ISE and Symantec SEP 11 Interworkering Question

Similar Messages

• Cisco ISE and SecurID Integration Questions

  I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
  We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
  We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
  The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
  My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
  I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It apears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no-longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
  Thanks!

  The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
  Have you already gone through the below listed link?
  http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
  Regards,
  Jatin Katyal
  - Do rate helpful posts -

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• ISE and wireless CWA

  Need some help on this one.
  This is ISE 1.1.1 and WLC 7.2
  I want to use CWA and Webauth for guest users, and I have configured that on the ISE and WLC.
  This is working but I need some clarification :-)
  First I tried to use AuthC policy with
  allowed protocolls= PAP-ASCII + Host lookup
  Result of that was that for Mac OS X an MS PC it's no problem, I get redirected, logon, press yes on the AUP and I can go on surfing the web.
  But on the iOS devices I get redirected to the guest logon page, put in my credentials and insted of the AUP page I get a network error, could not connect.
  If I change AuthC to
  allowed protocolls=  Default Network Access
  All is working fine for all endpoints.
  Im looking at the RADIUS Authentication Details but I dont understand what iPhone/iPad do diffrent?
  An other question here, can I get a redirect after successfull logon instead of 'Please retry your orginal URL request'?
  Thanks!

  I did solv this (sort of) using html redirect on a custom portal, going to the customers web page.
  http://www.cisco.com/">
  It would be nice to have a redirect to the page the user wanted to view prior to login but this is good enough

• ISE and critieria for quarantine

  We have a question concerning ISE and what criteria it is able to use when placing an enpoint into quarrantine. We would like to configure ISE to quarrantine systems that have been placed on a network other than our business network. In other words, we're wondering if ISE is able to detect whether one of our systems has been on another network (for example: it has been connected to a users' home network). Can ISE do this, quarantining the system until security scans can be completed?
  Thank you for any information that you can provide                  

  Please check the posture remediation options below
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_pos_pol.html#wp2319686

• ISE and LDAP Integration

  Hello,
  I have a question about the LDAP integration with the ISE:
  Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use on the authorization, and also the ISE cannot find group if I search for it directly.
  What I mean here, that I can fetch the first 100 groups from the top of the directory, but when I search as example for any group (appear on the list or not) the ISE did not find it.
  Even I tried to change the base DN and the search DN but without luck.
  The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
  Is there any missing information/tips required in such integration?

  Hello,
  I found a cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP .I hope this helps!
  This section contains the following:
  •Directory  Service
  •Multiple  LDAP Instances
  •Failover
  •LDAP  Connection Management
  •User  Authentication
  •Authentication  Using LDAP
  •Binding  Errors
  •User  Lookup
  •MAC  Address Lookup
  •Group  Membership Information Retrieval
  •Attributes  Retrieval
  •Certificate  Retrieval
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

• ISE and NAC wireless guest networks

  I have a wireless network that is NAC controlled and use lobby ambassador for guest wireless. What is the best way to migrate to ISE for guest. Are there problems running NAC and ISE on the same controller?
  Sent from Cisco Technical Support iPad App

  Hello,
  For your query regarding ISE and NAC following are my  findings, which might help you in order to solve your query.
  for your first question:-
  ISE is a free software upgrade for customers who have NAC appliance or NAC profiler. This is for both for the base and advance licenses.
  ISE is a 50% software discount for customers who have  NAC guest server. The 50% discount is a migration part for the base license only. The advance features license will not be impacted by this discount.
  for your second question:-
  There should be no issues running NAC and ISE on the same controller until and unless you are using two SSIDs.

• ISE and 802.1x - Retrieve User Cert from AD for Auth without it being in the Personal Store?

  Hello,
  We are implementing 802.1x EAP-TLS wired at the moment with Cisco ISE, and wireless is to come after that, along with our internal PKI.  I set up the PKI, and our network engineer is setting up the ISE.  We currently have it set to first authenticate the computers with a computer certificate (allowing access to AD, among some other things), and then further authenticate the users with user certificates.
  I don't have much knowledge of Cisco ISE, and plan to learn as we go, but I'm wondering:
  Is it possible to authenticate the computer via the computer certificate, getting access to AD, and then have the ISE check AD for the User certificate INSTEAD of the User certificate being in the local Personal store of the client computer?  We have autoenrollment going for user certificates, but it seems to be cumbersome (in thought) that once 802.1x is enabled, a new computer/employee coming on the network has to first go to an unauthenticated port to be able to download the User certificate in the Personal store, before then being able to use an 802.1x port?
  I guess that makes two questions:
  1) Can ISE pull the user cert from AD, without needing it in the local Personal store?
  2) What's the easiest way to handle new computers/users that don't already have the User cert in their local Personal store once 802.1x is enabled?

  1)No
  2)Use EAP-Chaining with EAP-TLS and PEAP
  For this scenario, i would go with Cisco AnyConnect NAM, and then use EAP-Chaining, with EAP-TLS for machine auth, and then PEAP for user authentication. This way you can make sure that both the machine and the user is authenticated, and more importantly, that a user can not get on the network with their user identity only and no machine identity. Using windows own supplicant for this, gives no garantee that the user has logged in from an authenticated machine. The feature that used to be used for this before EAP-Chaining was introduced, is called MAR, and has many problems, making it almost useless in a corporate environment. Security wise, the PEAP-MSCHAPV2 is tunneled in EAP-FAST and does not have the same security issues as regular PEAP.

• Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

  Hi,
  Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
  Thanks in advance for any input!
  Tina

  Hi,
  I have an update for this quite broad question.
  I have now came a bit further on the path.
  Now the needed Radius Access Attribute are available in ISE after adding them in
  "Policy Elements" -> "Dictionaris" -> "System" -> "Radius" -> "Cisco-VPN3000".
  I added both the attribute 146 Tunnel-Group-Name which I realy need to achive what I want(select diffrent OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be intresting to look at as well.
  Here the "Diagnostics Tools" -> "Generel tools" -> "TCP Dump" and Wireshare helped me understand how this worked.
  With that I could really see the attributes in the radius access requests going in to the ASA.
  Now looking at a request in "Radius Authentication details" I have
  Other Attributes:
  ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
  Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
  That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
  So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
  Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
  What could it be I have missed?
  Best regards
  /Mattias

• Have you fixed the compatibility with HP printers and Symantec yet for the latest Firefox? I am waiting before installing.

  You told me to install the 3.7 version in April. It messed up both my printer and my Norton security. I downgraded successfully. I am waiting to hear that HP printers and Symantec are now compatible. You said this was their responsibility, but it is your responsibility to inform us when you have become compatible with the most common devices, security and other programs. How else would we find out except by bombing our computers by upgrading you?

  It seems like Symantec has.Hope this helps-
  http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20100720113635EN&ln=en_U
  About HP, seeing the thread with similar question would be helpful-
  https://support.mozilla.com/en-US/questions/799388
  https://support.mozilla.com/en-US/questions/804465?s=hp+symantec+firefox+&as=s

• HI THERE UMM I AM TRYING TO USE MY MIRCO SOFT WORD AND THERE IS A QUESTION MARK ON IT AND WONT LET ME OPEN IT

  hi i am trying to get on to my mirco soft word and there is a question mark placed on it. when i try to open the app it wont.
  help

  Which version of OSX and which version of Word?

• My new iphone is asking for an old iCloud password I can't remember the password, don't have access to the old email and when I try and answer the security question it is telling me that my date of birth is wrong?? Arggghh help?

  My new iphone is asking for an old iCloud password I can't remember the password, don't have access to the old email and when I try and answer the security question it is telling me that my date of birth is wrong?? Arggghh help?

  Contact iTunes Customer support... it is not possible to bypass Activation Lock.

• I have 2 imac computers and here are my questions: first, how to I transfer the information from my contact directory from my old imac into my new imac and once the information is transfered how can I print it? Second: I have a large music collection in m

  have 2 imac computers and here are my questions: first, how to I transfer the information from my contact directory from my old imac into my new imac?  Once the information is transfered how can I print it? Second: I have a large music collection in my old Imac computer how do I transfer this information to my new computer? Also how can I share this information with other computers at home?

  I think you may find helpful information here:
  A Basic Guide for Migrating to Intel-Macs
  The Knowledgebase article Intel-based Mac: Some migrated applications may need to be updated refers to methods of dealing with migrating from PowerPC chips to Intel with the Migration Assistant safely. The authors of this tip have not had a chance to verify this works in all instances, or that it avoids the 10.6.1 and earlier Guest Account bug that caused account information to get deleted upon use of the Migration/Setup Assistant. However, a well backed up source that includes at least two backups of all the data that are not connected to your machine will help you avoid potential issues, should they arise. In event it does not work, follow the steps below.
  If you are migrating a PowerPC system (G3, G4, or G5) to an Intel-Mac be careful what you migrate.  Keep in mind that some items that may get transferred will not work on Intel machines and may end up causing your computer's operating system to malfunction.
  Rosetta supports "software that runs on the PowerPC G3, G4, or G5 processor that are built for Mac OS X". This excludes the items that are not universal binaries or simply will not work in Rosetta:
  Classic Environment, and subsequently any Mac OS 9 or earlier applications
  Screensavers written for the PowerPC System Preference add-ons
  All Unsanity Haxies Browser and other plug-ins
  Contextual Menu Items
  Applications which specifically require the PowerPC G5 Kernel extensions
  Java applications with JNI (PowerPC) libraries
  See also What Can Be Translated by Rosetta.
  In addition to the above you could also have problems with migrated cache files and/or cache files containing code that is incompatible.
  If you migrate a user folder that contains any of these items, you may find that your Intel-Mac is malfunctioning. It would be wise to take care when migrating your systems from a PowerPC platform to an Intel-Mac platform to assure that you do not migrate these incompatible items.
  If you have problems with applications not working, then completely uninstall said application and reinstall it from scratch. Take great care with Java applications and Java-based Peer-to-Peer applications. Many Java apps will not work on Intel-Macs as they are currently compiled. As of this time Limewire, Cabos, and Acquisition are available as universal binaries. Do not install browser plug-ins such as Flash or Shockwave from downloaded installers unless they are universal binaries. The version of OS X installed on your Intel-Mac comes with special compatible versions of Flash and Shockwave plug-ins for use with your browser.
  The same problem will exist for any hardware drivers such as mouse software unless the drivers have been compiled as universal binaries. For third-party mice the current choices are USB Overdrive or SteerMouse. Contact the developer or manufacturer of your third-party mouse software to find out when a universal binary version will be available.
  Also be careful with some backup utilities and third-party disk repair utilities. Disk Warrior, TechTool Pro , SuperDuper , and Drive Genius  work properly on Intel-Macs with Leopard.  The same caution may apply to the many "maintenance" utilities that have not yet been converted to universal binaries.  Leopard Cache Cleaner, Onyx, TinkerTool System, and Cocktail are now compatible with Leopard.
  Before migrating or installing software on your Intel-Mac check MacFixit's Rosetta Compatibility Index.
  Additional links that will be helpful to new Intel-Mac users:
  Intel In Macs
  Apple Guide to Universal Applications
  MacInTouch List of Compatible Universal Binaries
  MacInTouch List of Rosetta Compatible Applications
  MacUpdate List of Intel-Compatible Software
  Transferring data with Setup Assistant - Migration Assistant FAQ
  Because Migration Assistant isn't the ideal way to migrate from PowerPC to Intel Macs, using Target Disk Mode, copying the critical contents to CD and DVD, an external hard drive, or networking will work better when moving from PowerPC to Intel Macs.  The initial section below discusses Target Disk Mode.  It is then followed by a section which discusses networking with Macs that lack Firewire.
  If both computers support the use of Firewire then you can use the following instructions:
  1. Repair the hard drive and permissions using Disk Utility.
  2. Backup your data.  This is vitally important in case you make a mistake or there's some other problem.
  3. Connect a Firewire cable between your old Mac and your new Intel Mac.
  4. Startup your old Mac in Transferring files between two computers using FireWire.
  5. Startup your new Mac for the first time, go through the setup and registration screens, but do NOT migrate data over. Get to your desktop on the new Mac without migrating any new data over.
  If you are not able to use a Firewire connection (for example you have a Late 2008 MacBook that only supports USB:)
  1. Set up a local home network: Creating a small Ethernet Network.
  2. If you have a MacBook Air or Late 2008 MacBook see the following:
  MacBook (13-inch, Aluminum, Late 2008) and MacBook Pro (15-inch, Late 2008)- What to do if migration is unsuccessful;
  MacBook Air- Migration Tips and Tricks;
  MacBook Air- Remote Disc, Migration, or Remote Install Mac OS X and wireless 802.11n networks.
  Copy the following items from your old Mac to the new Mac:
  In your /Home/ folder: Documents, Movies, Music, Pictures, and Sites folders.
  In your /Home/Library/ folder:
  /Home/Library/Application Support/AddressBook (copy the whole folder) /Home/Library/Application Support/iCal (copy the whole folder)
  Also in /Home/Library/Application Support (copy whatever else you need including folders for any third-party applications)
  /Home/Library/Keychains (copy the whole folder) /Home/Library/Mail (copy the whole folder) /Home/Library/Preferences/ (copy the whole folder) /Home /Library/Calendars (copy the whole folder) /Home /Library/iTunes (copy the whole folder) /Home /Library/Safari (copy the whole folder)
  If you want cookies:
  /Home/Library/Cookies/Cookies.plist /Home/Library/Application Support/WebFoundation/HTTPCookies.plist
  For Entourage users:
  Entourage is in /Home/Documents/Microsoft User Data Also in /Home/Library/Preferences/Microsoft.
  Credit goes to Macjack for this information.
  If you need to transfer data for other applications please ask the vendor or ask in the  Discussions where specific applications store their data.
  5. Once you have transferred what you need restart the new Mac and test to make sure the contents are there for each of the applications.
  Written by Kappy with additional contributions from a brody.Revised 5/21/2011

• Can't seem to download any app despite entering the correct password and answering 3 security question but still in the end it comes up the message that my session has timed out no matter what! Please help, many thanks in adv!!

  Can't seem to download any app despite entering the correct password and answering 3 security question but still in the end it comes up the message that my session has timed out no matter what! Please help, many thanks in adv!!

  Try doing it on your computer with iTunes and then sync to your iPad to see if it clears the problem.

• ISE and WLC for posture remediation

  Please can anybody clarify a few things in relation to ISE and wireless posture.
  1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
  2) Can/Should a dACL/wACL be specified as a remediation ACL?
  3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?)
  4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
  5) Any other advice or pointers would be helpful too as no docs i have found so far, be it TrustSec2, CiscoLive or anything else, dont seem to help me understand WLC posture and remediation
  thanks
  Nick

  Nick,
  Answers are inline:
  1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an  ACL to redirect only some traffic to kickoff posture checking? This is for both (if ports 8905..are included) then this is for initial redirection, and remediation
  2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support DACL, you will have to reference another ACL in the the authorization policy, the new versions have the Airespace ACL field, where you will have the ACL defined locally on the wlc.
  3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?) Yes you have to add two entries, for example for all traffic redirection to ise...source = any, destination=iseipadd, source port=any, destination port=any direction=any action=permit
  source=iseipaddr, destination ip = any, source port=any, destination port=any, direction=any action permit. Its not the easiest but I will attach a screenshot that will show you my example.
  4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesnt support DACLs so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery) after that the ACL field will come up, there you will "call" the posture ACL which is defined on your controller.
  5)  Any other advice or pointers would be helpful too as no docs i have  found so far, be it TrustSec2, CiscoLive or anything else, dont seem to  help me understand WLC posture and remediation Keep in mind that you have to have radius NAC and AAA override enabled under the advanced settings for COA to work.
  You have to turn on COA under the global settings in ISE (Administration > Profiling > Coa Type > Reauth)
  Then you have to build your policies so that when a user connects to the network they are redirected to the download the nac agent (this is where the Posture Discovery and redirect ACL work in tandem).
  Once the client download the nac agent and is compliant the report is forwarded to ISE where a COA event is triggered.
  Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant, you can set the ACLs for restricted access, use dynamic vlan assignment, or just send the access-accept.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*