cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2199
Views
0
Helpful
5
Replies

ISE posture assessment Wired/Wireless/VPN

Tmsna
Level 1
Level 1

Hi Guys,

 

I am deploying a new network and I am implementing posture assessment over wired, wireless and VPN.

I would like to achieve this: when a user is compliance, the user can connect to any other corp network without performing another posture scan.

I have configured ISE to perform posture assessment once every day, but I still get scanned everytime I connect.

If I disable redirection and removed the discovery host and just use call home list, I don't get scanned everytime but on ISE my posture status is still unknown.

can you please assist?

 

Regards,

Albert

5 Replies 5

Colby LeMaire
VIP Alumni
VIP Alumni

Sounds like an issue with your authorization policy.  When you are being scanned every time you connect, verify which authorization policy rule you are hitting.  Your rules should be something like below and the order matters:

Posture Status = Compliant -> Full Access/No Redirect

Posture Status != Compliant -> Limited Access/Posture Redirect

Sounds like you are not hitting your compliant rule to give full access.

Hi Colby,
The order configured is the following: compliant, not compliant and unknown.
My laptop hits the unknown rule even if the compliant rule is at the top.
Not sure if this can be an issue but I have multiple policy sets, one for VPN one for wired and one for wireless.
Regards,
Albert

Can you send a screenshot of your compliant and unknown posture rules?  You have to look at why you are not hitting the compliant rule.

Please see screenshot attached.

On your most recent successful authentication in Live Logs, open up the details and scroll down on the left side.  Do you see the proper EAP-Chaining result of Machine passed and User passed?  Do you also see Posture Status of Compliant?