https://community.cisco.com/t5/network-access-control/matching-the-proper-cp-policy/m-p/3591863#M535417 <HTML><HEAD></HEAD><BODY><DIV><P>As you said, users can match both policies.&nbsp; For CP it should be first match but Posture policy could be match all.&nbsp; Have you considered adding "AND NOT member of BYOD group" to avoid conflicts?</P></DIV></BODY></HTML> Mon, 07 Aug 2017 11:16:11 GMT Craig Hyps 2017-08-07T11:16:11Z https://community.cisco.com/t5/network-access-control/matching-the-proper-cp-policy/m-p/3591862#M535412 <HTML><HEAD></HEAD><BODY><P>Hi ISE experts</P><P></P><P>I was wondering if anyone has experienced the following. In the client provisioning policy, I've created 2 different policies i.e. 1 for Corporate machines with Windows and 1 for BYOD devices with Windows. Somehow the devices are picking either one of the policy only. Please find the configured CP policies below:</P><P></P><P><STRONG style="text-decoration: underline;">BYOD-Windows</STRONG> </P><P><STRONG>Identity Group</STRONG> - Any</P><P><STRONG>Operating System</STRONG> - Windows All</P><P><STRONG>Other Conditions:</STRONG></P><P>&nbsp;&nbsp;&nbsp;&nbsp; AD Group - BYOD Users</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Radius:NAS-Port-Type EQUALS Wireless-IEEE 802.11</P><P><STRONG>Result - </STRONG>WebAgent 4.9.5.8, WinSPWizard 2.2.0.52 and Corporate-NSP-BYOD</P><P></P><P><STRONG style="text-decoration: underline;">Corporate-Windows</STRONG></P><P><STRONG>Identity Group</STRONG> - Any</P><P><STRONG>Operating System</STRONG> - Windows All</P><P><STRONG>Other Conditions:</STRONG></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; AD Group - Domain Users</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; Radius:NAS-Port-Type EQUALS Wireless-IEEE 802.11</SPAN></P><P><SPAN style="font-size: 10pt;"><STRONG>Result</STRONG> - NACAgent 4.9.5.8 AND ComplianceModule 3.6.11098.2<BR /></SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">When I do get the Web Agent on the BYOD devices, I also notice that the endpoint is scanned for the Corporate Security Requirements as well (instead of the BYOD Security Requirements only). But this is definitely due to the user being in 2 of the AD external groups (BYOD user and Domain User). </SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Any help would be appreciated.<BR /></SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Other info:</SPAN></P><P><SPAN style="font-size: 10pt;">Currently running <STRONG>ISE 2.1 patch 3</STRONG></SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Thanks</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Ryan </SPAN></P></BODY></HTML> Mon, 07 Aug 2017 05:04:34 GMT https://community.cisco.com/t5/network-access-control/matching-the-proper-cp-policy/m-p/3591862#M535412 ryan.chen 2017-08-07T05:04:34Z https://community.cisco.com/t5/network-access-control/matching-the-proper-cp-policy/m-p/3591863#M535417 <HTML><HEAD></HEAD><BODY><DIV><P>As you said, users can match both policies.&nbsp; For CP it should be first match but Posture policy could be match all.&nbsp; Have you considered adding "AND NOT member of BYOD group" to avoid conflicts?</P></DIV></BODY></HTML> Mon, 07 Aug 2017 11:16:11 GMT https://community.cisco.com/t5/network-access-control/matching-the-proper-cp-policy/m-p/3591863#M535417 Craig Hyps 2017-08-07T11:16:11Z