10-03-2018 02:04 PM
Hi,
I need help configuring ISE 2.4 so that posture works without an ACL redirect.
In all the examples there is an ACL that is used to redirect the browser to ISE, where the NAC agent is downloaded and posture is performed.
What if I don't want to do a redirect? I installed NAC Agent v4.9.5.10 on my test PC and need to make posture work, but it does not work.
Is there any guide for installing the NAC agent without redirection, and how does it need to be configured then?
I'm using 802.1X on my Wi-Fi. Authentication with my PKI is working, but I want to use posture without redirection and to change the VLAN for the endpoint.
If the endpoint is Non-Compliant then one VLAN; if Compliant then change the VLAN (I have already done this in the authorization policy), but posture doesn't work.
Do I first need to grant access to the network with one rule, and then do the compliance check with a second rule?
KR
VZ
10-04-2018 04:17 AM
I figured that was the reason you didn't want to do the redirect. One of the biggest misunderstandings I see with posturing is what the purpose of the redirect is. If you aren't using the client provisioning portal to install the posture module (you almost never should), then your redirect should only be redirecting the posture discovery traffic.
The posture module uses two main web calls when doing posture discovery: port 80 to the client's default gateway and port 80 to enroll.cisco.com. So on your wired switches you use this as your posture discovery ACL:
ip access-list extended POSTURE-DISCOVERY
 remark posture discovery probe to any 10.x.x.1 default gateway (wildcard 0.255.255.0)
 permit tcp any 10.0.0.1 0.255.255.0 eq 80
 remark posture discovery probe to enroll.cisco.com
 permit tcp any host 72.163.1.80 eq 80
 remark everything else is not redirected
 deny ip any any
This only redirects the discovery traffic and won't touch real client web traffic. This assumes your network is a 10.x.x.x network with gateways ending in .1. Wireless doesn't support non-standard masks, so you would have to specify the default gateway in the ACL or just use the enroll.cisco.com IP.
The unknown state is the default state a user is in when posture hasn't been received.
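As an added example (not part of the thread, and not Cisco's code), the following Python models the first-match, wildcard-mask semantics of the POSTURE-DISCOVERY ACL above and checks which flows a redirect ACL would actually send to ISE, so you can confirm that only the two discovery probes match and ordinary web traffic is left alone. The wireless variant with explicit host entries and all sample addresses are my assumptions.

```python
import ipaddress

# Constructed model of the POSTURE-DISCOVERY ACL from the post.
# Each entry: (action, protocol, dst_base, dst_wildcard, dst_port or None).
# Cisco IOS semantics: first matching entry wins, implicit deny at the end.
POSTURE_DISCOVERY = [
    ("permit", "tcp", "10.0.0.1", "0.255.255.0", 80),      # any 10.x.x.1 gateway
    ("permit", "tcp", "72.163.1.80", "0.0.0.0", 80),       # host enroll.cisco.com
    ("deny", "ip", "0.0.0.0", "255.255.255.255", None),    # deny ip any any
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, proto: str, dst_ip: str, dst_port: int) -> str:
    """Return the action of the first ACE matching the flow (source is 'any')."""
    for action, ace_proto, base, wildcard, port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not wildcard_match(dst_ip, base, wildcard):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


def is_redirected(proto: str, dst_ip: str, dst_port: int) -> bool:
    """On a redirect ACL a 'permit' entry means the flow is sent to ISE."""
    return acl_action(POSTURE_DISCOVERY, proto, dst_ip, dst_port) == "permit"


def wireless_discovery_acl(gateway_ips):
    """Assumed WLC-style variant: no non-standard masks, so each gateway is a host entry."""
    acl = [("permit", "tcp", gw, "0.0.0.0", 80) for gw in gateway_ips]
    acl.append(("permit", "tcp", "72.163.1.80", "0.0.0.0", 80))
    acl.append(("deny", "ip", "0.0.0.0", "255.255.255.255", None))
    return acl


if __name__ == "__main__":
    # Constructed sample flows: discovery probes should be True, user web traffic False.
    for flow in [("tcp", "10.5.7.1", 80), ("tcp", "72.163.1.80", 80),
                 ("tcp", "198.51.100.10", 80), ("tcp", "10.5.7.25", 80)]:
        print(flow, "redirected" if is_redirected(*flow) else "passes normally")
```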
10-03-2018 02:56 PM
Check this link out:
You would need to install the Posture Module with an XML configuration file that has a Call Home list containing the PSN FQDNs.
You need to allow the device onto the network in the posture Unknown state.
10-03-2018 02:56 PM
Also are you not doing redirects because the network devices are non-Cisco?
10-04-2018 12:15 AM
Hi ,
Thanks for this, it helps me a lot, but where do I allow the device onto the network in the posture Unknown state?
KR
VZ
10-04-2018 12:35 AM
Hi,
No, all network devices are Cisco; wireless is a WLC 5520 and the switches are 2960X. The reason I don't want to redirect is that users would complain about what to do when they open the browser and see new steps, so I want to avoid that.
How do I install / configure that XML file?