06-29-2019 11:41 PM
Experts,
We would like to assign a different VLAN depending on whether posture checking results in Compliant or Non-compliant, as below.
Posture Compliant ---> AuthZ profile Vlan100 (10.1.1.0/24)
Posture Non-compliant or Posture Unknown ---> AuthZ profile Vlan200 (10.1.2.0/24)
On Windows (we are using NAM as the supplicant), everything seems to work fine, and the call flow is:
Endpoint onboards -->> Endpoint gets an IP in 10.1.2.0/24 (because the endpoint belongs to Unknown before/during the posture check) -->> Posture completes and confirms Compliant -->> Endpoint refreshes to a new IP in 10.1.1.0/24
The issue is on macOS in the last step. macOS somehow never refreshes its IP address.
The question is 'Is it not something commonly used?'.
I have gone through some online articles and understand we could use dACL or SGT to limit the non-compliant device from talking to internal resources. Just want to confirm if this depends on endpoint behavior or is something we should change on ISE or WLC/Switch.
06-29-2019 11:50 PM