ISE onboarding profile download process

Mohammad Setan
Level 1

Dear All,

I have a small question about the ISE onboarding and provisioning process.

When the client connects to the SSID, the ISE will download the configuration to the client, and the adapter configuration will be changed.

My question is: does the check of the client profile configuration happen each time the client connects? If yes, will the ISE download the profile each time the client connects or not?

In case the ISE downloads the configuration once and checks the configuration each time the client connects (which does make sense), do we have any cache on the ISE for any client that says whether this client has a correct profile or not? If yes, after how much time will the cache entry be deleted?

Kind Regards

Mohammad Setan

Accepted Solution

nspasov
Cisco Employee

Hi Mohammad-

Once a device is onboarded/provisioned then that device should not have to go through the "client provisioning" process. Instead, it should hit a different rule that is placed above your "client provisioning" rule in ISE. For instance, if your on-boarding is configuring the client to perform EAP-TLS with a certificate then once the device supplicant is configured to perform EAP-TLS and has obtained a certificate then you should have a rule above the on-boarding rule that checks for EAP-TLS.

I hope this makes sense. Let me know if you need additional clarifications.

Thank you for rating helpful posts!

3 Replies

Hi Neno,

Thank you for the reply.

So what I understood from you is that there will be two rules. The first rule checks EAP-TLS: in case the client connected before, the client will have the correct profile downloaded, and in that case the client will hit that rule and connect normally as any dot1x supplicant. In case not, the user will hit the second rule, which will provision the client to download the supplicant, and then connect normally and hit the first rule. Am I right?

If yes, then this makes sense and there is no need for caching or any other process.

Kind Regards

Mohammad Setan

Yes, you got it right! :)

Thank you for rating helpful posts!
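
The two-rule ordering discussed in this thread, as an added example that is not part of the original posts and is not ISE's own code: a small Python model, assuming first-match policy evaluation, that shows why the EAP-TLS rule must sit above the provisioning rule and why no cache is needed. The rule names, session attributes, the `example-byod` SSID and the assumption that an unprovisioned client first connects with PEAP are hypothetical.

```python
# Added illustration, not exported from ISE: a first-match model of the
# two-rule authorization policy. All rule, attribute and result names are
# hypothetical, and the sessions are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str


def evaluate(policy: List[Rule], session: Session) -> Tuple[str, str]:
    """Return (rule name, result) of the first rule whose condition matches."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", "DenyAccess"


EAP_TLS_RULE = Rule(
    "Onboarded-EAP-TLS",
    lambda s: s.get("eap_method") == "EAP-TLS" and s.get("cert_valid") is True,
    "PermitAccess",
)
PROVISIONING_RULE = Rule(
    "Client-Provisioning",
    lambda s: s.get("ssid") == "example-byod",
    "RedirectToProvisioning",
)
CORRECT_ORDER = [EAP_TLS_RULE, PROVISIONING_RULE]
REVERSED_ORDER = [PROVISIONING_RULE, EAP_TLS_RULE]


def simulate(policy: List[Rule], attempts: int = 3) -> List[str]:
    """Connect one device repeatedly; a redirect onboards it for next time."""
    provisioned = False
    matched = []
    for _ in range(attempts):
        session = {"ssid": "example-byod", "cert_valid": provisioned,
                   "eap_method": "EAP-TLS" if provisioned else "PEAP"}
        name, result = evaluate(policy, session)
        matched.append(name)
        if result == "RedirectToProvisioning":
            provisioned = True  # supplicant configured and certificate issued
    return matched
```

With `CORRECT_ORDER` the device is redirected once and then matches the EAP-TLS rule on every later connection; with `REVERSED_ORDER` an already onboarded device is sent back to provisioning each time.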