When a user connects to a network, the user is initially put into a quarantine state. During this stage, we allow only DNS and traffic from the Cisco Network Access Control [NAC] Appliance Agent to go to Cisco ISE. When Cisco ISE determines the user to be using a posture-compliant device, RADIUS change of authorization (CoA) is used to re-authenticate the user and provide the user with access appropriate to the user's role. Because the WLCs only support named-ACLs today, we need to predefine ACLs on the WLC.

Although we are defining this ACL for posture redirection at this stage, it will not be utilized until we move in to the Enforcement mode with posture enabled.

Step 1

From the WLC, navigate to Security > Access Control Lists. Click New.

Step 2

Use ACL-AGENT-REDIRECT as the ACL name

Step 3

Click ACL-AGENT-REDIRECT ACL

Step 4

Click Add New Rule. Use the values shown in the image below.

Step 5

Click Apply after each set of values and select Add New Rule for the next rule.

Step 6

Confirm that the ACL is configured correctly.