https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480424#M570185 <P>Hi,</P><P>&nbsp;</P><P>I have a customer that has laptops and desktops with different AnyConnect versions and compliance modules. They currently have wireless posturing working for wi-fi only.</P><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD><P>Device</P></TD><TD><P>Wireless/Wired</P></TD><TD><P>AnyConnect Version</P></TD><TD><P>Compliance Module</P></TD><TD><P>Policy</P></TD><TD><P>Identity Groups</P></TD></TR><TR><TD><P>Laptop</P></TD><TD><P>Wireless</P></TD><TD><P>4.8.03036</P></TD><TD><P>4.3.1453.6145</P></TD><TD><P>Use existing policy</P></TD><TD><P>None</P></TD></TR><TR><TD>Laptop</TD><TD><P>Wired</P></TD><TD><P>4.8.03036</P></TD><TD><P>4.3.1453.6145</P></TD><TD><P>Need new policy that looks at only laptops on the LAN that doesn't conflict with desktops</P></TD><TD><P>None</P></TD></TR><TR><TD><P>Desktop</P></TD><TD><P>Wired</P></TD><TD><P>4.10.02086</P></TD><TD><P>4.3.2336.6145</P></TD><TD>Need new policy that looks at desktops on the LAN and it doesn't&nbsp;conflict with laptops</TD><TD>None</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Possibly three profiles on ISE required:</P><P>&nbsp;</P><OL><LI>Wireless – use the same one – same compliance module</LI><LI>Wired – Laptop – use same compliance module as wireless setup, this is so the laptop will not have two different compliance module (avoid conflicts in software versions)</LI><LI>Wired – Desktop -&nbsp; use new compliance module (highlight in green in table above)</LI></OL><P>&nbsp;</P><P>Need a policy to determine if the device is a laptop/desktop and if it is laptop only go to Wired Laptop policy. I was going to suggest an AD group as a condition for Laptops and one for desktops and build them into the policy.&nbsp;</P><P>&nbsp;</P><P>Is there any better way of doing this?</P><P>&nbsp;</P> Tue, 05 Oct 2021 16:14:11 GMT Anthony O'Reilly 2021-10-05T16:14:11Z https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480424#M570185 <P>Hi,</P><P>&nbsp;</P><P>I have a customer that has laptops and desktops with different AnyConnect versions and compliance modules. They currently have wireless posturing working for wi-fi only.</P><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD><P>Device</P></TD><TD><P>Wireless/Wired</P></TD><TD><P>AnyConnect Version</P></TD><TD><P>Compliance Module</P></TD><TD><P>Policy</P></TD><TD><P>Identity Groups</P></TD></TR><TR><TD><P>Laptop</P></TD><TD><P>Wireless</P></TD><TD><P>4.8.03036</P></TD><TD><P>4.3.1453.6145</P></TD><TD><P>Use existing policy</P></TD><TD><P>None</P></TD></TR><TR><TD>Laptop</TD><TD><P>Wired</P></TD><TD><P>4.8.03036</P></TD><TD><P>4.3.1453.6145</P></TD><TD><P>Need new policy that looks at only laptops on the LAN that doesn't conflict with desktops</P></TD><TD><P>None</P></TD></TR><TR><TD><P>Desktop</P></TD><TD><P>Wired</P></TD><TD><P>4.10.02086</P></TD><TD><P>4.3.2336.6145</P></TD><TD>Need new policy that looks at desktops on the LAN and it doesn't&nbsp;conflict with laptops</TD><TD>None</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Possibly three profiles on ISE required:</P><P>&nbsp;</P><OL><LI>Wireless – use the same one – same compliance module</LI><LI>Wired – Laptop – use same compliance module as wireless setup, this is so the laptop will not have two different compliance module (avoid conflicts in software versions)</LI><LI>Wired – Desktop -&nbsp; use new compliance module (highlight in green in table above)</LI></OL><P>&nbsp;</P><P>Need a policy to determine if the device is a laptop/desktop and if it is laptop only go to Wired Laptop policy. I was going to suggest an AD group as a condition for Laptops and one for desktops and build them into the policy.&nbsp;</P><P>&nbsp;</P><P>Is there any better way of doing this?</P><P>&nbsp;</P> Tue, 05 Oct 2021 16:14:11 GMT https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480424#M570185 Anthony O'Reilly 2021-10-05T16:14:11Z https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480429#M570186 <P><SPAN>Is there any better way of doing this?</SPAN></P> <P><SPAN>-IMO there are many ways to differentiate, but this really comes down to what you feel is best fit for your environment.&nbsp; As you alluded to the external AD group is one I often see used in other condition and could very well be the easiest.&nbsp; Perhaps you have each of the three in separate security groups already.&nbsp; Are devices static that never move around campus?&nbsp; Perhaps you could rely on device type or location if all three are subject to same areas?&nbsp; Lastly, 4.8 is ancient you should really look into upgrading the AC client.&nbsp; HTH!</SPAN></P> Tue, 05 Oct 2021 16:32:01 GMT https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480429#M570186 Mike.Cifelli 2021-10-05T16:32:01Z https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480814#M570205 Hi Mike,<BR />We currently don't use security groups.<BR />4.8 will be upgraded at the beginning of next year (hopefully)<BR />Laptop users roam around the buildings and branches but desktops are static.<BR /> Wed, 06 Oct 2021 08:03:44 GMT https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480814#M570205 Anthony O'Reilly 2021-10-06T08:03:44Z https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480978#M570213 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/202309">@Anthony O'Reilly</a>&nbsp;your best bet is to take a detailed radius live log for each of the 3 use cases and identify potential conditions that you could test/use to meet your need.&nbsp;&nbsp;</P> Wed, 06 Oct 2021 11:59:43 GMT https://community.cisco.com/t5/network-access-control/client-provisioning-policies/m-p/4480978#M570213 Mike.Cifelli 2021-10-06T11:59:43Z