Differentiated assessment posture based on membership of AD machine.

Hello everyone

Do you guys have a document or an idea on how to set up a policy that assesses a host based on its group membership? Essentially two groups, desktop computers and laptops, each with different requirements to be declared compliant.

Machine and user authentication works well, and posture is based on the user. The requirements for desktops and laptops have already been created, but I can't figure out how to link them to the machine organizational units. User accounts have no attribute based on the machine.
Can posture operate at the computer level?

Tips, ideas and docs are always welcome.

Running distributed ISE 1.3.

Thank you!
Guido

Hi Guido, what you can do is the following:

-Put all the laptops in their own security group in AD

-Place all the workstations in their own security group in AD

-In ISE, under Policy > Posture: you can create different rules that are matched to the specific AD group membership

With regard to documentation, here is an older guide written by TAC:

http://www.Cisco.com/c/en/us/support/docs/security/identity-Services-engine/116143-config-CISE-posture-00.html

In addition, the Cisco Press ISE book is a very good resource:

http://www.CiscoPress.com/store/Cisco-ISE-for-BYOD-and-secure-unified-access-9780133103656

I hope this helps!

Please rate useful posts!

Tags: Cisco Security

Similar Questions

  • Printer mappings based on membership in a group

Hello! So far, I'm in love with UEM and all the features it offers. I'm testing it before rolling it out to users and have found one or two things that have been frustrating me.

One of them is conditions together with group membership. What I'm trying to do is quite simple: map printers based on group membership. For some reason, it doesn't work.

    Here is the part of the log:

    2016-06-30 14:38:15.160 [DEBUG] Conditions: condition «Group.xml» value assessment

    2016-06-30 14:38:15.176 [DEBUG] Conditions: check for subscription of the user from the group "Domain\Network_Admins" = false

    2016-06-30 14:38:15.176 [INFO] jump EMU mapping printers due to conditions ("HQ_Sharp_MX_4141_11 - 38 c .xml')

    2016-06-30 14:38:15.176 [DEBUG] jump off mapping printers EMU ('HQ_XEROX_7775_11 - 25A .xml')

2016-06-30 14:38:15.176 [DEBUG] jump off the EMU printers mapping ('SHARP MX-4141N - 11 - 15.xml')

    2016-06-30 14:38:15.207 [DEBUG] Conditions: check for the user OR = true ("CN = LastName\, FirstName, OR = Users, OR is OEIM, DC is domain, DC = com' belongs to 'OR = Users, OU = OEIM, DC = domain, DC = com' or one of its descendants")

2016-06-30 14:38:15.207 [DEBUG] managed to create printer registry keys.

    2016-06-30 14:38:15.660 [ERROR] error 1726 trying to map printer "\\printserver\SHARP MX-4141N-11-34 H" ("SHARP MX-4141N-11-34 H .xml ')

So I put two conditions on two separate printers just to test how it works. The group membership check does not work even though I'm 100% sure I am a member of that group! Also strange is that the organizational unit check works, but the printer errors when it tries to install.

If anyone is curious, my environment is Horizon 6.2.2 build-3508079 and UEM 9.0. Everyone has access to the printers on the print server, so it is not a permissions problem, in my opinion. Both printers are set to run once and asynchronously. I also have App Volumes 2.10 with 3 AppStacks and a writable volume attached to these machines. The writable is a UIA for the location of the Outlook OST, which I set up using this awesome video: Using VMware App Volumes and User Environment Manager to store the Microsoft Outlook Cache (.OST) - YouTube

Thanks to anyone who can shed some light on this for me.

    Hi edsoncruz4,

You can check your infrastructure for network problems (DFS maybe? Error 1726 means the remote procedure call failed), and you can also check with the command whoami /groups whether your user is a member of the assigned security groups.

    Raymond
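As an added triage helper (not part of the original thread and not VMware UEM code), the following Python parses UEM-style condition log lines like the excerpt above and summarizes which conditions evaluated false, which printer mappings were skipped and which map attempts errored, translating Win32 error 1726 as the reply does. The sample lines are constructed to mirror the post's excerpt (their exact wording is assumed), and the regexes are written for those constructed lines.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the excerpt in the post above (wording assumed).
SAMPLE_LOG = """\
2016-06-30 14:38:15.160 [DEBUG] Conditions: evaluating condition value 'Group.xml'
2016-06-30 14:38:15.176 [DEBUG] Conditions: check for user membership of group "Domain\\Network_Admins" = false
2016-06-30 14:38:15.176 [INFO] Skipping UEM printer mapping due to conditions ('HQ_Sharp_MX_4141_11-38c.xml')
2016-06-30 14:38:15.207 [DEBUG] Conditions: check for user OU = true ("CN=Jane Doe,OU=Users,OU=OEIM,DC=domain,DC=com" belongs to "OU=Users,OU=OEIM,DC=domain,DC=com" or one of its descendants)
2016-06-30 14:38:15.207 [DEBUG] managed to create printer registry keys.
2016-06-30 14:38:15.660 [ERROR] error 1726 trying to map printer "\\\\printserver\\SHARP MX-4141N-11-34 H" ('SHARP MX-4141N-11-34 H.xml')
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<level>\w+)\] (?P<msg>.*)$")
GROUP_RE = re.compile(r'membership of group "(?P<group>[^"]+)" = (?P<result>true|false)')
OU_RE = re.compile(r"user OU = (?P<result>true|false)")
SKIP_RE = re.compile(r"Skipping UEM printer mapping due to conditions \('(?P<cfg>[^']+)'\)")
ERR_RE = re.compile(r'error (?P<code>\d+) trying to map printer "(?P<printer>[^"]+)"')

# Win32 error code mentioned in the thread: 1726 = RPC_S_CALL_FAILED.
WIN32_ERRORS = {1726: "The remote procedure call failed (RPC_S_CALL_FAILED)"}


def triage_uem_log(text: str) -> Dict[str, object]:
    """Summarize condition results, skipped mappings and map errors from UEM log text."""
    report: Dict[str, object] = {"group_checks": {}, "ou_check": None,
                                 "skipped": [], "map_errors": [], "hints": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a timestamped log line; ignore
        msg = m["msg"]
        if (g := GROUP_RE.search(msg)):
            report["group_checks"][g["group"]] = g["result"] == "true"
        elif (o := OU_RE.search(msg)):
            report["ou_check"] = o["result"] == "true"
        elif (s := SKIP_RE.search(msg)):
            report["skipped"].append(s["cfg"])
        elif (e := ERR_RE.search(msg)):
            code = int(e["code"])
            report["map_errors"].append({"printer": e["printer"], "code": code,
                                         "meaning": WIN32_ERRORS.get(code, "unknown")})

    # Turn the findings into the checks the reply suggests.
    hints: List[str] = report["hints"]
    for grp, ok in report["group_checks"].items():
        if not ok:
            hints.append(f"group check for {grp} was false: compare against 'whoami /groups' on the client")
    if any(err["code"] == 1726 for err in report["map_errors"]):
        hints.append("error 1726 is an RPC failure: check RPC/SMB reachability to the print server, not permissions")
    return report


if __name__ == "__main__":
    for key, value in triage_uem_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of splitting the report this way is that the two symptoms in the post have different causes: a `false` group check is a token/membership question on the client, while error 1726 on the map attempt is a transport problem towards the print server.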

• GPO to map a drive (on XP SP2 and SP3 clients) based on membership in a group does not completely finish the mapping

    Hi all

When trying to use a GPO to map a drive (on XP SP2 and SP3 clients) based on membership in a group, it does not completely finish

I have created a GPO called MapDrive

-Under User Config. > Preferences > Windows Settings > Drive Maps

-Set Action = Replace and map it to \\Servername\share\%username% if the user is a member of the XYZ group (Common tab > Item-Level Targeting)

What is happening is that it maps the drive to \\Servername\share\ rather than to the subfolder which is the user name.

To get the GPO to work that far

-Had to install the KB943729 patch on XP for the Client Side Extensions (CSE)

-Also set a policy to wait for the network at logon (this fixes a similar no-mapping problem with the home folder path you can set in the user account object)

Any ideas why the drive mapping does not completely finish, or a workaround?

Cheers,

    Schmills

Thanks, Thahaseena M.

In fact, I found that it was not a problem with what I did; it actually worked.

What I found is that when you map a drive via GPO to a subfolder, for example \\servername\share\subfolder

What is displayed is \\servername\share, but it is actually mapped directly to the subfolder. In the GPO you can create a label for the drive, so in my case I created a StorageFor_%username% label, which then displays the user's folder, which is what I wanted.

My original post can still help those who have problems with

1. the folder not mapping entirely

2. the CSE patch for XP being required for mapping drives via GPO.

Cheers,

    Philippe

  • assessment of suitability of LabVIEW for industrial machine control

    Greetings,

I'm trying to determine if LabVIEW and related equipment are able to meet several organizational needs, the main driver being direct control of industrial machines as the main operator interface. The specific IO is quite simple and not time critical, with the exception of a few safety controls.

I'm trying to find information or use-case examples where LabVIEW has been used in a setup that autostarts, where the user/operator is ONLY presented with the LabVIEW VI that acts as the machine's user interface, without access to the underlying operating system, whether it is *NIX or Windows.

Most of what I've found so far seems to be directed at LabVIEW providing a global monitoring environment, where control of the individual machines is handled by dedicated PLCs and HMIs. I would like to know if LabVIEW and related products can be used in place of traditional PLC and HMI hardware. If not, what are some of the existing approaches for mixed environments?

If anyone has experience or pointers to information, I would be grateful.

Cheers,

    Rob

Industrial control is something we do all the time with LV. The first thing to understand is that it is a programming language like any other: what will happen is what you write. Nothing more, nothing less.

The second thing is that there is no "related equipment". LV code can run on a number of platforms, but the actual IO modules you use could in principle be any devices you can talk to (meaning they have dedicated drivers or supported protocols you can use, such as Modbus).

The third thing is that while it is possible to use a desktop OS for that (we do it regularly), these systems are not designed for it. Beyond the safety considerations you mentioned, which must be implemented in dedicated hardware anyway, you should always accept that running on a desktop OS means there is a chance of things occasionally happening because you get preempted, or your machine may hang completely, etc. For the systems we do, it is generally quite acceptable (and in fact it's not frequent), but it's something to be aware of. We usually leave the OS UI in place, but it is also possible to replace the shell application with your own application, and then you will not see the classic interface at all (although users who know what they're doing can access it if they really want to). There are different versions of the OS that may be preferable for something like that, but I have no experience with them.

An obvious point to raise is that NI has dedicated PLC-like hardware that can run your LV code and is actually designed to do this. The most obvious is the cRIO device family. These work exactly like PLCs, except that they are significantly more powerful and much more expensive.

As for mixing things, the classic way is to have the code on the PLC and use something like Modbus, exactly as HMI systems interact with them. LV is not an HMI program, however. It has some advantages, like being able to code and do custom things, and a few drawbacks, like not being able to do basic UIs or logging as easily. There is an add-on for LV that is supposed to add a bit of this, called the DSC module, but I don't really have experience with it. The decision on whether to use an HMI program or code your own (in LV or any other language) should depend on the system and the implementer.

Again, LV is like any other programming language. You can control applications in C, but you must know C and build the relevant parts. The same goes for LV: you will need to know it and be able to write the specific code you want. NI has some reference designs that come up on the subject, but I never looked at them closely. You can look at the table at the bottom of this article to see this: http://www.ni.com/example/30331/en/

• Semaphore timeout while joining the machine to the domain

When I try to join Windows Server 2008 to a domain via VPN, I get a semaphore timeout error; any suggestions?

    Hello

Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to the Windows Server forum on TechNet:
http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

• Return the FQDN of the vCenter for a given virtual machine

Slowly, I am working on a set of workflows that will integrate a PowerShell module I created.

For my first workflow, I'm trying to find all the information I need when a user runs a workflow on a VM from Orchestrator.

I have figured out the cluster so far, but I can't identify the right scripting object that will give me the FQDN of the vCenter host corresponding to this virtual machine.

Being new to vCO does not help much, either.

I thought it would be part of VcManagedEntity, but for some reason this page gives a big ol' 404!

https://www.VMware.com/support/Orchestrator/doc/vco_vsphere51_api/HTML/VcManagedEntity.html#configStatus

I thought maybe it would be part of vm.runtime.parent.parent but my script errors out.

    Any help would be greatly appreciated!

    Thank you.

I think you are now on the right track; the full name of the vCenter server will be localhost, so the answer from vm.sdkConnection.setting.sdkConnection is localhost.

    Maybe this will help you:

// Assumes 'vm' is the VC:VirtualMachine input parameter of the workflow
var sdkConnection = vm.sdkConnection;           // vCenter connection the VM belongs to
var optionManager = sdkConnection.optionManager; // vCenter advanced settings

// queryOptions() returns an array of OptionValue; shift() takes the first entry
var vCenterInstanceName = optionManager.queryOptions( "VirtualCenter.InstanceName" ).shift().value;
var vCenterFqdn = optionManager.queryOptions( "VirtualCenter.FQDN" ).shift().value;

System.log( "vCenter Instance Name: " + vCenterInstanceName );
System.log( "vCenter FQDN: " + vCenterFqdn );

Where I think the name of your instance will show localhost.

But the FQDN should be the thing you are looking for.

Cheers

• ISE 1.1.1 posture of Windows NAC client loops

    Hi all

I just upgraded Cisco ISE to 1.1.1 in my demo/lab environment and now have problems with a basic posture implementation. In short, I connect to a wireless SSID and posture is verified based on the presence of a file. The NAC agent says my host is compliant and grants full network access; however, about 5 seconds later it checks the requirements again, putting my host back into temporary network access. At that point it says I'm compliant again, and 5 seconds later it scans again. This behaviour doesn't stop and continues constantly until I close the wireless connection. I had no problem with this setup on 1.1.

The logs indicate successful compliance and no compliance errors. Any ideas would be appreciated.

Stephen, take a look at this; it really looks like a bug and there's nothing we can do... the workaround is to choose another authentication method, pathetic...

let's wait for a patch

CSCua79768 - Bug details

EAP Chaining + Posture loses Session:PostureStatus consistently on reauth
Symptom:
NAC agent seems to continually posture the endpoint in a continuous loop
Conditions:
EAP-TLS machine authentication + Posture, or EAP chaining + Posture

Workaround:
Use a different authentication method.

  • Dynamic group membership query

    Hello

I'm looking to set up group membership for an existing EM installation.

I don't want to use administrative groups, as we really have no lifecycle state or other target properties set, and I don't want to set everything right now (we have several targets on single servers, over 100 on one server).

Therefore, I was interested in using dynamic groups for DB services, e.g. dynamic group DB_APP1 where the target name is like '%APP1'.

I do not see this property in dynamic groups; rather, dynamic group properties are determined by membership criteria (e.g. target type = x, on host = y)

vs

The normal groups where I can search for all the targets called 'APP1%'.

Is there any criterion for dynamic search by target name in dynamic groups?

    Thank you

Looks like we don't have a direct option.

    http://docs.Oracle.com/CD/E24628_01/doc.121/e25353/whats_new.htm#EMCON142

2.2.3.1 Dynamic Groups

    Note:

    This feature was new in Enterprise Manager Cloud Control Release 2 (12.1.0.2).

Dynamic groups allow you to create groups based on membership criteria. Membership criteria are based on target properties such as target type, lifecycle status, department, target version and so on. Targets whose properties match the criteria of a dynamic group are automatically added to the dynamic group.

Dynamic groups facilitate group management. Administrators define the membership criteria only once and Enterprise Manager automatically adds or removes targets to or from the appropriate dynamic group.

But,

We can choose based on the Comment property: while adding the target, if we put the search string in the comment as "APP1" and use that same comment in the dynamic group criteria, it will help.

Regards

    Krishnan

• vRA 6.2 API - is it possible to request a new virtual machine based on a machine blueprint using the API

Hello

Is it possible in the 6.2 API to request a new virtual machine based on a machine blueprint from the catalog?

Thanks for the help in advance,

Pieter

Yes, you need to specify the new virtual machine in JSON format and POST it to /catalog-service/api/consumer/requests

• Cannot install the Windows 8 evaluation (error booting from the install image)

Hello

I have problems installing the Windows 8 evaluation. When starting the virtual machine I can't boot from the Windows 8 installation image to start the installation process. I always get this error message:

    error.png

I use a Windows 8 x64 image downloaded from here: http://msdn.microsoft.com/en-us/evalcenter/jj554510.aspx. The VMware Player version is 5.0.0 build-812388.

    How can I solve this problem?

    Thanks for your help.

    Welcome to the community,

This error occurs because Windows 8 requires the 'Execute Disable Bit' to be enabled. For VMware Player to pass this setting through to the virtual machine's BIOS, it must be enabled in the BIOS of the physical system. Make sure you power-cycle your system after changing this BIOS setting; a simple reboot might not be enough!

    André

• Change the SCSI controller of a Linux-based VM

Hi all

I have a strange problem with a Linux-based VM. The virtual machine is currently set up with its existing adapter; I added another disk connected via BusLogic and the virtual machine no longer boots.

Is there a possibility to specify the boot disk?

Thank you!

Check if the guest BIOS setting looks like this:

    AWo

    VCP 3 & 4

    Author @ vmwire.net


  • AnyConnect dynamic address pool

Is it possible using DAP to assign a different address pool to AnyConnect users?

Currently, I check if the PC has some elements such as a process, registry key and enabled applications.

If yes -> ACL using 'allow normal access'.

If not -> ACL using 'restricted access'.

That works, but both computers use the client address pool defined in the tunnel-group configuration:

tunnel-group remoteaccess general-attributes
 address-pool remoteaccess-pool1

Is it possible to also dynamically set the address pool?

If yes -> ACL using 'allow normal access' & 'remoteaccess-pool1'

If not -> ACL using 'restricted access' & 'remoteaccess-pool2'

    Thank you!

    Rolando A. Valenzuela.

    Hello Rolando,

Correct me if I'm wrong: based on the computer (the domain it belongs to) you want to map to a certain group policy, which has attributes such as the address pool, and that way you can distinguish one domain from the other, let's say:
(Domain/Admins gets the address pool 10.10.10.0/24)
(Domain/Suppliers gets the address pool 10.20.20.0/24)

Based on this I will give you my recommendations. If you want to do it based on the computer and not the user, I recommend you put all the computers in the same user group in Active Directory, so if you have a user group (Domain/Admin group) you can add computers to it, and with the LDAP attribute mapping you can map to a group policy based on membership in that specific group. This way, all computers used by Admin users will be assigned a group policy with several attributes, such as the local IP pool. If users don't belong to any of the mapped groups, they will not be able to connect either, because you will need to create a NOACCESS group policy to be used for users who should not connect. You can find more information here:

    - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...

Another approach would be filtering the PC based on its MAC address OUI. This uses a regular expression (Lua pattern) to match the Organizationally Unique Identifier (OUI), so only the PCs whose OUI matches the vendor prefix defined in the Lua pattern are allowed to connect. For example:

    assert(function ()
        -- OUI prefix in Cisco dotted MAC format; "%." is the Lua pattern escape for a literal dot
        -- (the pattern as originally posted, "^d067\.e5*", does not match a literal dot)
        local pattern = "^d067%.e5"
        local true_on_match = true

        local match = false
        -- endpoint.device.MAC is a table keyed by the MAC address(es) HostScan reported
        for k,v in pairs(endpoint.device.MAC) do
            print(k)  -- debug: show each MAC being evaluated
            match = string.find(k, pattern)
            if (match) then
                if (true_on_match) then
                    return true
                else return (false)
                end
            end
        end
    end)()

If the PC is HP or Dell, you can use the OUI part of the MAC address, set it there and allow the user to connect, and the user can then be mapped with the LDAP attribute mapping to a group policy so they connect with a different IP address (DAP cannot assign an IP address). DAP is a dynamic access policy that works with the HostScan posture module to do a preliminary assessment and, as the name says, it is a posture unit. NOTE: DAP itself gives you the ability to filter by individual MAC address, so you don't need to do it by OUI; OUI matching is common for large companies with a large number of users, since it is easier. Another way, apart from the MAC address, is to use another regular expression so that DAP examines the first 3 letters (case insensitive) of the PC hostname and allows it to connect if it matches the regex; if it doesn't, the connection ends. You can find the regular expression here:

    assert(function()
        local match_pattern = "^[Mm][Ss][Vv]"          --> Those are the 3 first letters
        local match_value   = endpoint.device.hostname  --> Specifying hostname
        if (type(match_value) == "string") then
            if (string.find(match_value, match_pattern) ~= nil) then
                return true
            end
        elseif (type(match_value) == "table") then
            -- hostname may be reported as a table of values; check each one
            local k,v
            for k,v in pairs(match_value) do
                if (string.find(v, match_pattern) ~= nil) then
                    return true
                end
            end
        end
        return false
    end)()

More on Lua regular expressions: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex... To do this you must have an AnyConnect Premium license (though you can use the two default ones that come with the ASA). Also, you must have a CSD or HostScan image on the ASA and enabled so that you can get that kind of information about the computers that connect with AnyConnect. You can use the AnyConnect image as the HostScan image. (Do not forget to enable the endpoint attributes through ASDM, in the CSD section, otherwise it won't work.) The options mentioned above are good for you to explore, but they will not be very scalable (depending on the number of users), so I recommend a registry key check, a "Domain name" check or a file check, which would work well; but it's your customer's call whether to still check the MAC or not. Please do not forget to rate and mark this message as correct if it helped, keep me posted! Best regards, David Castro

• ASA 5525-X AnyConnect configuration with ISE 2.1

I have a new ISE 2.1 deployment which is used only for device administration at the moment. The intention is that it will serve as RADIUS for authentication to our VPN server.

The 5525-X is a brand new ASA running 9.4 code. I want to configure the VPN policy on the ASA so that each user is assigned a DAP based on their department.

I already have the department designation for user accounts assigned in AD through group membership. I don't know how to get ISE to pass group membership to the ASA so that it can associate the user with the correct DAP based on that group membership.

I am stumped on how this is supposed to work. Thanks for any help.

    @Jonathan Harrison ,

Normally we authenticate and authorize users and then push a dACL, allow the connection, etc. from ISE, using authorization profiles based on conditions that check Posture results or parts of the user's identity (such as group membership in AD or another external identity store).

There are a couple of good guides on doing this, including detailed examples:

    https://communities.Cisco.com/docs/doc-68158

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...

While they focus on the Posture use case, they can be adapted for other uses. For example, the ISE authorization condition may be not only the result of a Posture check but also membership in one group or another, if you make that a condition.

I do not think we can tell the ASA to invoke a given DAP policy, since the HostScan module cannot be used at the same time as the ISE Posture module. However, you should be able to accomplish just about everything you used to depend on DAP for with the ISE Posture Module for AnyConnect (assuming you have AnyConnect 4.x Apex licenses).

If you want to stick with the ASA DAP model, you can forgo using ISE Posture policies and the module and instead create an authorization profile (result) that sends the ASA a RADIUS AV pair based on a match (in the ISE authorization policy) with the AD group. There is a 'Cisco-VPN-3000' AV pair called 'Member-Of' (CVPN3000/ASA/PIX7.x-Member-Of) that can be used in ASA dynamic access policies. You can see it (and all other AV pairs supported by ISE) here:

    https://communities.Cisco.com/docs/doc-67894

• iTunes not consistently renaming imported MP3 files

I am running iTunes 12.3.2 on multiple systems (all Windows 10, both 32- and 64-bit). I noticed some strange behavior when adding Amazon-bought MP3 media to my iTunes library. Since I have the Copy... and Keep organized... options enabled in Edit > Preferences > Advanced, the expected result is that iTunes should rename files as they are copied, according to the pattern:

    • .MP3 (single disc albums)
    • - (multi disc albums) .mp3

My standard practice is, if necessary, to update the metadata of MP3 files outside iTunes using Foobar 2000 (since it gives much better bulk editing tools than iTunes); generally I make changes such as:

• correcting Artist, Album and track names if they do not correspond to my standard conventions (or are simply wrong)
• adjusting artist attribution so that tracks featuring guest artists have them in the artist value rather than appended to the track name
• removing irritating suffixes like '(Live)', '(Remastered)', '(Album Version)' that Amazon / media companies add to the track metadata they provide
• checking and if necessary changing the MP3 tag version to ID3v2.3 and removing all redundant tag versions

That's why I expect iTunes to consistently rename files during the import process to match the metadata values. However, I happened to open a Windows Explorer window and look at the folder created by iTunes for a new import. My library is on an external drive, so the folder name pattern is:

    • : \\iTunes\iTunes Media\Music\-

    What I see here is one of two conditions:

• the file names after the copy operation are the same as those downloaded from Amazon, i.e. not updated to reflect the metadata changes, or
• a mixture of original Amazon file names and proper names generated by iTunes

Closer inspection showed that further updates in iTunes (for example, modifying the artwork) then correct all file names to match the expected pattern as determined by the 'Keep... organized...' setting.

In some ways I actually don't care, as I usually don't worry about how iTunes stores/names media files as long as it preserves the integrity of my library. However, this may be associated with other symptoms (especially the repeatedly reported issues with albums not grouping properly) which suggest that recent versions of iTunes have had problems evaluating metadata-based rules.

Has anyone seen the same? I think this should be reported as a bug, but I prefer to verify that it isn't an oddity associated with my library (even though I have several computers running iTunes, they all use copies of the same library).

Clarification (since I can't edit the original post)... when I talk about my use of Foobar 2000, the workflow I use is:

• download purchased files using the Amazon Music app, which I configured not to automatically add new downloads to iTunes
• load the files into Foobar 2000 and update the metadata
• import the files into iTunes

Thus, all metadata changes are made before anything is added to iTunes.

• Multicast forwarded from one mrouter to another - for no reason?

I have an N5K L3 switch environment connected to a 4500X (L2 switch).

They have a PIM and EIGRP neighbor relationship on the same VLAN interface.

I added a new L3 N5K switch (N5K2) and added it to the same VLAN for the EIGRP and PIM neighbor relationship.

At the moment there is nothing connected to N5K2; all hosts are connected to N5K1.

There is a multicast stream from the core switch heading to the hosts on N5K1.

For some reason the multicast also arrives at N5K2, despite the fact that there is no host listening to it.

See http://lisa.mindbit.ro/wiki/doku.php?id=igmp_snooping

The IGMP behavior should be: with 1 mrouter interface, multicast will not go to a different mrouter interface unless that mrouter has joined the group.

So why do I get these multicasts?

    Hello.

    I'm not sure about the article.

Per RFC 4541 (see section 2.1.2):

    1) Packets with a destination IP address outside 224.0.0.X which are
          not IGMP should be forwarded according to group-based port
          membership tables and must also be forwarded on router ports.
    
You may also find the questions in section 4 of the RFC interesting (in particular question 6).
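To make the quoted rule concrete, here is an added Python model (not from the original thread and not the RFC's text) of the RFC 4541 section 2.1.2 data-forwarding rules on a snooping switch like the 4500X: group membership is learned from IGMP reports, router ports from IGMP queries/PIM hellos, and a data packet is forwarded to member ports plus all router ports. The port names and topology are constructed for illustration, and the model also includes the RFC's second rule for 224.0.0.x traffic, which the reply above does not quote.

```python
import ipaddress
from typing import Dict, Set

# 224.0.0.0/24 is the link-local multicast range singled out by RFC 4541 rule 2.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")


class IgmpSnoopingSwitch:
    """Minimal model of a Layer-2 switch applying the RFC 4541 section 2.1.2 data-forwarding rules."""

    def __init__(self, ports: Set[str]) -> None:
        self.ports: Set[str] = set(ports)
        # Ports behind which a multicast router was detected (IGMP queries / PIM hellos).
        self.router_ports: Set[str] = set()
        # Group address -> ports that sent IGMP membership reports for it.
        self.members: Dict[str, Set[str]] = {}

    def learn_router_port(self, port: str) -> None:
        self.router_ports.add(port)

    def learn_report(self, group: str, port: str) -> None:
        self.members.setdefault(group, set()).add(port)

    def egress_ports(self, dst_ip: str, ingress: str) -> Set[str]:
        """Ports a non-IGMP multicast data packet is forwarded to (never back out the ingress port)."""
        dst = ipaddress.ip_address(dst_ip)
        if not dst.is_multicast:
            raise ValueError("model only covers IPv4 multicast destinations")
        if dst in LINK_LOCAL_MCAST:
            # Rule 2: 224.0.0.x packets that are not IGMP are forwarded on all ports.
            out = set(self.ports)
        else:
            # Rule 1: forward per the group membership table AND on all router ports.
            out = set(self.members.get(dst_ip, set())) | self.router_ports
        out.discard(ingress)
        return out


def build_scenario() -> IgmpSnoopingSwitch:
    """Constructed topology mirroring the question: a 4500X with two N5K mrouters and one listening host."""
    sw = IgmpSnoopingSwitch({"Eth1/1", "Eth1/2", "Eth1/3", "Eth1/4"})
    sw.learn_router_port("Eth1/1")          # N5K1: mrouter and source of the stream
    sw.learn_router_port("Eth1/2")          # N5K2: mrouter with no hosts behind it
    sw.learn_report("239.1.1.1", "Eth1/3")  # the only host that joined the group
    return sw


if __name__ == "__main__":
    sw = build_scenario()
    print("239.1.1.1 from N5K1 ->", sorted(sw.egress_ports("239.1.1.1", "Eth1/1")))
```

Running the scenario shows the stream leaving towards both the joined host and the N5K2 router port, which is exactly the behaviour the question observed: under rule 1 a router port receives every non-link-local group regardless of whether anything behind it has joined.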
