Endpoint Profile only works for already registered devices.

Samuel (Level 1)

I've created a policy that includes authorization policies for workstations and mobile devices respectively. My issue is that newly connecting devices are not being matched by either. It works perfectly for devices that were already connected, hence registered and profiled, but it seems like the profiler doesn't kick in until after the authorization process. Can someone help?

[Attachment: ISE.JPG]

5 Replies

howon (Cisco Employee)

This is the default behavior. However, ISE can be configured to send a CoA when a device transitions from the unknown to the known state by changing the CoA Type under 'Administration > System > Settings > Profiling'. Change it to either Port Bounce or ReAuth. With this, after the initial authentication, when ISE realizes that the profile changed for the endpoint, ISE will issue a CoA to reauthenticate the endpoint and assign it to the proper policy.

It's actually set to ReAuth. Would I need to have an authorization policy that temporarily puts the client in a dummy VLAN until the CoA kicks in? Currently it's set to just deny the user.

ISE needs to learn enough about the endpoint to profile it, so you need to give it enough permission/access to the network for this to work. If relying on DHCP, for instance, ISE needs to receive the DHCP request.
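The flow the two replies above describe (initial authorization, attribute collection, profile transition, CoA ReAuth) can be walked through as a small simulation. The code below is an added example written for this thread, not Cisco code and not ISE's actual policy engine; the rule names, the "RemediationVLAN" fallback result and the DHCP attribute values are all constructed for illustration. It shows why a DenyAccess default rule starves the profiler of data while a restricted-access default lets the profile change and the CoA re-evaluate the policy.

```python
"""Constructed simulation of ISE-style profiling followed by CoA ReAuth.

Hypothetical model: authorization rules are evaluated top-down, first match
wins; the profiler only sees attributes once the endpoint is on the network.
"""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    mac: str
    profile: str = "Unknown"            # every new endpoint starts here
    attributes: dict = field(default_factory=dict)


# Constructed authorization rules: (rule name, condition, authorization result).
POLICY_RULES = [
    ("Workstations", lambda ep: ep.profile == "Workstation", "PermitAccess"),
    ("MobileDevices", lambda ep: ep.profile == "Mobile", "PermitAccess"),
]


def authorize(ep: Endpoint, default_result: str):
    """Return (rule name, result) for the first matching rule, else the default."""
    for name, condition, result in POLICY_RULES:
        if condition(ep):
            return name, result
    return "Default", default_result


def profile(ep: Endpoint) -> str:
    """Toy profiler: classify on the DHCP class identifier (constructed values)."""
    vci = ep.attributes.get("dhcp-class-identifier", "")
    if vci.startswith("MSFT"):
        return "Workstation"
    if vci.startswith("android"):
        return "Mobile"
    return "Unknown"


def onboard(ep: Endpoint, default_result: str, coa_type: str,
            dhcp_vci: str) -> list:
    """Simulate a new endpoint connecting; returns the sequence of events.

    dhcp_vci is what ISE *would* see in the DHCP request if the endpoint
    gets onto the network at all.
    """
    events = []
    rule, result = authorize(ep, default_result)
    events.append(f"initial auth: {rule} -> {result}")

    if result == "DenyAccess":
        # Nothing reaches the network, so no DHCP probe data and no transition.
        events.append("denied: profiler receives no attributes, stays Unknown")
        return events

    # Endpoint is on the network (even a restricted VLAN) and sends DHCP.
    ep.attributes["dhcp-class-identifier"] = dhcp_vci
    new_profile = profile(ep)
    if new_profile != ep.profile:
        events.append(f"profile transition: {ep.profile} -> {new_profile}")
        ep.profile = new_profile
        if coa_type in ("Reauth", "Port Bounce"):
            # CoA forces a fresh authorization with the updated profile.
            rule, result = authorize(ep, default_result)
            events.append(f"CoA {coa_type}: {rule} -> {result}")
        else:
            events.append("no CoA: session keeps the initial authorization")
    return events


def final_rule(events: list) -> str:
    """Rule name from the last authorization event in the trail."""
    auth_events = [e for e in events if "->" in e and not e.startswith("profile")]
    return auth_events[-1].split(": ")[1].split(" -> ")[0]


if __name__ == "__main__":
    for default in ("DenyAccess", "RemediationVLAN"):
        for coa in ("No CoA", "Reauth"):
            ep = Endpoint(mac="00:11:22:33:44:55")
            trail = onboard(ep, default, coa, "MSFT 5.0")
            print(f"default={default:15} coa={coa:7} -> {trail}")
```

Running it prints four trails: with DenyAccess the endpoint never leaves Unknown regardless of CoA type; with a restricted default and ReAuth the profile flips to Workstation and the CoA lands it in the Workstations rule; with a restricted default but no CoA the profile changes yet the session stays on the default rule.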

The thing is that it works. I can see that it works when the device authenticates without the endpoint filter, because it profiles the device correctly. When I put in the endpoint filter and new devices need to authenticate, that is when it doesn't work, as if it needs to be done after the device is already on the network.

Samuel,

Take a look at the ISE logs for the attributes gathered by ISE for that endpoint.

ISE recognizes the endpoint as unknown and then profiles it based on the attributes you have defined in the profiling policy. You need to make sure it matches. A parent profile has to match for the child to match as well. You are using a logical profile mapped to one or more profiles; all of these profiles need to match for you to match the logical profile. Try mapping an actual profile to start with and see what attributes you gather. Based on the type of endpoint, you may need the right attributes in the profile.

Thanks

Krishnan