
980 Views, 5 Helpful, 3 Replies
NaveenG_Wi-Fi
Beginner

ISE Profiling

Hi,

I would like to put two non-dot1x endpoints of the same type/model of hardware from the same manufacturer in different VLANs. I would like to use a profiling condition/policy and then call it in an Authorization rule for VLAN assignment. Can someone suggest how to go about it? I do not want to have a static identity group with the second endpoint manually registered in it.

P.S.: For simplicity's sake, I mentioned two endpoints, but I have more than 150 such endpoints and want to put them in two groups.

3 REPLIES
Damien Miller
VIP Advisor

If these 150 endpoints are identical in type, model, and manufacturer, then profiling alone likely can't be used to differentiate them from one another for use in authorization rules. In this case you need something else to help classify them, a static ID group is certainly one option but you don't want to use that. If they are performing 802.1x, then you could actively authenticate them differently based on credentials. If these endpoints enter the network differently, say from a different switch/wlan, then you could leverage the NAD attributes in the authz.

Hi Damien,

Thank you for the suggestion. The endpoints are wired and unfortunately can't be differentiated by NAD attributes, as they are connected to a common switch (or switches). So, am I safe to assume that a static Identity group is the only option left?

Also, the Authorization Rule matching the static ID group should be placed above the Authorization Rule matching the profiling policy condition, right?

I agree with @Damien Miller that you are limited.  However, I do want to point out a couple of options that may not be favorable, but could work.

The endpoints are wired and unfortunately can't be differentiated by NAD attributes, as they are connected to a common switch (or switches). So, am I safe to assume that a static Identity group is the only option left?

-No.  Technically you could rely on profiling via FQDN or IP conditions.  The kicker here would be that you would have to be able to identify a unique string that would divide the hosts into two separate groups as you wish.  Unfortunately, this may not suffice, but I have seen it work.  Something else to note is that it could be a security concern in some eyes.  Any chance you have other tools in your environment that you could generate a list of MACs for the respective two groups? If so, you have the ability to utilize ISE APIs to add/move MACs to desired groups.  IMO this would be quicker than settling with statically assigning them.  Take a peek here for more ideas: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-1299141482


Good luck & HTH!
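The last reply suggests exporting the MAC lists from another inventory tool and moving the endpoints into the two identity groups through the ISE APIs rather than registering 150 endpoints by hand. The script below is an added example, not code from the thread or from Cisco; it shows that workflow with the ERS REST API (the `endpoint` and `endpointgroup` resources, basic auth on TCP 9060). The export format, the group names `Group-A`/`Group-B`, the host name and the credentials are all placeholders I assumed; the sample export is constructed inline so the parsing and payload-building part runs offline, and only `ErsClient` talks to a real ISE node.

```python
"""Added example: bulk-assign MACs to ISE endpoint identity groups via ERS.

Assumptions (mine, not the thread's): the MAC list is a 'mac,group' text
export from another tool; group names and the ISE host are placeholders;
ERS is enabled on TCP 9060 with an ERS-admin account.
"""
import base64
import json
import re
import urllib.request
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample export (not real inventory): one "mac,group" per line.
# It deliberately mixes MAC notations, a duplicate and an invalid entry.
SAMPLE_EXPORT = """\
00:11:22:33:44:55,Group-A
0011.2233.4466,Group-A
00-11-22-33-44-77,Group-B
00:11:22:33:44:55,Group-A
not-a-mac,Group-B
"""

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept colon, dash, Cisco dotted or bare notation and return the
    upper-case colon form ISE stores, or None if not a valid 48-bit MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def plan_group_moves(export_text: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Parse the export into {group_name: {mac, ...}}. Duplicates collapse;
    invalid lines are returned for review instead of being silently dropped."""
    plan: Dict[str, Set[str]] = {}
    rejected: List[str] = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        raw_mac, _, group = line.partition(",")
        mac = normalize_mac(raw_mac)
        if mac is None or not group.strip():
            rejected.append(line)
            continue
        plan.setdefault(group.strip(), set()).add(mac)
    return plan, rejected


def endpoint_payload(mac: str, group_id: str) -> dict:
    """ERS 'endpoint' resource body. staticGroupAssignment pins the endpoint
    to the group so a later profiling event cannot move it elsewhere."""
    return {"ERSEndPoint": {"mac": mac, "groupId": group_id,
                            "staticGroupAssignment": True}}


class ErsClient:
    """Minimal ERS client using only urllib; not exercised by the offline demo.
    TLS is verified with the default context, so the ISE admin cert must be
    trusted by the host running this script."""

    def __init__(self, host: str, user: str, password: str) -> None:
        self.base = f"https://{host}:9060/ers/config"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def group_id(self, name: str) -> str:
        res = self._call("GET", f"/endpointgroup?filter=name.EQ.{name}")
        return res["SearchResult"]["resources"][0]["id"]

    def endpoint_id(self, mac: str) -> Optional[str]:
        res = self._call("GET", f"/endpoint?filter=mac.EQ.{mac}")
        hits = res["SearchResult"]["resources"]
        return hits[0]["id"] if hits else None

    def assign(self, mac: str, group_id: str) -> None:
        """Update the endpoint if ISE already knows it, otherwise create it."""
        eid = self.endpoint_id(mac)
        if eid:
            self._call("PUT", f"/endpoint/{eid}", endpoint_payload(mac, group_id))
        else:
            self._call("POST", "/endpoint", endpoint_payload(mac, group_id))


if __name__ == "__main__":
    plan, rejected = plan_group_moves(SAMPLE_EXPORT)
    for group, macs in plan.items():
        print(f"{group}: {len(macs)} endpoint(s)")
    print("rejected lines:", rejected)
    # Live run (placeholder host/credentials):
    # ise = ErsClient("ise.example.invalid", "ers-admin", "CHANGE-ME")
    # for group, macs in plan.items():
    #     gid = ise.group_id(group)
    #     for mac in sorted(macs):
    #         ise.assign(mac, gid)
```

Review the `rejected` list before the live run: a malformed MAC that slips into the wrong group ends up in the wrong VLAN, and because the assignment is static, profiling will not correct it afterwards. The two identity groups then match in the Authorization policy exactly as a manually created static group would, so the rule ordering discussed above is unchanged.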
