https://community.cisco.com/t5/network-access-control/ise-policy-cdp-attributes/m-p/4538774#M572408 <P>You mention in another post "I want to avoid authenticating phones to ISE because it requires a plus license for profiling". Do you have the Plus license enabled?</P> <P>The feature you are trying to use also leverages information from Profiling, so you would need the Plus/Advanced license enabled.</P> <P>The CDP information is learned from the Profiling probes (likely sent by Device Sensor on the switch to ISE via the RADIUS probe).</P> Tue, 25 Jan 2022 23:16:29 GMT Greg Gibbs 2022-01-25T23:16:29Z https://community.cisco.com/t5/network-access-control/ise-policy-cdp-attributes/m-p/4538710#M572403 <P>I am sending CDP attributes to ISE during endpoint authentication. I am struggling to use these attributes in an authorization policy. I want a policy that matches if cdpCachePlatform contains 'Phone'. So far, the policy does not match.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot from 2022-01-25 16-00-21.png" style="width: 690px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/142160iD68D97DCE5FB7423/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot from 2022-01-25 16-00-21.png" alt="Screenshot from 2022-01-25 16-00-21.png" /></span></P><P>This is the policy I created</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot from 2022-01-25 16-06-12.png" style="width: 765px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/142158i559898E15E074944/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot from 2022-01-25 16-06-12.png" alt="Screenshot from 2022-01-25 16-06-12.png" /></span></P><P>This is the dictionary I created.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot from 2022-01-25 16-10-20.png" style="width: 390px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/142161i94CB54F733DB3600/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot from 2022-01-25 16-10-20.png" alt="Screenshot from 2022-01-25 16-10-20.png" /></span></P> Tue, 25 Jan 2022 21:13:16 GMT https://community.cisco.com/t5/network-access-control/ise-policy-cdp-attributes/m-p/4538710#M572403 neteng1 2022-01-25T21:13:16Z https://community.cisco.com/t5/network-access-control/ise-policy-cdp-attributes/m-p/4538774#M572408 <P>You mention in another post "I want to avoid authenticating phones to ISE because it requires a plus license for profiling". Do you have the Plus license enabled?</P> <P>The feature you are trying to use also leverages information from Profiling, so you would need the Plus/Advanced license enabled.</P> <P>The CDP information is learned from the Profiling probes (likely sent by Device Sensor on the switch to ISE via the RADIUS probe).</P> Tue, 25 Jan 2022 23:16:29 GMT https://community.cisco.com/t5/network-access-control/ise-policy-cdp-attributes/m-p/4538774#M572408 Greg Gibbs 2022-01-25T23:16:29Z https://community.cisco.com/t5/network-access-control/ise-policy-cdp-attributes/m-p/4538799#M572410 <P>Ah ok, thank you, I was not aware of that.</P><P>It may seem simple to assume that since voice voice vlan assignment works so well locally that you could bypass authentication for voice devices, but I have not found that to be the case.&nbsp;</P> Tue, 25 Jan 2022 23:49:34 GMT https://community.cisco.com/t5/network-access-control/ise-policy-cdp-attributes/m-p/4538799#M572410 neteng1 2022-01-25T23:49:34Z