Cisco Identity Services Engine 1.1 Troubleshooting Guide

Introduction
This document describes posture services, client provisioning, posture policy creation, and access policy
configuration for the Cisco Identity Services Engine (ISE). Endpoint assessment results for both wired clients
(connected to Cisco switches) and wireless clients (connected to Cisco wireless controllers) are discussed.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
• Cisco Identity Services Engine (ISE)
• Cisco IOS® software switch configuration
• Cisco Wireless LAN Controller (WLC) configuration
Components Used
The information in this document is based on these software and hardware versions:
• Cisco ISE Version 1.1.3
• Cisco Catalyst 3560 Series Switch Version 15.0(2) SE2
• Cisco 2504 Series WLC Version 7.4.100.0
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Background Information
ISE Posture Services
The posture services workflow consists of three main configuration sections:
• Client provisioning
• Posture policy
• Authorization policy
Client Provisioning
In order to perform posture assessment and determine the compliance state of an endpoint, it is necessary to
provision the endpoint with an agent. The Network Admission Control (NAC) Agent can be persistent,
whereby the agent is installed and is automatically loaded each time a user logs in. Alternatively, the NAC
Agent can be temporal, whereby a web-based agent is dynamically downloaded to the endpoint for each new
session and then removed after the posture assessment process. NAC Agents also facilitate remediation and
provide an optional acceptable use policy (AUP) to the end user.
Therefore, one of the first steps in the workflow is to retrieve the agent files from the Cisco website and to
create policies that determine which agent and configuration files are downloaded to endpoints, based upon
attributes such as user identity and client OS type.