Hi Michael,
In my case, I'm trying to do your option #2.
2. if I try to use 2-3 levels for make the device profile - OUI (Triger) (1 st level) --> NMAP Scan (2nd level) --> compile final profile using discovered port - it is work
MAB PASS #1 - I want to initially profile the endpoint on OUI and dhcp-parameters to give temporary access. Done with NAD device sensor.
MAB PASS #2 - I want to provide enough network access to the endpoint to allow ISE to perform its Endpoint Scan (Automatic, Triggered) custom NMAP Custom Ports Scan.
MAB PASS #3 - Only then I want to provide enough network access to the endpoint to reach its provisioning system to get its configuration based on passes 1 and 2.
Once this is done, the endpoint should be authenticated against DOT1X.
Where within ISE do you find the logging/reporting on the results of the Endpoint Scan? I can't seem to locate it.
Thanks,
Chris