10-05-2024 08:00 AM
Hi,
We're currently implementing posture with Cisco ISE, and we've successfully configured policies and used dACLs (Downloadable ACLs) for wired and VPN connections. However, we're facing an issue with ISE Posture on WiFi as we can't use dACLs on the WLC 9800 in FlexConnect mode.
To work around this limitation, we've created specific SGTs (Security Group Tags) to manage network access rules via FTD (Firepower Threat Defense) based on posture states (Unknown, Compliant, and Non Compliant).
The problem is that the firewall doesn't seem to update the SGT tied to a particular user, even though the posture compliance status is correctly obtained.
In the ISE live logs, we can clearly see that the user is assigned the "Posture-Compliant" SGT, but the firewall still sees the user with the SGT "Posture-Unknown," and as a result, their access to internal resources is blocked.
Has anyone encountered this issue before? Why isn't the firewall recognizing the SGT change? What should we check or troubleshoot to resolve this?
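As an added example (not from this thread or from Cisco), a small reconciliation check that compares the latest ISE session record per endpoint IP with the SGT the firewall currently holds for that IP; the session records and firewall table below are constructed, and the script assumes you can export both views (for example from ISE live sessions and from the FTD's IP-to-SGT mappings) into this shape.

```python
from datetime import datetime

# Constructed sample data (not real logs): alice moved from the posture-unknown SGT
# to the posture-compliant SGT after the posture check; the firewall's IP-to-SGT
# table still holds her old tag, which is the symptom described in the post.
ISE_SESSIONS = [
    {"ts": "2024-10-05T07:58:10", "user": "alice", "ip": "10.20.30.11", "sgt": "Posture-Unknown"},
    {"ts": "2024-10-05T07:59:02", "user": "alice", "ip": "10.20.30.11", "sgt": "Posture-Compliant"},
    {"ts": "2024-10-05T07:58:40", "user": "bob", "ip": "10.20.30.12", "sgt": "Posture-Unknown"},
]
FIREWALL_IPSGT = {
    "10.20.30.11": "Posture-Unknown",    # stale: ISE already moved alice to Compliant
    "10.20.30.12": "Posture-Unknown",    # consistent: bob is still Unknown on both sides
    "10.20.30.13": "Posture-Compliant",  # firewall holds an endpoint ISE has no session for
}


def latest_ise_sgt(sessions):
    """Return {ip: (user, sgt)} from the most recent ISE record per endpoint IP."""
    latest = {}
    for rec in sessions:
        ts = datetime.fromisoformat(rec["ts"])
        if rec["ip"] not in latest or ts > latest[rec["ip"]][0]:
            latest[rec["ip"]] = (ts, rec["user"], rec["sgt"])
    return {ip: (user, sgt) for ip, (_, user, sgt) in latest.items()}


def find_stale_sgts(sessions, fw_table):
    """Return (ip, user, ise_sgt, fw_sgt) tuples where the firewall disagrees with ISE.

    An endpoint known to only one side is reported with None for the missing side,
    since a mapping that never reached the firewall is as much a problem as a stale one.
    """
    ise = latest_ise_sgt(sessions)
    findings = []
    for ip in sorted(set(ise) | set(fw_table)):
        user, ise_sgt = ise.get(ip, (None, None))
        fw_sgt = fw_table.get(ip)
        if ise_sgt != fw_sgt:
            findings.append((ip, user, ise_sgt, fw_sgt))
    return findings


if __name__ == "__main__":
    for ip, user, ise_sgt, fw_sgt in find_stale_sgts(ISE_SESSIONS, FIREWALL_IPSGT):
        print(f"{ip:14} user={user} ISE={ise_sgt} firewall={fw_sgt}")
```

Any row the script prints is an endpoint whose tag change left ISE but did not arrive at the firewall, which narrows the problem to the ISE-to-firewall mapping propagation rather than to the posture policy itself.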
10-06-2024 08:00 AM
- What type of firewall are you using?
M.
10-06-2024 10:17 AM
Firepower 1120 v.7.2.4.1. I forgot to mention that we manage our firewalls using FMC.