Cisco ISE Posture

Hi Guys,

I just need to clear out some doubts about Posture:-

1. When the user is in Unknown --> ISE should use Redirect ACL + Client Provisioning Portal --> CORRECT??

2. When the user is in Non-Compliant --> ISE should send DACL for the traffic which is allowed or it should be REDIRECT ACL + CLIENT PROVISIONING + DACL???

Just need to clarify this point.

Accepted Solution

paul (Level 10)

Typically, assuming you have the ISE posture module installed via your software distribution software, the Unknown state uses the redirect ACL for posture discovery only. If you aren't planning to use the client provisioning portal (I usually don't), your redirect ACL could just redirect port 80 going to the default gateway to allow posture discovery. Then you can also apply a DACL to limit access to the network when in Unknown, but be careful with that because posture isn't reported until the user is logged in.

For non-compliant I usually just use a DACL to restrict access and no redirect.
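As an added illustration of the approach Paul describes above (this is not configuration from the original post, from Cisco documentation, or from anyone's production deployment): a Catalyst IOS/IOS-XE redirect ACL that only hands HTTP traffic bound for the default gateway to ISE for posture discovery, an optional DACL for the Unknown state, and a DACL-only profile for Non-Compliant with no redirect. The gateway address 10.1.1.1, the ISE PSN address 10.1.1.10, the remediation server 10.20.0.5 and every ACL name are placeholders I made up for the example.

```text
! --- On the access switch (IOS / IOS-XE), referenced by the ISE
!     authorization profile for the Unknown state ---
! In a redirect ACL, "permit" entries ARE sent to ISE for redirection
! and "deny" entries are passed through untouched.
ip access-list extended ACL-POSTURE-REDIRECT
 remark never redirect DNS or DHCP, or the client cannot even get on the network
 deny   udp any any eq domain
 deny   udp any any eq bootps
 remark traffic to the ISE PSN itself must not be redirected (placeholder address)
 deny   ip  any host 10.1.1.10
 remark only HTTP aimed at the default gateway is redirected: posture discovery
 permit tcp any host 10.1.1.1 eq www
 remark everything else is left alone so OS connectivity probes do not trigger popups
 deny   ip  any any

! --- ISE authorization profile: Unknown ---
!  Web Redirection (Client Provisioning / Posture), ACL = ACL-POSTURE-REDIRECT
!  Optional DACL "DACL-POSTURE-UNKNOWN" (ISE downloadable ACL body):
permit udp any any eq domain
permit udp any any eq bootps
permit ip any host 10.1.1.10
permit tcp any host 10.1.1.1 eq www
deny ip any any

! --- ISE authorization profile: Non-Compliant (DACL only, no redirect) ---
!  DACL "DACL-NON-COMPLIANT" (ISE downloadable ACL body):
permit udp any any eq domain
permit ip any host 10.1.1.10
permit tcp any host 10.20.0.5 eq 443
deny ip any any
```

Two things to check when testing this. First, the switch needs `ip http server` enabled or the URL redirect never fires, so an Unknown endpoint just sits in limbo. Second, a broad line such as `permit tcp any any eq www` in the redirect ACL would catch every HTTP request the operating system makes on its own (captive-portal and connectivity probes included), which is what produces browser popups; the single gateway-only permit line keeps discovery working without that side effect. On wireless the same logic applies, but as noted elsewhere in this thread the ACLs live on the WLC and ISE returns the controller ACL name rather than a DACL.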


6 Replies

it depends on how you want to handle it, but I have 1 rule for unknown or non-compliant that redirects to the MDM so they can become compliant.

Also, are these wired, or wireless clients? DACLs are only for wired, wireless you would have to call an ACL on the WLC.


Not sure why I got MDM in my head for the question. Yes as Paul said, it depends on if you want to use the portal and such.

In our case, since we use posture on wireless, instead of an ACL (due to WLC limits) we leave them on our limited onboarding network until compliant. Once compliant, we assign a VLAN based on status.

I don't think so. I never use the GUI. I do it all from the CLI.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Hi Everyone,

The Windows Edge popup was fixed when I allowed the required traffic in the switch, but IE is still going for redirection and it's automatically opening.

Please clarify what's expected and what's not.

It seems you meant different browsers giving you different results. Edge is not redirecting while IE is?? Please check what web site IE is going to and triggering the redirect. You might want to take a look at https://en.wikibooks.org/wiki/Windows_Troubleshooter_Guide/Network_Location_Awareness