07-24-2019 02:37 PM
Is there any way to statically assign endpoints to a group as part of an authorization result? Or any way to capture the current population of devices so new devices can be identified?
To accelerate the process of identifying new unauthorized devices in an environment, it would be useful to capture the existing population of devices as the known unknown "to be reviewed" device group. This group of devices could then be reviewed and moved into approved use cases with matching authorization rules.
Initially the default rule would be configured to assign any devices that hit it to the "to be reviewed" group.
After the existing devices have been captured in the group, a rule immediately before the default rule would be created to permit the known unknown devices. The new default rule would be used to trigger an immediate unauthorized device investigation. Many of these investigations will identify authorized devices that are not being on-boarded properly.
This would allow the "to be reviewed" group to be emptied over time. And once the unauthorized devices investigations have a low false positive rate the customer could change the default rule to a deny or guest access.
This process is dependent on capturing the initial list of grandfathered devices, and it seems that being able to statically assign endpoints to a group as part of the authorization result would be the simplest way.
07-24-2019 07:13 PM
Endpoints that have gone through ISE hotspot portals or ISE BYOD will get assigned to static endpoint groups. Please review the info presented in the following two sections of the ISE Profiling Design Guide:
07-24-2019 07:57 PM
Unfortunately, those require someone to work through the portal to trigger the static assignment. I was looking for something that would capture IoT devices as well. I didn't think there was a solution, but was asked to reach out to the TME community.
07-27-2019 03:34 PM
We could use the assignments of Endpoint Custom Attributes or the like to differentiate known and pending-review. Such info can be used as authorization conditions.
07-27-2019 10:36 PM
Custom attributes would actually work better than endpoint groups since we could allow the profiler to continue to group devices by type. But there still is not a simple way to add the attribute to all known devices... Maybe an export of all devices could be used to create the import file, but that seems more like a hack than a simple solution.
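As an added example, not from the thread or from Cisco ISE, here is the export-then-import approach in Python: it reads an endpoint export, tags every grandfathered endpoint with a custom attribute for the "to be reviewed" state, and later flags any MAC outside that baseline so the default rule can drive an investigation. The CSV column names, the custom attribute name `ReviewStatus` and the sample rows are assumptions/constructed, not ISE's documented import format.

```python
import csv
import io

# Constructed sample of an endpoint export; column names are assumed, not ISE's real layout.
EXPORT_CSV = """MACAddress,EndPointPolicy,IdentityGroup
00:11:22:33:44:55,Cisco-IP-Phone,Profiled
aa:bb:cc:dd:ee:01,Windows10-Workstation,Workstation
AA:BB:CC:DD:EE:02,Unknown,Unknown
"""

REVIEW_ATTR = "ReviewStatus"   # hypothetical custom attribute name used in authorization conditions
PENDING = "pending-review"     # value for grandfathered endpoints awaiting review


def normalize_mac(mac):
    """Upper-case and strip so the same device is never counted twice."""
    return mac.strip().upper()


def load_baseline(export_text):
    """Return the set of MACs present in the export: the grandfathered population."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {normalize_mac(r["MACAddress"]) for r in rows}


def build_import_rows(export_text, attr=REVIEW_ATTR, value=PENDING):
    """Copy every exported endpoint and add the custom attribute column for re-import."""
    out = []
    for r in csv.DictReader(io.StringIO(export_text)):
        row = dict(r)
        row["MACAddress"] = normalize_mac(row["MACAddress"])
        row[attr] = value
        out.append(row)
    return out


def to_import_csv(rows):
    """Serialize the tagged rows as CSV text suitable as an import file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def find_new_endpoints(baseline, seen_macs):
    """MACs seen now that are not in the baseline: candidates for the unauthorized-device investigation."""
    return sorted({normalize_mac(m) for m in seen_macs} - baseline)


if __name__ == "__main__":
    baseline = load_baseline(EXPORT_CSV)
    print(to_import_csv(build_import_rows(EXPORT_CSV)))
    print(find_new_endpoints(baseline, ["aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"]))
```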
07-28-2019 08:04 AM
Profiling Using the pxGrid Probe might be something to consider.