05-27-2019 02:30 AM - edited 05-27-2019 04:41 AM
Hi All,
I need some advice regarding authorisation policies that are required to profile some printers.
I have configured a policy that matches on Logical Profile: Printers, however, this profile is never hit when I connect a new printer, and the device always hits the default DenyAccess rule.
When testing, I noticed that the NAD will not send any device-sensor info until after authorisation succeeds. To get this working, I changed the default rule to PermitAccess, which then drops the printer into the switchport's native VLAN. The printer then gets profiled correctly, and with a CoA reauth, gets moved to the correct rule which places the printer in the desired VLAN.
Is this the correct and expected behavior? If so, is it OK to change the default rule to PermitAccess, perhaps with a DACL that denies all IP to be on the safe side? Are there any better ways of doing this?
05-27-2019 03:09 AM
Hi Dm,
If the condition created on the policy is not matching then the default policy will get applied.
Refer to the ISE Profiling Design Guide.
05-28-2019 03:01 PM