11-02-2017 06:32 AM
I am working with a client who is doing PEAP Domain Computer and PEAP User + MAR Cache. As the computer and user get authenticated ISE records the following under the endpoint:
AD-Host-Resolved-DNs
AD-User-Resolved-DNs
Is there any way I can use those values in profiling? I can't find an option to. I am trying to profile endpoints whose AD-Host-Resolved-DNs contain a particular OU. In this case, I am trying to profile laptops vs. desktops based on the OU in AD. The customer has the laptops and desktops in different OUs.
They only want to apply posturing rules to laptops, but because they are transitioning to User mode authentication I can't easily do that with authorization rules. I am trying to see if I can combine profiling with authentication to say "If a user is authenticating from a device profiled as a laptop then apply the posturing logic."
Any thoughts on this?
11-02-2017 11:37 AM
Short answer is no. You could submit a feature enhancement with the customer name and impact. There are requests to extend attributes in Profiler, but it helps to be specific as to which are needed for prioritization.
We do not expose those particular attributes to Profiler today, but it may be possible to achieve similar intent via AD Join Point, NMAP-SMB Domain, DHCP hostname/DDNS name, or possibly use GPO to set the User Class ID to include the OU.
Scripting could also be used to fetch AD LDAP info and set custom attributes in ISE.
Once you shift to user auth, I'm not sure new endpoints will be populating the AD host info.
Craig
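To illustrate the scripting route Craig mentions, here is an added example (not from this thread, Cisco, or ISE itself) of the classification step: it parses an AD-Host-Resolved-DNs style DN, decides laptop vs. desktop from the OU (falling back to the NB/PC hostname convention mentioned below), and produces the value you would push into an assumed custom endpoint attribute such as DeviceClass. The OU names, MACs and DNs are constructed sample data, and the LDAP fetch and the ISE update call are not shown.

```python
import re

# Constructed sample data (not real customer data): MAC -> (AD-Host-Resolved-DNs value, hostname).
SAMPLE_ENDPOINTS = {
    "00:11:22:33:44:55": ("CN=NB400123,OU=Laptops,OU=Workstations,DC=ad,DC=corp", "NB400123"),
    "00:11:22:33:44:56": ("CN=PC400123,OU=Desktops,OU=Workstations,DC=ad,DC=corp", "PC400123"),
    # OU name containing an escaped comma: a naive dn.split(",") would mis-parse it.
    "00:11:22:33:44:57": ("CN=EXEC01,OU=Laptops\\, Mobile,DC=ad,DC=corp", "EXEC01"),
    "00:11:22:33:44:58": ("", "NB400999"),  # DN not learned yet, only the hostname is known
}
LAPTOP_OUS = {"laptops", "laptops, mobile"}   # assumed OU names of the laptop containers
LAPTOP_HOST_PREFIXES = ("NB",)                # hostname convention for notebooks (assumed)

def split_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, honouring RFC 4514 backslash escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):      # \2C style hex escape
                buf.append(chr(int(pair, 16)))
                i += 3
            else:                                          # \, \+ \" and similar
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":                                      # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [(a.strip().upper(), v.strip()) for a, _, v in (r.partition("=") for r in rdns)]

def classify(dn, hostname):
    """Return 'laptop', 'desktop' or 'unknown'; OU membership decides, hostname prefix is the fallback."""
    ous = {v.casefold() for a, v in split_dn(dn) if a == "OU"}
    if ous:
        return "laptop" if ous & LAPTOP_OUS else "desktop"
    if hostname.upper().startswith(LAPTOP_HOST_PREFIXES):
        return "laptop"
    return "unknown"

def device_classes(endpoints):
    """Map each MAC to the value to set in the (assumed) DeviceClass custom endpoint attribute."""
    return {mac: classify(dn, host) for mac, (dn, host) in endpoints.items()}
```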
11-02-2017 07:05 AM
Hello, I think you must create different Profiling Policies for laptops and desktops with different OUs. In my deployment we have desktops with names like PC400123.ad.corp and notebooks NB400123.ad.corp, and all are resolvable by cmd with these names.
11-02-2017 01:19 PM
Thanks Craig. That is what I thought. I know I can do the DHCP class GPO trick, but was hoping to be able to use that attribute.
Thanks for the quick response.
07-29-2024 06:33 AM
Hi! I'm in the same situation and I'd like to confirm if we're still in the same state or if we can somehow check the AD-Host-Resolved-DNs value. We're using ISE 3.2 patch 6. Thx!