
ISE profiling

Hi,

I would like to know if it is possible to disable CoA when a device meets a profile. For example, I have the following profiling policy:

 

Workstation
- Windows XP
- Windows Vista
- Windows 7
- Windows 8

 

Sometimes the device gets profiled as 'Workstation'; other times it gets profiled as Windows XP, Vista, 7, etc.

 

When the device gets profiled as Windows XP, Vista, 7, etc., I want to disable CoA so that the device doesn't change its profile and remains profiled as Windows XP, Vista, 7, etc. forever.

 

At this moment, our devices get profiled, but sometimes a device has its profile changed to 'Workstation', sometimes to unknown. I want to keep them always profiled as Windows devices.

I really appreciate any help!

 

Thanks,

Emerson Rodrigues


Alexeev_a
Level 1

Is this the setting you need?

Thank you guys for replying.

 

As in the image below, the device is changing its profile. I've got all probes enabled.

 

I want that when the client meets a profile, like Windows 7, it always remains as Windows 7 and never changes profile again.

 

I've already disabled CoA, but it's still changing profile.

 

You need to create an exception action. This statically assigns the profile to the endpoint. Let me know if you need help with the exception action creation.

Also, it is not recommended to enable all probes. Most of the time you only need DHCP, RADIUS, SNMP Query and HTTP.

btellez, thank you for replying. I'll try to create that exception action and let you know the results.

 

 

Exception Action works fine!

 

Thank you!

Saurav Lodh
Level 7

Setting up COA, SNMP RO Community and Endpoint Attribute Filter

Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration page that enables the profiling service with more control over endpoints that are already authenticated.

In addition, you can configure additional SNMP Read Only community strings separated by a comma for the NMAP manual network scan in the Profiler Configuration page. The SNMP RO community strings are used in the same order as they appear in the Current custom SNMP community strings field.

You can also configure endpoint attribute filtering in the Profiler Configuration page.


Step 1 Choose Administration > System > Settings > Profiling.

Step 2 Choose one of the following settings to configure the CoA type:

    • No CoA (default): You can use this option to disable the global configuration of CoA. This setting overrides any configured CoA per endpoint profiling policy.
    • Port Bounce: You can use this option if the switch port exists with only one session. If the port exists with multiple sessions, then use the Reauth option.
    • Reauth: You can use this option to enforce reauthentication of an already authenticated endpoint when it is profiled.

If you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function avoids disconnecting other sessions, a situation that might occur with the Port Bounce option.

Step 3 Enter new SNMP community strings separated by a comma for the NMAP manual network scan in the Change custom SNMP community strings field, and re-enter the strings in the Confirm custom SNMP community strings field for confirmation.

Step 4 Check the Endpoint Attribute Filter check box to enable endpoint attribute filtering.

Step 5 Click Save.

 

 

Refer

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html

Venkatesh Attuluri
Cisco Employee

"Endpoint Does Not Align to the Expected Profile": is this the issue you are facing? http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#pgfId-193213

What are the probes you are using for profiling?

Hello Btellez,

I would need help with the exception rule creation.

I have an issue where I statically add endpoints to a particular logical profile I created, but after some time I notice that the endpoint loses the profile and therefore does not get the desired authorization.

Thanks.