Your statement saying "Of course it doesn't get an IP address until it is profiled correctly" is a statement that shouldn't be true.  If you are using profiling in your ISE install at a minimum you should allow unknown devices onto the network but apply a DACL that only allows them to respond to the PSNs that may be probing them, i.e. NMAP or SNMP scans.  I know that necessarily won't help you here, but it sounds like you are rejecting in your default rule which can hinder ISE profiling.

Yes I am pushing a restricted DACL from ISE and I can see that ISE PSN is receiving accounting start from the switch .

Buy no SNMP query is initiate from the PSN which it should according to the document

Thanks for the comments . Will investigate more

Thanks,

Utkarsh

I have seen this issue in the past, but can’t remember what the solution was. A couple other things:

1) If the switch supports device sensor that would be the ideal route, but I am guessing since you are relying on SNMP polls it probably doesn’t support device sensor.

2) I usually have periodic SNMP polling setup on the NAD definitions in ISE. The periodic polling will fix the issue, but of course that doesn’t help you get the phone on in a timely fashion.

If you pushing a DACL and allowing the phone on the network you should be getting DHCP attributes from the phone which should also be profiling the device correctly. Do you have DHCP forwarding to the PSNs configured?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Yes. you got that right. Its working with periodic SNMP polling and DHCP forwarding.

Its always worked in the past for me using Interface level SNMP query because that's the best ways to profile endpoints in closed mode.

Anyways I've got tied up in other stuff so will revisit this issue.

Appreciate your time on this.