no other way to achieve this.

Thanks for the confirmation.