06-05-2014 01:01 PM - edited 03-10-2019 09:46 PM
Hi,
I would like to know if it is possible to disable CoA when a device meets a profile. For example, I have the following profiling policy:
Workstation
- Windows XP
- Windows Vista
- Windows 7
- Windows 8
Sometimes the device gets profiled as 'Workstation', other times it gets profiled as Windows XP, Vista, 7, etc.
When the device gets profiled as Windows XP, Vista, 7, etc., I want to disable CoA so that the device doesn't change its profile, so it will remain profiled as Windows XP, Vista, 7, etc. forever.
At this moment, our devices get profiled, but sometimes a device has its profile changed to 'Workstation', sometimes to unknown. I want to keep them always profiled as Windows devices.
I really appreciate any help!
Thanks,
Emerson Rodrigues
06-05-2014 07:31 PM
Is this the setting you need?
06-06-2014 08:19 AM
Thank you guys for replying.
As the image below shows, the device is changing its profile. I've got all probes enabled.
I want that when the client meets a profile, like Windows 7, it always remains as Windows 7 and never changes profile again.
I've already disabled CoA, but it's still changing profile.
06-06-2014 09:27 AM
You need to create an exception action. This statically assigns the profile to the endpoint. Let me know if you need help on the exception action creation.
Also, it is not recommended to enable all probes. Most of the time you only need DHCP, RADIUS, SNMP Query and HTTP.
06-06-2014 09:56 AM
btellez, thank you for replying, I'll try to create that exception action, and let you know the results.
06-11-2014 01:41 PM
Exception Action works fine!
Thank you!
06-05-2014 09:25 PM
Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration page that enables the profiling service with more control over endpoints that are already authenticated.
In addition, you can configure additional SNMP Read Only community strings separated by a comma for the NMAP manual network scan in the Profiler Configuration page. The SNMP RO community strings are used in the same order as they appear in the Current custom SNMP community strings field.
You can also configure endpoint attribute filtering in the Profiler Configuration page.
Step 1 Choose Administration > System > Settings > Profiling.
Step 2 Choose one of the following settings to configure the CoA type:
If you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function avoids disconnecting other sessions, a situation that might occur with the Port Bounce option.
Step 3 Enter new SNMP community strings separated by a comma for the NMAP manual network scan in the Change custom SNMP community strings field, and re-enter the strings in the Confirm custom SNMP community strings field for confirmation.
Step 4 Check the Endpoint Attribute Filter check box to enable endpoint attribute filtering.
Refer
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html
06-06-2014 02:47 AM
"Endpoint Does Not Align to the Expected Profile": is this the issue you are facing? http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#pgfId-193213 What are the probes you are using for profiling?
06-04-2016 05:29 AM
Hello Btellez,
I would need help on the exception rule creation.
I have an issue where I statically add endpoints to a particular logical profile I created, but after some time I notice that the endpoint loses the profile, therefore not getting the desired authorization.
Thanks.