06-14-2020 07:43 AM
Hi,
I would like to put two non-dot1x endpoints of the same type/model of hardware from the same manufacturer in different VLANs. I would like to use a profiling condition/policy and then call it in an Authorization rule for VLAN assignment. Can someone suggest how to go about it? I do not want to have a static identity group with the second endpoint manually registered in it.
P.S.: For simplicity's sake, I mentioned two endpoints, but I have more than 150 such endpoints and want to put them in two groups.
06-14-2020 11:31 AM
06-14-2020 11:16 PM
Hi Damien,
Thank you for the suggestion. The endpoints are wired and unfortunately couldn't differentiate with NAD attributes as they are connected to common switch(s). So, am I safe to assume that static Identity group is the only option left?
Also, the Authorization Rule with the matching Static ID group should be placed above the Authorization Rule that is matching the Profiling policy condition, right?
06-17-2020 06:02 PM
I agree with @Damien Miller that you are limited. However, I do want to point out a couple of options that may not be favorable, but could work.
The endpoints are wired and unfortunately couldn't differentiate with NAD attributes as they are connected to common switch(s). So, am I safe to assume that static Identity group is the only option left?
-No. Technically you could rely on profiling via FQDN or IP conditions. The kicker here would be that you would have to be able to identify a unique string that would divide the hosts into two separate groups as you wish. Unfortunately, this may not suffice, but I have seen it work. Something else to note is that it could be a security concern in some eyes. Any chance you have other tools in your environment that you could generate a list of MACs for the respective two groups? If so, you have the ability to utilize ISE APIs to add/move MACs to desired groups. IMO this would be quicker than settling with statically assigning them. Take a peek here for more ideas: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-1299141482
Good luck & HTH!
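An added example of the API approach suggested in the reply above (not part of the original posts and not Cisco's code): it turns a MAC inventory exported from another tool into ISE ERS requests that create or move endpoints into two static groups, and refuses a MAC that is claimed by both groups. It assumes the ERS endpoint resource at `/ers/config/endpoint` is enabled; the group names, group ID placeholders, function names and sample MACs are hypothetical.

```python
import base64, json, re, urllib.request

# Assumption: placeholder group IDs; look the real ones up with
# GET /ers/config/endpointgroup on your own deployment.
GROUP_IDS = {"group-a": "GROUP-A-ID-PLACEHOLDER", "group-b": "GROUP-B-ID-PLACEHOLDER"}

def normalize_mac(raw):
    """Accept aa-bb-.., aabb.ccdd.eeff, etc.; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def plan_requests(inventory, existing_ids):
    """inventory: (mac, group name) pairs from the other tool.
    existing_ids: normalized MAC -> ISE endpoint id for endpoints ISE already knows.
    Returns (method, path, body) tuples; raises if one MAC is claimed by two groups."""
    wanted = {}
    for raw_mac, group in inventory:
        mac = normalize_mac(raw_mac)
        if wanted.setdefault(mac, group) != group:
            raise ValueError(f"{mac} listed in both {wanted[mac]} and {group}")
    plan = []
    for mac, group in sorted(wanted.items()):
        body = {"ERSEndPoint": {"mac": mac, "groupId": GROUP_IDS[group],
                                "staticGroupAssignment": True}}
        if mac in existing_ids:  # ISE already has this endpoint: move it
            body["ERSEndPoint"]["id"] = existing_ids[mac]
            plan.append(("PUT", f"/ers/config/endpoint/{existing_ids[mac]}", body))
        else:  # never seen by ISE: create it directly in the group
            plan.append(("POST", "/ers/config/endpoint", body))
    return plan

def send(base_url, user, password, method, path, body):
    """Send one planned request with HTTP basic auth (an ERS admin account)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
        method=method, headers={"Authorization": f"Basic {token}",
        "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed sample inventory (not real devices); the third row repeats the first.
SAMPLE = [("00:11:22:aa:bb:01", "group-a"), ("0011.22aa.bb02", "group-b"),
          ("00-11-22-AA-BB-01", "group-a")]
```

Review the output of `plan_requests` before passing each tuple to `send`, since a static group assignment overrides whatever group profiling would otherwise choose for that endpoint.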