Cisco Support Community
Community Member

ISE profiling

Hi,

I would like to know if it is possible to disable COA when a device meets a profile. For example, I have the following profiling policy:

Workstation

- Windows XP

- Windows Vista

- Windows 7

- Windows 8

Sometimes the device gets profiled as 'Workstation'; other times it gets profiled as Windows XP, Vista, 7, etc.

When the device gets profiled as Windows XP, Vista, 7, etc., I want to disable COA so that the device doesn't change its profile, so it will remain profiled as Windows XP, Vista, 7, etc. forever.

At this moment, our devices get profiled, but sometimes a device has its profile changed to 'Workstation', sometimes unknown. I want to keep them always profiled as Windows devices.

I really appreciate any help!

Thanks,

Emerson Rodrigues


Accepted Solutions
Community Member

You need to create an exception action. This statically assigns the profile to the endpoint. Let me know if you need help on the exception action creation.

Also, it is not recommended to enable all probes. Most of the time you only need DHCP, RADIUS, SNMP Query and HTTP.

8 REPLIES
Community Member

Is this the setting you need?

Community Member

Thank you guys for replying.

As in the image below, the device is changing its profile. I've got all probes enabled.

I want that when the client meets a profile, like Windows 7, it always remains as Windows 7 and never changes profile again.

I've already disabled CoA, but it's still changing profile.

Community Member

btellez, thank you for replying. I'll try to create that exception action and let you know the results.
Community Member

Exception Action works fine!

 

Thank you!

Setting up COA, SNMP RO Community and Endpoint Attribute Filter

Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration page that enables the profiling service with more control over endpoints that are already authenticated.

In addition, you can configure additional SNMP Read Only community strings separated by a comma for the NMAP manual network scan in the Profiler Configuration page. The SNMP RO community strings are used in the same order as they appear in the Current custom SNMP community strings field.

You can also configure endpoint attribute filtering in the Profiler Configuration page.


Step 1 Choose Administration > System > Settings > Profiling.

Step 2 Choose one of the following settings to configure the CoA type:

    • No CoA (default): You can use this option to disable the global configuration of CoA. This setting overrides any configured CoA per endpoint profiling policy.
    • Port Bounce: You can use this option, if the switch port exists with only one session. If the port exists with multiple sessions, then use the Reauth option.
    • Reauth: You can use this option to enforce reauthentication of an already authenticated endpoint when it is profiled.

If you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function avoids disconnecting other sessions, a situation that might occur with the Port Bounce option.

Step 3 Enter new SNMP community strings separated by a comma for the NMAP manual network scan in the Change custom SNMP community strings field, and re-enter the strings in the Confirm custom SNMP community strings field for confirmation.

Step 4 Check the Endpoint Attribute Filter check box to enable endpoint attribute filtering.

Step 5 Click Save.

Refer: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html

Cisco Employee

"Endpoint Does Not Align to the Expected Profile": is this the issue you are facing? http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#pgfId-193213 What are the probes you are using for profiling?

Community Member

Hello Btellez,

I would need help on the exception rule creation, as I have an issue where I statically add endpoints to a particular logical profile I created, but after some time I notice that the endpoint loses the profile, therefore not getting the desired authorization.

Thanks.
