Apply a new policy to connected devices

martucci
Cisco Employee

If I am changing my authorizations policies on an ISE, and I want to apply them straight away to already connected endpoint/users in a production environment, what is the best policy?

Assuming I cannot send CoA to every client connected one by one.

Thanks

Accepted Solution

Timothy Abbott
Cisco Employee

Hi,

Unfortunately, there is no bulk method for CoA in ISE today.  I've even looked into using the CoA API but you can only issue CoA using the API for one MAC address at a time.  The best thing to do is to allow the new policy to take effect when the endpoint re-authenticates.

Regards,

-Tim

5 Replies

Thanks Tim for the quick answer.

And I guess that in case there are access devices not supporting CoA it will have to be manual port down/up.

It would be nice if there were a mechanism to automatically issue a CoA globally (or to a subset of devices) to force reauthentication also for those devices that are quite static.

Thanks

Francesca

==========================================================

Francesca Martucci, CISSP #481718

Consulting Systems Engineer, Security Sales

UKI

Hi Francesca,

Thanks for the feedback. The challenge with having a global "CoA Everyone" button is that it would potentially cause issues because, in essence, you are telling every endpoint in the deployment to authenticate at the same time.

Regards,

-Tim
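As an added example (not code from this thread or from Cisco), one way to act on what Tim describes: the MnT REST API only takes one MAC per CoA call, so the script below pulls the active session list, narrows it to a subset (by NAS IP or MAC prefix) and issues CoA Reauth to each session in turn with a pause between calls, so the deployment is never asked to re-authenticate all at once. The MnT hostname, the credentials, the element names in the ActiveList reply and the `<results>true</results>` success marker are assumptions.

```python
import base64
import time
import urllib.request
import xml.etree.ElementTree as ET

MNT_HOST = "ise-mnt.example.local"   # assumption: ISE monitoring (MnT) node
AUTH = ("api-user", "api-password")  # assumption: account permitted to call the MnT API

def _get(path):
    """HTTP GET against the MnT node with Basic auth; returns the raw response body."""
    token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
    req = urllib.request.Request(f"https://{MNT_HOST}{path}", headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def parse_active_sessions(xml_text):
    """Extract MAC, owning PSN and NAS IP from a Session/ActiveList reply (element names assumed)."""
    out = []
    for s in ET.fromstring(xml_text).iter("activeSession"):
        mac = (s.findtext("calling_station_id") or "").strip().upper()
        psn = (s.findtext("acs_server") or s.findtext("server") or "").strip()
        if mac and psn:
            out.append({"mac": mac, "psn": psn, "nas_ip": (s.findtext("nas_ip_address") or "").strip()})
    return out

def select_targets(sessions, nas_ips=None, mac_prefixes=None):
    """Keep only sessions on chosen NAS devices and/or MAC prefixes, so the change is staged, not global."""
    pref = tuple(p.upper() for p in (mac_prefixes or ()))
    return [s for s in sessions
            if (not nas_ips or s["nas_ip"] in nas_ips) and (not pref or s["mac"].startswith(pref))]

def coa_reauth_path(session):
    """One MAC per call, addressed to the PSN that owns the session; trailing 2 = rerun (0 default, 1 last)."""
    return f"/admin/API/mnt/CoA/Reauth/{session['psn']}/{session['mac']}/2"

def send_coa(session):
    """A successful CoA reply carries <results>true</results> (assumed response format)."""
    return b"<results>true</results>" in _get(coa_reauth_path(session))

def reauth_sessions(sessions, send=send_coa, delay_s=1.0):
    """Issue CoA one session at a time, pausing between calls; returns [(mac, ok)]."""
    results = []
    for s in sessions:
        results.append((s["mac"], send(s)))
        time.sleep(delay_s)
    return results
# Constructed sample ActiveList reply for offline testing, not captured from a real deployment.
SAMPLE_XML = """<activeList noOfActiveSession="2">
<activeSession><calling_station_id>00:11:22:33:44:55</calling_station_id><nas_ip_address>10.0.0.1</nas_ip_address><acs_server>ise-psn-1</acs_server></activeSession>
<activeSession><calling_station_id>aa:bb:cc:dd:ee:ff</calling_station_id><nas_ip_address>10.0.0.2</nas_ip_address><acs_server>ise-psn-2</acs_server></activeSession>
</activeList>"""
```

Against a live deployment, fetch `/admin/API/mnt/Session/ActiveList` with `_get`, pass the body to `parse_active_sessions`, narrow it with `select_targets`, and hand the result to `reauth_sessions` with a delay sized for your PSNs.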

Here may be a way to work around this problem, Francesca:

Reauth

You can use this option to enforce reauthentication of an already authenticated endpoint when profiled.

If you have multiple active sessions on a single port, the profiler service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function potentially avoids disconnecting other sessions as might occur with the Port Bounce option.

The profiler service implements the CoA in the following cases:

• Static assignment of an endpoint

• An exception action is configured

• An endpoint is profiled for the first time

• Endpoint deleted

The above is from: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_prof_pol.html#wp1340649

Basically, you may be able to manipulate based on static profile assignment or exception action.  This may help as well:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf

Thanks,

George Bekmezian

Systems Engineer

CCIE R&S/Security #10704, CISSP

Dimension Data | Salt Lake City, UT

Thanks George,

I will take a look.

Tim, I fully understand the issue of all reauth at the same time; maybe it could be done simply with multiple selection on the live session.

To be honest though, it is not something critical.

Francesca