3432 Views | 35 Helpful | 9 Replies

ISE 2.3 Posture Check with Wireless BYOD

dhanushka_
Level 1

Hi,

 

We have deployed Wireless BYOD with the dual SSID flow using NetworkSetupAssistant, and we have also deployed a posture check for Guest users using the Cisco temporary agent, which is working perfectly fine.

We need to do a posture check for BYOD users with the dual SSID flow.

Can anyone tell me whether it is possible to achieve this in Cisco ISE 2.3, and how we can deploy a posture check for BYOD users with the dual SSID flow in ISE 2.3?


9 Replies

Timothy Abbott
Cisco Employee
You can, but it depends on the endpoint type. ISE doesn't have native MDM functionality, so to do compliance checking for mobile devices you will need to leverage an MDM solution.

Regards,
-Tim

Hi Tim,
Thanks for your reply. In the meantime, we do not need to do compliance checking for mobile devices. We only want to do compliance checking for the PCs (Windows / Mac) that are connecting via wireless.
If it is possible to do compliance checking for the PCs in ISE 2.3, can you guide me through the steps?

It's easy enough - focus on the 'second' SSID... Instead of having a rule that says 'if authenticated, permit access' (like you presumably do today), you're going to replace that with two rules:

if authenticated && ('Posture==Compliant' or 'Posture Not Applicable'), Permit Access
and
if authenticated && Posture != Compliant, Do Posture

The "Do Posture" bit is the Authorisation Policy that invokes posture so this is where your Posture ACL and URL Redirect goes, and obviously make sure you have some Posture Policies built (sounds like you already do).

Hi Richard,

Thanks for your reply. Is it possible to do the posture check in the BYOD dual SSID flow: check the compliance status of the PC when the user connects to the open SSID, and if Posture==Compliant then change to the secure SSID?

You could, but then you're only checking the Posture of the Client once. In this case, if the Client comes back days/weeks/months later and goes straight on to the secure SSID, how do you know it still has a compliant posture? By checking the Posture state on the Secure SSID, you get to check that things are secure every time they connect instead of just the first time.

Some people find Posture a bit disruptive so you could also make it only check once every 'x' number of days, allowing you to find a balancing point between usability and security.

Thanks Richard, I hope we got the answer to this question.
In addition to this, could you please explain to me why, if the client comes back days/weeks/months later, it goes straight on to the secure SSID without posture?

It is hard to tell without knowing how the policy is structured. Typically customers would enable posture lease to skip posture if it has been done within the past X number of days. However, if the endpoint is skipping posture beyond the posture lease, my guess is that there is another policy rule in the policy set that is listed before the posture-related rule and that is causing the skipping of posture. I would suggest looking at the live log, going through which policy is being matched, and changing the order or making changes to the policy condition so the two policy rules don't conflict.
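To make the two-rule layout Richard describes and the rule-order / posture-lease diagnosis in the reply above concrete, here is an added illustration that is not part of this thread and not Cisco ISE code or its API. It is a small first-match evaluator that mimics how an ISE policy set walks authorization rules top to bottom; the session attributes, rule names, authorization profile names and the 7-day lease value are all constructed for the example.

```python
"""
Constructed first-match policy evaluator (not ISE code) showing:
  1. the secure-SSID layout: permit only when Compliant/NotApplicable, else DoPosture
  2. a misordered policy set where a catch-all 'authenticated -> PermitAccess'
     rule sits above the posture rules and silently skips posture
  3. posture lease: a recent compliant result is treated as Compliant
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Session = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str  # authorization profile name (constructed), e.g. "PermitAccess" / "DoPosture"


@dataclass
class PolicySet:
    rules: List[Rule]
    posture_lease_days: Optional[int] = None  # None = lease disabled

    def effective_posture(self, s: Session) -> str:
        """Apply the posture lease: a compliant result within the lease window
        is treated as Compliant, so the agent does not run again."""
        status = str(s.get("posture", "Unknown"))
        last = s.get("days_since_compliant")
        if self.posture_lease_days is not None and isinstance(last, int) \
                and last <= self.posture_lease_days:
            return "Compliant"
        return status

    def evaluate(self, s: Session) -> str:
        """First-match semantics: the first rule whose condition holds wins."""
        view = dict(s)
        view["posture"] = self.effective_posture(s)
        for rule in self.rules:
            if rule.condition(view):
                return rule.result
        return "DenyAccess"  # implicit default rule at the bottom of the set


def authenticated(s: Session) -> bool:
    return bool(s.get("authenticated"))


def posture_ok(s: Session) -> bool:
    return s["posture"] in ("Compliant", "NotApplicable")


# Secure SSID as described in the thread: Compliant/NotApplicable -> permit, otherwise -> DoPosture
# (DoPosture stands for the profile carrying the posture ACL and URL redirect).
SECURE_SSID_POLICY = PolicySet(rules=[
    Rule("Compliant", lambda s: authenticated(s) and posture_ok(s), "PermitAccess"),
    Rule("DoPosture", lambda s: authenticated(s) and s["posture"] != "Compliant", "DoPosture"),
])

# Misordered set: a leftover broad rule above the posture rules matches first.
MISORDERED_POLICY = PolicySet(rules=[
    Rule("LegacyPermit", authenticated, "PermitAccess"),
    *SECURE_SSID_POLICY.rules,
])

# Same correct rules with a 7-day posture lease (constructed value).
LEASE_POLICY = PolicySet(rules=SECURE_SSID_POLICY.rules, posture_lease_days=7)


def demo() -> Dict[str, str]:
    """Evaluate three constructed sessions against each policy set."""
    fresh = {"authenticated": True, "posture": "Unknown"}
    returning = {"authenticated": True, "posture": "Unknown", "days_since_compliant": 3}
    stale = {"authenticated": True, "posture": "Unknown", "days_since_compliant": 30}
    return {
        "correct_fresh": SECURE_SSID_POLICY.evaluate(fresh),    # DoPosture
        "misordered_fresh": MISORDERED_POLICY.evaluate(fresh),  # PermitAccess: posture skipped
        "lease_returning": LEASE_POLICY.evaluate(returning),    # PermitAccess: inside lease
        "lease_stale": LEASE_POLICY.evaluate(stale),            # DoPosture: lease expired
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "misordered_fresh" case is the situation the reply above suggests checking in the live log: the endpoint never reaches the DoPosture rule because an earlier rule already matched, which looks from the outside like posture being skipped for no reason.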

RichardAtkin
Level 3

*here be dragons!*

 

Running posture against the myriad of devices that people will bring will be impossible. ISE only supports Windows / OSX (Linux added yet?), so if BYOD folks come in with something else - netbook, tablet, smartphone, wifi-enabled widget, an IoT thing, etc... it won't work. If somebody has a crazy locked-down machine it may also not work.

 

Admittedly I don't know the wider context of your use case / budget / network, but if you're concerned about BYOD-related security issues, you may do well to consider a secure network design, backed up by more generic and transparent security services like Umbrella and Firepower Threat Defence + ISE's Rapid Threat Containment. Services like these work regardless of device type and require no user interaction, no software to install, etc... Although you get less 'depth' (ie, less visibility 'in' to the BYO device) with this approach, you get MASSIVELY more breadth, and you avoid the faff of having to put software on people's machines, no faff with browser security issues, and so on.

Hi Richard,
Thanks for your reply. Yes, we want to do the posture check only for the PCs that are running Windows or OSX. The use case for this implementation is that there are different branches of an organization, and when employees come to the head office they need to access internal resources from their laptops, so before giving access we need to do a posture check on the laptops. We have tested posture with the Cisco temporary agent and it is working fine, but when we enable BYOD on the Guest portal the user gets NetworkSetupAssistant downloaded, not the temporary agent, and follows the BYOD dual SSID flow.

I'm a little confused about where I should put the posture check.