I am trying to create an authorization condition to match any newly created endpoint. In other words, a condition to match a device the first time it is seen by ISE.
I thought using dictionary attribute ENDPOINTPURGE:ElapsedDays equals zero might ...
@RichardAtkin wrote:
To be honest with you, I still don't get why you think your use case is different to anybody else who does profiling. Why can't you create Authz rules for the various device types to grant them the access you want them to, then a...
Using Octavian's suggestion, we created a compound authorization condition with the following dictionary attributes:
NetworkAccess:AuthenticationMethod = Lookup and NetworkAccess:AuthenticationStatus = UnknownUser
We tested this with a variety of ...
If the device is not new and it was already profiled, it will not match this rule but a top rule.
The assumption you're making is that all "not new" profiled MAB devices have an authorization rule. That isn't the case here, unfortunately. There will...
Well, so far we've identified that the following services are necessary for many devices to complete profiling and also to be in a state to accept a CoA on reauth.
DHCP, DNS, ICMP to GW, TFTP, AD
Not all are required for profiling but some device...
We've found that some new devices do not get correctly profiled until they are granted some limited access to allow the profiling probes to gather all the data needed for an accurate profiler policy match.
We're looking for a method to identify new W...