topic Hi Marvin, in Network Access Control

Wired/Wireless BYOD with Posture Check

hunk0602015 — Mon, 11 Mar 2019 06:22:16 GMT

Hi All,

We have deploy Wired/Wireless BYOD with certificate authentication,which working perfectly fine wherein we need to check posture check for BYOD user.

Can any one tell me how we can deploy Posture check for BYOD user.

Thanks in advance

Posture Check configuration

Marvin Rhoads — Wed, 06 Jan 2016 18:03:05 GMT

Posture Check configuration is pretty thoroughly explained in this document:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

Have you looked at it?

Please do so if you haven't already and reply back here if you have remaining questions.

Hi Marvin,

hunk0602015 — Wed, 06 Jan 2016 20:04:10 GMT

Hi Marvin,

Thanks for reply. Currently we have configured posturing for Domain Machine and which working perfectly fine.

Now we want to deploy posture checks for BOYD user, so little confused about flow for BYOD user.

BYOD user will first hit to mab with CWA > AD Login for registration > Windows Wizard download> certificate profile download check> Permit access.

I am little confused,where I can mentioned posture check in it?

Posture check will happen on nac agent or web agent ?

Thanks in advance

Look in the linked document

Marvin Rhoads — Wed, 06 Jan 2016 20:18:17 GMT

Look in the linked document around paragraph 4a.

Along with the certificate profile download check, add a posture compliance check (like "AND Session: PostureStatus EQUALS Compliant" plus "AND Session: PostureStatus NOT EQUALS Compliant").

If the BYOD User is "PreCompliant" then do a "Posture_Remediation" CoA. Otherwise "Permit access".

Hi Marvin,

ddindevanis — Wed, 22 Jun 2016 04:27:19 GMT

Hi Marvin,

Is it possible to provide/configure BYOD Wireless users using Domain Laptops with full network access and non domain Laptops/Ipads with limited access (Email Server Access Only).

Thanks and Regards

Dinesna

Sure. You just create two

Marvin Rhoads — Wed, 22 Jun 2016 04:34:49 GMT

Sure. You just create two Authorization profiles - one with full access and one with an ACL restricting access.

Your Authorization results in your policy set then check for the computer being a member of the domain. If so then permit full access result. If not, then the result is a Change of Authorization that applies the ACL.

if you are using both wired and wireless then you need two separate Authorization profiles for restricted access - one with a downloadable ACL (wired) and one that calls out a pre-defined Airespace ACL (wireless)

Many thanks marvin for your

ddindevanis — Wed, 22 Jun 2016 04:56:29 GMT

Many thanks marvin for your valuable info. i will work on this today.

regards

Dinesh