topic Re: Cisco ISE Posture in Network Access Control

Cisco ISE Posture

saxenanitesh8522 — Fri, 02 Feb 2018 20:38:54 GMT

Hi Guys,

I just need to clear out some doubts about Posture:-

1. When the user is in Unknown --> ISE should use Redirect ACL + Client Provisioning Portal --> CORRECT??

2. When the user is in Non Complaint --> ISE should send DACL for the traffic which is allowed or it should be REDIRECT ACL + CLIENT PROVISIONING + DACL???

Just need to clarify this point.

Re: Cisco ISE Posture

Dustin Anderson — Fri, 02 Feb 2018 21:22:53 GMT

it depends on how you want to handle it, but I have 1 rule for unknown or non-compliant that redirects to the MDM so they can become compliant.

Also, are these wired, or wireless clients? DACLs are only for wired, wireless you would have to call an ACL on the WLC.

Re: Cisco ISE Posture

paul — Fri, 02 Feb 2018 21:43:16 GMT

Typically, assuming you have the ISE posture module installed via your software distribution software the Unknown state uses the redirect ACL for posture discovery only. If you aren't planning to use the client provisioning portal (I usually don't) your redirect ACL could just redirect port 80 going to the default gateway to allow posture discovery. Then you can also apply a DACL to limit access to the network when in Unknown, but be careful with that because posture isn't reported until the user is logged in.

For non-compliant I usually just use a DACL to restrict access and no redirect.

Re: Cisco ISE Posture

Dustin Anderson — Fri, 02 Feb 2018 22:00:13 GMT

Not sure why I got MDM in my head for the question. Yes as Paul said, it depends on if you want to use the portal and such.

In our case, since we use posture on wireless. Instead of an ACL due to WLC limits, we leave them on our limited onboarding network until compliant. Once compliant, we assign a vlan based on status.

Re: Cisco ISE Posture

paul — Fri, 02 Feb 2018 22:45:00 GMT

I don’t think so. I never us the GUI. I do it all from the CLI.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: Cisco ISE Posture

saxenanitesh8522 — Mon, 05 Feb 2018 11:57:44 GMT

Hi Everyone,

The windows edge popup was fixed when i allowed required traffic in the switch but IE still going for redirection and its automatically opening.

Re: Cisco ISE Posture

hslai — Mon, 05 Feb 2018 12:11:24 GMT

Please clarify what's expected and what's not.

It seems you meant different browsers giving you different results. Edge is not redirecting while IE is?? Please check what web site IE is going and triggering the redirect. You might want to take a look at https://en.wikibooks.org/wiki/Windows_Troubleshooter_Guide/Network_Location_Awareness