Default Authorization Policy for Profiling

dawn4000
Level 1

Hi All,


I would like to understand a Cisco best practice in the Profiling design guide.

In the design guide, there is a Cisco best practice talking about the default authorization policy. 

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId--1484508859


Cisco Best Practice: A Default Authorization Policy Rule of Deny Access, or one that completely blocks all network access should generally be used only in environments that require the highest levels of security, or cases where every endpoint is accounted for and does not rely on the profiling process for access. A more common and recommended approach for most environments is to allow restricted access in the Default rule, even for Unknown endpoints. The restricted access may include access to DNS and DHCP services and ISE PSNs. Most profiling data can be acquired through these initial “pinholes”.


My question is: For the restricted access in the Default rule, why do we need to allow endpoints to access ISE PSNs? I understood I need the DHCP access for the endpoints, as ISE and the switch need to capture the attributes in DHCP messages for profiling, but endpoints wouldn't need to talk to ISE PSNs directly from my understanding. The switch sends the RADIUS requests to ISE PSNs instead of the endpoints. In my testing, I allowed DHCP and DNS only, and the endpoints could still be profiled. Can I know what the purpose of allowing ISE PSNs in the default policy is? Thanks!

Accepted Solution

@dawn4000 it depends on the ISE profiling probes. The NMAP probe from the ISE PSN would need to communicate with the endpoint to determine open ports, therefore you'd need to ensure communication is permitted.
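The two variants written out as ISE downloadable ACLs (an added illustration, not taken from the design guide or from the thread; the PSN addresses are placeholders). The first is the DHCP-and-DNS-only policy the original poster tested; the second adds the PSN pinhole so the endpoint can answer the PSN's NMAP probe. It assumes the dACL is applied in the ingress direction on the access port, i.e. it filters traffic sourced by the endpoint, which is how ISE dACLs are enforced on Cisco IOS switches.

```cisco
! Constructed example (not the design guide's own text).
! 10.1.1.10 and 10.1.1.11 are placeholders for the ISE PSN addresses.
! In ISE, only the ACE lines are pasted into the dACL content; the
! "ip access-list" header is shown here for readability.
!
! Variant A: DHCP and DNS only. DHCP/DNS/RADIUS-based profiling still
! works, but the endpoint cannot reply to a scan from the PSN, so the
! NMAP probe returns nothing for it.
ip access-list extended DEFAULT-RESTRICTED-NO-PSN
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 deny   ip any any
!
! Variant B: the recommended pinholes (DHCP, DNS and the ISE PSNs).
! The PSN lines let the endpoint's replies to the PSN's NMAP probe
! (SYN-ACK, RST, ICMP, UDP) pass; nothing else is opened.
ip access-list extended DEFAULT-RESTRICTED
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 permit ip  any host 10.1.1.10
 permit ip  any host 10.1.1.11
 deny   ip any any
```

Because the dACL only filters endpoint-sourced traffic, also confirm that no other ACL or firewall on the path drops the PSN-to-endpoint direction of the scan; if it does, the probe fails even with Variant B applied.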
