ISE Profiler & CoA
Earlier, when a device was discovered, profiling happened in stages and each stage used a different authorization policy: one policy before the device was profiled, another after it was profiled, and yet another once the endpoint was definitely known. In a nutshell, different levels of authorization policy were applied at different points in the endpoint discovery process. Change of Authorization (CoA) was introduced to solve this problem.
With CoA, as soon as ISE learns more about an endpoint, at whatever time that happens, it can send a CoA to the network so that a different level of access is applied to the device.
There are two methods of applying CoA with Profiling.
- Global setting
- CoA on a per-profile basis
To enable global CoA, navigate to:
Work Centers | Profiler | Settings
In the figure above, the default setting is No CoA. Click the drop-down list, shown in the figure below, to see the other choices: Port Bounce and Reauth.
Port Bounce performs a shutdown on the switch port and then a no shutdown to re-enable it.
The benefit of this mode is that, when the link state changes, many devices renew their DHCP-assigned IP address. However, when an IP phone is connected to the port and more than one MAC address has been learned on it, this mode sends only a Reauth instead of bouncing the port.
A Reauth asks the NAD to initiate a new authentication with the endpoint, either by sending another EAPoL-Start message so that the supplicant sends its credentials again, or by resending a RADIUS authentication with the endpoint's MAC address as the identity credential. Whichever type of authentication is used, the same session ID is maintained, which lets ISE tie together the multiple states of the endpoint.
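On the wire, the CoA that ISE sends for either action is a RADIUS CoA-Request (RFC 5176), and the NAD honours it only if the Request Authenticator verifies under the RADIUS shared secret. The following added example (not code from this page or from Cisco) builds a constructed CoA-Request carrying the session identifier and the cisco-av-pair values Cisco documents for port bounce and reauthentication (assumed here), then parses and verifies it the way a NAD would, so a request with the wrong secret or a tampered attribute fails the check.

```python
import hashlib
import struct

COA_REQUEST = 43  # RFC 5176 packet code for CoA-Request
ATTR_VENDOR_SPECIFIC, ATTR_ACCT_SESSION_ID = 26, 44  # RFC 2865 attribute types
VENDOR_CISCO, CISCO_AVPAIR = 9, 1  # Cisco vendor-id; vendor-type of cisco-av-pair

# cisco-av-pair values Cisco documents for the two actions (assumed; not from this page)
COA_ACTIONS = {
    "port_bounce": ["subscriber:command=bounce-host-port"],
    "reauth": ["subscriber:command=reauthenticate", "subscriber:reauthenticate-type=last"],
}

def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def _cisco_avpair(text):
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)

def build_coa_request(secret, identifier, session_id, action):
    # Constructed sample of the CoA-Request ISE would send for one session
    attrs = _avp(ATTR_ACCT_SESSION_ID, session_id.encode())
    for pair in COA_ACTIONS[action]:
        attrs += _cisco_avpair(pair)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_coa_request(packet, secret):
    # Check the authenticator the way the NAD does, then classify the requested action
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    info = {"authentic": expected == packet[4:20], "session_id": None, "avpairs": []}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_ACCT_SESSION_ID:
            info["session_id"] = value.decode()
        elif atype == ATTR_VENDOR_SPECIFIC and value[:5] == struct.pack("!IB", VENDOR_CISCO, CISCO_AVPAIR):
            info["avpairs"].append(value[6:4 + value[5]].decode())
        pos += alen
    info["action"] = next((k for k, v in COA_ACTIONS.items() if v[0] in info["avpairs"]), "unknown")
    return info
```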
Per Profile CoA:
ISE 2.1 added a setting on the profile that lets the administrator control which CoA action is used. For example, certain device types can be sent a Port Bounce CoA while others use the global Reauth CoA.
When a particular type of CoA is configured for a profile, it is called Per Profile CoA; when an endpoint is classified into that profile, the CoA configured for it is applied.
Profile in Authorization Policy
Here, ISE uses the profile as a condition in an authorization policy rule, in the form of an identity group.
Endpoint Identity Group
An identity group contains multiple individual identities of users, devices or endpoints, but the identity of a user or endpoint can be a member of only one identity group at a time.
To create an identity group based on a profile, use the method shown in the figure below:
Select the Yes, Create Matching Identity Group option on the profile.
If this option is selected, the matching identity group can be found under Administration | Identity Management | Groups | Endpoint Identity Groups.
Since ISE 1.2, endpoint identity groups have been used for various purposes.