
Wired/Wireless BYOD with Posture Check

hunk0602015
Level 1

Hi All,

We have deployed Wired/Wireless BYOD with certificate authentication, which is working perfectly fine, wherein we need to do a posture check for BYOD users.

Can anyone tell me how we can deploy posture check for BYOD users?

Thanks in advance

6 Replies

Marvin Rhoads
Hall of Fame

Posture Check configuration is pretty thoroughly explained in this document:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

Have you looked at it?

Please do so if you haven't already and reply back here if you have remaining questions.

Hi Marvin,

Thanks for the reply. Currently we have configured posturing for domain machines, which is working perfectly fine.

Now we want to deploy posture checks for BYOD users, so I am a little confused about the flow for BYOD users.

The BYOD user will first hit MAB with CWA > AD login for registration > Windows wizard download > certificate profile download check > Permit access.

I am a little confused: where can I mention the posture check in it?

Will the posture check happen on the NAC agent or the web agent?

Thanks in advance

Look in the linked document around paragraph 4a.

Along with the certificate profile download check, add a posture compliance check (like "AND Session: PostureStatus EQUALS Compliant" plus "AND Session: PostureStatus NOT EQUALS Compliant").

If the BYOD User is "PreCompliant" then do a "Posture_Remediation" CoA. Otherwise "Permit access".
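
The rule ordering described in this reply, modelled as an added example (not part of the thread and not ISE configuration or an ISE API): a first-match evaluator plus a check that no session state reaches Permit access without a Compliant posture. The rule names, the `CWA_Redirect` result and the session fields are assumptions made for illustration; `Posture_Remediation` is the result named in the reply.

```python
# Added illustration: a minimal model of first-match authorization rules.
# Rule names, result names and session fields are constructed for this
# example; they are not exported ISE configuration.
from itertools import product

POSTURE = ("Unknown", "NonCompliant", "Compliant")

# Each rule: (name, conditions that must all match, result profile)
RULES = [
    ("BYOD_Compliant",
     {"byod_registered": True, "eap_tls": True, "posture": "Compliant"},
     "PermitAccess"),
    ("BYOD_Posture_Pending",
     {"byod_registered": True, "eap_tls": True},
     "Posture_Remediation"),
    ("Default", {}, "CWA_Redirect"),  # hypothetical name for the MAB/CWA step
]

def authorize(session, rules=RULES):
    """Return (rule name, result) of the first rule whose conditions all match."""
    for name, cond, result in rules:
        if all(session.get(k) == v for k, v in cond.items()):
            return name, result
    return None, "DenyAccess"

def permit_without_posture(rules=RULES, permit="PermitAccess"):
    """List every session state that reaches `permit` while not Compliant."""
    leaks = []
    for reg, tls, posture in product((True, False), (True, False), POSTURE):
        s = {"byod_registered": reg, "eap_tls": tls, "posture": posture}
        name, result = authorize(s, rules)
        if result == permit and posture != "Compliant":
            leaks.append((name, s))
    return leaks

# Misordered variant: a certificate-only permit rule sits above the posture
# rules, so it matches first and the posture condition is never evaluated.
BAD_RULES = [("BYOD_Cert_Only", {"byod_registered": True, "eap_tls": True},
              "PermitAccess")] + RULES

if __name__ == "__main__":
    print("correct order leaks:", permit_without_posture())
    for rule, state in permit_without_posture(BAD_RULES):
        print("leak via", rule, state)
```
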

Hi Marvin,

Is it possible to provide/configure BYOD wireless users using domain laptops with full network access and non-domain laptops/iPads with limited access (Email Server Access Only)?

Thanks and Regards

Dinesna

Sure. You just create two Authorization profiles - one with full access and one with an ACL restricting access.

Your Authorization results in your policy set then check for the computer being a member of the domain. If so then permit full access result. If not, then the result is a Change of Authorization that applies the ACL.  

If you are using both wired and wireless then you need two separate Authorization profiles for restricted access - one with a downloadable ACL (wired) and one that calls out a pre-defined Airespace ACL (wireless).

Many thanks, Marvin, for your valuable info. I will work on this today.

Regards

Dinesh