Cisco Support Community

New Member

ISE posture requirement to check if endpoint's USB port is disabled

Hi,

I wonder if it is possible to set the disabled USB port in the endpoints as a requirement in ISE Posture?

Appreciate your input.

Mike


Accepted Solutions
Cisco Employee

ISE posture requirement to check if endpoint's USB port is disab

If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.

Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.

You would have to create a New Posture Condition and Remediations.

The condition that I will use in this example is a Registry Key.

If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.  A value of 4 is disabled.

So set a Posture Condition:

Click Policy > Policy Elements > Conditions

Choose Posture from the left menu:

Then choose Registry Condition from the left menu.

Click +Add to add a new Posture Condition:

Then you have to create Remediation Actions.  Click the Results button at the top of the left Menu:

Choose Remediation Actions and choose the Remediation you want to use.  I chose Link Remediation.

+Add to add a new Link Remediation:

Then choose Requirements from the left menu and create a new Remediation Result:

Of course, you can choose different remediations as necessary for your environment.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton
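
The registry check described in the answer above can be confirmed locally on a Windows endpoint before the posture requirement is enforced. The following PowerShell is an added example, not part of the original post and not Cisco code; the function name `Get-UsbStorPosture` and its output fields are made up for illustration, and the meaning of the values 3 and 4 is taken from the post.

```powershell
# Added example: local check of the value the posture condition above tests.
# Per the post: Start = 3 means USB is enabled, Start = 4 means disabled.
# Function name and output fields are hypothetical, chosen for this example.
function Get-UsbStorPosture {
    [CmdletBinding()]
    param(
        # Registry path from the post (the USB mass-storage driver service).
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor',
        # Value the requirement should demand (4 = disabled, per the post).
        [int]$RequiredStart = 4
    )

    $result = [ordered]@{
        Computer  = $env:COMPUTERNAME
        Path      = $Path
        Start     = $null
        State     = 'Unknown'
        Compliant = $false
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # Key absent: there is no Start value to compare.
        $result.State = 'KeyMissing'
        return [pscustomobject]$result
    }

    $item = Get-ItemProperty -LiteralPath $Path -Name 'Start' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.State = 'ValueMissing'
        return [pscustomobject]$result
    }

    $start = [int]$item.Start
    $result.Start = $start
    $result.State = switch ($start) {
        3       { 'Enabled' }    # per the post
        4       { 'Disabled' }   # per the post
        default { 'Other' }      # any other value is reported as not compliant
    }
    $result.Compliant = ($start -eq $RequiredStart)
    return [pscustomobject]$result
}

$posture = Get-UsbStorPosture
$posture | Format-List
# Exit code 0 = compliant, 1 = not compliant, for use in a scheduled audit.
if ($posture.Compliant) { exit 0 } else { exit 1 }
```

Run it on a sample of endpoints first: machines that report `KeyMissing`, `ValueMissing` or `Other` are the ones to look at before the requirement is made mandatory.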

2 REPLIES
New Member

ISE posture requirement to check if endpoint's USB port is disab

Hi Charles,

I haven't tried the solution yet, but from what you have said, with the detailed pictorial steps, I am quite confident it will work.

Very much appreciated
