Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
841
Views
1
Helpful
4
Replies

ISE Profiling Services on ISR 2921 with SM module

Go to solution
vaganesa
Cisco Employee
Cisco Employee

‎10-24-2017 08:59 PM

Hi,

I have a Customer with a Cisco 2921 ISR router with SM Ethernet module. They would like to know if ISE profiling services are compatible with SM module. They are looking to expand their wired infrastructure with ISE.

Any help would be highly appreciated!

Thanks,

Vaishnavi

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎10-25-2017 03:45 PM

In general, profiling is supported with any switch as virtually all will have the same methods for forwarding DHCP, DNS, RADIUS, SNMP, etc.  CoA is needed to change policy at time of profie change so either RADIUS CoA or SNMP CoA must be possible to provide that.  As Tim stated, the ESW modules are basically same device as standalone counterparts but no PSU and different uplink interface.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎10-25-2017 09:55 AM

Many times the SM ethernet module in routers run a very stimilar version of code to their dedicated switch counterparts.  If you can find the version of IOS it uses, 9 time out of 10 you will have the same functionality.

Regards,

-Tim

Go to solution
Craig Hyps
Level 10
Level 10

‎10-25-2017 03:45 PM

In general, profiling is supported with any switch as virtually all will have the same methods for forwarding DHCP, DNS, RADIUS, SNMP, etc.  CoA is needed to change policy at time of profie change so either RADIUS CoA or SNMP CoA must be possible to provide that.  As Tim stated, the ESW modules are basically same device as standalone counterparts but no PSU and different uplink interface.

0 Helpful

Go to solution
vaganesa
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎10-29-2017 11:34 PM

Hi Craig & Timothy,

Thanks for your help on this!


A followup query on CoA: If I can't turn on CoA globally because of limited support on the Cisco 2921 with the Ethernet module, can I use RADIUS probes to handle CoA by itself without turning on CoA globally?  I understand it is recommended or a best practice to turn on Radius probing with CoA for better performance.  But is it possible to enforce CoA with RADIUS probes only, and are there any limitations with this configuration?


Thanks again!

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to vaganesa

‎10-30-2017 04:14 AM

Radius probes are used for profiling info

Coa (change of authorization) has nothing to do with the radius probe, it’s a mechanism to change access permissions when something changes

For example a device moved from web auth state to guest permit access

Or changed from posture unknown to compliant state

If the network access device doesn’t support snmp or radius coa then you won’t be able to switch a devices permissions

0 Helpful
Customers Also Viewed These Support Documents