Solved: DHCP Profiling before sucesfull EAP

piotr.witkowski · ‎11-17-2018

Hi,

I am under consideration of enabling profiling along with dot1x in our enviroment. However i have couple of questions regarding how actually profiling would work.

What are protocols allowed before 802.1x authentication. Are they CDP, STP, EAP? anything else?
Assuming this correct. How ISE can perform profiling for example DHCP, if DHCP probes never reach DHCP relay before sucesfully authenticated EAP session?

I understand that DHCP profiling can occurs after EAP session and then via Radius CoA its possible to change VLAN, port state, ACL, etc.

Jason Kunst · ‎11-17-2018

Profiling doesn’t run before authentication. In order to be able to profile a device you will need to have a valid radius session

I would suggest you look over the profiling design guide to get a better understanding and watch some videos on context visibility profiling in YouTube and following links as well

https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944

https://community.cisco.com/t5/security-documents/ise-community-resources/ta-p/3621621#Visibility

View solution in original post

Jason Kunst · ‎11-17-2018

Profiling doesn’t run before authentication. In order to be able to profile a device you will need to have a valid radius session

I would suggest you look over the profiling design guide to get a better understanding and watch some videos on context visibility profiling in YouTube and following links as well

https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944

https://community.cisco.com/t5/security-documents/ise-community-resources/ta-p/3621621#Visibility