ISE and certificates

Hi all,
I'm trying to get my head around using 3rd-party certificates with ISE and I think I need some guidance here.
I have a setup of 6 ISE nodes, 2xAdmin, 2xMonitoring and 2xPolicy.
All of these have the domain-name of abc.local.
I want to use MS-CHAPv2 and the guest service without certificate errors.
So do I need to enroll all six of my nodes with a 3rd-party CA? Or just the 2x Policy nodes?
I know the best solution would be all six but just to know if it is possible.
How do I get around the problem with .local? I do not think it is possible to get a certificate with .local as a domain in FQDN.
Is a SAN certificate useful here? How would they look (still .local in the CN...)?
Other things to consider in this?
regards
Mikael

It is OK to use Apache; you just need the correct OID enabled, which is for server authentication. You can use the same cert for authentication and the HTTP web server; however, the EAP authentication server requirements are not as stringent on the hostname as the HTTP management requirements.
Also, what are you using for the format when creating the CSR? Are you just using CN=isefqdn, or did you follow the example here: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292
Step 4: Enter the certificate subject and the required key length. The certificate subject is a distinguished name (DN) identifying the entity that is associated with the certificate. The DN must include a common name value. Elements of the distinguished name are:
• C = Country
• S = Test State or Province
• L = Test Locality (City)
• O = Organization Name
• OU = Organizational Unit Name
• CN = Common Name
• E = E-mail Address
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Another ISE and certificates

    Hi,
    I have a deployment, ISE 1.2, where I'm trying to run EAP-TLS with computer certificates.
    There is only one PKI, with a root CA and an intermediate issuing CA.
    When we try to authenticate the client we get:
    Event: 5400 Authentication failed
    Failure Reason: 12508 EAP-TLS handshake failed
    For troubleshooting we have tried to import the root and issuing certificates from the client to ISE.
    We have compared serial numbers on all certificates and they match.
    I have checked with Wireshark and I see the client present client-cert and issuing, from ISE there is client-cert, issuing and root.
    I have tried to change CN to SAN to SAN DNS.
    If I run a user certificate from the client it works like it should, and that shows me that the root and issuing certificates are OK on ISE.
    Any good tip on what could be wrong?
    Or maybe an example of a computer CA template that can be used for auto enrollment with AD?  :-)
    Regards

    Problem solved.
    The reason ISE rejected the certificate was because of an extra extension added to the certificate.
    The server team added this extension to the 'Application Policy Extension' and then made it critical, they wanted to have something extra to filter on.
    ISE rejected the certificate because it couldn't validate the extra extension and a critical extension has to be validated. When we removed the 'Make this Extension Critical' check mark from the certificate it worked as it should.
    Cheers

  • Does Anybody know how to keep the license files and Certificates in ISE-3315 During the upgrade.

    Hi,
    I have two ISE-3315 Appliances in production network.
    I need someone's help to explain how to make the secondary node the primary admin node to reset-config.
    And then I would like to know how to keep the license files and Certificate during the Upgrade.
    Please help me to answer my questions.
    Thanks
    CSCO11872447

    The Cisco Identity Services Engine (ISE) provides distributed deployment of runtime services with centralized configuration and management. Multiple nodes can be deployed together in a distributed fashion to support failover.
    If you register a secondary Monitoring ISE node, it is recommended that you first back up the primary Monitoring ISE node and then restore the data to the new secondary Monitoring ISE node. This ensures that the history of the primary Monitoring ISE node is in sync with the new secondary node as new changes are replicated.
    Please check the below configuration guide for secondary ISE nodes.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.pdf

  • ISE and EAP-TLS

    Hi
    We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.
    22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request
    I've tried two different profiles, one with certificates and AD credentials and the other one with just certificates, but the error message is the same for both.
    EAP-TLS is enabled in  the 'Default Network Access' authentication result.
    Can anyone shine a light on where I'm going wrong?
    Thanks
    Martin

    Martin,
    Then that makes sense, since ISE uses certificate-based authentication when using EAP-TLS and the certificate doesn't have the OIDs to support certificate-based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:
    http://support.microsoft.com/kb/814394
    Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:
    The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.
    Here is the Cisco eap-tls deployment guide which references the same as above:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
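The three certificate checks that run through this page (the original question about putting every ISE node's FQDN in one SAN certificate, the "Another ISE and certificates" thread where a critical private extension made ISE reject the client certificate, and the reply above about the Server Authentication OID 1.3.6.1.5.5.7.3.1) are all decisions a validator makes while walking the X.509v3 extensions block. The following is an added example, not code from the thread or from Cisco: a minimal DER encoder/decoder that builds an Extensions block with a SAN, an EKU and an "extra" private extension, then validates it the way RFC 5280 requires (reject any critical extension the validator does not recognise, then require id-kp-serverAuth). The hostnames and the private-extension OID 1.3.6.1.4.1.99999.1 are constructed placeholders.

```python
# Added example (not from the thread): toy DER handling for X.509v3 extensions,
# enough to reproduce the SAN / EKU / critical-extension checks discussed above.

OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, the OID quoted in the thread
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth
OID_PRIVATE_EXT = "1.3.6.1.4.1.99999.1"  # constructed placeholder for an "extra" private extension

# Extensions this validator knows how to process; any OTHER extension that is
# marked critical must cause rejection (RFC 5280, section 4.2).
KNOWN_EXTENSIONS = {OID_SUBJECT_ALT_NAME, OID_EXT_KEY_USAGE}

# Constructed placeholder FQDNs for the six-node deployment in the question.
NODES = ["ise-pan1.example.com", "ise-pan2.example.com",
         "ise-mnt1.example.com", "ise-mnt2.example.com",
         "ise-psn1.example.com", "ise-psn2.example.com"]


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID: first two arcs merged, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content):
    """Inverse of encode_oid, operating on the OID content octets."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def seq_items(tlv):
    """Split a SEQUENCE TLV into its child (tag, content) pairs."""
    items, content, pos = [], read_tlv(tlv)[1], 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        items.append((tag, inner))
    return items


def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid) + (der(0x01, b"\xff") if critical else b"")
    return der(0x30, body + der(0x04, value))


def build_extensions(dns_names, eku_oids, private_critical):
    """Extensions block with a SAN (dNSName [2]), an EKU and one private extension."""
    san = der(0x30, b"".join(der(0x82, n.encode("ascii")) for n in dns_names))
    eku = der(0x30, b"".join(encode_oid(o) for o in eku_oids))
    private = extension(OID_PRIVATE_EXT, der(0x04, b"filter-tag"), critical=private_critical)
    return der(0x30, extension(OID_SUBJECT_ALT_NAME, san) + extension(OID_EXT_KEY_USAGE, eku) + private)


def parse_extensions(blob):
    """Map extnID -> (critical, extnValue content)."""
    result = {}
    for _tag, ext in seq_items(blob):
        fields = seq_items(der(0x30, ext))
        critical = len(fields) == 3 and fields[1][1] == b"\xff"
        result[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return result


def validate(blob):
    """Return (True, san_names) or (False, reason), applying the RFC 5280 critical rule first."""
    exts = parse_extensions(blob)
    for oid, (critical, _value) in exts.items():
        if critical and oid not in KNOWN_EXTENSIONS:
            return False, f"unrecognised critical extension {oid}"
    eku = [decode_oid(c) for _t, c in seq_items(exts[OID_EXT_KEY_USAGE][1])] if OID_EXT_KEY_USAGE in exts else []
    if OID_SERVER_AUTH not in eku:
        return False, "EKU lacks id-kp-serverAuth"
    san = [c.decode("ascii") for t, c in seq_items(exts[OID_SUBJECT_ALT_NAME][1]) if t == 0x82]
    return True, san


if __name__ == "__main__":
    print(validate(build_extensions(NODES, [OID_SERVER_AUTH, OID_CLIENT_AUTH], False)))
    print(validate(build_extensions(NODES, [OID_SERVER_AUTH], True)))      # critical private ext
    print(validate(build_extensions(NODES, [OID_CLIENT_AUTH], False)))     # no serverAuth
```

The second case is the one from the "Problem solved" reply: the same private extension passes when it is non-critical and fails the moment it is flagged critical, because a conforming validator is not allowed to ignore a critical extension it cannot process. The third case is the EAP-TLS reply above: a certificate whose EKU lacks 1.3.6.1.5.5.7.3.1 is not usable as the server-side EAP certificate.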

  • ISE and LDAP Integration

    Hello,
    I have a question about the LDAP integration with the ISE:
    Since ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use for authorization, and ISE also cannot find a group if I search for it directly.
    What I mean is that I can fetch the first 100 groups from the top of the directory, but when I search for any group (whether it appears on the list or not), ISE does not find it.
    I even tried to change the base DN and the search DN, but without luck.
    The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
    Is there any missing information/tips required in such integration?

    Hello,
    I found a Cisco doc that provides a resolution on the key features of the integration of Cisco ISE and LDAP. I hope this helps!
    This section contains the following:
    • Directory Service
    • Multiple LDAP Instances
    • Failover
    • LDAP Connection Management
    • User Authentication
    • Authentication Using LDAP
    • Binding Errors
    • User Lookup
    • MAC Address Lookup
    • Group Membership Information Retrieval
    • Attributes Retrieval
    • Certificate Retrieval
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

  • ISE and Citrix Netscaler for LB

    I'm working on a solution where we have NetScaler load balancers distributing RADIUS requests from the NADs to the respective PSNs. Authentication works and redirect URLs work, etc. The challenge we're having is with EAP-TLS sessions. The user gets a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication, issued from the same internal CA within the customer's PKI.
    Has anyone configured a NetScaler for use with ISE, and besides the general guidelines below, are there more specific things that need to be done to make this work with Citrix NetScalers?
    Load Balancing guidelines.
    No NAT.
    Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
    Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…)
    Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address
    Session-ID is recommended if load balancer is capable (ACE is not).
    VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
    Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
    If "Server NAT" is applied to the PSN-initiated CoA traffic, then a single VIP can be listed in the NAD CoA list.
    Load Balancers get listed as NADs in ISE so their test authentications may be answered.
    ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to VIP.

    Does anyone have a working configuration for this?  I'm getting successful authentications from the supplicant, but CoA fails. When I perform a CoA I get two of each of the following messages:
    1) Event & Failure reason "5436 RADIUS packet already in the process"
    then
    2) Event "5417 Dynamic Authorization failed" / Failure reason "11215 No response has been received from Dynamic Authorization Client in ISE"
    The policy nodes are not physically located behind the NetScaler, so I have them pointing to the NetScaler as the default GW.  I'm not sure if we have the policy on the NS configured correctly though, because I had to add the NetScaler as a Network Device and I was under the impression that the switch and PSN should continue to talk directly to each other.
    Any help would be greatly appreciated!
    Cheers!
    Ken

  • Ise and windows CA cert issues during tls

    Hi All,
    We are having some issues when doing EAP-TLS during onboarding. The setup is to have a single SSID network. Clients initially get connected via PEAP, and after onboarding it is EAP-TLS. The environment is a 2-tier CA hierarchy having a root CA (offline) and an intermediate CA (this is the AD domain enterprise CA and SCEP server). The ISE cert was signed by the intermediate CA for HTTPS and EAP. I also imported the certificate chain from the intermediate CA into the ISE cert store (converted from .p7b to .der). It also has the SCEP RA certificate, and SCEP communication between ISE and the SCEP server looks OK.
    The issue is during the onboarding process (tested with Windows XP): after the redirection to the guest portal, the Windows SPW wizard starts and prompts to confirm the user certificate. This keeps on prompting after 'OK' is clicked and does not proceed further. 'View certificate' shows the following error: "The issuer of this certificate is not found". ISE shows the following errors in the authentication details (jpg attached). The Windows SPW logs show that it keeps on retrying authentication.
    The issuer of the client cert, which is the intermediate CA cert, is already in the ISE certificate store. Therefore shouldn't the client get this issuer CA's details from ISE, and ISE should be able to authenticate the client during onboarding to start the TLS connection? Do we have to import separate certs for the root CA and intermediate CA into the ISE store instead of the chain?
    Did anybody have this issue with ISE in a hierarchical CA environment?
    Thanks in advance.

    Review this link
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1044440

  • ISE and 802.1x - Retrieve User Cert from AD for Auth without it being in the Personal Store?

    Hello,
    We are implementing 802.1x EAP-TLS wired at the moment with Cisco ISE, and wireless is to come after that, along with our internal PKI.  I set up the PKI, and our network engineer is setting up the ISE.  We currently have it set to first authenticate the computers with a computer certificate (allowing access to AD, among some other things), and then further authenticate the users with user certificates.
    I don't have much knowledge of Cisco ISE, and plan to learn as we go, but I'm wondering:
    Is it possible to authenticate the computer via the computer certificate, getting access to AD, and then have the ISE check AD for the User certificate INSTEAD of the User certificate being in the local Personal store of the client computer?  We have autoenrollment going for user certificates, but it seems to be cumbersome (in thought) that once 802.1x is enabled, a new computer/employee coming on the network has to first go to an unauthenticated port to be able to download the User certificate in the Personal store, before then being able to use an 802.1x port?
    I guess that makes two questions:
    1) Can ISE pull the user cert from AD, without needing it in the local Personal store?
    2) What's the easiest way to handle new computers/users that don't already have the User cert in their local Personal store once 802.1x is enabled?

    1)No
    2)Use EAP-Chaining with EAP-TLS and PEAP
    For this scenario, I would go with Cisco AnyConnect NAM and then use EAP-Chaining, with EAP-TLS for machine auth and then PEAP for user authentication. This way you can make sure that both the machine and the user are authenticated, and more importantly, that a user cannot get on the network with their user identity only and no machine identity. Using Windows' own supplicant for this gives no guarantee that the user has logged in from an authenticated machine. The feature that used to be used for this before EAP-Chaining was introduced is called MAR, and it has many problems, making it almost useless in a corporate environment. Security-wise, the PEAP-MSCHAPv2 is tunneled in EAP-FAST and does not have the same security issues as regular PEAP.

  • 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

    Hi guys,
    I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
    I have imported both the root CA and the client certificate on the device I want to authenticate, but ISE keeps spitting out this error:
    12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

    Refer to the link for troubleshooting; the issue is mentioned on page 22, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

  • ISE, BYOD: win clients reject ISE local-certificate

    Hello!
    We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication.
    Windows clients cannot connect to 802.1x SSID with the following error on ISE:
    Authentication failed: 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    The client doesn't have preconfigured wifi profile or root certificate installed.
    The concept of BYOD supposes that you can connect your device without any installed certificates or preconfigured Wi-Fi profiles.
    The problem is that the Windows 7 supplicant does not show the TLS alert in a pop-up window when connecting to the 802.1x SSID.
    If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install the root cert, get your own cert, etc.
    So, the question is: how to make the windows supplicant to show the pop-up window with TLS alert?
    p.s. the attached file shows the example of pop up TLS-alert window

    Are there any recommendations from Cisco about the issue with Windows?
    I believe there's a new version of smart solution design guide coming up.
    The current one does not mention anything to do with certs in "User Experience" chapter.
    You can check one of the possible approaches in Nico's document:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    (It can be easily extended.)
    I think in regard to PEAP we will always say that the cert or the root/sub CA cert should already be trusted on the device when performing enrollment.
    Will try to dig in, can't say I promise to get something concrete though. 

  • How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

    Hi Team,
    We were able to push the EAP-TLS configuration profiles and certificates to Windows devices via group policy. However, we're now looking to see how we can accomplish this for MacBooks and iPhones. Is there an open source application or something we can leverage to do this?
    Thanks

    I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
    Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
    Hope this helps!
    Thank you for rating helpful posts! 

  • ISE trusted certificates - 1.1.1 bug??

    Hello,
    I'm authenticating a few Cisco Phones towards ISE via EAP-TLS, and all was working on version 1.1.
    Now that we've upgraded to 1.1.1, I've reimported Cisco's Manufacturing CA and Root CA certificates into ISE, and marked them for trust for EAP-TLS authentications, but when phones authenticate I keep getting the message that they've presented an unknown CA certificate in their certificate request, and obviously we are failing EAP-TLS, but I'm pretty sure the certificates are well imported into ISE, so they should pass the validation.
    Is anybody aware of a bug of some sort with this?
    I read a post where somebody stated that now ISE would only support one certificate for EAP-TLS auth...
    If somebody can provide further details...
    Thanks
    Gustavo Novais

    The defect that I came across, even though I had all the certs installed correctly:
    CSCud00831    eap-tls authentications start failing after a while x509 decrypt error
    Symptom:
    EAP-TLS authentications fail with "X509 decrypt error"
    Conditions:
    Visiting backup/restore page or performing an automatic scheduled backup
    without visiting the backup/restore page
    Workaround:
    Do not visit backup page. Disable scheduled backup. Separate Policy
    Services. Node on deployment from Administrative or Monitoring Node.
    The fix will be available in ISE 1.1.3
    Jatin Katyal
    - Do rate helpful posts -

  • Server 2012 R2 - Essentials Experience - - I jacked my CA and certificates all to @#&$%!!

    Windows Server 2012 R2 - Essentials Experience
    In trying to put pieces together, I jacked my CA and certificates all to @#&$%!!
    Some of the factors involved are:
     Server0 - Hyper-V Host
      Server1 - DC, 2012 R2 Essentials Experience role
      Server2 - Exchange 2013
     Client Machines -
      Windows 7 Pro
      XP (Yes, these are my cross to bear... - worth noting their presence, but I'm working them out) 
     The functional requirements:
      Anywhere Access for Remote users
       - Remote Desktop for Windows 7 machines
      Outlook Web Access
    The mistake... 'Web Application Proxy'
     -which uninstalled the CA
    There is a CA back now, but after days of spinning in circles in a rare area where I feel nearly completely lost (Certificate Services) I am asking for help getting these pieces put back together.
    The current situation:
     The network is up with all of the network and business services required to work 'Inside the Office' - so the client is "functional".
     The "Essentials Experience" is broken and won't install to the clients, though it does provide the Essentials website, access to server shared files (fairly gracefully, I might add) and, as an administrator user, I can get to the servers via
    RWA through the site and there are no certificate problems with that since I have a secured certificate for the domain. 
     OWA has been moved to a further back burner while I try to get the Essentials Experience functioning to the point where the remote users can get to their workstations through RWA... This is the biggest current hurdle... RWA for the clients.
    Trying to install the client to the workstations nets me the "The Server is not available.  Try connecting this computer again,..." message at the point of username and password authentication.
    The clientdeploy.log finishes like this:
     [4976] 141016.153746.2670: ClientSetup: Standard Error:
     [4784] 141016.153746.2670: ClientSetup: The exit code of the process (C:\Windows\system32\nslookup.exe) is: 0
     [4784] 141016.153746.2670: ClientSetup: Set CD Fail reason 10 for SQM in ClientDeployment.exe
     [4784] 141016.153746.2670: ClientSetup: RecordClientDeploymentFailReason: Save registry failed in ClientDeployment.exe : System.UnauthorizedAccessException: Cannot write to the registry key.
      at Microsoft.Win32.RegistryKey.EnsureWriteable()
      at Microsoft.Win32.RegistryKey.CreateSubKeyInternal(String subkey, RegistryKeyPermissionCheck permissionCheck, Object registrySecurityObj, RegistryOptions registryOptions)
      at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck)
      at Microsoft.WindowsServerSolutions.ClientSetup.ClientDeploy.Helper.RecordClientDeploymentFailReason(UInt32 failReason)
     [4784] 141016.153746.2670: ClientSetup: Exiting ValidateUserTask.Run
     [4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has TaskStatus=Failed
     [4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has RebootStatus=NoReboot
     [4784] 141016.153746.2670: ClientSetup: Exting ConnectorWizardForm.RunTasks
     [1272] 141016.153755.0976: ClientSetup: Back from the Client Deployment Wizard
     [1272] 141016.153755.0976: ServerDiscovery:HostsFileUpdater: Removing hosts file entry: 1-WGB-01
     [1272] 141016.153755.0976: ClientSetup: Saving Wizard Data
     [1272] 141016.153755.0976: ClientSetup: End of ClientDeploy: ErrorCode=1603
    The computerconnector.log shows nothing of value.
    What I want to accomplish as a 'first step' toward recovery is to get the workstations properly connected so they show up in the Dashboard 'Devices' pane and can be managed and access by the Essentials tools.
    Secondarily, I would like to get the client side tools in place and functioning (I expect the latter will be a side effect of the former).
    So,... for anyone patient enough to have read this far... uh,... help?

    Actually,... I can now confirm the delicacy of which you speak...
    After a support incident with Microsoft which spanned a marathon 18+ hours on the phone and remote access by no fewer than 7 Microsoft Engineers, we got to a successful result. 
    It is a point of utter frustration for me when people put in threads like this then don't bother to come back and report 'how the issue was solved', and sadly, I am about to have done that merely because my span of functional attention and valuable reporting capability was basically gone before I submitted the ticket and following all that was done in my state was not conceivably possible.
    So - all I can do is apologize for not being able to report a valuable resolution and give a few little tidbits.
    The net result is this - DO WHAT YOU CAN TO AVOID THE SITUATION IN THE FIRST PLACE.  Once your CA is in place, LEAVE IT THE $%@& ALONE!!!!  I mean... my best current advice.
    In all, the CA was uninstalled and reinstalled 4 times after my blunder and significant work was done in ADSIEdit as well as substantial manual manipulation of certificates and CAs that was well outside of my (quite considerable) scope of expertise.
    I wish I had more to offer in the world of resolution.
    With this said, I will make one more request of viewers and moderators alike:
    THIS QUESTION IS OFFICIALLY NOT ANSWERED.  IT WILL NEVER BE ANSWERED.  THE RESOLUTION IS NOT AVAILABLE TO THE MORTAL MAN.
    DO NOT MARK IT AS ANSWERED
    IF YOU MUST DO SOMETHING, DELETE THE WHOLE THREAD, BUT DO NOT BURDEN PEOPLE WHO ARE LOOKING FOR REAL ANSWERS WITH THE NECESSITY OF READING THROUGH THIS.
    DO NOT MARK THIS QUESTION AS ANSWERED
    I hope this makes sense for people, and I hope people will appreciate NOT having to read this as though there is some 'resolution' contained within.

  • Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

    With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Services Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own-device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access . Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Services Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
    Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
    Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
    Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certifications.
    Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.
    Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    OOPS !!
    I will repost the whole message with the correct external URLs:
    In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks. And then a drill-down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
    TrustSec Home Page
    http://www.cisco.com/en/US/netsol/ns1051/index.html
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
    I find this page very helpful as a top-level start to what features and capabilities exist per device:
    http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
    The TS 2.1 Design Guides
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    DesignZone has some updated docs as well
    http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
    As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
    http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

  • ISE and WLC for posture remediation

    Please can anybody clarify a few things in relation to ISE and wireless posture.
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
    2) Can/Should a dACL/wACL be specified as a remediation ACL?
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports; doesn't direction 'any' work?)
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation.
    thanks
    Nick

    Nick,
    Answers are inline:
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kick off posture checking? This is for both: if ports 8905, etc. are included, then this is for initial redirection and remediation.
    2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support dACLs; you will have to reference another ACL in the authorization policy. The new versions have the Airespace ACL field, where you will have the ACL defined locally on the WLC.
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports; doesn't direction 'any' work?) Yes, you have to add two entries. For example, for all traffic redirection to ISE: source = any, destination = iseipaddr, source port = any, destination port = any, direction = any, action = permit;
    source = iseipaddr, destination = any, source port = any, destination port = any, direction = any, action = permit. It's not the easiest, but I will attach a screenshot that will show you my example.
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesn't support dACLs here, so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery); after that the ACL field will come up, where you "call" the posture ACL which is defined on your controller.
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation. Keep in mind that you have to have RADIUS NAC and AAA override enabled under the advanced settings for CoA to work.
    You have to turn on CoA under the global settings in ISE (Administration > Profiling > CoA Type > Reauth).
    Then you have to build your policies so that when a user connects to the network they are redirected to download the NAC agent (this is where the Posture Discovery and redirect ACL work in tandem).
    Once the client downloads the NAC agent and is compliant, the report is forwarded to ISE, where a CoA event is triggered.
    Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant; you can set the ACLs for restricted access, use dynamic VLAN assignment, or just send the access-accept.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
