
Posturing policies help required

ymadheka
Level 4

Hi Team,

We are in the middle of a deployment of ISE wherein the customer wants to enforce network access based on the selective pass/failure of posture check conditions, as mentioned here:

  • If the machine has passed anti-malware and patch update but failed McAfee disk encryption, then it should get a certain level of network access (partial network access) with no email access.
  • If the machine has passed patch update and McAfee disk encryption but failed anti-malware, then it should get a certain level of network access (partial network access) with no internal application access.
  • If the machine fails all three (Anti-Malware, Windows Update and McAfee disk encryption), then it should go to the quarantine VLAN, where it should not have access to the network but only to remediation servers.

We have created 3 different authorization policies but are facing an issue in the partial access policy (for points No. 1 & 2 mentioned above).

Kindly help.

Accepted Solutions

Craig Hyps
Level 10

This logic is currently not possible in ISE Posture. Regardless of policy, the result is either Compliance or Non-Compliance, not Partial Compliance, or Compliance less Check X or Y. It is the result of the binary Posture Status which determines the access policy. Please communicate the enhancement request to the Cisco sales team.

Craig


4 Replies

Hi Craig,

Thanks for the reply.

Just to check: in case we make use of the OR operator for multiple posture checks in a single rule, does it still hold true that all the conditions have to be checked for compliant or non-compliant?

Thanks & Regards,

Yogesh Madhekar

Yes, there are OR options, but ultimately the result is either compliant or non-compliant, no in-betweens.

powelca
Level 1

This post is nearly 7 years old, but I'm in the same scenario. Is it still the case that there's no mechanism to do conditional authorizations based on which posture check failed?