Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1435
Views
3
Helpful
4
Replies

Profiling Windows Server-based operating systems in ISE

rezaalikhani
VIP
VIP

‎03-14-2023 10:38 PM

Hi all;

Suppose I want to profile Windows Server-based operating systems in ISE like:

Windows-Servers

                          |--> Windows-Server2012

                          |--> Windows-Server2016

                          |--> Windows-Server2019

Can anyone help me with the right probing used to accomplish this?

Thanks

1 person had this problem
4 Replies 4

Arne Bier
VIP
VIP

‎03-16-2023 03:02 PM

Hi @rezaalikhani 

Why would you make a server subject to NAC? 

ISE has no profiles for Windows Server because there's very little sense in profiling a server device. They should not be configured with DHCP (so that option is out of the window) - and there's very little else left that helps you out of the box.

You'd be better off not enabling NAC on those interfaces (if the physical Server is in a DC then it makes no sense anyway) - but if you have a server in the Access Layer, and there is a risk of abusing that port by an attacker, then use MAB with a MAC address reservation in ISE. 

Joseph.F
Level 1
Level 1

‎03-21-2024 07:49 AM

In the era of Federal Comply to Connect,  ISE must categorize servers separately from other windows endpoints.  Although i agree with you that why would you want to do this, the fact remains that rules are requiring us to do this. 

question still stands.  ISE needs to be able to profile windows server and to create a logical profile to lump servers together for reporting purposes.

Arne Bier
VIP
VIP
In response to Joseph.F

‎03-24-2024 04:17 PM

Out of the box, a Windows Server doesn't provide that level of granularity.

For starters, servers typically don't get configured with DHCP (they use static IPv4 addresses) - that means you won't get any detail from a DHCP Discovery packet. Where does that leave you?  

I don't know if Windows Server supports 802.1X supplicant. If it does, then that would be the best option. That means ISE could use the AD probes to glean the operating system details of that domain joined object.

Method of last resort - perhaps try the Microsoft LLDP Driver on the Ethernet Adapter to see if that gives you any joy.

Or method of drastic last resort ... install an SNMP agent on the Windows Server ... that will give you the intel you need. 

0 Helpful

MHM Cisco World
VIP
VIP

‎03-21-2024 07:54 AM

Screenshot (220).png

0 Helpful
Customers Also Viewed These Support Documents