
adding Posture in dot1x environment

Hi Guys:

I'm new to ISE and now I have a good challenge: enabling the Posture module for a current environment with dot1x. My deal is I have 30 authorization rules with the syntax of:

item 1: AD_group_A then applied VLAN_A

item 2: AD_group_B then applied VLAN_B

..

item 30: AD_group_30 then applied VLAN_30

After I read the Posture implementation guide, it says we need to create an authorization condition for posture status equal to "Compliant" and "NonCompliant". For this reason, I would like to know, in your experience, if there is a way to create simply 2 authorization rules at the top of them, or must I duplicate all the authz rules with Compliant and NonCompliant?

Thanks,

Jhony

Accepted Solution
Cisco Employee

Re: adding Posture in dot1x environment

In case the endpoints in your deployment are able to get new IP addresses after changing subnets, then it is possible to assign the endpoints to a common quarantine subnet before their posture status becomes compliant.

In case you need to keep separate subnets even during quarantine, or in case endpoints are unable to refresh their IP addresses between unknown and compliant, please see whether you may store the VLAN ID or name as an AD user attribute. This way we might be able to assign the VLAN by the AD user attribute instead, in the authorization profiles, to consolidate the number of rules and profiles.

[Screenshot attached: Screen Shot 2019-07-20 at 4.24.23 PM.png]
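The consolidation the answer describes, as an added example that is not part of the original thread: a small Python model of ISE's top-down, first-match authorization policy, used to check that a three-rule policy (quarantine VLAN while posture is Unknown or NonCompliant, VLAN taken from an AD user attribute once Compliant) returns the same VLAN as expanding all 30 group rules into Compliant / NonCompliant pairs. The group names, VLAN names, the `ise-vlan` attribute name and the sample sessions are constructed assumptions for illustration, not values from the page or from ISE itself.

```python
"""Added example (not from the original thread or Cisco ISE): models ISE's
first-match authorization policy to compare the expanded rule set (one
Compliant / NonCompliant pair per AD group) with the consolidated one that
takes the VLAN from an AD user attribute.  All names below are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-in for the 30 group-to-VLAN rules in the question.
GROUP_TO_VLAN: Dict[str, str] = {f"AD_group_{i}": f"VLAN_{i}" for i in range(1, 31)}
QUARANTINE_VLAN = "VLAN_QUARANTINE"   # assumed name of the common quarantine VLAN
VLAN_ATTR = "ise-vlan"                # assumed AD user attribute holding the VLAN


@dataclass
class Session:
    username: str
    ad_groups: FrozenSet[str]          # groups returned by the AD join point
    posture: str                       # "Unknown", "NonCompliant" or "Compliant"
    ad_attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: Callable[[Session], str]   # VLAN the authorization profile assigns


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """ISE walks the authorization rules top-down and applies the first match."""
    for r in rules:
        if r.condition(s):
            return r.name, r.result(s)
    return "Default", "DenyAccess"


def expanded_policy() -> List[Rule]:
    """Option 1 from the question: duplicate every group rule (61 rules)."""
    rules = [Rule("Posture_Unknown", lambda s: s.posture == "Unknown",
                  lambda s: QUARANTINE_VLAN)]
    for group, vlan in GROUP_TO_VLAN.items():
        rules.append(Rule(f"{group}_Compliant",
                          lambda s, g=group: g in s.ad_groups and s.posture == "Compliant",
                          lambda s, v=vlan: v))
        rules.append(Rule(f"{group}_NonCompliant",
                          lambda s, g=group: g in s.ad_groups and s.posture == "NonCompliant",
                          lambda s: QUARANTINE_VLAN))
    return rules


def consolidated_policy() -> List[Rule]:
    """Option 2 from the answer: 3 rules, VLAN read from the AD user attribute."""
    return [
        Rule("Posture_Unknown", lambda s: s.posture == "Unknown", lambda s: QUARANTINE_VLAN),
        Rule("Posture_NonCompliant", lambda s: s.posture == "NonCompliant", lambda s: QUARANTINE_VLAN),
        Rule("Posture_Compliant",
             lambda s: s.posture == "Compliant" and VLAN_ATTR in s.ad_attrs,
             lambda s: s.ad_attrs[VLAN_ATTR]),
    ]


def vlan_attribute_for(groups: FrozenSet[str]) -> Optional[str]:
    """Value to populate in AD: the VLAN of the first group *in rule order* the
    user belongs to, so a user in several groups keeps the result the old
    first-match rules gave them."""
    for group, vlan in GROUP_TO_VLAN.items():
        if group in groups:
            return vlan
    return None


def mismatches(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Sessions for which the two policies assign a different VLAN."""
    old, new = expanded_policy(), consolidated_policy()
    return [(s.username, evaluate(old, s)[1], evaluate(new, s)[1])
            for s in sessions if evaluate(old, s)[1] != evaluate(new, s)[1]]


def constructed_sessions() -> List[Session]:
    """One user per group in each posture state, attribute derived from rule order."""
    sessions = []
    for i, group in enumerate(GROUP_TO_VLAN, start=1):
        groups = frozenset({group})
        attrs = {VLAN_ATTR: vlan_attribute_for(groups)}
        for posture in ("Unknown", "NonCompliant", "Compliant"):
            sessions.append(Session(f"user{i}_{posture.lower()}", groups, posture, attrs))
    return sessions


if __name__ == "__main__":
    print(len(expanded_policy()), "rules vs", len(consolidated_policy()))
    print("mismatches:", mismatches(constructed_sessions()))
```

Two checks worth keeping from this model when doing the migration for real: a user in more than one AD group gets the VLAN of whichever group rule sits highest in the old policy, so the attribute must be populated from that rule order (as `vlan_attribute_for` does) rather than from an arbitrary group; and a Compliant user whose attribute is empty falls through to the default rule, so the attribute needs to be populated for every user before the old group rules are removed.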
