09-30-2020 09:02 AM - edited 10-01-2020 02:15 AM
Hello,
We came across an issue that a profiled endpoint lost its profiling after its custom attributes were updated through ERS.
In the body of the API call I had only included the MAC address and a couple of custom attributes.
I don't have full details at the moment as this has happened at a client's site but I'll get everything else necessary to resolve.
Thanks
10-01-2020 07:13 AM
There is a global setting that controls whether or not you want ISE to issue a Change of Authorization (CoA) when profiling data changes. Go to Administration->System->Settings->Profiling. There is an option for CoA behavior whether to do "No CoA", port bounce, or reauthentication. Within the profiling policies, there are also options there to trigger a CoA for a specific profiling policy.
This behavior is expected/wanted in a lot of environments because if attributes change for a device, it should be profiled again to ensure the profile is accurate. And if the profile changes, the device should probably be reauthenticated to ensure it has the appropriate access.
09-30-2020 10:24 AM
Example data sent to the API endpoint:
data = {'ERSEndPoint': {'mac': '00:11:22:33:44:55', 'customAttributes': {'customAttributes': {'key1': 'value1'}}}}
10-01-2020 02:16 AM
We've since discovered that the issue is different than we'd originally thought. It seems that updating the values of the custom attributes causes ISE to perform reauthorization of the endpoint, which might not be the expected behavior.
Is this at least documented somewhere?
10-01-2020 12:38 PM
Thinking about what you said, it does make sense. Though the granularity of controlling this feature is a bit rough, I think. I may want to disable it for updating the custom attributes, or maybe per probe. But maybe this suggestion is not a normal way to operate.
In any case, thank you very much for the answer, very helpful.
10-15-2020 12:25 PM
Hi, getting back to this. What happened is actually that an endpoint that was statically assigned to an identity group lost the static assignment and became "Unknown" since it had no further attributes.
Is this a possible behavior of ISE?