Exclude Android/iOS Phones in ISE Posture

LKL4 · ‎05-09-2022

Hello team,

Hope everyone is well.

I want to ignore mobile phones like Android and Iphone from posture and i want to know the best way to perform this.

Actually, i have one SSID (eap-tls) to validate the certificate of my employees notebooks and im checking a few rules with posture module... I want to connect a few phone devices to this same ssid and i want to know the best method for this devices not trigger the "Unkwnows" status in posture. Any tips?

Attached are my 'Policy Sets' and 'Client Provisioning'.

Thanks!!

Marcelo Morais · ‎05-09-2022

Hi @LKL4 ,

try the following:

1st at Work Centers > Profiler > Profiling Policies, check if the Android and Apple-iPhone policies are enabled.

2nd at Policy > Policy Sets > Authorization Policy, create the following Condition (as an example):

a. (EndPoints.EndPointPolicy Not Equals Apple-Device:Apple-iPhone OR EndPoints.EndPointPolicy Not Equals Android) AND Session.PostureStatus Equals Compliant

b. (EndPoints.EndPointPolicy Not Equals Apple-Device:Apple-iPhone OR EndPoints.EndPointPolicy Not Equals Android) AND Session.PostureStatus Equals Unknown

Hope this helps !!!

LKL4 · ‎05-12-2022

Hello @Marcelo Morais

Thanks for the support. I will test these rules n my lab.

If i need to add more devices than android/apple in this network with posture, what would you recommend? maybe a new network is needed for non-postured devices?

Marcelo Morais · ‎05-12-2022

Hi @LKL4 ,

what kind of devices are you planning to add?

Regards

Leo Laohoo · ‎05-09-2022

Random MAC address renders this null and void.