ISE - Authorization Profile issue

Andrew Schulz
Level 1

I'm running a trial of ISE and I'm attempting to create the authorization profile with the following settings:

  • Name: Posture_Remediation
  • Access Type: Access_Accept
  • Common Tools:
    • Posture Discovery, Enabled
    • Posture Discovery, ACL ACL-POSTURE-REDIRECT

The documentation says Common Tools, but in the screen shot it shows Common Tasks which is accurate to my install. Doc: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic19

The issue is that I do not see a Posture Discovery option in the Common Tasks area. Can I add these attributes using the Advanced Attributes settings, or is there something I need to enable to display the Posture Discovery option within Common Tasks?

Any help would be appreciated.

Andrew

3 Replies

Tarik Admani
VIP Alumni

Andrew,

The PostureStatus is a condition that will help enforce posture remediation.

The posture discovery is the authorization profile (under policy-elements > results) that will have to be created in order to make this work. You create a posture discovery web authentication portal and then you create the ACL you are going to call in order to perform the redirection on the NAD.

Then you have to create a client provisioning policy along with a posture policy in order to distribute the agent and perform the checks you want.

Thanks,

Tarik Admani
*Please rate helpful posts*

Eric Kenny
Level 1

I had the same issue with the documentation being out of date for 1.1.1. Instead of there being a "Posture Discovery" task, you have to configure "Web Authentication" and select "Posture Discovery" from the drop-down box.

Hope that helps,

Eric

Abhishek Abhishek
Cisco Employee

Hello Andrew,

As per your query, I can suggest the following:

Creating a New Authorization Policy

Use this procedure to create a new authorization policy.

To create a new authorization policy, complete the following steps:

--------------------------------------------------------------------------------

Step 1 Choose Policy > Authorization > Standard.

Step 2 Click to select either Insert New Rule Above or Insert New Rule Below.

A new policy entry appears in the position you designated in the Standard panel of the Authorization Policy window.

Step 3 Enter values for the following authorization policy fields:

  • Rule Name: You need to define a rule name for the new policy.
  • Identity Groups: Choose a name for the identity group that you want associated with the policy.
    • Click + ("plus" sign) next to the word "Any" to display a drop-down list of group choices, or choose Any for the policy for this identity group to include all users.
  • Condition(s): Choose the types of conditions or attributes for the identity group associated with the policy. Click + next to Condition(s) to display the following list of condition and attribute choices that you can configure:
    • Select a Condition Name option from the drop-down list (Simple Conditions, Compound Conditions, or Time and Date Conditions) as needed.
    • Select one of the Attribute options as needed. This displays a list of dictionaries that contain specific attributes related to the dictionary type.

When you select an attribute, you can define it as Equals, Not Equals, or Matches using a pull-down list of operator options, and select an AND or OR directive using a pull-down directive option.

For more information, please refer to the link:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html