Matching the proper CP policy

Hi ISE experts

I was wondering if anyone has experienced the following. In the client provisioning policy, I've created 2 different policies, i.e. 1 for Corporate machines with Windows and 1 for BYOD devices with Windows. Somehow the devices are picking either one of the policies only. Please find the configured CP policies below:

BYOD-Windows

Identity Group - Any

Operating System - Windows All

Other Conditions:

     AD Group - BYOD Users

     Radius:NAS-Port-Type EQUALS Wireless-IEEE 802.11

Result - WebAgent 4.9.5.8, WinSPWizard 2.2.0.52 and Corporate-NSP-BYOD

Corporate-Windows

Identity Group - Any

Operating System - Windows All

Other Conditions:

     AD Group - Domain Users

     Radius:NAS-Port-Type EQUALS Wireless-IEEE 802.11

Result - NACAgent 4.9.5.8 AND ComplianceModule 3.6.11098.2


When I do get the Web Agent on the BYOD devices, I also notice that the endpoint is scanned for the Corporate Security Requirements as well (instead of the BYOD Security Requirements only). But this is definitely due to the user being in 2 of the AD external groups (BYOD user and Domain User).


Any help would be appreciated.


Other info:

Currently running ISE 2.1 patch 3


Thanks


Ryan

Accepted Solutions
Advocate

Re: Matching the proper CP policy

As you said, users can match both policies.  For CP it should be first match but Posture policy could be match all.  Have you considered adding "AND NOT member of BYOD group" to avoid conflicts?
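
The matching behaviour described in the reply above, modelled as an added example (not part of the original thread and not ISE's own code). It assumes client provisioning stops at the first matching rule and posture applies every matching rule, as the reply states, and that the suggested "AND NOT member of BYOD group" condition is placed on the Corporate rule. The posture rule names and the two sample users are hypothetical.

```python
# Added illustration: a simplified model of rule matching, not ISE's own code.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

Groups = FrozenSet[str]  # AD groups returned for the authenticated user


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Groups], bool]


def member(group: str, excluded: Optional[str] = None) -> Callable[[Groups], bool]:
    """Condition: user is in `group` and (optionally) NOT in `excluded`."""
    return lambda groups: group in groups and excluded not in groups


def first_match(rules: List[Rule], groups: Groups) -> Optional[str]:
    """Client provisioning per the reply: top-down, stop at the first hit."""
    return next((r.name for r in rules if r.matches(groups)), None)


def match_all(rules: List[Rule], groups: Groups) -> List[str]:
    """Posture per the reply: every matching rule is applied."""
    return [r.name for r in rules if r.matches(groups)]


# OS and NAS-Port-Type conditions are identical in both posted CP rules, so only
# the AD group condition is modelled. Posture rules are hypothetical and assumed
# to use the same group conditions as the CP rules.
CP_AS_POSTED = [Rule("BYOD-Windows", member("BYOD Users")),
                Rule("Corporate-Windows", member("Domain Users"))]
CP_EXCLUSIVE = [Rule("BYOD-Windows", member("BYOD Users")),
                Rule("Corporate-Windows", member("Domain Users", "BYOD Users"))]
POSTURE_OVERLAPPING = [Rule("BYOD-Posture", member("BYOD Users")),
                       Rule("Corporate-Posture", member("Domain Users"))]
POSTURE_EXCLUSIVE = [Rule("BYOD-Posture", member("BYOD Users")),
                     Rule("Corporate-Posture", member("Domain Users", "BYOD Users"))]

# Constructed sample users: the BYOD user is in both AD groups, as in the post.
BYOD_USER = frozenset({"BYOD Users", "Domain Users"})
CORP_USER = frozenset({"Domain Users"})

if __name__ == "__main__":
    for label, cp, posture in (("overlapping", CP_AS_POSTED, POSTURE_OVERLAPPING),
                               ("with exclusion", CP_EXCLUSIVE, POSTURE_EXCLUSIVE)):
        for order in (cp, cp[::-1]):  # rule order only matters while rules overlap
            print(label, [r.name for r in order], "->", first_match(order, BYOD_USER))
        print(label, "posture ->", match_all(posture, BYOD_USER))
```

With overlapping conditions the client provisioning result for a user in both groups depends entirely on rule order, and posture applies both requirement sets; once the Corporate rule excludes BYOD Users, both outcomes are independent of ordering.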
