ISE Profiling

NaveenG_Wi-Fi
Level 1

Hi,

I would like to put two non-dot1x endpoints of the same type/model of hardware from the same manufacturer in different VLANs. I would like to use a profiling condition/policy and then call it in an Authorization rule for VLAN assignment. Can someone suggest how to go about it? I do not want to have a static identity group with the second endpoint manually registered in it.

 

P.S.: For simplicity's sake, I mentioned two endpoints, but I have more than 150 such endpoints and want to put them in two groups.

3 Replies

Damien Miller
VIP Alumni
If these 150 endpoints are identical in type, model, and manufacturer, then profiling alone likely can't be used to differentiate them from one another for use in authorization rules. In this case you need something else to help classify them, a static ID group is certainly one option but you don't want to use that. If they are performing 802.1x, then you could actively authenticate them differently based on credentials. If these endpoints enter the network differently, say from a different switch/wlan, then you could leverage the NAD attributes in the authz.

Hi Damien,

Thank you for the suggestion. The endpoints are wired and unfortunately can't be differentiated with NAD attributes, as they are connected to common switch(es). So, am I safe to assume that a static Identity group is the only option left?

Also, the Authorization Rule matching the static ID group should be placed above the Authorization Rule matching the profiling policy condition, right?

I agree with @Damien Miller that you are limited. However, I do want to point out a couple of options that may not be favorable, but could work.

The endpoints are wired and unfortunately can't be differentiated with NAD attributes, as they are connected to common switch(es). So, am I safe to assume that a static Identity group is the only option left?

-No. Technically you could rely on profiling via FQDN or IP conditions. The kicker here would be that you would have to be able to identify a unique string that would divide the hosts into two separate groups as you wish. Unfortunately, this may not suffice, but I have seen it work. Something else to note is that it could be a security concern in some eyes. Any chance you have other tools in your environment that you could generate a list of MACs for the respective two groups? If so, you have the ability to utilize ISE APIs to add/move MACs to desired groups. IMO this would be quicker than settling with statically assigning them. Take a peek here for more ideas: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-1299141482

 

Good luck & HTH!
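The "ISE APIs to add/move MACs" route from the reply above, worked through as an added example (this is not code from the thread or from Cisco). It takes a list of MACs exported from some other tool, one "mac,group" pair per line, and pushes each MAC into its endpoint identity group through the ERS REST API. Assumptions not stated on the page: ERS is enabled on the ISE PAN on TCP 9060, an ERS admin account exists, the two endpoint identity groups already exist, and the hostname, account and group names used here are placeholders. The sample MAC list is constructed for the example.

```python
"""Bulk add/move MAC addresses into ISE endpoint identity groups over the ERS API.
Added example, not from the thread. Assumed: ERS enabled on the PAN (TCP 9060),
an ERS admin account, and pre-existing endpoint identity groups."""
import base64
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample input (not from the thread); mixed MAC notations on purpose.
SAMPLE_MAC_LIST = """\
# mac,endpoint-identity-group
00:11:22:aa:bb:01,Printers-VLAN110
0011.22aa.bb02,Printers-VLAN110
00-11-22-AA-BB-03,Printers-VLAN120
001122AABB04,Printers-VLAN120
"""


def normalize_mac(raw: str) -> str:
    """Accept colon, dash, dotted-Cisco or bare notation; return ISE's form
    (uppercase, colon-separated). Anything that is not 12 hex digits is rejected."""
    digits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_list(text: str) -> dict:
    """Return {group_name: [mac, ...]}. A MAC listed under two different groups
    is an error: the goal is a clean split, not a last-line-wins surprise."""
    owner = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "," not in line:
            raise ValueError(f"line {lineno}: expected 'mac,group'")
        mac, group = (part.strip() for part in line.split(",", 1))
        mac = normalize_mac(mac)
        if not group:
            raise ValueError(f"line {lineno}: empty group name")
        if owner.get(mac, group) != group:
            raise ValueError(f"line {lineno}: {mac} already assigned to {owner[mac]}")
        owner[mac] = group
    groups = {}
    for mac, group in owner.items():
        groups.setdefault(group, []).append(mac)
    return {g: sorted(macs) for g, macs in groups.items()}


def endpoint_body(mac: str, group_id: str) -> dict:
    """ERS endpoint resource. staticGroupAssignment=true pins the endpoint to the
    group so a later profiler decision does not move it out again."""
    return {"ERSEndPoint": {"mac": mac, "staticGroupAssignment": True, "groupId": group_id}}


class IseErs:
    """Minimal ERS client on the standard library (basic auth, JSON)."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}:9060/ers/config"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json", "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab only: the ERS account is an admin credential
            self.ctx.check_hostname, self.ctx.verify_mode = False, ssl.CERT_NONE

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req, context=self.ctx) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as e:
            return e.code, {}

    def group_id(self, name):
        status, doc = self._call("GET", "/endpointgroup?filter=name.EQ." + urllib.parse.quote(name))
        hits = doc.get("SearchResult", {}).get("resources", [])
        if status != 200 or len(hits) != 1:
            raise LookupError(f"endpoint group {name!r}: HTTP {status}, {len(hits)} matches")
        return hits[0]["id"]

    def assign(self, mac, group_id):
        """Create the endpoint in the group, or move it if ISE already knows the MAC."""
        status, doc = self._call("GET", "/endpoint?filter=mac.EQ." + urllib.parse.quote(mac))
        hits = doc.get("SearchResult", {}).get("resources", []) if status == 200 else []
        if not hits:
            status, _ = self._call("POST", "/endpoint", endpoint_body(mac, group_id))
            return "created" if status == 201 else f"create failed (HTTP {status})"
        body = endpoint_body(mac, group_id)
        body["ERSEndPoint"]["id"] = hits[0]["id"]
        status, _ = self._call("PUT", f"/endpoint/{hits[0]['id']}", body)
        return "moved" if status == 200 else f"update failed (HTTP {status})"


def assign_all(client, mac_list_text):
    """Resolve each group name once, then add/move every MAC; returns per-MAC outcome."""
    plan = parse_mac_list(mac_list_text)
    ids = {name: client.group_id(name) for name in plan}
    return {mac: client.assign(mac, ids[name]) for name, macs in plan.items() for mac in macs}


if __name__ == "__main__":
    import getpass, sys
    ise = IseErs("ise-pan.example.com", "ers-admin", getpass.getpass("ERS password: "))  # assumed
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAC_LIST
    for mac, outcome in assign_all(ise, text).items():
        print(f"{mac}  {outcome}")
```

Run it as `python assign_groups.py maclist.txt` against the PAN; with no argument it runs the constructed sample list. The parser refuses a MAC that appears under both groups, because a silent last-line-wins would land an endpoint in the wrong VLAN with no error. The endpoint is written with `staticGroupAssignment` set, which is what makes the identity-group membership stick regardless of what the profiler later decides; the authorization rule then matches on the identity group, so the script only replaces the manual registration step, not the rule design discussed above.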