Cisco IOS NetFlow Version 5 packets do not contain MAC addresses of endpoints. The attributes that are collected from NetFlow Version 5 cannot be directly added to the Cisco ISE database. You can discover endpoints by using their IP addresses, and append the NetFlow Version 5 attributes to endpoints, which can be done by combining IP addresses of the network access devices and IP addresses obtained from the NetFlow Version 5 attributes. However, these endpoints must have been previously discovered with the RADIUS or SNMP probe.

The MAC address is not a part of IP flows in earlier versions of NetFlow Version 5, which requires you to profile endpoints with their IP addresses by correlating the attributes information collected from the network access devices in the endpoints cache.

For more information on the NetFlow Version 5 Record Format, see Table 2, "Cisco IOS NetFlow Flow Record and Export Format Content Information" of the NetFlow Services Solutions Guide.

DHCP Probe

The Dynamic Host Configuration Protocol probe in your Cisco ISE deployment, when enabled, allows the Cisco ISE profiling service to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types. Though other DHCP message types such as RENEWING and REBINDING are processed, they are not used for profiling endpoints. Any attribute parsed out of DHCP packets is mapped to endpoint attributes.

DHCPREQUEST Message Generated During INIT-REBOOT State

If the DHCP client checks to verify a previously allocated and cached configuration, then the client must not fill in the Server identifier (server-ip) option. Instead it should fill in the Requested IP address (requested-ip) option with the previously assigned IP address, and fill in the Client IP Address (ciaddr) field with zero in its DHCPREQUEST message. The DHCP server will then send a DHCPNAK message to the client if the Requested IP address is incorrect or the client is located in the wrong network.

DHCPREQUEST Message Generated During SELECTING State

The DHCP client inserts the IP address of the selected DHCP server in the Server identifier (server-ip) option, fills in the Requested IP address (requested-ip) option with the value of the Your IP Address (yiaddr) field from the DHCPOFFER chosen by the client, and fills in the "ciaddr" field with zero.
Table 25: DHCP Client Messages from Different States

                     INIT-REBOOT   SELECTING   RENEWING     REBINDING
  broadcast/unicast  broadcast     broadcast   unicast      broadcast
  server-ip          MUST NOT      MUST        MUST NOT     MUST NOT
  requested-ip       MUST          MUST        MUST NOT     MUST NOT
  ciaddr             zero          zero        IP address   IP address

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 455, Network Probes Used by Profiling Service
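The two DHCPREQUEST cases described above, as an added example that is not part of the Cisco guide: a small Python parser reads ciaddr and the server-identifier and requested-ip options from a DHCP packet, classifies the client state with the Table 25 rules, and reports whether the Cisco ISE DHCP probe would re-profile on it (only INIT-REBOOT and SELECTING). The packets are constructed by the build_request() helper in the block, not captured traffic.

```python
"""Classify DHCPREQUEST messages by client state using the Table 25 rules
(server-ip / requested-ip / ciaddr). Added example, not Cisco code; the
packets are constructed by build_request() below, not captured traffic."""
import struct
from ipaddress import IPv4Address
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
DHCPREQUEST = 3
# The Cisco ISE DHCP probe re-profiles only on these two request states.
REPROFILE_STATES = {"INIT-REBOOT", "SELECTING"}


def parse_dhcp(pkt: bytes) -> dict:
    """Return ciaddr, the client MAC (chaddr) and the option TLVs."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    ciaddr = IPv4Address(pkt[12:16])
    chaddr = pkt[28:34].hex(":")        # first 6 bytes of the 16-byte chaddr
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                 # pad option, carries no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return {"ciaddr": ciaddr, "chaddr": chaddr, "options": opts}


def classify_request(msg: dict, broadcast: Optional[bool] = None) -> str:
    """Map a parsed DHCPREQUEST to the client state it was sent from."""
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        raise ValueError("not a DHCPREQUEST")
    server_id = OPT_SERVER_ID in opts
    requested = OPT_REQUESTED_IP in opts
    ciaddr_zero = msg["ciaddr"] == IPv4Address("0.0.0.0")
    if server_id and requested and ciaddr_zero:
        return "SELECTING"
    if not server_id and requested and ciaddr_zero:
        return "INIT-REBOOT"
    if not server_id and not requested and not ciaddr_zero:
        # RENEWING is unicast to the lease's server, REBINDING is broadcast;
        # the options alone cannot tell them apart, so use the delivery mode.
        if broadcast is None:
            return "RENEWING/REBINDING"
        return "REBINDING" if broadcast else "RENEWING"
    return "INVALID"   # breaks a MUST / MUST NOT rule of Table 25


def profiler_reprofiles(state: str) -> bool:
    """True when the ISE DHCP probe would re-profile on this request."""
    return state in REPROFILE_STATES


def build_request(chaddr: bytes, ciaddr: str, requested_ip: Optional[str] = None,
                  server_id: Optional[str] = None) -> bytes:
    """Constructed DHCPREQUEST for the examples (BOOTP header + options)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326,
                      0, 0x8000, IPv4Address(ciaddr).packed, b"\0" * 4,
                      b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if requested_ip:
        opts += bytes([OPT_REQUESTED_IP, 4]) + IPv4Address(requested_ip).packed
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])
```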
Wireless LAN Controller Configuration in DHCP Bridging Mode

We recommend that you configure wireless LAN controllers (WLCs) in Dynamic Host Configuration Protocol (DHCP) bridging mode, where you can forward all the DHCP packets from the wireless clients to Cisco ISE. You must uncheck the Enable DHCP Proxy check box available in the WLC web interface: Controller > Advanced > DHCP Master Controller Mode > DHCP Parameters. You must also ensure that the DHCP IP helper command points to the Cisco ISE Policy Service node.

DHCP SPAN Probe

The DHCP Switched Port Analyzer (SPAN) probe, when initialized in a Cisco ISE node, listens to network traffic that comes from network access devices on a specific interface. You need to configure network access devices to forward DHCP SPAN packets to the Cisco ISE profiler from the DHCP servers. The profiler receives these DHCP SPAN packets and parses them to capture the attributes of an endpoint, which can be used for profiling endpoints.

For example,

  switch(config)# monitor session 1 source interface Gi1/0/4
  switch(config)# monitor session 1 destination interface Gi1/0/2

HTTP Probe

In the HTTP probe, the identification string is transmitted in the HTTP request-header field User-Agent, which is an attribute that can be used to create a profiling condition of IP type, and to check the web browser information. The profiler captures the web browser information from the User-Agent attribute along with other HTTP attributes from the request messages, and adds them to the list of endpoint attributes.

Cisco ISE listens to communication from the web browsers on both port 80 and port 8080. Cisco ISE provides many default profiles, which are built in to the system to identify endpoints based on the User-Agent attribute.

HTTP SPAN Probe

The HTTP probe in your Cisco ISE deployment, when enabled with the Switched Port Analyzer (SPAN) probe, allows the profiler to capture HTTP packets from the specified interfaces. You can use the SPAN capability on port 80, where the Cisco ISE server listens to communication from the web browsers.

HTTP SPAN collects HTTP attributes of an HTTP request-header message along with the IP addresses in the IP header (L3 header), which can be associated to an endpoint based on the MAC address of an endpoint in the L2 header. This information is useful for identifying different mobile and portable IP-enabled devices such as Apple devices, and computers with different operating systems. Identifying different mobile and portable IP-enabled devices is made more reliable because the Cisco ISE server redirects captures during a guest login or client provisioning download. This allows the profiler to collect the User-Agent attribute and other HTTP attributes from the request messages and then identify devices such as Apple devices.

Unable to Collect HTTP Attributes in Cisco ISE Running on VMware

If you deploy Cisco ISE on an ESX server (VMware), the Cisco ISE profiler collects the Dynamic Host Configuration Protocol traffic but does not collect the HTTP traffic due to configuration issues on the vSphere client. To collect HTTP traffic on a VMware setup, configure the security settings by changing the Promiscuous Mode to Accept from Reject (the default) of the virtual switch that you create for the Cisco ISE profiler. When the Switched Port Analyzer (SPAN) probe for DHCP and HTTP is enabled, the Cisco ISE profiler collects both the DHCP and HTTP traffic.

RADIUS Probe

You can configure Cisco ISE for authentication with RADIUS, where you can define a shared secret that you can use in client-server transactions. With the RADIUS request and response messages that are received from the RADIUS servers, the profiler can collect RADIUS attributes, which can be used for profiling endpoints.

Cisco ISE can function as a RADIUS server, and as a RADIUS proxy client to other RADIUS servers. When it acts as a proxy client, it uses external RADIUS servers to process RADIUS request and response messages.

Network Scan (NMAP) Probe

About the NMAP Probe

Cisco ISE enables you to detect devices in a subnet by using the NMAP security scanner. You enable the NMAP probe on the Policy Service node that is enabled to run the profiling service. You use the results from that probe in an endpoint profiling policy.

Each NMAP manual subnet scan has a unique numeric ID that is used to update an endpoint's source information with that scan ID. Upon detection of endpoints, the endpoint source information can also be updated to indicate that it is discovered by the Network Scan probe.

The NMAP manual subnet scan is useful for detecting devices such as printers with a static IP address assigned to them that are connected constantly to the Cisco ISE network, and therefore cannot be discovered by other probes.

NMAP Scan Limitations

Scanning a subnet is highly resource intensive. Scanning a subnet is a lengthy process that depends on the size and density of the subnet. The number of active scans is always restricted to one scan, which means that you can scan only a single subnet at a time. You can cancel a subnet scan at any time while the subnet scan is in progress. You can use the Click to see latest scan results link to view the most recent network scan results that are stored in Administration > Identities > Latest Network Scan Results.
Manual NMAP Scan

The following NMAP command scans a subnet and sends the output to nmapSubnet.log:

  nmap -O -sU -p U:161,162 -oN /opt/CSCOcpm/logs/nmapSubnet.log --append-output -oX -

Table 26: NMAP Commands for a Manual Subnet Scan

  Option  Description
  -O      Enables OS detection
  -sU     UDP scan
  -p      Scans only specified ports. For example, U:161,162
  -oN     Normal output
  -oX     XML output
SNMP Read Only Community Strings for NMAP Manual Subnet Scan

The NMAP manual subnet scan is augmented with an SNMP Query whenever the scan discovers that UDP port 161 is open on an endpoint, which results in more attributes being collected. During the NMAP manual subnet scan, the Network Scan probe detects whether SNMP port 161 is open on the device. If the port is open, an SNMP Query is triggered with a default community string (public) with SNMP version 2c. If the device supports SNMP and the default Read Only community string is set to public, you can obtain the MAC address of the device from the MIB value "ifPhysAddress". In addition, you can configure additional SNMP Read Only community strings separated by a comma for the NMAP manual network scan in the Profiler Configuration page. You can also specify new Read Only community strings for an SNMP MIB walk with SNMP versions 1 and 2c in the following location: Administration > System > Settings > Profiling.

Latest Network Scan Results

The most recent network scan results are stored in Administration > Identity Management > Identities > Latest Network Scan Results.

The Latest Network Scan Results Endpoints page displays only the most recent endpoints that are detected, along with their associated endpoint profiles, their MAC addresses, and their static assignment status as the result of a manual network scan you perform on any subnet. This page allows you to edit endpoints that are detected from the endpoint subnet for better classification, if required.

Cisco ISE allows you to perform the manual network scan from the Policy Service nodes that are enabled to run the profiling service. You must choose the Policy Service node from the primary Administration ISE node user interface in your deployment to run the manual network scan from the Policy Service node. During the manual network scan on any subnet, the Network Scan probe detects endpoints on the specified subnet and their operating systems, and checks UDP ports 161 and 162 for an SNMP service.
DNS Probe

The Domain Name Service (DNS) probe in your Cisco ISE deployment allows the profiler to look up an endpoint and get the fully qualified domain name (FQDN). After an endpoint is detected in your Cisco ISE-enabled network, a list of endpoint attributes is collected from the NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP probes.

When you deploy Cisco ISE in a standalone or in a distributed environment for the first time, you are prompted to run the setup utility to configure the Cisco ISE appliance. When you run the setup utility, you will configure the Domain Name System (DNS) domain and the primary nameserver (primary DNS server), where you can configure one or more nameservers during setup. You can also change or add DNS nameservers later after deploying Cisco ISE using the CLI commands.

DNS FQDN Lookup

Before a DNS lookup can be performed, one of the following probes must be started along with the DNS probe: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP. This allows the DNS probe in the profiler to do a reverse DNS lookup (FQDN lookup) against specified name servers that you define in your Cisco ISE deployment. A new attribute is added to the attribute list for an endpoint, which can be used for an endpoint profiling policy evaluation. The FQDN is the new attribute that exists in the system IP dictionary. You can create an endpoint profiling condition to validate the FQDN attribute and its value for profiling. The following are the specific endpoint attributes that are required for a DNS lookup and the probe that collects these attributes:
• The dhcp-requested-address attribute — An attribute collected by the DHCP and DHCP SPAN probes.
• The SourceIP attribute — An attribute collected by the HTTP probe.
• The Framed-IP-Address attribute — An attribute collected by the RADIUS probe.
• The cdpCacheAddress attribute — An attribute collected by the SNMP probe.

DNS Lookup with an Inline Posture Node Deployment in Bridged Mode

For the Domain Name Service probe to work with an Inline Posture deployment in the Bridged mode, you must configure the callStationIdType information sent in RADIUS messages for the Wireless LAN Controllers (WLCs). The Framed-IP-Address attribute in RADIUS messages does not contain the Call Station ID type in the MAC address format. Therefore RADIUS messages cannot be associated with the MAC address of endpoints, and the DNS probe is unable to perform the reverse DNS lookup. In order to profile endpoints, you must enable the RADIUS and DNS probes in Cisco ISE, and then configure the WLCs to send the calling station ID in the MAC address format instead of the current IP address format in RADIUS messages. Once the callStationIdType is configured in the WLCs, the configuration uses the selected calling station ID for communications with RADIUS servers and other applications. It results in endpoint authentication, and then the DNS probe does a reverse DNS lookup (FQDN lookup) against the specified name servers and updates the FQDN of endpoints.

Configure Call Station ID Type in the WLC Web Interface

You can use the WLC web interface to configure Call Station ID Type information. You can go to the Security tab of the WLC web interface to configure the calling station ID in the RADIUS Authentication Servers page. The MAC Delimiter field is set to Colon by default in the WLC user interface.

For more information on how to configure this in the WLC web interface, see Chapter 6, "Configuring Security Solutions" in the Cisco Wireless LAN Controller Configuration Guide, Release 7.2.

For more information on how to configure this in the WLC CLI using the config radius callStationIdType command, see Chapter 2, "Controller Commands" in the Cisco Wireless LAN Controller Command Reference Guide, Release 7.2.

Procedure

Step 1 Log in to your Wireless LAN Controller user interface.
Step 2 Click Security.
Step 3 Expand AAA, and then choose RADIUS > Authentication.
Step 4 Choose System MAC Address from the Call Station ID Type drop-down list.
Step 5 Choose Colon from the MAC Delimiter drop-down list.
SNMP Query Probe

In addition to configuring the SNMP Query probe in the Edit Node page, you must configure other Simple Network Management Protocol settings in the following location: Administration > Network Resources > Network Devices.

You can configure SNMP settings in the new network access devices (NADs) in the Network Devices list page. The polling interval that you specify in the SNMP Query probe or in the SNMP settings of the network access devices determines how often the NADs are queried.

You can turn on and turn off SNMP querying for specific NADs based on the following configurations:
• SNMP query on Linkup and New MAC notification turned on or turned off
• SNMP query on Linkup and New MAC notification turned on or turned off for Cisco Discovery Protocol information
• SNMP query timer, once an hour for each switch by default

For an iDevice, and other mobile devices that do not support SNMP, the MAC address can be discovered by the ARP table, which can be queried from the network access device by an SNMP Query probe.

Cisco Discovery Protocol Support with SNMP Query

When you configure SNMP settings on the network devices, you must ensure that the Cisco Discovery Protocol is enabled (by default) on all the ports of the network devices. If you disable the Cisco Discovery Protocol on any of the ports on the network devices, then you may not be able to profile properly because you will miss the Cisco Discovery Protocol information of all the connected endpoints. You can enable the Cisco Discovery Protocol globally by using the cdp run command on a network device, and enable the Cisco Discovery Protocol by using the cdp enable command on any interface of the network access device. To disable the Cisco Discovery Protocol on the network device and on the interface, use the no keyword at the beginning of the commands.

Link Layer Discovery Protocol Support with SNMP Query

The Cisco ISE profiler uses an SNMP Query to collect LLDP attributes. You can also collect LLDP attributes from a Cisco IOS sensor, which is embedded in the network device, by using the RADIUS probe. See the default LLDP configuration settings that you can use to configure LLDP global configuration and LLDP interface configuration commands on the network access devices.
Table 27: Default LLDP Configuration

  Feature                                   Default Setting
  LLDP global state                         Disabled
  LLDP holdtime (before discarding)         120 seconds
  LLDP timer (packet update frequency)      30 seconds
  LLDP reinitialization delay               2 seconds
  LLDP tlv-select                           Enabled to send and receive all TLVs
  LLDP interface state                      Enabled
  LLDP receive                              Enabled
  LLDP transmit                             Enabled
  LLDP med-tlv-select                       Enabled to send all LLDP-MED TLVs

CDP and LLDP Capability Codes Displayed in a Single Character

The Attribute List of an endpoint displays a single character value for the lldpCacheCapabilities and lldpCapabilitiesMapSupported attributes. The values are the Capability Codes that are displayed for the network access device that runs CDP and LLDP.

Example 1

  lldpCacheCapabilities          S
  lldpCapabilitiesMapSupported   S

Example 2

  lldpCacheCapabilities          B;T
  lldpCapabilitiesMapSupported   B;T

Example 3

  Switch# show cdp neighbors
  Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay
  ...
  Switch#

  Switch# show lldp neighbors
  Capability codes: (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
  ...
  Switch#

SNMP Trap Probe

The SNMP Trap probe receives information from the specific network access devices that support MAC notification, linkup, linkdown, and informs. The SNMP Trap probe receives information from the specific network access devices when ports come up or go down and endpoints disconnect from or connect to your network; however, the information received is not sufficient to create endpoints in Cisco ISE.

For SNMP Trap to be fully functional and create endpoints, you must enable SNMP Query so that the SNMP Query probe triggers a poll event on the particular port of the network access device when a trap is received. To make this feature fully functional you should configure the network access device and SNMP Trap.
Note: Cisco ISE does not support SNMP Traps that are received from the Wireless LAN Controllers (WLCs) and Access Points (APs).

Configure Probes per Cisco ISE Node

You can configure one or more probes on the Profiling Configuration tab per Cisco ISE node in your deployment that assumes the Policy Service persona, which could be:
• A standalone node — If you have deployed Cisco ISE on a single node that assumes all Administration, Monitoring, and Policy Service personas by default.
• Multiple nodes — If you have registered more than one node in your deployment that assume the Policy Service persona.

Before You Begin

You can configure the probes per Cisco ISE node only from the Administration node, which is unavailable on the secondary Administration node in a distributed deployment.

Procedure

Step 1 Choose Administration > System > Deployment.
Step 2 Choose a Cisco ISE node that assumes the Policy Service persona.
Step 3 Click Edit in the Deployment Nodes page.
Step 4 On the General Settings tab, check the Policy Service check box. If the Policy Service check box is unchecked, both the session services and the profiling service check boxes are disabled.
Step 5 Check the Enable Profiling Services check box.
Step 6 Click the Profiling Configuration tab.
Step 7 Configure the values for each probe.
Step 8 Click Save to save the probe configuration.

Setup CoA, SNMP RO Community, and Endpoint Attribute Filter

Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration page that gives the profiling service more control over endpoints that are already authenticated.

In addition, you can configure additional SNMP Read Only community strings separated by a comma for the NMAP manual network scan in the Profiler Configuration page. The SNMP RO community strings are used in the same order as they appear in the Current custom SNMP community strings field.

You can also configure endpoint attribute filtering in the Profiler Configuration page.
Procedure

Step 1 Choose Administration > System > Settings > Profiling.
Step 2 Choose one of the following settings to configure the CoA type:
• No CoA (default) — You can use this option to disable the global configuration of CoA. This setting overrides any configured CoA per endpoint profiling policy.
• Port Bounce — You can use this option if the switch port exists with only one session. If the port exists with multiple sessions, then use the Reauth option.
• Reauth — You can use this option to enforce reauthentication of an already authenticated endpoint when it is profiled.
If you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function avoids disconnecting other sessions, a situation that might occur with the Port Bounce option.
Step 3 Enter new SNMP community strings separated by a comma for the NMAP manual network scan in the Change custom SNMP community strings field, and re-enter the strings in the Confirm custom SNMP community strings field for confirmation.
Step 4 Check the Endpoint Attribute Filter check box to enable endpoint attribute filtering.
Step 5 Click Save.

Global Configuration of Change of Authorization for Authenticated Endpoints

You can use the global configuration option to disable change of authorization (CoA) by using the default No CoA option or enable CoA by using the port bounce and reauthentication options. If you have configured Port Bounce for CoA in Cisco ISE, the profiling service may still issue other CoAs as described in the "CoA Exemptions" section.

You can use the RADIUS probe or the Monitoring persona REST API to authenticate the endpoints. You can enable the RADIUS probe, which allows faster performance. If you have enabled CoA, then we recommend that you enable the RADIUS probe in conjunction with your CoA configuration in the Cisco ISE application for faster performance. The profiling service can then issue an appropriate CoA for endpoints by using the RADIUS attributes that are collected.

If you have disabled the RADIUS probe in the Cisco ISE application, then you can rely on the Monitoring persona REST API to issue CoAs. This allows the profiling service to support a wider range of endpoints. In a distributed deployment, your network must have at least one Cisco ISE node that assumes the Monitoring persona to rely on the Monitoring persona REST API to issue a CoA.

Cisco ISE will arbitrarily designate either the primary or secondary Monitoring node as the default destination for REST queries in your distributed deployment, because both the primary and secondary Monitoring nodes have identical session directory information.

Use Cases for Issuing Change of Authorization

The profiling service issues the change of authorization in the following cases:
• Endpoint deleted — When an endpoint is deleted from the Endpoints page and the endpoint is disconnected or removed from the network.
• An exception action is configured — If you have an exception action configured per profile that leads to an unusual or an unacceptable event from that endpoint. The profiling service moves the endpoint to the corresponding static profile by issuing a CoA.
• An endpoint is profiled for the first time — When an endpoint is not statically assigned and profiled for the first time; for example, the profile changes from an unknown to a known profile.
  ◦ An endpoint identity group has changed — When an endpoint is added or removed from an endpoint identity group that is used by an authorization policy.
    The profiling service issues a CoA when there is any change in an endpoint identity group, and the endpoint identity group is used in the authorization policy for the following:
    ◦ The endpoint identity group changes for endpoints when they are dynamically profiled
    ◦ The endpoint identity group changes when the static assignment flag is set to true for a dynamic endpoint
• An endpoint profiling policy has changed and the policy is used in an authorization policy — When an endpoint profiling policy changes, and the policy is included in a logical profile that is used in an authorization policy. The endpoint profiling policy may change due to the profiling policy match or when an endpoint is statically assigned to an endpoint profiling policy, which is associated to a logical profile. In both cases, the profiling service issues a CoA only when the endpoint profiling policy is used in an authorization policy.

Exemptions for Issuing a Change of Authorization

The profiling service does not issue a CoA when there is a change in an endpoint identity group and the static assignment is already true.

Cisco ISE does not issue a CoA for the following reasons:
• An endpoint disconnected from the network — When an endpoint disconnected from your network is discovered.
• Authenticated wired (Extensible Authentication Protocol) EAP-capable endpoint — When an authenticated wired EAP-capable endpoint is discovered.
• Multiple active sessions per port — When you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option.
• Packet-of-Disconnect CoA (Terminate Session) when a wireless endpoint is detected — If an endpoint is discovered as wireless, then a Packet-of-Disconnect CoA (Terminate-Session) is issued instead of the Port Bounce CoA. The benefit of this change is to support the Wireless LAN Controller (WLC) CoA.
• An endpoint created through the Guest Device Registration flow — When endpoints are created through device registration for the guests. Even though CoA is enabled globally in Cisco ISE, the profiling service does not issue a CoA so that the device registration flow is not affected. In particular, the Port Bounce CoA global configuration breaks the flow of the connecting endpoint.
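The use cases and exemptions above, as an added example that is not Cisco code: a Python decision function applies the global CoA setting and the listed exemptions to an endpoint event and returns the CoA the profiling service would issue. The Endpoint fields, event names and returned action names are assumptions chosen for illustration, not Cisco ISE API names.

```python
"""Decide which CoA (if any) the profiling service would issue for an
endpoint event, following the use cases and exemptions listed above.
Added example, not Cisco code: Endpoint fields, event names and the
returned action names are assumptions chosen for illustration."""
from dataclasses import dataclass

GLOBAL_COA_OPTIONS = ("No CoA", "Port Bounce", "Reauth")

# Events from "Use Cases for Issuing Change of Authorization" (assumed names).
TRIGGER_EVENTS = {
    "endpoint_deleted",
    "exception_action",
    "first_profiled",
    "identity_group_changed",
    "profiling_policy_changed",
}


@dataclass
class Endpoint:
    mac: str
    wireless: bool = False
    connected: bool = True
    wired_eap_authenticated: bool = False
    static_assignment: bool = False       # already true before the event
    guest_device_registration: bool = False
    sessions_on_port: int = 1


def coa_for(ep: Endpoint, event: str, global_coa: str,
            used_in_authz_policy: bool = True) -> str:
    """Return 'none', 'port-bounce', 'reauth' or 'terminate-session'."""
    if global_coa not in GLOBAL_COA_OPTIONS:
        raise ValueError(f"unknown CoA type: {global_coa}")
    # "No CoA" overrides any per-policy CoA; unlisted events never trigger one.
    if global_coa == "No CoA" or event not in TRIGGER_EVENTS:
        return "none"
    # Exemptions: discovered-but-disconnected, wired EAP-authenticated,
    # and endpoints created by guest device registration.
    if event != "endpoint_deleted" and not ep.connected:
        return "none"
    if ep.wired_eap_authenticated or ep.guest_device_registration:
        return "none"
    # First-time profiling applies only to endpoints that are not statically
    # assigned; an identity-group change with static assignment already true
    # is exempt.
    if event in ("first_profiled", "identity_group_changed") and ep.static_assignment:
        return "none"
    # Group and policy changes matter only when an authorization policy uses them.
    if (event in ("identity_group_changed", "profiling_policy_changed")
            and not used_in_authz_policy):
        return "none"
    if global_coa == "Reauth":
        return "reauth"
    # Port Bounce configured: a wireless endpoint gets Terminate-Session
    # (WLC CoA); a port with several active sessions gets Reauth instead.
    if ep.wireless:
        return "terminate-session"
    if ep.sessions_on_port > 1:
        return "reauth"
    return "port-bounce"
```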