topic Re: ISE Posture Call Home List in Network Access Control

ISE Posture Call Home List

aravikumar — Fri, 28 Jun 2019 15:01:43 GMT

Hello,

In our environment we are using meraki switches and as they do not support DACLs or ACLs for Posture redirection, we used call home list in the anyconnect configuration profile to let the endpoint reach the PSN. During redirection or before redirection, does the endpoint have access to all the resources in the network based on the VLAN configured on the connected switchport.

Thanks,

Aravind

Re: ISE Posture Call Home List

howon — Fri, 28 Jun 2019 15:55:59 GMT

Meraki MS supports named ACL posture redirect. Suggest avoiding VLAN change pre/post posture if possible:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/compatibility/b_ise_sdt_26.html

Re: ISE Posture Call Home List

aravikumar — Fri, 28 Jun 2019 16:10:23 GMT

Hi Howon,

Thank you for your response. There is no place in Meraki platform to define a named ACL specifically for posture redirection for wired switches. We are able to apply redirection only for wireless using group policies. I have already reached out to Meraki regarding this. Please do let me know if something is changed.

https://community.meraki.com/t5/Switching/ISE-Posture-ACL/td-p/32853

If We are using call home list in ISE, Is that going to restrict access to all other resources except PSN nodes?

Thanks,

Aravind

Re: ISE Posture Call Home List

Jason Kunst — Fri, 28 Jun 2019 17:26:53 GMT

See meraki ISE guide

https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/3618650

also this is another related doc
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Re: ISE Posture Call Home List

aravikumar — Fri, 28 Jun 2019 21:18:06 GMT

Hi Jason,

The document provided does not say about configuring named ACL for redirection in wired switches for posture redirection. It just mentions about "wired CWA".

Thanks,

Aravind.

Re: ISE Posture Call Home List

Jason Kunst — Sat, 29 Jun 2019 01:43:53 GMT

Redirect for guest is same for redirect for posture

Re: ISE Posture Call Home List

hslai — Sun, 30 Jun 2019 05:56:52 GMT

https://community.meraki.com/t5/Switching/ISE-Posture-ACL/td-p/32853

That gives Change of Authorization with RADIUS (CoA) on MS Switches, which mentions,

Use Case URL Redirect Walled Garden (Supported on MS210/225/250/350/410/420/425)
By default, URL redirect is enabled with CoA. This can be used to redirect clients to a webpage for authentication. Before authentication, the client will have access to all HTTP resources. The walled garden can be used to limit access to the web server only. This feature will only be enabled if one or more supported switches are in the network. Configurations on this feature will be ignored by unsupported switches.

Re: ISE Posture Call Home List

aravikumar — Tue, 02 Jul 2019 15:21:00 GMT

Redirection for wireless guest is possible with meraki as ISE uses airespace ACL to apply the group policy for guest redirection. But in the case of wired switches in the documentation provided or in the reference links, there are no pointers or ways to create Named ACL for Wired Posture redirection. Please help.

Thanks,

Aravind.

Re: ISE Posture Call Home List

hslai — Tue, 02 Jul 2019 16:08:52 GMT

Check my earlier response to this thread.

Please test it out yourself as the Meraki gears in our lab are not currently working.

Re: ISE Posture Call Home List

Jason Kunst — Tue, 02 Jul 2019 16:26:59 GMT

Please reach out to meraki