The client has two sites, connected by two firewalls. We have one SEPM to manage both sites. They also use Cisco ISE for ID authentication, and SNAC for the host integrity check. We know we will treat Cisco ISE as the RADIUS server and let ISE decide which production VLAN a PC will connect to. The question is: SNAC's host integrity check is managed per user, no matter whether the user is in site A or site B. However, we need to assign the VLAN based on location, i.e. on which physical Cisco switch this PC connects to. Cisco ISE will apply the ACL for this user no matter which VLAN he is assigned to.
Is there anyone who can advise on the best practice, or how to configure this, when SNAC needs to work with Cisco ISE across multiple physical sites?
@Henry Cheng, did you know about the SNAC appliances? http://www.symantec.com/business/support/index?page=content&id=HOWTO95154
See also https://www-secure.symantec.com/connect/articles/what-all-can-you-do-symantec-network-access-control
Host Integrity (HI) Policy will live on in an upcoming version of SEP 12.1.5 (RU5), but with self enforcement and without the SNAC appliances.
From the description of your aim, I'm not convinced that SNAC HI results will play any part in the allocation of subnets for your endpoints. Use of the LAN Enforcer will only add checks for whether the HI check passed or failed; it will not provide you with geographically dependent VLAN allocations.
Configuration of a different default/production VLAN per switch is entirely possible without the LAN Enforcer, which is why I say this is not really a SNAC question, but more one for your network admins or for Cisco.
What part do you see SNAC playing in this setup?
The reason I ask is that even if the LAN Enforcer was involved, the most likely config would be for it to tell the switch to "open port" on successful HI/Auth/Policy check results, in which case it's down to the switch config to assign the VLAN anyway.
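To illustrate the point made in this thread, here is an added example of the per-switch approach described above (not configuration from the original posts or from Symantec/Cisco documentation for this deployment): each site's switch carries its own locally configured production VLAN on the access ports, and ISE, acting as the RADIUS server, only has to authorize the port. The VLAN IDs, IP address and shared secret are placeholders.

```cisco
! --- Site A access switch (example; VLAN 110 assumed to be site A's production VLAN) ---
aaa new-model
radius server ISE
 address ipv4 <ISE-IP-ADDRESS> auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 ! Locally assigned production VLAN: used when the RADIUS Access-Accept
 ! carries no VLAN attribute, so the location decides the subnet.
 switchport access vlan 110
 authentication port-control auto
 dot1x pae authenticator
!
! --- Site B access switch differs only in the local VLAN (VLAN 120 assumed) ---
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 120
 authentication port-control auto
 dot1x pae authenticator
```

With this layout the per-user ACL still comes from ISE at authorization time, while the host integrity result only gates whether the port opens; neither has to know which site the PC is in.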