Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
934
Views
0
Helpful
2
Replies

Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue with F

nicoff
Level 1
Level 1

‎10-05-2024 08:00 AM

Hi,

We're currently implementing posture with Cisco ISE, and we've successfully configured policies and used dACLs (Downloadable ACLs) for wired and VPN connections. However, we're facing an issue with ISE Posture on WiFi as we can't use dACLs on the WLC 9800 in FlexConnect mode.

To work around this limitation, we've created specific SGTs (Security Group Tags) to manage network access rules via FTD (Firepower Threat Defense) based on posture states (Unknown, Compliant, and Non Compliant).

The problem is that the firewall doesn't seem to update the SGT tied to a particular user, even though the posture compliance status is correctly obtained.

In the ISE live logs, we can clearly see that the user is assigned the "Posture-Compliant" SGT, but the firewall still sees the user with the SGT "Posture-Unknown," and as a result, their access to internal resources is blocked.

Has anyone encountered this issue before? Why isn't the firewall recognizing the SGT change? What should we check or troubleshoot to resolve this?

0 Helpful
2 Replies 2

Mark Elsen
Hall of Fame
Hall of Fame

‎10-06-2024 08:00 AM

 

            - What type of firewall are you  using ?

  M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

nicoff
Level 1
Level 1
In response to Mark Elsen

‎10-06-2024 10:17 AM

Firepower 1120 v.7.2.4.1. I forgot to mention that we manage our firewalls using FMC.

0 Helpful
Customers Also Viewed These Support Documents