06-03-2022 11:16 AM
Through probes using profiling, how can we create an Authorization policy set and assign the endpoints a specific VLAN? I have gone through various videos & documents; I have understood the concept to some extent but not completely.
Because there is a rule which says, if the switchport is in closed authentication then no traffic will be sent except EAPOL.
So how can we make an Authorization policy in the Policy set and authorize the user?
06-03-2022 01:26 PM
Hi
It depends on the user/device attributes that ISE would require to successfully profile them.
In closed mode:
CDP/LLDP: if profiling requires these attributes, ISE can use the SNMP probe to collect them from the switch (they can also be sent in the Access-Request if you are using IBNS 2).
DHCP: if profiling requires DHCP attributes, ISE could authorize with a DACL that permits DHCP only. ISE can get these attributes with the DHCP probe.
NMAP: if profiling requires port/OS attributes, ISE could authorize with a DACL that permits only the required ports (with the PSNs as destination).
hth
Andy
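A dACL that puts the profiling-stage authorization from this answer into practice, added here as an example rather than taken from Andy's post. It assumes an authorization rule for still-unprofiled endpoints pushes it, and 10.0.0.10 is a placeholder for the PSN address:

```cisco
! Constructed example: profiling-stage dACL for closed mode (not from the thread).
! The switch applies it inbound on the port once the session is authorized,
! so the endpoint gets just enough connectivity for ISE to collect attributes.
! DHCP client -> server, so the DHCP probe can see the request.
permit udp any eq bootpc any eq bootps
! Replies to the PSN only, so the NMAP scan gets answers (10.0.0.10 = placeholder PSN).
permit ip any host 10.0.0.10
! Everything else stays blocked until the endpoint is profiled and re-authorized.
deny ip any any
```

Once the profiler has matched the endpoint, a CoA re-authorizes the session so a later rule can assign the final VLAN; check the Live Log to confirm the session moved from the restricted rule to the VLAN rule.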
06-03-2022 02:00 PM
Hi @RohitSingh91693 ,
Beyond what @andrewswanson said ... please take a look at: Cisco ISE Device Administration Prescriptive Deployment Guide, search for Device Admin Policy Sets.
About Probes ... remember that:
1st: A Network Probe is a method used to collect an attribute or a set of attributes from an Endpoint on your network. It analyzes received Network Traffic (e.g. RADIUS, SNMP, DHCP, HTTP and more) by collecting Endpoint Attributes.
2nd: Most Probes are passive ... traffic MUST be delivered to ISE.
3rd: It is NOT recommended to configure ALL Probes, especially in a Production Deployment, as this may result in more data collection than is required to achieve the desired goal !!!
Note: you are able to enable Probes at Administration > System > Deployment > select the PSN > select Profiling Configuration tab.
Hope this helps !!!
06-03-2022 04:25 PM
Use low-impact with dACLs instead of closed mode.