cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1326
Views
0
Helpful
2
Replies

Transitioning Through Profiles (Profile Stacking)

chris-lawrence
Level 1
Level 1

Team,

 

I am using:

 

Version 3.0.0.458

Installed Patches 2

Product Identifier (PID) ISE-VM-K9

Version Identifier (VID) V01

ADE-OS Version 3.0.8.091

 

I have a question about “stacking” profiles. By stacking, I mean, I have setup ISE to NMAP and profile an factory new endpoint to an initially trusted endpoint profile and assign it to an identity group as a candidate for further processing.

 

The initial profile works great, the NMAP performs its scan, meeting a profiler policy condition through customized NMAPExtension and the system places the endpoint in a selected Identity Group called “candidate”.

 

Life would be so easy if I left the endpoint in this state, but I have this access requirement to first profile the endpoint and use a graduated approach from a candidate (member of this identity group) to a higher set of authorizations including VLAN/dACL assignment.

 

My initial approach was to build a policy set outside of the initial working set that bought the “layer0-endpoint” to “layer1-candidate” and then once in the candidate stage, authorized it to a different authorization profile, turning it into “layer2-release”. Obviously, I am performing configurations to the endpoint when they transition through the phases – including an eventual DOT1X implementation in the end.

 

Goes from out of the factory sealed box and added to the network - layer0-endpoint -> layer1-candidate -> layer2-release

 

I’ve tried a few things, yet nothing is working. At this point, I’m unsure it is even possible to first profile an endpoint into a candidate and then into release – or my profile stacking concept.

 

Any points or artlicles which may help please…

 

Thanks,

Chris

2 Replies 2

chris-lawrence
Level 1
Level 1

Team,

 

So my question is not related to stacking profiles (I guess considered "reprofiling")... I suppose I want to create a new policy set to apply to the “layer1-candidate” after it has been given an Identity Group Assignment to my group - and then once you become a member of that group, you get updated permissions (new VLAN/dACL) given the endpoint modified access.

 

I just do see how this is done with the Policy Set Conditions Studio. I just don't see a dictionary which allowes me to choose some of the ISE parameters like the grouping the endpoint belongs to or its currently assigned policy.

hslai
Cisco Employee
Cisco Employee

Chris: You are correct that endpoint groups or attributes are not currently available as conditions to select a policy set. Thus, you would need to use the same policy set or key off others.