ISE 3.3 Endpoint Profile assignment based on DHCP ID

David Rollins
Level 1

I'm working on ISE 3.3 in an air-gapped environment. I've recently successfully configured ISE and the switch for 802.1X and RADSEC, and am now working on Dynamic VLAN assignment. The printer currently sits in a routed VLAN (with NO DHCP) that I eventually want to use for Quarantine.

I've created a Printer authorization rule based on dot1x authentication_passed and ID Group "Printers". I dynamically assign VLAN 15.

The printer authenticates with dot1x successfully. The DHCP attributes are passed to ISE. But the node still will not get automatically assigned to the ID group "Printers".

I have a Profiler policy for "Printers" with a minimum certainty factor of 25. I have 3 conditions configured: SNMP check for HP, DHCP check contains JetDirect, and DHCP check contains HP JetDirect. All with a certainty factor of 30.

I've checked the DHCP attributes captured by ISE numerous times. (dhcp-class-identifier HP JetDirect)
The node is still not automatically assigned to the ID group.
Do I have to have CoA enabled on the Profile Policy? Does ISE have to be able to reach the printer in order to verify DHCP attributes? Does the printer have to have an IP for profile assignment to be successful?
I can provide more details upon request. 

7 Replies

Dustin Anderson
VIP Alumni

I don't use ID groups, but we do most of this, so hopefully I can give you a place to look.

1 If the printer is starting on a VLAN with no DHCP, how is ISE getting DHCP for profiling? Did you add a helper on the VLAN to send it to ISE?

2 You created a profile called Printers. Does the printer get profiled to this, or is another profile winning?

3 Does your switch accept CoA from ISE?

4 Instead of an ID group, can you just do a rule of auth passed and logical profile X? (You may need to make a logical profile and add the printer profile into it.)

Personally we use AD groups and MAB for printers, as a lot of ours don't support 802.1X. But you should be able to get it to work.

1 If the printer is starting on a VLAN with no DHCP, how is ISE getting DHCP for profiling? Did you add a helper on the VLAN to send it to ISE? There is a helper on the SVI, switch device classifier and device-sensor filters.

2 You created a profile called Printers. Does the printer get profiled to this, or is another profile winning? It does not get profiled; it is UNKNOWN. That is what I'm trying to solve.

3 Does your switch accept CoA from ISE? Not yet, I haven't had a need for CoA yet. But it is on the horizon.

4 Instead of an ID group, can you just do a rule of auth passed and logical profile X? (You may need to make a logical profile and add the printer profile into it.) I'd still have to statically assign the printer/node to a profile/group, which is what I'm trying to avoid.

Dustin Anderson
VIP Alumni

OK, so the big thing is it failing profiling. I've had unreliable results when creating profiles; it's almost like once it profiles it doesn't want to update, so maybe try removing the endpoint and trying again. But below is what I had when we had to profile these UPS Tundra scanners they used to use.

So, for us I used the OUI of the MAC address, since nothing else used it on site. You may be able to do similar profiling instead of the DHCP, or in addition to it.

One is the profile checks; I matched on the first 6 of the MAC, as that was the same for the devices.

[attached image: UPS2.jpg]

Next was the profile itself. I usually had issues with smaller numbers and started to use a certainty of 100.

[attached image: UPS1.jpg]

The one I had has 2 checks in one line; if you do similar, make sure it is set to OR, otherwise all have to match to hit.

[attached image: UPS3.jpg]

Last, I made a logical profile I can call in rules.

[attached image: UPS4.jpg]

This should not need any manual intervention once working. You do not need to add to the groups. You may have to tweak rules, but if you do multiple printers, you can add different profiles into the logical profile, so say HP printers, Brother, etc.

Now, I do believe the switch needs to have CoA enabled to take a VLAN change from ISE.

I'm re-testing today. I used the Logical Profile and tested it on the workstations. During initial authentication, it wouldn't profile it. But on the next re-authentication it would. So I changed the default authentication policy to re-authenticate after 60 sec.
For the printer, I will probably end up using the OUI profiler policy. Will know more later.

And as far as Dynamic VLAN assignment, it doesn't require CoA. I have Dynamic VLAN assignment configured on the Printer and Workstation Auth policy and it works perfectly.
I don't have CoA configured on the switch or in ISE. I did have dynamic-author configured on the switch, but once I configured RADSEC I had to remove it. I kept getting errors on the EAP authentication from the client session. Then I read somewhere that after RADSEC is enabled you should remove dynamic-author. I will try to configure it again later.

OK, I haven't done RADSEC, so it may be different there. If it's working, it should be fine. Yes, I see in our environment the first auth of a new device usually fails, as it seems to go through the rules before it's profiled. The second attempt is usually fine.

Now, what mode do you use on the SW?

Closed, monitor or low impact?

Closed does not allow DHCP packets, and hence ISE cannot know the printer before authc/authz.

This led us to use low impact: configure any dummy VLAN under the interface, make the printer ask for an IP via DHCP, and then ISE knows the printer and sends back a CoA for the new VLAN.

MHM

I am using open authentication/low impact. I did get it to work though. @Dustin Anderson the MAC address logical profile solution still would not work. It didn't work until 1.) I fixed the default gateway in the DHCP offer and 2.) allowed an NMAP scan of the system, via ACL on the SVI.
It wasn't until the NMAP scan verified the system that it would allow a successful addition into the endpoint policy.
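For readers who want to see the switch-side pieces the thread keeps circling back to in one place, here is an added Cisco IOS (legacy IBNS 1.0 syntax) configuration that is not from the original poster or any reply. It puts the printer port in low-impact mode so the endpoint can DHCP before authorization, sends the DHCP class-identifier to ISE through Device Sensor in RADIUS accounting, also relays the DHCP discover to the ISE PSN for the DHCP probe, opens the landing VLAN's SVI ACL so replies to the PSN's NMAP scan get back to ISE (the fix in the last post), and accepts CoA from ISE. The PSN address 10.10.10.5, the landing VLAN 99 with its 10.99.0.0/24 subnet, the DHCP server 10.99.0.10, the port Gi1/0/10, and the shared key are all assumed placeholders; the thread's RADSEC (DTLS) transport is not shown, this uses plain RADIUS, and the ISE-side DHCP and NMAP probes must be enabled on the PSN for the attributes to arrive.

```cisco
! ----- Assumed placeholders (not from the thread): PSN 10.10.10.5, landing VLAN 99,
! ----- DHCP server 10.99.0.10, printer port Gi1/0/10, key ISE-SharedKey
!
! --- RADIUS server, AAA method lists and CoA listener ---
radius server ISE-PSN1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key ISE-SharedKey
!
aaa group server radius ISE
 server name ISE-PSN1
!
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
! accept Change of Authorization (reauth / VLAN change) from the PSN
aaa server radius dynamic-author
 client 10.10.10.5 server-key ISE-SharedKey
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
!
dot1x system-auth-control
!
! --- Device Sensor: carry DHCP and LLDP attributes to ISE in RADIUS accounting ---
! class-identifier is the DHCP option 60 value ("HP JetDirect") the profiler policy matches on
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name class-identifier
 option name client-identifier
 option name parameter-request-list
device-sensor filter-list lldp list DS-LLDP
 tlv name system-name
 tlv name system-description
device-sensor filter-spec dhcp include list DS-DHCP
device-sensor filter-spec lldp include list DS-LLDP
device-sensor accounting
device-sensor notify all-changes
!
! --- Pre-authorization ACL for low-impact mode: DHCP and DNS only, nothing else ---
ip access-list extended ACL-LOW-IMPACT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
! --- Landing VLAN SVI: relay DHCP to the real server AND to the PSN (DHCP probe),
! --- and let endpoint replies reach the PSN so the NMAP scan can complete ---
ip access-list extended QUARANTINE-IN
 remark DHCP discover/request from endpoints (relayed by ip helper-address)
 permit udp any eq bootpc any eq bootps
 remark replies to ISE probes and the NMAP scan sourced from the PSN
 permit ip 10.99.0.0 0.0.0.255 host 10.10.10.5
 remark no lateral traffic from the landing/quarantine VLAN
 deny ip any any
!
interface Vlan99
 description Landing / quarantine VLAN for unprofiled endpoints
 ip address 10.99.0.1 255.255.255.0
 ip helper-address 10.99.0.10
 ip helper-address 10.10.10.5
 ip access-group QUARANTINE-IN in
!
! --- Printer access port: open (low-impact) mode, dot1x then MAB, reauth per ISE Session-Timeout ---
interface GigabitEthernet1/0/10
 description Printer port
 switchport mode access
 switchport access vlan 99
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 ip access-group ACL-LOW-IMPACT in
 spanning-tree portfast
```

Two checks worth running after applying this: `show device-sensor cache interface Gi1/0/10` should list the `class-identifier` option once the printer has sent a DHCP discover, and `show aaa servers` should show CoA requests incrementing when ISE pushes the VLAN 15 change after the endpoint is profiled. `authentication timer reauthenticate server` is what lets the short Session-Timeout in the ISE authorization policy (the 60-second reauth mentioned above) drive the second authentication that picks up the new profile.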