7327 Views | 11 Helpful | 6 Replies

ISE Posturing to check if system belongs to domain

User_80617 (Level 1)

Hi Guys,

Need help. We are doing posturing on ISE for internet VPN users. We want to configure ISE posturing to check whether the system belongs to the domain before allowing it access. What configuration options are available?

Accepted Solution

@User_80617 

You can check a registry value when performing ISE posture, which checks to see if the computer is joined to your domain.

 

Registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain Value=your.domain.name

 

Another option would be to use computer certificates, which could only ever be issued by your internal CA. Posture doesn't check the certificate; it's the ASA/FTD that validates the cert, but it proves the computer is a corporate asset.

 

HTH

 


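The registry check from the accepted solution, reproduced locally as an added example (PowerShell written for this thread, not code from the original post or from Cisco): it reads the same value an ISE posture registry condition on that key and value name would evaluate, and puts it next to two stronger indicators of domain membership. The caveat a practitioner should know before relying on the registry value alone is that `Tcpip\Parameters\Domain` holds the machine's primary DNS suffix, which a local administrator can set on a host that was never joined, so it proves a configured suffix rather than a join; `Win32_ComputerSystem.PartOfDomain` reflects the actual join state, and `Test-ComputerSecureChannel` proves the machine account is live, but only when a domain controller is reachable, which an internet VPN client does not have before the tunnel comes up. The domain name `corp.example.com` is a placeholder.

```powershell
# Added example for this thread (not from the original post or from Cisco):
# evaluate the same registry value an ISE posture registry condition would
# read, next to the actual domain-join state reported by CIM and by the
# machine account's secure channel.
# Assumption: 'corp.example.com' is a placeholder for your AD DNS domain name.

$ExpectedDomain = 'corp.example.com'

function Test-TcpipDomainValue {
    # Mirrors the posture condition: HKLM\SYSTEM\CurrentControlSet\Services\
    # Tcpip\Parameters, value name 'Domain', string equal to the expected domain.
    # This value is the primary DNS suffix, so a local administrator can set it
    # on a machine that was never joined.
    param([Parameter(Mandatory)][string]$Expected)
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $value = (Get-ItemProperty -Path $key -Name 'Domain' -ErrorAction SilentlyContinue).Domain
    [pscustomobject]@{
        Check   = 'Registry Tcpip\Parameters\Domain'
        Value   = $value
        Matches = (-not [string]::IsNullOrEmpty($value)) -and ($value -ieq $Expected)
    }
}

function Test-DomainJoinState {
    # Stronger local indicator: PartOfDomain is $true only when the host was
    # actually joined, and Domain then names the domain it was joined to.
    param([Parameter(Mandatory)][string]$Expected)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Check   = 'CIM Win32_ComputerSystem.PartOfDomain'
        Value   = $cs.Domain
        Matches = [bool]$cs.PartOfDomain -and ($cs.Domain -ieq $Expected)
    }
}

function Test-SecureChannel {
    # Strongest check: verify the machine account's secure channel to a DC.
    # Requires a reachable domain controller; before the VPN tunnel is up an
    # internet client will not have one, so a failure here means 'unknown',
    # not 'not joined'.
    try {
        $ok = Test-ComputerSecureChannel -ErrorAction Stop
        [pscustomobject]@{ Check = 'Secure channel to DC'; Value = $ok; Matches = [bool]$ok }
    } catch {
        [pscustomobject]@{ Check = 'Secure channel to DC'; Value = 'unreachable or not joined'; Matches = $false }
    }
}

$results = @(
    Test-TcpipDomainValue -Expected $ExpectedDomain
    Test-DomainJoinState  -Expected $ExpectedDomain
    Test-SecureChannel
)
$results | Format-Table -AutoSize

# The case a registry-only posture condition cannot distinguish:
# DNS suffix configured to match, but the host is not joined.
if ($results[0].Matches -and -not $results[1].Matches) {
    Write-Warning 'Primary DNS suffix matches but the host is not domain-joined; a registry-only posture condition would still pass it.'
}
```

Run it as a local administrator on a candidate endpoint; the first row is what the ISE registry condition sees, the second is what you actually want to know, and the warning fires on exactly the host that passes the weak check while failing the strong one. Since posture runs on the client before it has full access, the secure-channel row will normally read unknown over an internet VPN, which is the practical reason the certificate approach in the accepted solution is the stronger gate: the ASA/FTD validates it at the edge without needing the client to reach a domain controller.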
6 Replies

balaji.bandi (Hall of Fame)

Is the device known or unknown? If it is known, do you have the Cisco AnyConnect client to take control and do the posture check?

 

Is this what you are looking for? Or is it BYOD?

 

Some reference:

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_compliance.html#concept_A9C0E9F58A4A4FECBC9C5BB362F9B403

BB


Hi Bala,

 

So we are not doing BYOD. Only domain systems shall connect to the VPN. What is the safest way to implement this, with the least impact, before applying it in prod?


 

Good solution, but it only works as a requirement. I wonder if there is another one for selecting a different policy based on belonging to a domain.

For example, I can do a selection based on belonging to a specific OS in Policy Sets by creating a Logical Profile:

[attached screenshot: ErnestasSabukevicius_0-1683044260800.png]

 

Mike.Cifelli (VIP Alumni)

Adding an additional option besides what @Rob Ingram shared, as those are good options. You could also target specific enterprise resources that should be on your standard image (i.e. ensure McAfee products are installed/running/etc.). I actually use the domain reg check with one customer plus additional items, and they work great. Ultimately I think this comes down to what you feel you can target based on what you know is required on clients in your enterprise. HTH!

User_80617 (Level 1)

Hi,

Is there any way to see if the user's system name is also joined to the domain? This is to be configured on VPN and not 802.1X.