08-14-2018 09:12 AM - edited 08-14-2018 09:16 AM
I've created a policy that includes authorization policies for workstations and mobile devices respectively. My issue is that newly connecting devices are not being matched by either. It works perfectly for devices that were already connected, hence registered and profiled, but it seems like the profiler doesn't kick in until after the authorization process. Can someone help?
08-14-2018 09:22 AM
This is the default behavior. However, ISE can be configured to send a CoA when a device transitions from the unknown to the known state by changing the CoA Type under 'Administration > System > Settings > Profiling'. Change it to either Port Bounce or ReAuth. With this, after the initial authentication, when ISE realizes that the profile changed for the endpoint, ISE will issue a CoA to reauthenticate the endpoint and assign it to the proper policy.
08-14-2018 09:33 AM
It's actually set to ReAuth. Would I need to have an authorization policy that temporarily puts the client in a dummy VLAN until the CoA kicks in? Currently it's set to just deny the user.
08-14-2018 09:37 AM
ISE needs to learn enough about the endpoint to profile it, so you need to give it enough permission/access to the network for this to work. If relying on DHCP, for instance, ISE needs to receive a DHCP request.
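To make the two replies above concrete, here is a small simulation of the authorization/profiling/CoA sequence they describe. It is an added illustration, not ISE code or anything from the thread; the rule names, the limited-access result "Profiling-Limited-ACL" and the DHCP-based classifier are assumptions, while "PermitAccess", "DenyAccess", "ReAuth" and "Port Bounce" are the ISE names the replies use.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    mac: str
    profile: str = "Unknown"          # every new endpoint starts as Unknown
    attrs: dict = field(default_factory=dict)

# Authorization rules evaluated top-down, like an ISE policy set.
# Each rule is (name, condition, result). The only difference between the
# two sets is the extra rule granting unknown endpoints limited access.
def rules_deny_unknown():
    return [
        ("Workstations", lambda e: e.profile == "Workstation", "PermitAccess"),
        ("Mobile", lambda e: e.profile == "Mobile-Device", "PermitAccess"),
        ("Default", lambda e: True, "DenyAccess"),
    ]

def rules_with_profiling_access():
    return [
        ("Workstations", lambda e: e.profile == "Workstation", "PermitAccess"),
        ("Mobile", lambda e: e.profile == "Mobile-Device", "PermitAccess"),
        ("Unknown-Profiling", lambda e: e.profile == "Unknown", "Profiling-Limited-ACL"),
        ("Default", lambda e: True, "DenyAccess"),
    ]

def authorize(rules, ep):
    """Return (rule name, result) of the first matching rule."""
    for name, cond, result in rules:
        if cond(ep):
            return name, result
    raise RuntimeError("no rule matched")

def classify(ep):
    """Simplified profiler: decide a profile from the DHCP class identifier."""
    vendor_class = ep.attrs.get("dhcp-class-identifier", "")
    if vendor_class.startswith("MSFT"):
        return "Workstation"
    if vendor_class.startswith("android"):
        return "Mobile-Device"
    return "Unknown"

def connect(rules, ep, dhcp_class_id, coa_type="ReAuth"):
    """Simulate one endpoint joining: authz, then DHCP seen only if access
    was granted, then a CoA re-evaluation if the profile changed."""
    history = [authorize(rules, ep)]
    if history[-1][1] == "DenyAccess":
        return history           # no traffic reaches ISE, profiler learns nothing
    ep.attrs["dhcp-class-identifier"] = dhcp_class_id   # constructed sample
    new_profile = classify(ep)
    if new_profile != ep.profile and coa_type in ("ReAuth", "Port Bounce"):
        ep.profile = new_profile
        history.append(authorize(rules, ep))            # CoA-triggered reauth
    return history
```

With the deny-only policy the endpoint never gets past the first authorization, so the CoA setting alone changes nothing; with the limited-access rule the same endpoint is profiled and re-authorized into the workstation rule.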
08-14-2018 09:57 AM
The thing is that it works; I can see that it works when the device authenticates without the endpoint filter, because it profiles the device correctly. When I put in the endpoint filter and new devices need to authenticate, that is when it doesn't work, as if it needs to be done after the device is already on the network.
08-14-2018 01:42 PM
Samuel,
Take a look at the ISE logs on attributes gathered by ISE for that endpoint.
ISE recognizes the endpoint as unknown and then profiles it based on the attributes you have created in the profiling policy. You need to make sure it matches. A parent profile has to match for the child to match as well. You are using a logical profile mapped to one or more profiles. All of these profiles need to match for you to match the logical profile. Try mapping an actual profile to start with and see what attributes you gather. Based on the type of endpoint, you may need the right attributes in the profile.
Thanks
Krishnan