Accepted Solutions
It all depends on your
1) Authorization Rules
2) Endpoint Profile configurations
Typically you have Policy Authorization Rules that match on endpoint profiles:
If there is a match, ISE will assign the Authorization Result and not continue to through the policy where it would eventually match on your CWA rule very near the bottom if not the final Default.
The endpoint profile may change based on new information after the initial assignment from HTTP, NMAP, etc. When this happens, you may perform a RADIUS Change of Authorization (COA). The default Global setting is to do nothing.
You have the ability to control and override this behavior per endpoint profile:
You probably do not care about some random guest using Windows 10 Workstation... so don't change it.
But if it is profiled as a printer or other specialized IOT device, you may want to dynamically perform a COA and re-authorize it properly.
Which COA you choose to perform would also depend on the endpoint type and how you have your access VLANs configured and what your network device is capable of supporting.
It is typically a bad idea to change the VLAN of non-workstations because they will not know to re-DHCP. For this reason if you do a COA you may want to do a COA with Port Bounce. It can be very endpoint-specific.
It all depends on your
1) Authorization Rules
2) Endpoint Profile configurations
Typically you have Policy Authorization Rules that match on endpoint profiles:
If there is a match, ISE will assign the Authorization Result and not continue to through the policy where it would eventually match on your CWA rule very near the bottom if not the final Default.
The endpoint profile may change based on new information after the initial assignment from HTTP, NMAP, etc. When this happens, you may perform a RADIUS Change of Authorization (COA). The default Global setting is to do nothing.
You have the ability to control and override this behavior per endpoint profile:
You probably do not care about some random guest using Windows 10 Workstation... so don't change it.
But if it is profiled as a printer or other specialized IOT device, you may want to dynamically perform a COA and re-authorize it properly.
Which COA you choose to perform would also depend on the endpoint type and how you have your access VLANs configured and what your network device is capable of supporting.
It is typically a bad idea to change the VLAN of non-workstations because they will not know to re-DHCP. For this reason if you do a COA you may want to do a COA with Port Bounce. It can be very endpoint-specific.
