https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4553227#M572809 <P>Look great let me narrow it down and try with this rule, then I will let you know the result. Thank</P> Wed, 16 Feb 2022 02:11:21 GMT bunleang 2022-02-16T02:11:21Z https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4545366#M572587 <P>Hi all ISE experts,</P><P>&nbsp;</P><P>Anyone could tell me how to apply dacl profile to clients while posture scan found device non-compliance&nbsp;</P><P>- non-compliance devices blocked access to the internal system</P><P>- non-compliance internet must be accessible&nbsp;</P><P>&nbsp;</P> Fri, 04 Feb 2022 08:31:11 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4545366#M572587 bunleang 2022-02-04T08:31:11Z https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4545438#M572589 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1267184">@bunleang</a>,</P> <P>This sounds like a standard scenario for posture assessment.</P> <P>Please check <A href="https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273" target="_self">ISE Posture Prescriptive Guide</A> to understand concepts and to see how to implement it.</P> <P>BR,</P> <P>Milos</P> Fri, 04 Feb 2022 10:51:11 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4545438#M572589 Milos_Jovanovic 2022-02-04T10:51:11Z https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4545485#M572590 <P><SPAN>Anyone could tell me how to apply dacl profile to clients while posture scan found device non-compliance&nbsp;</SPAN></P> <P><SPAN>-You will need a separate authz profile, which contains your desired dacl, that you will use in your radius authorization policy for noncompliant clients.&nbsp; Your conditions in the authz policy will contain Session:Posture Status EQUALS NonCompliant.&nbsp; Then for the result profile assign the authz profile for noncompliant use cases that contains your respective dacl.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Authz/dacl can be created here: Policy-&gt;Policy Elements-&gt;Results-&gt;Authorization</SPAN></P> Fri, 04 Feb 2022 12:20:06 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4545485#M572590 Mike.Cifelli 2022-02-04T12:20:06Z https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4552844#M572788 <P>Could you share me sample guide with auth dacl access-list rule?&nbsp;</P><P>&nbsp;</P> Tue, 15 Feb 2022 15:46:14 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4552844#M572788 bunleang 2022-02-15T15:46:14Z https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4552858#M572789 <P>I would recommend looking at the guide&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/330320">@Milos_Jovanovic</a>&nbsp;shared and this one:&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank">https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 15 Feb 2022 16:01:57 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4552858#M572789 Mike.Cifelli 2022-02-15T16:01:57Z https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4552934#M572796 <P>Personally I would apply the following rules on the non-compliant DACL, you can narrow them down if you want:</P> <P>permit udp any eq bootpc any eq bootps</P> <P>permit udp any any eq 53</P> <P>deny ip any 10.0.0.0 0.255.255.255</P> <P>deny ip any 172.16.0.0 0.15.255.255</P> <P>deny ip any 192.168.0.0 0.0.255.255</P> <P>permit tcp any any eq 80</P> <P>permit tcp any any eq 443</P> <P>deny ip any any</P> <P>Keep in mind please that if you want to apply the above DACL to an old WLC, then you need to create the ACL on the WLC, and from ISE authorization profile instead of enabling the check on the "DACL Name" and select the DACL, you would need to enable the "Airespace ACL Name" and provide the name of the ACL you created on the WLC.</P> Tue, 15 Feb 2022 17:32:43 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4552934#M572796 Aref Alsouqi 2022-02-15T17:32:43Z https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4553227#M572809 <P>Look great let me narrow it down and try with this rule, then I will let you know the result. Thank</P> Wed, 16 Feb 2022 02:11:21 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-version-3-0-posture-provisioning/m-p/4553227#M572809 bunleang 2022-02-16T02:11:21Z