Profiling CoA and CWA coexistence for unknown MAC addresses

neroshake
Level 1

Hello Colleagues,

I am trying to achieve the following with ISE 1.4.

Any device with an unknown MAC address but profiled as an Avaya phone should hit the AUTHZ_VOICE rule with the appropriate profile and ACL.

All other devices with an unknown MAC address should hit the CWA rule.

The logic says to send all devices with an unknown MAC to the CWA rule, and the CoA for profiled phones will take them back to the appropriate rule. But the problem is that it looks like profiling CoA is not working if the device has already hit the CWA rule for unknown MACs.

Any option/solution for this?

4 Replies

nspasov
Cisco Employee

Hi there-

I am not 100% sure I understand what you are trying to accomplish here. A device cannot be both unknown and profiled. A device remains unknown if ISE is not able to profile it based on the attributes received. Thus, if a device is profiled as an Avaya phone then that device will no longer be an "unknown" device. 

With that being said, keep in mind that ISE can be configured to perform CoA every time a device is re-profiled. For instance, from unknown to Avaya Phone. 

Thank you for rating helpful posts!

Thanks for the answer, Neno!

Yes, the device cannot be both unknown and profiled. But when it first connects to the network it is unknown, and becomes profiled after a time.

> keep in mind that ISE can be configured to perform CoA every time a device is re-profiled. For instance, from unknown to Avaya Phone.

Correct! But the thing is that if, at the time of being profiled, the device has already hit the rule with CWA web redirection, profiling CoA doesn't work. Tested and confirmed by TAC.

And I have more than 1000 phones to be connected. Right now a workaround is to use a dummy rule with just access-accept for all endpoints with a specific MAC OUI. But this is a solution for particular devices only - I also have UPSes (of different vendors), cameras, etc.

Hi Neroshake,

What was the TAC answer for this issue? Will they fix this, or do we have to use that workaround?
I experienced the same issue and I don't know how to solve it.

Thanks

Hi Andrea,

Nothing about fixing this in future. We have to use this workaround.