Hello, I´m implementing ISE 1.4 in a wireless enviroment with WLC.
I´m deploying CWA and if the user is guest sponsored user/password I give internet access, but if the user is from Active Directory I do a Client provisioning with EAP-TLS and certificates for 802.1x in a different SSID. Everything works correctly and the client after the provisioning can connect perfectly to the new 802.1x SSID.
The problem is that I would like doing some profiling just for devices connected with AD user/password, my client has a wide range of devices (apple, windows, Android....) and I can not apply any differentiated profiling policy with the conditions ISE can give me. I would like to profile devices when in the CWA the user is from AD. But trying to create the profiling policies I have no access to the dictionary of my AD, only Radius, DHCP,DNS...etc dictionaries.
I also tried to create a custom dictionary without any success for my purposses.
How can I create a profiling policy with the confition that only applies to devices connected with AD credentials?
Profiling can't be differentiated like that, it works for all devices with a session in ISE. What you can do, and what is normally done, is to let profiling do it's job for every device, and then use multiple conditions in the authorization rules, that relate to both profiling profiles, and AD group memberships for example. This way you can have rules that only require a specific profiling profile, if user is also member of a specific group, or just authenticated via AD.
Hi Jan, thanks for your repsonse.
I understand what you say. What I wanted to do is to configure a profiling policy to create a new identity group with the devices connected with AD user/password. Then use this created group in the authorization rules. Then I wouldn´t do any job with the rest of the guest devices purging the unknown group every week.
Why would you wan't to use profiling for that? ISE already knows they where authenticated via AD and you can just use the "Identity Store" attribute to select those in your authorization rules, no need for profiling to do that.
I don´t have any endopoint in the identity store until they access by CWA. In that moment I wanted to put the endpoint used with AD credentials in a specific endpoint group.
I´m using the attribute "BYODRegistration - equals - yes" to do it.
Thanks for your support.
FYI. There is a dictionary called CWA that contains the following attributes:
Can be used in authorization (not for profiling).Don't think addresses what you are trying to do but worth calling out