
ISE Posture with static addressing

Hello Team,

I'm struggling to configure posture for 600+ users with static addressing (this addressing is assigned by ISE). I can't make ISE apply the IP address for each user and have ISE Posture work at the same time within my policy. Can anyone help me?

 

CISCO ISE 2.4

 

Accepted Solutions

Hi @victormanuelsolis,

If my understanding is correct, you would like not only to use the IP address of the device as a condition in the Authorization Policy, but also to check the Posture status. Please try the following (as an example):

At Policy > Policy Set, you created a Wired-Policy, for example:

Authorization Policy 

 Rule Name: John-Doe-AuthZPolicy-Compliant

 Condition:  Network Access.Device IP Address Equals 10.10.10.1 AND Session.PostureStatus Equals Compliant

 Result: <AuthZ Profiles Result for Posture Compliant>

 

 Rule Name: John-Doe-AuthZPolicy-Unknown

 Condition:  Network Access.Device IP Address Equals 10.10.10.1 AND Session.PostureStatus Equals Unknown

 Result: <AuthZ Profiles Result for Posture Unknown>

 

Hope this helps!!!

6 Replies

So you are using the ISE local DHCP server?  How is ISE assigning static IPs to clients?  IP Device Tracking enabled on the NAD?

Nope, all the addressing is static, no DHCP. I created each authorization profile with each framed IP, so this profile is the IP the user receives.

Interesting.  What is the use-case here?  So you have 600 AuthZ profiles? One for each user?  

Yes, it's a customer requirement to have more control over the users.

Thank you Marcelo,

 

I tried a pretty similar solution last week and it seems to be working. The difference is that I configured only 1 policy for compliant and noncompliant at the end of the policy set, and the unknown condition for each user. It's a lot of work to add this condition manually, but it's OK. Thank you again.

 

Regards,