Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue with F

nicoff — Sat, 05 Oct 2024 15:00:22 GMT

Hi,

We're currently implementing posture with Cisco ISE, and we've successfully configured policies and used dACLs (Downloadable ACLs) for wired and VPN connections. However, we're facing an issue with ISE Posture on WiFi as we can't use dACLs on the WLC 9800 in FlexConnect mode.

To work around this limitation, we've created specific SGTs (Security Group Tags) to manage network access rules via FTD (Firepower Threat Defense) based on posture states (Unknown, Compliant, and Non Compliant).

The problem is that the firewall doesn't seem to update the SGT tied to a particular user, even though the posture compliance status is correctly obtained.

In the ISE live logs, we can clearly see that the user is assigned the "Posture-Compliant" SGT, but the firewall still sees the user with the SGT "Posture-Unknown," and as a result, their access to internal resources is blocked.

Has anyone encountered this issue before? Why isn't the firewall recognizing the SGT change? What should we check or troubleshoot to resolve this?

Re: Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue wi

Mark Elsen — Sun, 06 Oct 2024 15:00:54 GMT

- What type of firewall are you using ?

Re: Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue wi

nicoff — Sun, 06 Oct 2024 17:17:25 GMT

Firepower 1120 v.7.2.4.1. I forgot to mention that we manage our firewalls using FMC.

topic Re: Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue wi in Network Access Control

Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue with F

Re: Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue wi

Re: Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue wi