Cisco Employee

Change from one static endpoint group to another cause CoA?

Will switching an endpoint from one static endpoint group to another static endpoint group result in a CoA?  If so, is this covered under the base license?

1 ACCEPTED SOLUTION

Advocate

Re: Change from one static endpoint group to another cause CoA?

In general, no, it will not unless the change results in an Authorization Policy change.  This would be triggered by the default Profiler Exception Actions.  Plus is required for Profiling, but it is possible to trigger CoA without a Plus license, for example, as part of a guest flow, or sent via API to MnT.

Cisco Employee

Re: Change from one static endpoint group to another cause CoA?

Thanks for the response.  The static endpoint group change does result in an AuthZ change.  After doing some testing we've found that we can apply a temp plus license, change the CoA type action to reauth/port bounce and then delete the plus license and the CoA will still work.  However, the customer said that after a reboot the CoA no longer worked until they re-added the temp plus license.  I am going to test that today but I'm unsure as to why that would be. 

Advocate

Re: Change from one static endpoint group to another cause CoA?

CoA is not a binary function.  It can be triggered by many different functions.  As noted, the specific case which is triggered in your case is likely profiling, which is activated with a Plus license and lost if you remove the Plus license and reboot.  If the customer wants this functionality, then would it not make sense to purchase some Plus licenses?

Cisco Employee

Re: Change from one static endpoint group to another cause CoA?

Understood.  I just wanted to make sure purchasing a plus license was the way to go for them.  Thanks for the help!