This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Hello every body...
I have ISE appliance integrated with Active Directory to authenticate the users , and i have WLC integrated with the ISE also.
the integration done successfully , and now any user want to access the network through the WIFI ( Dot1x) he should use his AD credintials and if he Compliant he get a full access , if non compliant he go to the quarantine vlan.
my problem is the mobiles , there's some users need to access the WIFI using the personal mobiles using the AD credintials , and i need to bypass the posturing for mobiles only.
in other words , i don't need to check if the devise is compliant or non compliant for the mobiles only , while i need this feature for laptops.
note : i have only 1 SSID
any suggestions for this case....
Solved! Go to Solution.
The solution for the Mobile devices is to enable the profiling, by enabling the profiling, you can categorize the access for all the smart devices, and you can combine them with Wireless_dot1x so all the users can authenticate the access using the AD username and password.
In general, the ISE does not have NAC agents or posture for mobile devices, so you can build an authorization policy based on profiling and authentication, and you can put it on top of the policies so if the ISE detects mobile phone access then the authentication will be dot1x against the AD.
in my case , i noticed that i have only 2 profiled categories.
one for workstations , and the other for ip phones ,,, but unfortunately the Smart phones and mobiles have been recognized as workstations which is become useless when i configure the policey for the profiled devise.
what i need is to configure a policey for any not-windows devise
how can i configure the profiling feature for these devises
any suggestions ....
Hi Reyad, you need to create an Authorisation Policy that matches "PostureApplicable Equals No" above the Authorisaton Policies you have defined for PostureStatus Equals Compliant and PostureStatus Not_Equals Compliant.
Any devices that are not capable of posture assessment (e.g. your mobile devices) will match this rule and bypass the NAC process before hitting the rule you are currently matching.
This should work fine as long as all other Authorisation Policies are correct.
this will help to solve my problem
but i couldn't find the condition "PostureApplicable" in the autherization policys rules , could you help me where can i find this....
hello Andy and sorry for bothering you again...
but i couldn't find the EndPoint within my drop list in the autherization policey page.
do you think its related to ISE IOS version , or i need to do some configuration in some where to have EndPoint.
My ISE version is : Version : 22.214.171.1245
Inorder to have definetions for broader range of endpoints like smartphones , PDAs, please use profiler feed service. It would ensure the device profiles database is updated.