Client Provisioning Policies

Hi,

 

I have a customer that has laptops and desktops with different AnyConnect versions and compliance modules. They currently have wireless posturing working for Wi-Fi only.

 

 

| Device | Wireless/Wired | AnyConnect Version | Compliance Module | Policy | Identity Groups |
|---|---|---|---|---|---|
| Laptop | Wireless | 4.8.03036 | 4.3.1453.6145 | Use existing policy | None |
| Laptop | Wired | 4.8.03036 | 4.3.1453.6145 | Need new policy that looks at only laptops on the LAN that doesn't conflict with desktops | None |
| Desktop | Wired | 4.10.02086 | 4.3.2336.6145 | Need new policy that looks at desktops on the LAN and it doesn't conflict with laptops | None |

 

Possibly three profiles on ISE required:

 

  1. Wireless – use the same one – same compliance module
  2. Wired – Laptop – use the same compliance module as the wireless setup, so that the laptop will not have two different compliance modules (avoid conflicts in software versions)
  3. Wired – Desktop – use new compliance module (highlighted in green in the table above)

 

Need a policy to determine if the device is a laptop/desktop and if it is a laptop only go to Wired Laptop policy. I was going to suggest an AD group as a condition for laptops and one for desktops and build them into the policy.

 

Is there any better way of doing this?

 

3 Replies

Mike.Cifelli
VIP Alumni

Is there any better way of doing this?

-IMO there are many ways to differentiate, but this really comes down to what you feel is the best fit for your environment. As you alluded to, the external AD group is one I often see used in other conditions and could very well be the easiest. Perhaps you have each of the three in separate security groups already. Are devices static that never move around campus? Perhaps you could rely on device type or location if all three are subject to the same areas? Lastly, 4.8 is ancient; you should really look into upgrading the AC client. HTH!

Hi Mike,
We currently don't use security groups.
4.8 will be upgraded at the beginning of next year (hopefully).
Laptop users roam around the buildings and branches but desktops are static.

Mike.Cifelli
VIP Alumni

@Anthony O'Reilly, your best bet is to take a detailed RADIUS live log for each of the 3 use cases and identify potential conditions that you could test/use to meet your need.