01-30-2015 03:39 AM - edited 03-10-2019 10:23 PM
Hello
I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
AD PC's aren't profiled and are listed under Endpoints with the Endpoint Profile of "unknown".
To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
My questions are:
Thanks
Andy
10-04-2016 09:54 AM
Hi Andy,
Were you able to figure this out?
10-04-2016 11:25 PM
Hi Derrick. No, I was moved off this work and didn't get it resolved. I'll be looking at ISE again soon so I'll post any findings.
Cheers
Andy
10-05-2016 07:37 AM
The phone consumes a Plus license because you are using a profile to authenticate/authorize the connection. Technically, the PC consumes a Plus license as well but only during the profiling process. It is released after profiling if you do not use the profiling information in an authorization rule.
Endpoint groups are based on profiling or guest assignment (which is kind of like the probe based profiling). I have not seen any way to assign an 802.1x authenticated device to an endpoint group outside of profiling.
ISE 2.1 has an AD profiling probe built in if you want to build an endpoint group based on the AD join point of the PC. It was not available in previous ISE releases. You can use that to profile AD joined computers and automatically add them to an endpoint group. You can find more information here:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200553-Configure-ISE-2-1-Profiling-Services-bas.html
Using that and the resulting endpoint group in an authorization rule would consume a Base and Plus license (Base for authentication, Plus for the profiling based authorization).