12-16-2020 07:33 AM
Good Day,
I currently have ISE 2.7 installed with a Posture Policy set, in monitor mode. As of right now, after watching all the YouTube videos, my understanding was that when the device hits your Policy set > Authorization rule, it hits the posture compliant rule, then continues down the list and uses the next applicable authorization rule to set the authorization profile.
For example, I have users in 3 different groups that each get placed in a different VLAN per the authorization profile. Would I need to create a posture compliant rule for each of those rules?
if USER_GROUP_A then GROUP_A authorization profile A(placed into vlan 1)
if USER_GROUP_B then GROUP_B authorization profile B(placed into vlan 2)
if USER_GROUP_C then GROUP_C authorization profile C(placed into vlan 3)
needing this:
if USER_GROUP_A & POSTURE COMPLIANT then GROUP_A authorization profile A(placed into vlan 1)
if USER_GROUP_B & POSTURE COMPLIANT then GROUP_B authorization profile B(placed into vlan 2)
if USER_GROUP_C & POSTURE COMPLIANT then GROUP_C authorization profile C(placed into vlan 3)
It seems like this would fix my issue where users are not being placed in the correct vlan, but assumed there must be another way.
12-16-2020 08:38 AM
There are several components needed for this solution to work, and additional posture status conditions you will need to build out/reference in your authz policies. The other conditions would/will be unknown and non-compliant. To see proper workflow, posture assessment capabilities, and attain additional guidance take a peek here: ISE Posture Prescriptive Deployment Guide - Cisco Community
HTH!
12-16-2020 09:05 AM
Thank you for the reply!
But my understanding is that ISE posture does not hit the ISE COMPLIANT rule and then, once it is determined compliant, go back through the policy set to determine what to do with the device? Is that correct?
I understand the 3 conditions, unknown/non-compliant/compliant, and all the videos and guides really only mention that if it's compliant, then permit network access. But if you want ISE to assign a VLAN for a user, you would need 3 conditions for all the different profiles that you would want to assign. For example 3 rules for: admin, users, stupid users, finance, nose pickers. Each getting their own compliant/non-compliant/unknown.
Just making sure I'm not tripling my policy set rules by 3, since we use ISE to assign VLANs depending on the AD group.
Again, thanks for your help; a big misunderstanding on my part.
12-16-2020 10:40 AM - edited 12-16-2020 10:42 AM
But my understanding is that ISE posture does not hit the ISE COMPLIANT rule and then, once it is determined compliant, go back through the policy set to determine what to do with the device? Is that correct?
-Yes. When a client first connects, its posture status will be deemed as unknown, which is when the entire process will begin. Once it is determined compliant or non-compliant, you would have different authz policies for each allowing the respective access (full access for compliant, limited for non-compliant).
But if you want ISE to assign a VLAN for a user, you would need 3 conditions for all the different profiles that you would want to assign. For example 3 rules for: admin, users, stupid users, finance, nose pickers. Each getting their own compliant/non-compliant/unknown.
-IMO this depends on requirements. If you want to separate unknown and non-compliant for each, you could do that. You could rely on DACLs to limit all <groups> access in that state in one VLAN. Yes, for the compliant state you will need multiple different authz policies if you are pushing different network access policies (separate authz profile results with different VLANs for each respective group). This question IMO really comes down to what you are trying to accomplish, as there are different ways to tackle this. I would test and determine which setup meets your requirements best.
HTH!
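As an added illustration (not code from the thread or from Cisco), here is a small first-match model of the authorization policy the thread describes. It shows why a standalone "compliant -> PermitAccess" rule sitting above the per-group rules never assigns the group VLAN, and how per-group compliant rules plus shared Unknown/NonCompliant rules fix that; the rule names, DACL names and VLAN numbers are constructed.

```python
# Constructed model of ISE authorization: rules are evaluated top-down, first match wins.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]   # condition over session attributes (AD group, posture)
    profile: dict                   # resulting authorization profile (constructed values)

def authorize(rules, session):
    """Return (rule name, profile) of the first rule whose condition matches the session."""
    for r in rules:
        if r.match(session):
            return r.name, r.profile
    return "Default", {"access": "deny"}

def group_is(g):
    return lambda s: s["ad_group"] == g
def posture(status):
    return lambda s: s["posture"] == status
def both(a, b):
    return lambda s: a(s) and b(s)

VLAN = {"USER_GROUP_A": 1, "USER_GROUP_B": 2, "USER_GROUP_C": 3}  # constructed mapping

# Rule set as the original poster had it: one generic Compliant rule above the group rules.
# A compliant user matches the first rule and stops, so the group VLAN is never returned.
ORIGINAL = [Rule("Posture_Compliant", posture("Compliant"), {"access": "permit"})] + [
    Rule(g, group_is(g), {"access": "permit", "vlan": v}) for g, v in VLAN.items()]

# Rule set the thread arrives at: shared Unknown/NonCompliant rules (redirect / restrictive
# DACL, one VLAN for everyone in that state), then one Compliant rule per AD group.
FIXED = [
    Rule("Posture_Unknown", posture("Unknown"), {"access": "redirect", "dacl": "POSTURE_REDIRECT"}),
    Rule("Posture_NonCompliant", posture("NonCompliant"), {"access": "limited", "dacl": "QUARANTINE"}),
] + [Rule(f"{g}_Compliant", both(group_is(g), posture("Compliant")),
          {"access": "permit", "vlan": v}) for g, v in VLAN.items()]

def vlan_for(rules, ad_group, posture_status):
    """VLAN the policy would push for this user/posture combination, or None if no VLAN."""
    _, prof = authorize(rules, {"ad_group": ad_group, "posture": posture_status})
    return prof.get("vlan")

if __name__ == "__main__":
    for g in VLAN:
        print(g, "original:", vlan_for(ORIGINAL, g, "Compliant"),
              "fixed:", vlan_for(FIXED, g, "Compliant"))
```

Note that in the original ordering an Unknown-posture session also falls through to the plain group rule and receives full access with its VLAN before posture has been assessed, which is the other reason the shared Unknown rule belongs at the top.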
12-16-2020 11:02 AM
Amazing, thank you for the help!