Exception actions first time profile with COA for wireless clients

piotrPaszk
Level 1

Hello,

I have a number of endpoints which appear in ISE as unknown or are wrongly provisioned. This is of course because the RADIUS does pass too much information once a device requests access to the network. I would like to make a rule which allows a device to access the network and only allows it access to ISE, DHCP and some dummy VLAN. Once ISE has grabbed enough data from DHCP and has profiled the device accordingly, I would like to trigger CoA, get the device disconnected and then allow it to hit the proper rule in the policy set according to its profile. I would like to make this rule for particular identity groups, not all devices, for example Canon printers.

How can I achieve it?

Br

Piotr

3 Accepted Solutions

Mike.Cifelli
VIP Alumni
IMO you have a couple of options. You could push an authz policy for devices that are identified as unknown into your restricted area that has limited access. Once ISE receives proper attributes from your NADs (device sensors) via the RADIUS probe, or whichever probe you wish to target, you can profile the devices accordingly. Within this new profile you can enable CoA so that the devices are forced to reauth, and automatically add the MAC to an endpoint group. Then in your ISE authz policies set up an authz condition that matches on the newly defined endpoint group and pushes full network access or whatever you wish. The caveat here is that you would need to ensure you have Plus licensing, which would be consumed when pushing policy based on profiled endpoint groups. Another option could be utilizing an ISE portal to allow onboarding (registering) endpoints into respective groups. Essentially unknown hosts, or hosts that don't match any other authz policies, get access to almost nothing besides the ISE portal. I recommend taking a peek at these:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

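The CoA step Mike describes is a RADIUS Dynamic Authorization exchange (RFC 5176): after the profile change, ISE sends a Disconnect-Request (or CoA-Request) to the NAD, which must authenticate it with the shared secret before acting, and ISE in turn checks the authenticator on the NAD's ACK/NAK. The following is an added example, not code from this thread or from Cisco, that builds and verifies both sides of that exchange; the shared secret and the MAC in Calling-Station-Id are constructed values.

```python
import hashlib
import struct

# Packet codes from RFC 5176 (Disconnect-Request and its ACK/NAK).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID = 31  # RADIUS attribute that carries the endpoint MAC


def encode_attrs(attrs):
    """Encode (type, value_bytes) pairs as RADIUS type-length-value triples."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, 2 + len(value)) + value
    return out


def build_disconnect_request(secret, identifier, attrs):
    """ISE side: the Request Authenticator is MD5 over the packet with the
    16-octet authenticator field zeroed, followed by the shared secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(secret, packet):
    """NAD side: only a sender holding the secret can produce a valid
    Request Authenticator, so a failed check means the request is dropped."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return packet[4:20] == expected


def build_response(secret, code, request, attrs=()):
    """NAD side: the ACK/NAK authenticator covers the request's authenticator,
    binding the reply to the exact request it answers."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(secret, request, response):
    """ISE side: accept the ACK/NAK only if its Response Authenticator checks out."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

A request whose authenticator fails on the NAD is silently discarded, which is why a wrong shared secret on either side shows up as CoA "timing out" rather than as an explicit NAK.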

Hi Mike,

Thanks for the excellent answer. I would like to choose option number two, to utilize an ISE portal to allow onboarding (registering) endpoints into respective groups. You have referred me to the guide, but I cannot find any info on how to build such a portal?

Br

Piotr


There are built-in portals provided by Cisco that you can modify and reference in your authz profiles. You can also create custom portals via: https://isepb.cisco.com/#/
Take a peek at labminutes.com/video/sec
They have some good free tutorials. HTH!
