
Differentiate between Client Provisioning policies

I am looking for a clearer way to differentiate between Posture and NSP in Client Provisioning policies.  The particular case is a user has 2 devices - a Corporate Windows device and a personal Windows laptop.  I am able to get the posture status working for the AD device, but I am not able to do the BYOD provisioning.

In this case, I am redirecting the users to the Guest portal, and enabling the BYOD flow.  When the user authenticates (member of the AD group "BYOD User"), they are sent through the BYOD flow, and this works - provisions the certificate from the ISE CA, pushes wireless config, etc.

This same user, when they log into a corp domain device, we have Posture enabled, the posture agent fires, does its thing, and things are grand.

Here's the rub - I can do one, but not the other, depending on the order in the Client Provisioning policy. Since the user is a member of both the Domain Users and BYOD Users groups, the way in which the user logs in should be a defining factor in how the policy is processed. When the provisioning policy for the NSP is first, I get an error in the posture agent, claiming the system is configured for the NAC agent, but posture works.

When I reverse the configuration and put the Posture rule first, posture works fine, but the NSP process fails with an error message that there is no policy configured for this user.

Here is the client provisioning policy:

I could use a pointer on the best way to move forward.

Thanks!

1 ACCEPTED SOLUTION

Cisco Employee

Re: Differentiate between Client Provisioning policies

Since one is for BYOD and the other is for posture client provisioning, please try combining the two rules into one.

If the conditions are supposed to make up unique matches, then there might be a bug in the client provisioning policy rule matching. I would suggest logging a TAC case to debug it further.
