Cisco Support Community
Community Member

Supplicant Client Provisioning for Windows + NAC - is it supported?


I'm testing out a scenario where it would be most interesting to be able to provision a windows laptop from connecting to a Guest SSID with it the wireless settings it would need to access a secure SSID where then it would be Posture assessed. Like when someone brings their laptop from home to work in the company, and you want to make sure the laptop is not carrying any bad stuff, while still assisting the user with its configuration..

As the NAC provisioning rules and the supplicant provisioning rules are done from the same page, I'm having trouble being able to differentiate the initial supplicant client provisioning (SPW) and the posture verification done after the the association to the secure SSID.

The choices that we have on the client provisioning pages seem to be too limited to do this.

Can anyone confirm if this scenario is supported?

Thanks for any insight

Gustavo Novais


Supplicant Client Provisioning for Windows + NAC - is it support


You can do this for all clients without having to enable this additional feature, you can create the guest network to use mac-filtering...then point the default authorization policy to the registration portal, allow coa to trigger all guest users to the cpp portal and use the web agent option to scan all machines. Then you can build another rule that if they are compliant (running anti-virus and meet your checks..etc) then then can be access to the secure network.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Community Member

Supplicant Client Provisioning for Windows + NAC - is it support

Hi Tarik, I managed to do what I wanted - same client being provisioned and NAC'd in two steps, as you were suggesting.

One limitation that I found though is that as soon as you mark a device as registered (part of RegisteredDevices endpoint group), you stop being able to distinguish an iPad from a Windows workstation, if both of them have been registered by the same user - both of them will belong to RegisteredDevices group (assuming initial registration via webguest portal), both of them will have the similar certificate (same common name) and profiling group matching will no longer work.

Do you know if there is any workaround to it? - I can see the common case where people bring their laptop from home as well as their iPad.

A possible way would be to register to two different devRegPortals (two different endpoint groups) depending on the initial profiling option, but I saw no option on the guest portal to be able to choose multiple devRegPortals only self provisioning flow. I guess the best possible way would be to not merge guest portal and provisioning portals and use different authZ rules depending on the initial profiling of the devices, on a separate SSID dedicated to provisioning.

Thanks for your insight

Gustavo Novais

CreatePlease to create content