05-18-2016 08:20 AM
If I am changing my authorization policies on an ISE, and I want to apply them straight away to already connected endpoints/users in a production environment, what is the best policy?
Assuming I cannot send CoA to every client connected one by one.
Thanks
05-18-2016 08:49 AM
Hi,
Unfortunately, there is no bulk method for CoA in ISE today. I've even looked into using the CoA API but you can only issue CoA using the API for one MAC address at a time. The best thing to do is to allow the new policy to take effect when the endpoint re-authenticates.
Regards,
-Tim
05-18-2016 09:10 AM
Thanks Tim for the quick answer
And I guess that, in case there are access devices not supporting CoA, it will have to be a manual port down/up.
It would be nice if there were a mechanism to automatically issue a CoA globally (or to a subset of devices) to force it also for those devices that are quite static.
Thanks
Francesca
==========================================================
Francesca Martucci – CISSP # 481718
CONSULTING SYSTEMS ENGINEER.SECURITY SALES
UKI
05-18-2016 09:40 AM
Hi Francesca,
Thanks for the feedback. The challenge with having a global "CoA Everyone" button is that it would potentially cause issues because, in essence, you are telling every endpoint in the deployment to authenticate at the same time.
Regards,
-Tim
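Tim's two points above (the CoA API takes one MAC address per call, and reauthenticating every endpoint at once is a bad idea) suggest the practical middle ground: script the per-MAC calls from a session list and pace them. The following is an added example, not code from this thread, from Cisco, or from the ISE product. It assumes the ISE Monitoring (MnT) REST API URL form `https://<mnt-node>/admin/API/mnt/CoA/Reauth/<psn>/<mac>/<reauth-type>` with HTTP Basic authentication and a reauth-type code of 0 for the default; verify both against the API reference for your ISE release before use. The HTTP transport is injected so the loop can be exercised offline against a stub, and the MAC list below is constructed sample data.

```python
"""Paced, one-MAC-at-a-time CoA reauth loop for ISE (added example, not Cisco code)."""
import base64
import re
import time
import urllib.request
from typing import Callable, Iterable, List, Tuple

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")

# Assumption: the MnT CoA Reauth call takes a numeric reauth type, 0 = DEFAULT.
REAUTH_DEFAULT = 0


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC notation to AA:BB:CC:DD:EE:FF.

    Raises on garbage so a typo in the session export cannot silently skip a host.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    canonical = ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    assert MAC_RE.match(canonical)
    return canonical


def coa_url(mnt_host: str, psn: str, mac: str, reauth_type: int = REAUTH_DEFAULT) -> str:
    """Build the per-MAC MnT CoA URL (assumed URL form, see lead-in)."""
    return f"https://{mnt_host}/admin/API/mnt/CoA/Reauth/{psn}/{normalize_mac(mac)}/{reauth_type}"


def make_https_sender(username: str, password: str, timeout: float = 10.0) -> Callable[[str], bool]:
    """Return a send(url) -> bool that does a Basic-auth GET and reports HTTP 200.

    Assumption: the MnT API account uses HTTP Basic authentication.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(url: str) -> bool:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                                   "Accept": "application/xml"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200

    return send


def bulk_reauth(macs: Iterable[str], mnt_host: str, psn: str,
                send: Callable[[str], bool], per_second: float = 2.0,
                sleep: Callable[[float], None] = time.sleep) -> Tuple[List[str], List[str]]:
    """Issue one CoA per MAC, paced to `per_second` calls.

    Pacing is the point: it avoids the reauth storm a global "CoA everyone"
    would create on the PSNs and the switches. Duplicate MACs are sent once.
    Returns (succeeded, failed) as canonical MAC strings.
    """
    interval = 1.0 / per_second
    ok: List[str] = []
    failed: List[str] = []
    seen = set()
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:
            continue
        seen.add(mac)
        try:
            (ok if send(coa_url(mnt_host, psn, mac)) else failed).append(mac)
        except Exception:  # network / HTTP error: record and keep going
            failed.append(mac)
        sleep(interval)
    return ok, failed


# Constructed sample session list (mixed notations, one duplicate) for an offline run.
SAMPLE_MACS = ["00:11:22:33:44:55", "0011.2233.4455", "aa-bb-cc-dd-ee-ff", "de:ad:be:ef:00:01"]


def stub_send(url: str) -> bool:
    """Offline stand-in for the HTTP call: pretend one endpoint's CoA is rejected."""
    return not url.endswith("/DE:AD:BE:EF:00:01/0")


if __name__ == "__main__":
    done, bad = bulk_reauth(SAMPLE_MACS, "ise-mnt.example.net", "ise-psn-1",
                            send=stub_send, sleep=lambda s: None)
    print("reauth sent:", done)
    print("failed:", bad)
```

In production, feed `bulk_reauth` the MAC column of an active-sessions export and pass `make_https_sender(user, password)` as `send`; drop `per_second` further for large sites, and note that endpoints behind access devices without CoA support will still show as "sent" here because the API call succeeds even when the NAD ignores the request.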
05-18-2016 10:03 AM
Here may be a way to workaround this problem Francesca:
Reauth
You can use this option to enforce reauthentication of an already authenticated endpoint when profiled.
If you have multiple active sessions on a single port, the profiler service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function potentially avoids disconnecting other sessions as might occur with the Port Bounce option.
The profiler service implements the CoA in the following cases:
• Static assignment of an endpoint
• An exception action is configured
• An endpoint is profiled for the first time
• Endpoint deleted
The above is from: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_prof_pol.html#wp1340649
Basically, you may be able to manipulate based on static profile assignment or exception action. This may help as well:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf
Thanks,
George Bekmezian
Systems Engineer
CCIE R&S/Security #10704, CISSP
Dimension Data | Salt Lake City, UT
05-18-2016 11:35 AM
Thanks George,
I will take a look.
Tim, I fully understand the issue of all reauth at the same time, maybe it could be done simply with multiple selection on the live session.
To be honest though, it is not something critical.
Francesca
Sent from my iPhone