ISE Profiling Authorisation Policies

dm2020
Level 1

Hi All,

I need some advice regarding authorisation policies that are required to profile some printers.

I have configured a policy that matches on Logical Profile: Printers, however, this profile is never hit when I connect a new printer, and the device always hits the default DenyAccess rule.

When testing I noticed that the NAD will not send any device-sensor info until after authorisation succeeds. To get this working, I changed the default rule to PermitAccess, which then drops the printer into the switchport's native VLAN. The printer then gets profiled correctly and, with a CoA reauth, gets moved to the correct rule, which places the printer in the desired VLAN.

Is this the correct and expected behavior? If so, is it OK to change the default rule to PermitAccess, perhaps with a DACL that denies all IP to be on the safe side? Are there any better ways of doing this?

1 Accepted Solution

Jason Kunst
Cisco Employee
Yes, you’re correct in your assumption.

I would recommend looking at the profiling design guide
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

2 Replies

Hi Dm,

If the condition created on the policy is not matching, then the default policy will get applied.

Refer to the ISE Profiling Design Guide.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
