<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Differentiate between Client Provisioning policies in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/differentiate-between-client-provisioning-policies/m-p/3495243#M517264</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am looking for a clearer way to differentiate between Posture and NSP in Client Provisioning policies. The particular case is a user has 2 devices - a Corporate Windows device and a personal Windows laptop. I am able to get the posture status working for the AD device, but I am not able to do the BYOD provisioning.&lt;/P&gt;&lt;P&gt;In this case, I am redirecting the users to the Guest portal, and enabling the BYOD flow. When the user authenticates (member of the AD group "BYOD User"), they are sent through the BYOD flow, and this works - provisions the certificate from the ISE CA, pushes wireless config, etc.&lt;/P&gt;&lt;P&gt;This same user, when they log into a corp domain device, we have Posture enabled, the posture agent fires, does its thing, and things are grand.&lt;/P&gt;&lt;P&gt;Here's the rub - I can do one, but not the other, depending on the order in the Client Provisioning policy. Since the user is a member of both the Domain Users and BYOD Users groups, the way in which the user logs in should be a defining factor in how the policy is processed. When the provisioning policy for the NSP is first, I get an error in the posture agent, claiming the system is configured for the NAC agent but posture works.&lt;/P&gt;&lt;P&gt;When I reverse the configuration and put the Posture rule first, posture works fine, but the NSP process fails with an error message that there is no policy configured for this user.&lt;/P&gt;&lt;P&gt;&lt;IMG __jive_id="116694" alt="" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/116694_pastedImage_1.png" style="max-width: 1200px; max-height: 900px;" /&gt;&lt;/P&gt;&lt;P&gt;Here is the client provisioning policy:&lt;/P&gt;&lt;P&gt;&lt;IMG __jive_id="116693" alt="" 
class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/116693_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /&gt;&lt;/P&gt;&lt;P&gt;I could use a pointer on the best way to move forward.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 24 Apr 2018 15:04:14 GMT</pubDate>
    <dc:creator>bperciac</dc:creator>
    <dc:date>2018-04-24T15:04:14Z</dc:date>
    <item>
      <title>Differentiate between Client Provisioning policies</title>
      <link>https://community.cisco.com/t5/network-access-control/differentiate-between-client-provisioning-policies/m-p/3495243#M517264</link>
      <pubDate>Tue, 24 Apr 2018 15:04:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/differentiate-between-client-provisioning-policies/m-p/3495243#M517264</guid>
      <dc:creator>bperciac</dc:creator>
      <dc:date>2018-04-24T15:04:14Z</dc:date>
    </item>
    <item>
      <title>Re: Differentiate between Client Provisioning policies</title>
      <link>https://community.cisco.com/t5/network-access-control/differentiate-between-client-provisioning-policies/m-p/3495244#M517265</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Since one is for BYOD and the other is for posture client provisioning, please try combining the two rules into one.&lt;/P&gt;&lt;P&gt;If the conditions are supposed to make up unique matches, then there might be a bug in the client provisioning policy rule matching. I would suggest logging a TAC case to debug it further.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Apr 2018 02:06:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/differentiate-between-client-provisioning-policies/m-p/3495244#M517265</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2018-04-25T02:06:13Z</dc:date>
    </item>
  </channel>
</rss>

