ISE Policy / CDP Attributes

neteng1
Level 1

I am sending CDP attributes to ISE during endpoint authentication. I am struggling to use these attributes in an authorization policy. I want a policy that matches if cdpCachePlatform contains 'Phone'. So far, the policy does not match.

Screenshot from 2022-01-25 16-00-21.png

This is the policy I created.

Screenshot from 2022-01-25 16-06-12.png

This is the dictionary I created.

Screenshot from 2022-01-25 16-10-20.png

Accepted Solutions

Greg Gibbs
Cisco Employee

You mention in another post "I want to avoid authenticating phones to ISE because it requires a plus license for profiling". Do you have the Plus license enabled?

The feature you are trying to use also leverages information from Profiling, so you would need the Plus/Advanced license enabled.

The CDP information is learned from the Profiling probes (likely sent by Device Sensor on the switch to ISE via the RADIUS probe).

Ah ok, thank you, I was not aware of that.

It may seem simple to assume that since voice VLAN assignment works so well locally that you could bypass authentication for voice devices, but I have not found that to be the case.