Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1047
Views
10
Helpful
3
Replies

Exception actions first time profile with COA for wireless clients

Go to solution
piotrPaszk
Level 1
Level 1

‎02-15-2020 01:15 AM

Hello,

 

I have a number of end points which appear in ISE as unknown or are wrong provisioned. This is of course because the radius does pass to much information ones a device requests access to the network I would like to make a rule which allows a device to access the network and only allow it access ISE, DHCP and some dummy vlan. Ones ISE has grabed enough data from DHCP and has profiled the device accordingly I would like to trigger COA, get the device disconnected and then allow it to hit the proper rule in the policy set according to its profile. I would like to make this rule for particular identity groups, not all devices, for example canon printers.

 

How can I acheive it ?

 

Br

Piotr 

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-15-2020 05:24 AM

IMO you have a couple of options. You could push authz policy to devices that are identified as unknown into your restricted area that has limited access. Once ISE receives proper attributes from your NADs (device sensors) via radius probe or whichever probe you wish to target you can profile the devices accordingly. Within this new profile you can enable CoA so that the devices are forced to reauth & automatically add the MAC to an endpoint group. Then in your ISE authz policies setup your authz condition that matches on the newly defined endpoint group and pushes full network access or whatever you wish. The caveat here is that you would need to ensure you have plus licensing which would be consumed when pushing policy based on profiled endpoint groups. Another option could be utilizing an ISE portal to allow onboarding (registering) endpoints into respective groups. Essentially unknown or hosts that dont match any other authz policies get access to almost nothing besides the ISE portal. I recommend taking a peek at these:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

View solution in original post

Go to solution
piotrPaszk
Level 1
Level 1
In response to Mike.Cifelli

‎02-16-2020 05:54 AM

Hi Mike,

 

Thanks for the excelent answer. I would like to chose the option number two to utilize an ISE portal to allow onboarding (registering) endpoints into respective groups. You have refered me to the guide but I can not find any info how to build such portal ?

 

Br

Piotr

View solution in original post

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to piotrPaszk

‎02-17-2020 08:37 AM - edited ‎02-17-2020 08:39 AM

There are built in portals provided by Cisco that you can modify and reference in your authz profiles. You can also create custom portals via: https://isepb.cisco.com/#/
Take a peek on labminutes.com/video/sec
They have some good free tutorials. HTH!

View solution in original post

3 Replies 3

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-15-2020 05:24 AM

IMO you have a couple of options. You could push authz policy to devices that are identified as unknown into your restricted area that has limited access. Once ISE receives proper attributes from your NADs (device sensors) via radius probe or whichever probe you wish to target you can profile the devices accordingly. Within this new profile you can enable CoA so that the devices are forced to reauth & automatically add the MAC to an endpoint group. Then in your ISE authz policies setup your authz condition that matches on the newly defined endpoint group and pushes full network access or whatever you wish. The caveat here is that you would need to ensure you have plus licensing which would be consumed when pushing policy based on profiled endpoint groups. Another option could be utilizing an ISE portal to allow onboarding (registering) endpoints into respective groups. Essentially unknown or hosts that dont match any other authz policies get access to almost nothing besides the ISE portal. I recommend taking a peek at these:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

Go to solution
piotrPaszk
Level 1
Level 1
In response to Mike.Cifelli

‎02-16-2020 05:54 AM

Hi Mike,

 

Thanks for the excelent answer. I would like to chose the option number two to utilize an ISE portal to allow onboarding (registering) endpoints into respective groups. You have refered me to the guide but I can not find any info how to build such portal ?

 

Br

Piotr

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to piotrPaszk

‎02-17-2020 08:37 AM - edited ‎02-17-2020 08:39 AM

There are built in portals provided by Cisco that you can modify and reference in your authz profiles. You can also create custom portals via: https://isepb.cisco.com/#/
Take a peek on labminutes.com/video/sec
They have some good free tutorials. HTH!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents