I am using:
Installed Patches 2
Product Identifier (PID) ISE-VM-K9
Version Identifier (VID) V01
ADE-OS Version 3.0.8.091
I have a question about “stacking” profiles. By stacking, I mean I have set up ISE to NMAP and profile a factory-new endpoint to an initially trusted endpoint profile and assign it to an identity group as a candidate for further processing.
The initial profile works great: NMAP performs its scan, meeting a profiler policy condition through a customized NMAPExtension, and the system places the endpoint in a selected Identity Group called “candidate”.
Life would be so easy if I left the endpoint in this state, but I have this access requirement to first profile the endpoint and use a graduated approach from a candidate (member of this identity group) to a higher set of authorizations including VLAN/dACL assignment.
My initial approach was to build a policy set outside of the initial working set that brought the “layer0-endpoint” to “layer1-candidate” and then, once in the candidate stage, authorized it to a different authorization profile, turning it into “layer2-release”. Obviously, I am performing configurations to the endpoint when they transition through the phases – including an eventual DOT1X implementation in the end.
The endpoint comes out of the factory-sealed box and is added to the network: layer0-endpoint -> layer1-candidate -> layer2-release
I’ve tried a few things, yet nothing is working. At this point, I’m unsure it is even possible to first profile an endpoint into a candidate and then into release – or my profile stacking concept.
Any points or articles which may help, please…