06-27-2019 08:30 AM
Hi all,
I'm using ISE with a 3850 switch running 802.1x. Our 802.1x setup requires the phone to have a CAPF certificate and authenticates via EAP-TLS. There's a chicken/egg scenario with a new phone setup. I know we could plug the phone into a lab port without 802.1x, but we deploy a lot of phones so we want it as scalable as possible.
The Policy set would look like this:
So the thought is, it would look like this:
However, it seems to work like this:
Is this normal? Is there a way for Cisco to profile faster so it immediately sees it as a Cisco Phone?
We have Device sensor on.
06-29-2019 12:10 AM
What you have described is how profiling works. Another option is not to use profiling for the initial phase. Instead, use EAP-TLS with the MIC (Manufacturer Installed Certificate) that is already present on the phone as the initial authentication.
You simply need to trust the Cisco certificate for EAP purposes and create an appropriate policy to permit MIC-authenticated phones onto the network.
06-29-2019 07:18 AM
So it's normal for the device to get authorized as an unknown device first by ISE (i.e. the catch-all), and then ISE finishes profiling. Does ISE then decide to put the device through the AuthZ policy again on its own after profiling happens and send a CoA based on the result?
Or does the switch need to ask for a reauth?
Thanks!!
06-29-2019 08:37 AM
It depends on the global CoA setting under Administration > System > Settings > Profiling. If set to Reauth or Port Bounce the endpoint will be moved to Phone ACL upon moving from unknown device to a known profile.
07-01-2019 08:08 AM
My CoA Type is currently set to "No CoA". Yet it still seems to update its authorization. Maybe it's the switch sending re-auths. If the switch sends re-auth requests, I'm assuming it would get authorized based on the updated profile if it changed?
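The sequence the thread describes (catch-all first, profiler update later, then either a CoA or a switch-initiated reauth moving the phone to the Phone ACL) and the suggested MIC-based rule can be modelled as a small ordered-rule evaluator. The following Python is an added example written for this thread, not Cisco's or ISE's own code: the issuer names, rule names and MAC address are constructed placeholders, and a "Reauth" or "Port Bounce" CoA is modelled as an immediate re-run of the policy rather than the real RADIUS exchange with the switch.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder issuer names. They stand in for the Cisco
# Manufacturing CA (which signs the MIC) and the CUCM CAPF (which signs
# the LSC); the real certificates are not reproduced here.
MIC_ISSUER = "CN=Placeholder Manufacturing CA"
CAPF_ISSUER = "CN=Placeholder CAPF"
TRUSTED_ISSUERS = {MIC_ISSUER, CAPF_ISSUER}


@dataclass
class Endpoint:
    mac: str
    cert_issuer: Optional[str]   # issuer of the EAP-TLS client cert; None = no cert
    profile: str = "Unknown"     # profiler verdict, starts as Unknown


@dataclass
class Session:
    endpoint: Endpoint
    authz_profile: str


def authenticate(ep: Endpoint) -> bool:
    """EAP-TLS succeeds only if the client certificate chains to a trusted issuer."""
    return ep.cert_issuer in TRUSTED_ISSUERS


def authorize(ep: Endpoint) -> str:
    """Ordered authorization rules, first match wins (hypothetical rule names)."""
    if ep.profile == "Cisco-IP-Phone" and ep.cert_issuer == CAPF_ISSUER:
        return "Phone-ACL"                # fully provisioned, profiled phone
    if ep.cert_issuer == MIC_ISSUER:
        return "Phone-Provisioning"       # MIC-authenticated phone: enough access to enrol
    return "Catch-All-Restricted"         # default rule, hit before profiling finishes


class Ise:
    """Toy model of the session / profiler / CoA interaction."""

    def __init__(self, coa_type: str) -> None:
        self.coa_type = coa_type          # "No CoA", "Reauth" or "Port Bounce"
        self.sessions: Dict[str, Session] = {}
        self.coa_log: List[Tuple[str, str]] = []

    def access_request(self, ep: Endpoint) -> str:
        """Switch sends a RADIUS Access-Request; returns the authorization result."""
        if not authenticate(ep):
            return "Access-Reject"
        result = authorize(ep)
        self.sessions[ep.mac] = Session(ep, result)
        return result

    def current_authz(self, mac: str) -> str:
        return self.sessions[mac].authz_profile

    def profiler_update(self, mac: str, new_profile: str) -> Optional[str]:
        """Profiler (e.g. from device-sensor data) changes the endpoint's profile.

        With "No CoA" the existing authorization is left untouched and None is
        returned; otherwise a CoA is logged and the policy is re-run.
        """
        sess = self.sessions[mac]
        sess.endpoint.profile = new_profile
        if self.coa_type == "No CoA":
            return None
        self.coa_log.append((mac, self.coa_type))
        return self.access_request(sess.endpoint)

    def switch_reauth(self, mac: str) -> str:
        """Switch-initiated periodic reauthentication re-runs the policy."""
        return self.access_request(self.sessions[mac].endpoint)


def demo() -> Dict[str, Optional[str]]:
    """Walk through the thread's scenario and return the results by step."""
    out: Dict[str, Optional[str]] = {}
    # Phone with a CAPF-issued LSC, global CoA set to "No CoA"
    ise = Ise("No CoA")
    phone = Endpoint("00:00:5e:00:53:01", CAPF_ISSUER)   # constructed MAC
    out["initial"] = ise.access_request(phone)
    out["after_profile_no_coa"] = ise.profiler_update(phone.mac, "Cisco-IP-Phone")
    out["still_catchall"] = ise.current_authz(phone.mac)
    out["after_switch_reauth"] = ise.switch_reauth(phone.mac)
    # Same phone, CoA type set to "Reauth"
    ise2 = Ise("Reauth")
    phone2 = Endpoint("00:00:5e:00:53:02", CAPF_ISSUER)
    ise2.access_request(phone2)
    out["after_profile_reauth_coa"] = ise2.profiler_update(phone2.mac, "Cisco-IP-Phone")
    # Brand-new phone that only has its MIC: no profiling needed
    out["new_phone_mic"] = ise2.access_request(Endpoint("00:00:5e:00:53:03", MIC_ISSUER))
    # Device with no certificate at all fails EAP-TLS
    out["no_cert"] = ise2.access_request(Endpoint("00:00:5e:00:53:04", None))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:28s} -> {result}")
```

The rule order is the point: the MIC rule sits above the catch-all, so a phone fresh out of the box is placed into a provisioning authorization without waiting for the profiler, while a CAPF-certified phone that has not yet been profiled still lands in the catch-all until either a profiler-triggered CoA or the switch's own reauthentication re-runs the policy.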