Using AD-Host-Resolved-DNs in Profiling

paul
Level 10

I am working with a client who is doing PEAP Domain Computer and PEAP User + MAR Cache.  As the computer and user get authenticated ISE records the following under the endpoint:

AD-Host-Resolved-DNs

AD-User-Resolved-DNs

Is there any way I can use those values in profiling?  I can't find an option to.  I am trying to profile endpoints whose AD-Host-Resolved-DNs contain a particular OU.  In this case, I am trying to profile laptops vs. desktops based on the OU in AD.   The customer has the laptops and desktops in different OUs.


They only want to apply posturing rules to laptops, but because they are transitioning to User mode authentication I can't easily do that with authorization rules.  I am trying to see if I can combine profiling with authentication to say "If a user is authenticating from a device profiled as a laptop then apply the posturing logic."


Any thoughts on this?

1 Accepted Solution


Short answer is no.  You could submit a feature enhancement with customer name and impact.  There are requests to extend attributes in Profiler, but it helps to be specific as to which are needed for prioritization.

We do not expose those particular attributes to profiler today, but it may be possible to achieve similar intent via AD Join Point, NMAP-SMB Domain, DHCP hostname/DDNS name, or possibly use GPO to set User Class ID to include OU.

Scripting could also be used to fetch AD LDAP info and set custom attributes in ISE.

Once you shift to user auth, I'm not sure new endpoints will be populating the AD host info.

Craig

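To illustrate Craig's "scripting" option, here is an added example that is not code from this thread or from Cisco: a small Python script that takes a computer's AD distinguished name (the same string ISE records as AD-Host-Resolved-DNs), walks its OU chain to decide laptop vs. desktop, and prepares an ISE ERS endpoint update that sets a custom attribute the profiler can then match on. The OU names (`Laptops`, `Desktops`), the custom attribute name `DeviceClass`, the sample MAC/DN, and the ERS URL and JSON payload shape are all assumptions for this example; verify the payload against the ERS schema of the ISE version in use before running it against a real deployment.

```python
# Added example, not from the thread or from Cisco ISE documentation.
# Assumptions (not in the original post): the OU names, the custom
# attribute name "DeviceClass", and the ERS endpoint URL/payload shape.
import re
from typing import Optional

LAPTOP_OUS = {"Laptops"}     # assumed OU names; replace with the customer's
DESKTOP_OUS = {"Desktops"}
CUSTOM_ATTR = "DeviceClass"  # hypothetical endpoint custom attribute defined in ISE


def parse_dn(dn: str) -> list:
    """Split an LDAP DN into (type, value) pairs.
    Commas escaped as '\\,' inside a value (e.g. 'CN=Smith\\, John') are kept."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def ou_chain(dn: str) -> list:
    """OUs from the object outward, e.g. ['Laptops', 'Workstations']."""
    return [value for attr_type, value in parse_dn(dn) if attr_type == "OU"]


def classify_from_dn(dn: str) -> Optional[str]:
    """Nearest matching OU wins; None if no OU in the chain is recognised."""
    for ou in ou_chain(dn):
        if ou in LAPTOP_OUS:
            return "laptop"
        if ou in DESKTOP_OUS:
            return "desktop"
    return None


def normalize_mac(mac: str) -> str:
    """Return AA:BB:CC:DD:EE:FF; ISE keys endpoints by MAC in this form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_ers_payload(mac: str, device_class: str) -> dict:
    """Body for PUT /ers/config/endpoint/{id} setting one custom attribute
    (structure assumed from ERS endpoint JSON; verify against your ISE version)."""
    return {
        "ERSEndPoint": {
            "mac": normalize_mac(mac),
            "customAttributes": {"customAttributes": {CUSTOM_ATTR: device_class}},
        }
    }


def plan_update(mac: str, dn: str) -> Optional[dict]:
    """Combine the steps; returns None when the DN gives no decision so the
    caller never overwrites an existing attribute with a guess."""
    device_class = classify_from_dn(dn)
    if device_class is None:
        return None
    return build_ers_payload(mac, device_class)


def push_update(session, ise_host: str, endpoint_id: str, payload: dict):
    """Send the update with a requests-like session (auth and TLS verification
    are configured by the caller on the session object)."""
    url = f"https://{ise_host}/ers/config/endpoint/{endpoint_id}"
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    resp = session.put(url, json=payload, headers=headers, timeout=30)
    resp.raise_for_status()
    return resp


if __name__ == "__main__":
    # Constructed sample: what AD-Host-Resolved-DNs might look like for one laptop.
    sample_mac = "aa-bb-cc-dd-ee-01"
    sample_dn = "CN=LT-0001,OU=Laptops,OU=Workstations,DC=ad,DC=corp"
    print(plan_update(sample_mac, sample_dn))
```

In practice the DN would be fetched per endpoint with an LDAP query keyed on the hostname (the ldap3 library is one option; that lookup is left out so the block runs offline), and the resulting `DeviceClass` value is what a profiler policy condition or an authorization rule would then match, which is the combination of profiling and authentication the question asks for. The script deliberately returns nothing for an unrecognised OU rather than defaulting to "desktop", so a mis-parented computer object cannot silently exempt a laptop from posture.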

3 Replies

ognyan.totev
Level 5

Hello, I think you must create different Profiling Policies for laptops and desktops with different OUs. In my deployment we have desktops with names like PC400123.ad.corp and notebooks NB400123.ad.corp, and all are resolvable by cmd with these names.


Thanks Craig.  That is what I thought.  I know I can do the DHCP class GPO trick, but was hoping to be able to use that attribute.

Thanks for the quick response.