https://community.cisco.com/t5/network-access-control/isw-cwa-amp-profiling/m-p/4424709#M568150 <P>Hi thomas,</P><P>&nbsp;</P><P>&nbsp;I really appreciate this useful explanation, very clear.</P><P>&nbsp;</P><P>Thank you.</P> Mon, 28 Jun 2021 09:24:53 GMT Rami Ibrahim 2021-06-28T09:24:53Z https://community.cisco.com/t5/network-access-control/isw-cwa-amp-profiling/m-p/4417466#M567831 <P>Hi Guys,</P><P>&nbsp;</P><P>Just reading about ISE profiling I got a little bit confused , I can imagine a case where CWA is configured on ISE along with Profiling (whatever probes enabled).</P><P>&nbsp;</P><P>&nbsp;I know that CWA consist of two phases and phase 1 main goal is to redirect the user to the CWA portal but phase 1 is done using MAB that is the MAB transaction should fail to continue to Authorization and Issue the redirect.</P><P>&nbsp;</P><P>&nbsp;My question is what if the Guest Mobile device or laptop got profiled? it would be presented in the endpoint database and MAB should not fails then how would this work?</P><P>&nbsp;</P><P>Thanks</P> Sun, 13 Jun 2021 12:01:24 GMT https://community.cisco.com/t5/network-access-control/isw-cwa-amp-profiling/m-p/4417466#M567831 Rami Ibrahim 2021-06-13T12:01:24Z https://community.cisco.com/t5/network-access-control/isw-cwa-amp-profiling/m-p/4424495#M568133 <P>It all depends on your</P> <P>1) Authorization Rules</P> <P>2) Endpoint Profile configurations</P> <P>&nbsp;</P> <P>Typically you have Policy Authorization Rules that match on endpoint profiles:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/123776i149B2E789B702020/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>If there is a match, ISE will assign the Authorization Result and not continue to through the policy where it would eventually match on your CWA rule <EM>very near the bottom</EM> if not the final <STRONG>Default</STRONG>.</P> <P>The endpoint profile may change based on new information after the initial assignment from HTTP, NMAP, etc. When this happens, you <EM>may</EM> perform a RADIUS Change of Authorization (COA). The default Global setting is to do nothing.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/123778i9AE616E639075234/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>You have the ability to control and override this behavior per endpoint profile:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 643px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/123779iB7A2E0C67F4E5CAB/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>You probably do not care about some random guest using Windows 10 Workstation... so don't change it.</P> <P>But if it is profiled as a printer or other specialized IOT device, you <EM>may</EM> want to dynamically perform a COA and re-authorize it properly.</P> <P>Which COA you choose to perform would also depend on the endpoint type and how you have your access VLANs configured and what your network device is capable of supporting.</P> <P>It is typically a bad idea to change the VLAN of non-workstations because they will not know to re-DHCP. For this reason if you do a COA you <EM>may</EM> want to do a COA with Port Bounce. It can be very endpoint-specific.</P> Sun, 27 Jun 2021 23:14:55 GMT https://community.cisco.com/t5/network-access-control/isw-cwa-amp-profiling/m-p/4424495#M568133 thomas 2021-06-27T23:14:55Z https://community.cisco.com/t5/network-access-control/isw-cwa-amp-profiling/m-p/4424709#M568150 <P>Hi thomas,</P><P>&nbsp;</P><P>&nbsp;I really appreciate this useful explanation, very clear.</P><P>&nbsp;</P><P>Thank you.</P> Mon, 28 Jun 2021 09:24:53 GMT https://community.cisco.com/t5/network-access-control/isw-cwa-amp-profiling/m-p/4424709#M568150 Rami Ibrahim 2021-06-28T09:24:53Z