umahar
Cisco Employee

Endpoint Attribute Filter

Hi,

Craig Hypes explains the importance of enabling Endpoint Attribute Filter clearly in Cisco Live.

On explaining the same to the customer we have been asked the below questions. Appreciate your help on them.

1. If it is recommended to enable it in a large deployment, why is there an option to disable it? Basically, the customer is looking for a use case or scenario in which it is necessary to disable it such that we are syncing non-significant attributes and collecting all attributes which are not used in profiling policies.

2. If Endpoint Attribute Filter is enabled and an endpoint is moved from one switch to another, the NAD attribute won't be collected by the PSNs. Does this mean that it will also not show up in the reports generated in order to track the endpoint movement?

Accepted Solutions
Timothy Abbott
Cisco Employee

It is disabled by default. As Craig states, it is a best practice to enable it in large deployments to reduce global replication. If the customer wants to replicate attributes other than those necessary to support Cisco-provided profiles, then leave it disabled.

If the endpoint moves across NADs, a new RADIUS session will occur which will be logged by the MnT node.  This will show up if an authentication report is run.

Regards,

-Tim
