https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3874318#M472317 <P>Thank you</P><P>I am familiar with creating policies to match these objects, I was hoping there was a "manual override" in a sense where I could choose the device from the endpoints list and manually assign the authz policy temporarily.</P> Mon, 17 Jun 2019 14:13:17 GMT scsc_tech 2019-06-17T14:13:17Z https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3873254#M472241 <P>Since ISE gains the most sensor data about an endpoint after it has received its DHCP lease, I need this to occur before I can create a well designed profile for the new device.</P><P>What I don't want to do is open up DHCP to any device that plugs into the network.</P><P>&nbsp;</P><P>What I am hoping to do is plug in a new device, choose it from the endpoints list and manually assign an authz policy that will give it DHCP. Once ISE fully profiles the device, then I can use those attributes to build a well designed policy.</P><P>&nbsp;</P><P>Is there a function in ISE to manually assign an authz policy to an endpoint?</P> Fri, 14 Jun 2019 17:04:20 GMT https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3873254#M472241 scsc_tech 2019-06-14T17:04:20Z https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3873316#M472244 Hi,<BR /><BR />You can create an identity group called pre-profile and create a policy to<BR />match this group and assign author profile. Then you can assign your<BR />endpoints manually to the group (static assigment). This will give them the<BR />initial policy which can all them to get dhcp. Then if the profile is<BR />changed and matched another policy, new author policy will be applied.<BR /><BR />Note that the pre-profile policy should be at the bottom of your policy set<BR />to be last match<BR /> Fri, 14 Jun 2019 18:33:06 GMT https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3873316#M472244 Mohammed al Baqari 2019-06-14T18:33:06Z https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3874011#M472246 <P>There are a number of ways you can achieve this but just to name a few:</P> <P>- Prer-defined Identity Group with the list of mac addresses</P> <P>- Match based on mac OUI</P> <P>- Match based on NDGs , NAS IP adress , NAS port type and the list goes on...</P> <P>&nbsp;</P> Mon, 17 Jun 2019 07:28:25 GMT https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3874011#M472246 ldanny 2019-06-17T07:28:25Z https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3874318#M472317 <P>Thank you</P><P>I am familiar with creating policies to match these objects, I was hoping there was a "manual override" in a sense where I could choose the device from the endpoints list and manually assign the authz policy temporarily.</P> Mon, 17 Jun 2019 14:13:17 GMT https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3874318#M472317 scsc_tech 2019-06-17T14:13:17Z https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3882975#M472318 <P>I believe you already got the idea. ISE does not work that way. The closest is in&nbsp;<A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/292493" target="_blank">Mohammed al Baqari</A>'s response.</P> Tue, 02 Jul 2019 04:15:44 GMT https://community.cisco.com/t5/network-access-control/manual-authz-assignment-to-new-endpoint/m-p/3882975#M472318 hslai 2019-07-02T04:15:44Z