Solved: Re: ISE Wired and Wireless Posture

joseponceiii · ‎12-22-2020

Hi,

Hoping to get some of your inputs and expertise on ISE Posture deployments.

We're currently planning to deploy ISE posture on both wired and wireless. We're already using this on VPN and is running fine. Now, the posture checks for wired and wireless plan is not that strict as compared to our VPN. We plan to apply "Audit" as opposed to "Mandatory" under the Posture Policy.

My question is, do we still need to be specific especially under the Authorization Profiles that will be applied in the Policy Sets? What I mean is like for example in Wireless, under Non-Compliant/Compliant policies - are the Airespace ACL in WLC and authorization profile in ISE necessary to create even we only need to basically monitor or audit if the endpoint is compliant or non-compliant (meaning we can only get the posture reports on ISE) or can we just put the ISE default "PermitAccess" for both compliant and non-compliant under Policy Sets to achieve this?

Any suggestions and inputs are appreciated.

Thanks for the help.

Mike.Cifelli · ‎12-23-2020

AFAIK yes you could have one authz profile for the clients if staying in audit state as clients would not be deemed different compliant states while using audit mode. Audit requirements are specified for internal purposes and the agent does not prompt any message or input from end users, regardless of the pass or fail status during policy evaluation. IMO the only thing you will need to consider is different authz profiles for different vlan policies etc. HTH!

View solution in original post

Mike.Cifelli · ‎12-22-2020

My question is, do we still need to be specific especially under the Authorization Profiles that will be applied in the Policy Sets? What I mean is like for example in Wireless, under Non-Compliant/Compliant policies - are the Airespace ACL in WLC and authorization profile in ISE necessary to create even we only need to basically monitor or audit if the endpoint is compliant or non-compliant (meaning we can only get the posture reports on ISE) or can we just put the ISE default "PermitAccess" for both compliant and non-compliant under Policy Sets to achieve this?

-I think your scenario is a catch 22 and depends on your end goal. What I mean is if you are planning at some point to move forward with making the checks mandatory for wired and wireless clients then I would pre-stage everything. At least this way you could slowly flip the switches, and test accordingly.

Something to note, posture checks are evaluated in the order of mandatory, optional, and audit. If a mandatory check fails, the related audit checks will not be carried out. Good luck & HTH!

joseponceiii · ‎12-22-2020

Hi @Mike.Cifelli , thanks for your inputs.

Originally, the plan was to make posture checks as mandatory but the management is starting to consider wired and wireless as less strict as far as security is concerned. And you are correct, it will be easier to flip the switch slowly if that's our end goal. But what if Audit is only our concern in the long run, is my understanding correct that Auth Profiles will not be necessary (PermitAccess will do) for both compliant and non-compliant states? Thanks.

Mike.Cifelli · ‎12-23-2020

AFAIK yes you could have one authz profile for the clients if staying in audit state as clients would not be deemed different compliant states while using audit mode. Audit requirements are specified for internal purposes and the agent does not prompt any message or input from end users, regardless of the pass or fail status during policy evaluation. IMO the only thing you will need to consider is different authz profiles for different vlan policies etc. HTH!