cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1078
Views
0
Helpful
6
Replies

Wired/Wireless BYOD with Posture Check

hunk0602015
Level 1
Level 1

Hi All,

We have deploy Wired/Wireless BYOD with certificate authentication,which working perfectly fine wherein we need to check posture check for BYOD user. 

Can any one tell me how we can deploy Posture check for BYOD user.

Thanks in advance

6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

Posture Check configuration is pretty thoroughly explained in this document:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

Have you looked at it?

Please do so if you haven't already and reply back here if you have remaining questions.

Hi Marvin,

Thanks for reply. Currently we have configured posturing for Domain Machine and which working perfectly fine.

Now we want to deploy posture checks for BOYD user, so little confused about flow for BYOD user.

BYOD user will first hit to mab with CWA > AD Login for registration > Windows Wizard download> certificate profile download check> Permit access. 

I am little confused,where I can mentioned posture check in it?

Posture check will happen on nac agent or web agent ? 

Thanks in advance

Look in the linked document around paragraph 4a.

Along with the certificate profile download check, add a posture compliance check (like "AND Session: PostureStatus EQUALS Compliant" plus "AND Session: PostureStatus NOT EQUALS Compliant").

If the BYOD User is "PreCompliant" then do a "Posture_Remediation" CoA. Otherwise "Permit access".

Hi Marvin,

Is it possible to provide/configure BYOD Wireless users using Domain Laptops with full network access  and non domain Laptops/Ipads with limited access (Email Server Access Only).

Thanks and Regards

Dinesna

Sure. You just create two Authorization profiles - one with full access and one with an ACL restricting access.

Your Authorization results in your policy set then check for the computer being a member of the domain. If so then permit full access result. If not, then the result is a Change of Authorization that applies the ACL.  

if you are using both wired and wireless then you need two separate Authorization profiles for restricted access - one with a downloadable ACL (wired) and one that calls out a pre-defined Airespace ACL (wireless)

Many thanks marvin for your valuable info. i will work on this today.

regards

Dinesh