04-24-2018 08:04 AM
I am looking for a clearer way to differentiate between Posture and NSP in Client Provisioning policies. The particular case is a user has 2 devices - a Corporate Windows device and a personal Windows laptop. I am able to get the posture status working for the AD device, but I am not able to do the BYOD provisioning.
In this case, I am redirecting the users to the Guest portal, and enabling the BYOD flow. When the user authenticates (member of the AD group "BYOD User"), they are sent through the BYOD flow, and this works - provisions the certificate from the ISE CA, pushes wireless config, etc.
This same user, when they log into a corp domain device, we have Posture enabled, the posture agent fires, does its thing, and things are grand.
Here's the rub - I can do one, but not the other, depending on the order in the Client Provisioning policy. Since the user is a member of both the Domain Users and BYOD Users groups the way in which the user logs in should be a defining factor in how the policy is processed.. When the provisioning policy for the NSP is first, I get an error in the posture agent, claiming the system is configured for the NAC agent but posture works.
When I reverse the configuration and put the Posture rule first, posture works fine, but the NSP process fails with an error message that there is no policy configured for this user.
Here is the client provisioning policy:
I could use a pointer on the best way to move forward.
Thanks!
Solved! Go to Solution.
04-24-2018 07:06 PM
Since one for BYOD and the other for posture client provisioning, please try combining the two rules into one.
If the conditions are supposed to make up unique matches, then there might be a bug in the client provisioning policy rule matching. I would suggest logging a TAC case to debug it further.
04-24-2018 07:06 PM
Since one for BYOD and the other for posture client provisioning, please try combining the two rules into one.
If the conditions are supposed to make up unique matches, then there might be a bug in the client provisioning policy rule matching. I would suggest logging a TAC case to debug it further.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide