https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624399#M575193 <P>Use low-impact with dACLs instead of closed mode.</P> Fri, 03 Jun 2022 23:25:15 GMT ahollifield 2022-06-03T23:25:15Z https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624274#M575188 <HR /> <P>Through probes using profiling how can we create Authorization policy set and assign the endpoints specific vlan, i have gone through various videos &amp; documents i have understood the concept to what extent but not complete.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Because there is a rule which says, if switchport is in closed authentication then no traffic will be send except Eapol.</P> <P>&nbsp;</P> <P>So how can we make Authorization policy in Policy set and authorize the user</P> Fri, 03 Jun 2022 18:16:38 GMT https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624274#M575188 RohitSingh91693 2022-06-03T18:16:38Z https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624329#M575189 <P>Hi</P><P>&nbsp;</P><P>It depends on the user/device attributes that ISE would require to successfully profile them.</P><P>In closed mode:</P><P>&nbsp;</P><P><STRONG>CDP/LLDP</STRONG>: if profiling requires these attributes, ISE can use SNMP probe to collect them from the switch (they can also be sent in Access-Request if you are using ibns 2)</P><P>&nbsp;</P><P><STRONG>DHCP</STRONG>: if profiling requires DHCP attributes, ISE could authorize with a DACL that permits DHCP only. ISE can get these attributes with DHCP probe</P><P>&nbsp;</P><P><STRONG>NMAP</STRONG>: if profiling requires port/OS attributes, ISE could authorize with a DACL that permits only the required ports (with the PSNs as destination).</P><P>&nbsp;</P><P>hth<BR />Andy</P> Fri, 03 Jun 2022 20:26:12 GMT https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624329#M575189 andrewswanson 2022-06-03T20:26:12Z https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624351#M575190 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1177229">@RohitSingh91693</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;beyond what&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/255857">@andrewswanson</a>&nbsp;said ... please take a look at: <A href="https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-device-admin" target="_blank" rel="noopener">Cisco ISE Device Administration Prescriptive Deployment Guide</A>, search for <STRONG>Device Admin Policy Sets</STRONG>.</P> <P class="lia-align-justify">&nbsp;About Probes ... remember that:</P> <P class="lia-align-justify"><STRONG>1st</STRONG> <STRONG>Network Probe</STRONG> is a method used to collect an attribute or a set of attributes from an <STRONG>Endpoint</STRONG> on your network. It analyzes received Network Traffic (ex.: <STRONG>RADIUS</STRONG>, <STRONG>SNMP</STRONG>, <STRONG>DHCP</STRONG>, <STRONG>HTTP</STRONG> and more) by collecting <STRONG>Endpoint Attributes</STRONG>.</P> <P class="lia-align-justify"><STRONG>2nd</STRONG> Most <STRONG>Probes</STRONG> are <U>passive</U> ... traffic MUST be delivered to <STRONG>ISE</STRONG>.</P> <P class="lia-align-justify"><STRONG>3rd</STRONG> It is <U>NOT recommended</U> to configure <STRONG>ALL Probes</STRONG>, especially in a <STRONG>Production Deployment</STRONG>, as this may result in <U>excessive data collection</U> than is required to achieve the desired goal !!!</P> <P class="lia-align-justify">Note: you are able to enable <STRONG>Probes</STRONG> at <STRONG>Administration &gt; System &gt; Deployment &gt;</STRONG> select the <STRONG>PSN</STRONG> &gt; select <STRONG>Profiling Configuration</STRONG>&nbsp;tab.&nbsp;</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Hope this helps !!!</P> Fri, 03 Jun 2022 21:00:55 GMT https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624351#M575190 Marcelo Morais 2022-06-03T21:00:55Z https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624399#M575193 <P>Use low-impact with dACLs instead of closed mode.</P> Fri, 03 Jun 2022 23:25:15 GMT https://community.cisco.com/t5/network-access-control/through-probes-using-profiling-can-we-authorize-the-user/m-p/4624399#M575193 ahollifield 2022-06-03T23:25:15Z