Does anybody know if it's possible to change the client to the Auth VLAN only if the check fails? We want to authenticate the PC by the MAC address filter and then the user with the NAC Agent. But the PC should always be in the default Access VLAN and only change to the Auth VLAN if the NAC Agent check fails.
All checks? Some checks? One Check?
If all, then you are looking to use an AUTHZ policy for something like this:
Fail-Check if Session:PostureStatus EQUALS NonCompliant then NonCompliantVLAN
Do I understand you want your machines to all pass by MAB and not 802.1X? Or are you referencing the MAC as part of an 802.1X AUTHC rule?
On your switch, you might want to consider how to handle the access policy if the authentication server (RADIUS/ISE) is unavailable/dead... Just to be thorough.
Yes, first we want to pass the PC by the MAC address, and after the user is logged on, we want to check the PC for antivirus software and so on. And only if the check with the NAC Agent fails should the PC come into the Auth VLAN.
As JW.SL9 (who was more thorough) and I stated, you can do that: if the status of that client is non-compliant, then the client should go to the Auth VLAN, because if they fail to pass the NAC Agent checks and/or the NAC Agent itself fails, they will not be compliant (allowed access) and will fall into the Auth VLAN.
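
The switch-side behaviour raised in the thread (MAB on the access port, plus what happens when RADIUS/ISE is dead), as an added example that is not part of any poster's reply. It uses legacy `authentication` interface syntax; the VLAN IDs (10 = Access, 20 = Auth), the 192.0.2.10 server address, the `ISE1` name, the interface and the `<SHARED-SECRET>` placeholder are all assumptions.

```ios
! Constructed example: VLAN IDs, address, names and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! Change of Authorization: lets ISE re-authorize the session once the
! posture status changes, so the NonCompliant rule can move the port.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <SHARED-SECRET>
!
radius server ISE1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! When to declare the server dead, and how long (minutes) to keep it so.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
vlan 10
 name ACCESS
vlan 20
 name AUTH
!
interface GigabitEthernet1/0/1
 switchport mode access
 ! Default VLAN for endpoints that pass MAB; ISE returns VLAN 20 only
 ! when its authorization rule matches PostureStatus NonCompliant.
 switchport access vlan 10
 authentication order mab
 authentication port-control auto
 mab
 ! Critical VLAN: where new sessions land while RADIUS/ISE is dead.
 authentication event server dead action authorize vlan 10
 ! Re-run authentication (and therefore posture) when ISE returns.
 authentication event server alive action reinitialize
 spanning-tree portfast
```

Authorizing into VLAN 10 on server-dead keeps users working during an ISE outage but admits endpoints whose posture was never checked; pointing that line at VLAN 20 instead restricts them until the server is alive again.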