Cisco ISE inline posture node Posture assessment query

marioderosa2008
Level 1

Hi all,

I read the user guide for ISE 1.1 and in the Inline Posture section I picked up the following text, which concerned me if I understand it right...

"In a deployment, such as outlined in the example, when more endpoints connect to the wireless network they are likely to fall into one of the identity groups that already have authenticated and authorized users connected to the network. For instance, there may be an employee, executive, and guest that have been granted access through the outlined steps. This situation means that the respective restrictive or full-access profiles for those ID groups have already been installed on the Inline Posture node. The subsequent endpoint authentication and authorization uses the existing installed profiles on the Inline Posture node, unless the original profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."

Does this mean that if a corporate user VPNs in, successfully passes posture and gets a dACL applied to the session allowing full access, the next user will completely skip posture assessment and be granted full access to the network if they are a member of the same AD group?

I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.

Thanks!

Mario

4 Replies

Ryan Wolfe
Level 5

I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and an endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and a URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).

After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.

So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint goes through reauth via CoA.

If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.

https://communities.cisco.com/docs/DOC-30977

HTH,

Ryan

Hi Ryan,

I do not have access to that document.. can you share?

Thanks

Mario

harvisin
Level 3

Hello,

I just went through your query, and I have a link to share which would help you in solving it.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html

Thanks Harvinder,

Yes, I have been using this document to design my iPEP proposal... thanks