ISE with dot1x and Posture deployment in parallel with certain users

pemasirid
Level 1

Hi,

We want to deploy ISE in sequential order, meaning that I will initially have all users authenticated/authorized with dot1x/MAB etc., and then only on certain locations or for certain users have posture condition validation/verification, while others do not.

Can someone please advise whether this approach is possible? As far as I understand, once you have posture policies in place as an authorization rule, it will hit all the users. This may be possible where you can match the switch or the location as a separate condition, but if all users are spread/mixed, we just need to find a simple way to do it, or to know whether it is not possible?

6 Replies

Octavian Szolga
Level 4

Hi,

Of course you can do that.

As you've said, you have authorization rules that control what happens to users/devices after they are authenticated.

For example:

a)

1. If user belongs to HR group, authorize and that's all.

2. If user belongs to domain users, and posture status not equals compliant, do a posture check

3. If user belongs to domain users and posture status equals compliant, authorize.

b)

1. If the RADIUS request comes from SW_A (located at floor 15, because HR users work there) and the user belongs to domain users, authorize.

For everybody else, it's like in the first example.

Furthermore, you can do the same thing with the dot1x implementation (open mode phase, low impact phase and closed mode).

Check the TrustSec deployment options:

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Hi,

We have modified the attached policy on rules 04 and 05 (from top) and added a new condition Device Location Equal "Switch1". According to this rule, any user connected to Switch1 only does the posture, and the same user PC connecting to any other switch (other than Switch1) should do only the dot1x/MAB (rules 1-3).

But in our case, when the user PC connects to any other switch than Switch1, it hits the ISE default policy (not included in this attachment) and also pops up the NAC agent and does the posturing.

Questions

- Why is the PC/user not hitting rules 1-3 and going to the default rule?

- Why is the PC/user doing posture when no posture rule is hit?

We only need any user connecting to Switch1 to do dot1x and posture, and other users connecting to any other switch (not Switch1) should only do dot1x.

Please let me know what configuration should exactly be modified to meet the above requirement.

Also appreciate if someone can advise what is the best option to immediately roll back any user to not do dot1x and posture without modifying anything on the switch or user PCs, using a simple task (1 or 2 clicks) from ISE. We know on the old NAC we had the option to select the port and say Control or Uncontrol.

Thanks in advance.


Hi,

First of all, I would assume you configured the PC for machine or user authentication.

So, when a user connects to the network using another switch, not Switch1, it will get 2 hits:

1. Computer authentication - this PC is part of Domain Computers

2. Default rule - because you configured (domain) user authentication only for dot1x requests that are received from Switch1!

You haven't specified a rule for domain users alone (with no location condition) and with no posture.

You have to add something like this:

1. dot1x + Domain PC

2. dot1x + Domain User + location + preposture

3. dot1x + Domain User + location + posture compliant

4. dot1x + Domain User (and no posture condition)

To answer your second question, even though you've excepted a certain user from posture, if the NAC Agent is installed, it will pop up and say that you're compliant, so practically it isn't doing posture.

(http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html)

Generating a Posture Requirement

The run-time services request the posture requirement for the endpoint by looking up the role to which the user belongs and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies, through one or more requirements associated with the policies, and for each requirement through one or more conditions.

If you want to roll out posture gradually, you could use exception rules (check the top section of the authorization rules) or you could do only posture audit for your rules, so that everyone gets network access even though they're not compliant.
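Added here as an illustration (not from the thread or from Cisco): a toy first-match evaluator for the four-rule list in the reply above, with constructed attribute and group names rather than real ISE dictionary names. It shows why a domain user on any switch other than Switch1 drops to the default rule until rule 4 exists, and why rule 4 must stay below the location-specific rules.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One authorization rule: all conditions must match (logical AND)."""
    name: str
    result: str
    conds: dict = field(default_factory=dict)  # attribute -> required value

    def matches(self, req: dict) -> bool:
        # An attribute missing from the request never satisfies a condition.
        return all(req.get(k) == v for k, v in self.conds.items())

def evaluate(rules, req, default="DenyAccess"):
    """First-match evaluation: return (rule name, result) or the default."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.result
    return "Default", default

# Rules 1-3 from the reply (constructed attribute/group names, not ISE dictionary names).
BASE = [
    Rule("dot1x Domain PC", "PermitAccess",
         {"method": "dot1x", "group": "Domain Computers"}),
    Rule("Domain User Switch1 preposture", "PostureRedirect",
         {"method": "dot1x", "group": "Domain Users",
          "location": "Switch1", "posture": "Unknown"}),
    Rule("Domain User Switch1 compliant", "PermitAccess",
         {"method": "dot1x", "group": "Domain Users",
          "location": "Switch1", "posture": "Compliant"}),
]
# Rule 4: domain user with no location and no posture condition.
RULE4 = Rule("dot1x Domain User", "PermitAccess",
             {"method": "dot1x", "group": "Domain Users"})

def domain_user(switch, posture="Unknown"):
    """Constructed RADIUS request for a domain user authenticating via dot1x."""
    return {"method": "dot1x", "group": "Domain Users",
            "location": switch, "posture": posture}

if __name__ == "__main__":
    # Without rule 4 a user on Switch2 drops to Default; with it, PermitAccess.
    print(evaluate(BASE, domain_user("Switch2")))
    print(evaluate(BASE + [RULE4], domain_user("Switch2")))
    # Rule 4 must sit below the location rules: placed first, it shadows
    # them and a Switch1 user would never be postured.
    print(evaluate([RULE4] + BASE, domain_user("Switch1")))
```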

Hi Szolga,

Many thanks for your time in responding to my queries.

I will definitely test the above scenario and let you know.

harvisin
Level 3

Hello,

I went through your query and found the link below, which should help in solving it:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.pdf

Hi Harvinder,

Thanks for your time and the response on this. I will let you know if I have any further question on this.