https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4719265#M578159 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1310935">@KatherineTran</a> correct, CDP/LLDP/DHCP is only sent if the interface is authenticated/authorised.</P> <P>Even if the device fails to authenticate, at a minimum ISE should be able to determine the vendor by the MAC OUI and create a database entry. When a device does successfully authenticate/authorise, ISE will learn more information from CDP/LLDP, the endpoint profile is updated.</P> <P>Regardless, in an ISE deployment you'd normally start in open/monitor mode, so the endpoints should already be profiled before moving to closed mode.</P> Thu, 10 Nov 2022 11:30:03 GMT Rob Ingram 2022-11-10T11:30:03Z https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4717964#M578119 <P>Hello All,</P><P>From my understanding of documentation, CDP/LLDP would not be allowed until a port is authenticated when in closed mode. Low impact mode can be used for DHCP/DNS etc but CDP/LLDP being a layer 2 protocol what options do we have if using for profiling?</P><P>Or should I try to use DHCP for profiling for this reason?</P><P>KT</P> Tue, 08 Nov 2022 14:25:55 GMT https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4717964#M578119 KatherineTran 2022-11-08T14:25:55Z https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4717978#M578121 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1310935">@KatherineTran</a> you'll get more information of the connected endpoints if you use CDP, LLDP and DHCP via device sensor.</P> <P>On ISE you can configure a Change of Authorisation (CoA) to be sent when a device is matched against a new profile, this can enabled globally or per profile. So therefore when the device connect for the first time, once profiled, a CoA is automatically sent and the device re-runs through authorisation and potentially matches a different authorisation rule.</P> Tue, 08 Nov 2022 14:52:38 GMT https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4717978#M578121 Rob Ingram 2022-11-08T14:52:38Z https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4719241#M578158 <P>Hi Rob,</P><P>I believe dot1x in closed mode will not allow CDP/LLDP/DHCP to function and therefore profile the device initially so it will not be able to get to that state?</P><P>Thanks</P><P>KT</P> Thu, 10 Nov 2022 10:21:01 GMT https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4719241#M578158 KatherineTran 2022-11-10T10:21:01Z https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4719265#M578159 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1310935">@KatherineTran</a> correct, CDP/LLDP/DHCP is only sent if the interface is authenticated/authorised.</P> <P>Even if the device fails to authenticate, at a minimum ISE should be able to determine the vendor by the MAC OUI and create a database entry. When a device does successfully authenticate/authorise, ISE will learn more information from CDP/LLDP, the endpoint profile is updated.</P> <P>Regardless, in an ISE deployment you'd normally start in open/monitor mode, so the endpoints should already be profiled before moving to closed mode.</P> Thu, 10 Nov 2022 11:30:03 GMT https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4719265#M578159 Rob Ingram 2022-11-10T11:30:03Z https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4721453#M578270 <P>Chapter 23 Closed Mode of the book Cisco ISE for BYOD and Secure Unified Access has a figure, showing EAP and CDP allowed before authentication.</P> Tue, 15 Nov 2022 02:46:15 GMT https://community.cisco.com/t5/network-access-control/lldp-amp-cdp-closed-dot1x-mode/m-p/4721453#M578270 hslai 2022-11-15T02:46:15Z