SEC0055 - ISE 1.1 Posture Assessment with NAC Agent (Part 1)


The video looks at posture assessment configuration on Cisco ISE. We will be performing antivirus installation and signature definition update checks before allowing a domain user onto the network. Using wired Windows 7 and ClamWin Antivirus as an example, we will step through the posture assessment process, starting from the NAC Agent download, and, along the way, try to bring our test machine to a compliant state to gain full network access.

In part 1, we will be configuring authentication, authorization, and client provisioning policies to allow the client to download a NAC Agent.
  • Authorization Policies
  • Posture Policies
  • Client Provisioning Policies
  • Policy Elements
    • Conditions (Authorization)
    • Results (Authorization Profile, dACL, VLAN)
  • Posture Agent Profile
  • Cisco NAC Agent (Windows)
  • NAC Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus
  • NAC Agent uses SWISS protocol (UDP/8905) to communicate with ISE

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new technologies.


Hello, if there are multiple PSNs, how do you add them without manually changing the NAC agent profile to point to a particular PSN? In other words, how can I make the NAC agent point to whichever PSN responds first?

My understanding is there is nothing you really need to do on the NAC agent side. The PSN server should be automatically selected based on the RADIUS server config on the switch/WLC. Are you experiencing something different?

By default, everyone (any IP address) with the right username and password can access the ISE web portal. I want to limit it so that only specific IPs can access the ISE web portal. Please show me how to do that!

Are you talking about the web GUI admin? If so, there should be a section under Administration > Admin that allows you to restrict the IPs that can access the GUI.

About the VLAN check box in Authorization Profiles: Tag ID: 1, Edit Tag ID/Name: 63 means that if a rule with this Authorization Profile is matched, the VLAN ID of the port changes from 1 to 63, right? But if I execute the command "switchport access vlan 1" on the interface connected to the endpoint, does the dynamic VLAN still take effect or not?
And about dACL, does it only require that the switch supports dACL, or do we need to do something else on the switch for the dACL to take effect?

The VLAN you configure in the Auth Profile on ISE will override whatever VLAN you set on the switchport as long as that VLAN is created in the VLAN database. A dACL from ISE will only be accepted by the switch if the switch supports dACL and has aaa network authorization enabled.

When a user logs in successfully, after some time the login pop-up appears on the client PC and asks the user to re-type their username or password. Where can I disable reauthentication? On the switch, on ISE, or both?

If it is a domain computer, the user should never be prompted if you have the .1x profile configured to use Windows credentials. Reauth can be disabled on the switchport.