Eric,

You should be able to achieve what you want as long as the WSUS
requirement is set to use "Cisco rules" for validation. Essentially, you
will create 2 WSUS requirements, once with Microsoft Servers, and one
with Managed WSUS Servers. And create a check for the registry key. And
create rules to use proper WSUS requirement.

Thanks,
--Jackie

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Eric K
Sent: Monday, October 01, 2007 8:13 AM
To: [log in to unmask]
Subject: WSUS with Windows Update as Failsafe?

NAC version 4.1.2.1

We have a user role (staff) that may be logging into multiple types of
computers.  Ones owned by the college, which are configured to update to
our own WSUS server, and their personal laptops/computers which should
not have access to the WSUS server, and instead should hit Microsoft's
update servers.

I have determined that a computer configured with our WSUS server has a
specific registry key indicating the URL of our WSUS server, whereas
someone's personal computer will not have that key.

We are trying to create rules and checks based off of these criteria to
determine the remediation path for the user.  Unfortunately, TAC says
this is not possible to accomplish. 

Is there anyone else out there that has a similar requirement, and if
so, how do you do it?