Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

client provisioning exception for guest flow - bug?

hi all,

I encounterd one problem with guest flow and client provisioning.

Please if someone could confirm that this can or can't be done 

I want to accomplish such a scenario:

- AD user have to download the full nac agent

- AD user from specific group when using webauthentication (as a fallback) doesn't need to downlaod webagent (so no posture at all - the default status is compliant)

- all guest users need to download webagent

It seems that it can't be done cause:

First of all to make it work we need to enable "guest users should download the posture client"


I created the "client provisioning policy" in a way that:


If it is AD user and its not a guest flow (2) then NAC agent should be applied

If it is a guest user webagent should be downloaded

It works with an exception that when AD user logs in using webauthentication (guest portal), no download page is displayed (as expected) but instead of normal access there is a blank page with the following URL


so it seems that even though there is no match in "client Provisioing Policy" (again, as expected) ISE still tries to redirect to the cpp portal as this checkbox in multiportal configuration says so.

As a result no CoA is initiated to the switch and switch authentication hangs on the last default policy -  CWA_POSTURE_REMEDIATION

Is it possible to do it?



CreatePlease login to create content