Re: ISE Anti virus update and wireless mac address authentication

eng__mohamed · ‎12-23-2012

I have two questions in ise

1- for guest user I will apply policy if he didn't update the anti virus he must update it so for the downloadable ACL which iP address I will open for it , (all internet or Ise will get the update and the user update from ISE) ?

2- FOR Wireless can we authenticate devices based on MAC and profiling ?

leciscokid · ‎08-19-2013

1.) You will provide access to whatever system you are going to allow the user to access, to get a virus scanner, or an updated signature.

e.g. you must find some way of letting the user know, via the NAC deny , that they were denied due to Posture, and give them a link with steps to remediate.

e.g. "Sorry you failed posture for no Virus Scan, please download AVGFree, etc...

ISE cannot "push" software to the user, it can only measure posture compliance on criteria you write in the authZ posture policy. The user will be required to physically go and retrieve the required app.

If you don't want to allow them out to do this, you can dump them into a QT VLAN, that has access to an internal server or DMZ host, which hosts the files for them.

hslai · ‎04-12-2018

In case you are using Cisco WLC or Meraki MR APs, then we should be able to a wireless network (SSID) to MAB-based control, use ISE for profiling and for authorization.