
Matching the proper CP policy

ryan.chen
Level 1

Hi ISE experts

I was wondering if anyone has experienced the following. In the client provisioning policy, I've created 2 different policies, i.e. 1 for Corporate machines with Windows and 1 for BYOD devices with Windows. Somehow the devices are picking only one of the policies. Please find the configured CP policies below:

BYOD-Windows

Identity Group - Any

Operating System - Windows All

Other Conditions:

     AD Group - BYOD Users

     Radius:NAS-Port-Type EQUALS Wireless-IEEE 802.11

Result - WebAgent 4.9.5.8, WinSPWizard 2.2.0.52 and Corporate-NSP-BYOD

Corporate-Windows

Identity Group - Any

Operating System - Windows All

Other Conditions:

     AD Group - Domain Users

     Radius:NAS-Port-Type EQUALS Wireless-IEEE 802.11

Result - NACAgent 4.9.5.8 AND ComplianceModule 3.6.11098.2


When I do get the Web Agent on the BYOD devices, I also notice that the endpoint is scanned for the Corporate Security Requirements as well (instead of the BYOD Security Requirements only). But this is definitely due to the user being in 2 of the AD external groups (BYOD user and Domain User).


Any help would be appreciated.


Other info:

Currently running ISE 2.1 patch 3


Thanks


Ryan

Accepted Solutions

Craig Hyps
Level 10

As you said, users can match both policies.  For CP it should be first match but Posture policy could be match all.  Have you considered adding "AND NOT member of BYOD group" to avoid conflicts?
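
The overlap discussed in this thread, as an added example that is not part of the original posts and is not ISE's own code: a simplified Python model of first-match and match-all evaluation over the two posted rules, showing that the result depends on rule order until the groups are made mutually exclusive. The rule order, the sample users, and reusing the same conditions to stand in for posture rules are assumptions.

```python
# Simplified model of ordered policy evaluation; not ISE's implementation.
# Rule names and AD groups come from the post; users and rule order are constructed.

def in_group(group):
    return lambda user: group in user["ad_groups"]

def not_in_group(group):
    return lambda user: group not in user["ad_groups"]

def matches(rule, user):
    return all(cond(user) for cond in rule["conditions"])

def first_match(rules, user):
    """Top-down evaluation that stops at the first hit (client provisioning, per the answer)."""
    for rule in rules:
        if matches(rule, user):
            return rule["name"]
    return None

def match_all(rules, user):
    """Every matching rule applies (posture, per the answer)."""
    return [rule["name"] for rule in rules if matches(rule, user)]

def find_overlaps(rules, users):
    """Users who satisfy more than one rule, i.e. the rules are not mutually exclusive."""
    hits = {u["name"]: match_all(rules, u) for u in users}
    return {name: names for name, names in hits.items() if len(names) > 1}

# Constructed sample users: the BYOD user is also in Domain Users, as in the post.
byod_user = {"name": "byod-user", "ad_groups": {"BYOD Users", "Domain Users"}}
corp_user = {"name": "corp-user", "ad_groups": {"Domain Users"}}
USERS = [byod_user, corp_user]

# Rules as posted. The OS and NAS-Port-Type conditions are identical in both
# rules, so they cannot tell the two apart and are left out of the model.
ORIGINAL = [
    {"name": "Corporate-Windows", "conditions": [in_group("Domain Users")]},
    {"name": "BYOD-Windows", "conditions": [in_group("BYOD Users")]},
]

# Suggested change: the corporate rule also requires NOT being in the BYOD group.
FIXED = [
    {"name": "Corporate-Windows",
     "conditions": [in_group("Domain Users"), not_in_group("BYOD Users")]},
    ORIGINAL[1],
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "overlaps:", find_overlaps(rules, USERS))
```

Running `find_overlaps` over an export of real group memberships before changing the policy shows which users would be affected by the added exclusion.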
