ISE posture assessment Wired/Wireless/VPN

Tmsna
Level 1

Hi Guys,

I am deploying a new network and I am implementing posture assessment over wired, wireless and VPN.

I would like to achieve this: when a user is compliant, the user can connect to any other corp network without performing another posture scan.

I have configured ISE to perform posture assessment once every day, but I still get scanned every time I connect.

If I disable redirection, remove the discovery host and just use the call home list, I don't get scanned every time, but on ISE my posture status is still unknown.

Can you please assist?

Regards,

Albert

5 Replies

Colby LeMaire
VIP Alumni

Sounds like an issue with your authorization policy.  When you are being scanned every time you connect, verify which authorization policy rule you are hitting.  Your rules should be something like below and the order matters:

Posture Status = Compliant -> Full Access/No Redirect

Posture Status != Compliant -> Limited Access/Posture Redirect

Sounds like you are not hitting your compliant rule to give full access.
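To make the "order matters" point concrete, here is a small first-match model of an ISE-style authorization policy. This is an added example, not code from the thread or from Cisco; the rule names, the authorization profile names ("PermitAccess", "LimitedAccess", "PostureRedirect"), the "Wired" device-group attribute and the posture-lease simplification (compliance reused for N days after the last scan, otherwise Unknown) are all assumptions used for illustration. It shows why a correctly ordered policy sends a compliant endpoint to full access, why an endpoint that never reported (or whose lease expired) lands on the Unknown/redirect rule, and how a broader rule placed above the Compliant rule shadows it regardless of posture status.

```python
"""Simplified first-match model of an ISE-style authorization policy.

Added illustration, not Cisco ISE code. Attribute names, profile names
and the posture-lease behaviour below are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, str]  # RADIUS/session attributes as ISE would see them


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str  # authorization profile returned when the rule matches


@dataclass
class Policy:
    rules: List[Rule]
    default_profile: str = "DenyAccess"

    def evaluate(self, session: Session) -> Tuple[str, str]:
        """First rule whose condition matches wins, so rule order matters."""
        for rule in self.rules:
            if rule.condition(session):
                return rule.name, rule.profile
        return "Default", self.default_profile


def posture_equals(status: str) -> Callable[[Session], bool]:
    return lambda s: s.get("PostureStatus", "Unknown") == status


def posture_not(status: str) -> Callable[[Session], bool]:
    return lambda s: s.get("PostureStatus", "Unknown") != status


# Ordering as recommended above: Compliant first, then the catch-all redirect.
RECOMMENDED = Policy([
    Rule("Compliant", posture_equals("Compliant"), "PermitAccess"),
    Rule("NonCompliant", posture_equals("NonCompliant"), "LimitedAccess"),
    Rule("Unknown", posture_not("Compliant"), "PostureRedirect"),
])

# Misordered: a broad wired rule with no posture condition sits above
# Compliant and shadows it, so even compliant endpoints get redirected.
MISORDERED = Policy([
    Rule("Wired", lambda s: s.get("NetworkDeviceGroup") == "Wired", "PostureRedirect"),
    Rule("Compliant", posture_equals("Compliant"), "PermitAccess"),
])


@dataclass
class PostureLease:
    """Assumed simplification: a compliant result is reused for `days`
    after the last scan; anything else is reported as Unknown."""
    days: int
    last_compliant: Dict[str, datetime]

    def status_for(self, mac: str, now: datetime) -> str:
        seen = self.last_compliant.get(mac)
        if seen is not None and now - seen < timedelta(days=self.days):
            return "Compliant"
        return "Unknown"


def authorize(policy: Policy, lease: PostureLease, mac: str, now: datetime,
              device_group: str = "Wired", reported: Optional[str] = None) -> Tuple[str, str]:
    """Build the session attributes and pick the first matching rule.
    `reported` is what the posture agent sent in this session, if anything;
    otherwise the status falls back to the lease."""
    status = reported if reported is not None else lease.status_for(mac, now)
    session = {"Calling-Station-ID": mac, "NetworkDeviceGroup": device_group,
               "PostureStatus": status}
    return policy.evaluate(session)


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed sample endpoints; results keyed by scenario name."""
    laptop = "00:11:22:33:44:55"  # constructed MAC, scanned at 08:00 day 1
    lease = PostureLease(days=1, last_compliant={laptop: datetime(2020, 1, 1, 8)})
    return {
        "same_day_compliant": authorize(RECOMMENDED, lease, laptop, datetime(2020, 1, 1, 20)),
        "lease_expired": authorize(RECOMMENDED, lease, laptop, datetime(2020, 1, 3, 8)),
        "never_reported": authorize(RECOMMENDED, lease, "aa:bb:cc:dd:ee:ff", datetime(2020, 1, 1, 9)),
        "agent_noncompliant": authorize(RECOMMENDED, lease, laptop, datetime(2020, 1, 1, 9),
                                        reported="NonCompliant"),
        "shadowed_by_broad_rule": authorize(MISORDERED, lease, laptop, datetime(2020, 1, 1, 20)),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:24s} -> rule={hit[0]:13s} profile={hit[1]}")
```

When troubleshooting, compare the rule name reported in ISE Live Logs for the session with what this kind of walk-through predicts; if the session shows a PostureStatus of Unknown or hits a rule above your Compliant rule, the fix is in the condition or ordering, not in the posture interval.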

Hi Colby,
The order configured is the following: compliant, not compliant, and unknown.
My laptop hits the unknown rule even though the compliant rule is at the top.
Not sure if this can be an issue, but I have multiple policy sets: one for VPN, one for wired and one for wireless.
Regards,
Albert

Can you send a screenshot of your compliant and unknown posture rules?  You have to look at why you are not hitting the compliant rule.

Please see screenshot attached.

On your most recent successful authentication in Live Logs, open up the details and scroll down on the left side.  Do you see the proper EAP-Chaining result of Machine passed and User passed?  Do you also see Posture Status of Compliant?