topic ISE Profiling - What is "exception action" and "static assignmen in Network Access Control

ISE Profiling - What is "exception action" and "static assignment"?

muthumohan — Mon, 11 Mar 2019 02:30:38 GMT

Hi All,

I am new to ISE and catching up on things. I am at the profiler and could not clearly understand the two things:

- Exception Action. - what is this for and when/how to use it?

- static assignment - again, not sure of the real purpose?

would appreciate if some can explain me these two things or point me to a good document.

Thanks,

Mohan

ISE Profiling - What is "exception action" and "static assignmen

Tarik Admani — Thu, 06 Sep 2012 20:07:26 GMT

Exception action is an action you can trigger in a profiling policy (such as an nmap scan or CoA) the default exception action is to trigger CoA when a endpoint is profiled from unknown to known, and when an endpoint is deleted. An exception action for example will be to trigger CoA when a device is profiled as a Cisco Device, so they can match another condition after the dhcp information is received after the initial authentication, so know they probably match a Cisco phone 7975...

Static assignment is to statically assign an endpoint to a identity group so they dont bounce around and get reprofiled. Once they meet this condition they are stuck until you delete the endpoint. Usually static entries are present when up load multiple endpoints via csv...

Hope that helps!

Tarik Admani
*Please rate helpful posts*

ISE Profiling - What is "exception action" and "static assignmen

Venkatesh Attuluri — Tue, 28 May 2013 10:53:01 GMT

These are the two types of authorization policies that you can configure:

•Standard

•Exception

Standard policies are policies created to remain in effect for long periods of time, to apply to a larger group of users or devices or groups, and allow access to specific or all network endpoints
contrast, exception policies are appropriately named because this type of policy acts as an exception to the standard policies. Exception polices are intended for authorizing limited access that is based on a variety of factors (short-term policy duration, specific types of network devices, network endpoints or groups, or the need to meet special conditions or permissions or an immediate requirement).

Exception policies are created to meet an immediate or short-term need such as authorizing a limited number of users, devices, or groups to access network resources. An exception policy lets you create a specific set of customized values for an identity group, condition, or permission that are tailored for one user or a subset of users. This allows you to create different or customized policies to meet your corporate, group, or network needs.

Static Assignment :
You can assign an endpoint to an identity group statically. In such cases, the Profiler service does not change the identity group the next time during the policy evaluation for these endpoints, which are previously assigned dynamically to endpoint identity groups in Cisco ISE.