06-11-2019 09:46 AM
Hello,
We were testing the AD probe in ISE 2.4 patch 5. The following scenarios were tested.
Scenario-1: The endpoint is part of the domain and is configured for PEAP with the setting "User or Computer Authentication"
The endpoint is booted up and then connected to the port configured for ISE. While the endpoint is at the login screen, we can see computer authentication happening and the AD attributes are collected in ISE. We could see them in context visibility. For instance, we see AD-host-exists = true. Works as expected.
Scenario-2: The endpoint is removed from the domain and is configured for PEAP with the setting "User or Computer Authentication"
The endpoint is removed from the AD domain. After 24 hours, we connect the endpoint; the authentication fails and the AD attributes do not get updated. Ideally, we should see the AD-host-exists attribute become false. But this is not happening.
Scenario-3: A new endpoint which was never part of the domain and is configured for PEAP with the setting "Computer Authentication"
When a new endpoint that is not part of the domain connects to the port configured for ISE, we do not see any AD attributes in context visibility. I have the default authorization policy as Permit All. Ideally, I should see the AD attributes accumulated, with AD-host-exists being false.
We would like to know whether scenarios 2 and 3 are expected behavior in ISE. Are there any plans in the pipeline to include the aforementioned requirement as part of an enhancement?
Thanks,
Aravind Ravikumar
06-13-2019 09:21 AM
Both 2 and 3 are expected.
On 2, as Danny said, the ISE profiling service can only purge an endpoint as a whole, not selected attribute(s).
On 3, that is how this probe works today. I would suggest treating the absence of the particular attribute as false.
06-12-2019 03:17 AM
Have you tried removing the endpoint from ISE before initiating connectivity?
06-12-2019 06:23 AM
Thank you for the response. Yes, I tried that. But we could not see the "AD-host-exists" attribute become false.
Thanks,
Aravind Ravikumar.