ISE Profiler and RADIUS CoA - Part 3
The Profiler service triggers a CoA in the following cases:
The Profiling service initiates a CoA based on Exception Actions, either Cisco-defined (system-defined) or user-defined.
--> AuthorizationChange: ISE sends a CoA when a profile transition results in a different authorization based on the matching Authorization Policy rules.
--> EndpointDelete: ISE sends a CoA when the endpoint is deleted or transitions from a Profiled profile to the Unknown profile (no Profiling Policy match). An endpoint that does not match any profile in ISE becomes a member of the "Unknown" profile.
--> FirstTimeProfile: ISE generates a CoA when the endpoint transitions from the Unknown profile to a specific Profiling Policy assignment.
In addition to triggering a CoA, Exception Actions can also statically assign a new profile to an endpoint. The system-defined Exception Actions do not change policy assignments; they only trigger a CoA. The following figure shows the details of the "AuthorizationChange" Exception Action. Note that CoA is forced while the Policy Assignment is set to NONE.
The default CoA Type sent for each of the system-defined exception actions is configured under global settings at Work Centers > Profiler > Settings > Profiler Settings. In addition to the global default behavior for Profiler CoA, it is also possible to configure the CoA type on a per-profile basis. Each Profiler Policy allows a unique CoA type to apply to endpoints matching this profile: No CoA, Port Bounce, Reauth, or Global Settings. Global Settings is the default and instructs ISE to use the globally configured Profiler CoA setting. When explicitly set, per-profile CoA settings override the global setting.
System-defined Exception Actions are not configurable and cannot be assigned as actions under a Profiling Policy; they are triggered automatically by the transitions listed above. However, an administrator can define custom Exception Actions. These user-defined exceptions can be used in a Profiling Policy to apply a static profiling policy assignment and to specify whether a CoA is sent.
User-defined exception actions are appropriate for statically assigning endpoints to a preferred policy once a specific condition is met, and optionally for preventing a CoA from being sent on that policy assignment. An example use case would be a critical network device such as a process control endpoint in a manufacturing facility, or a networked medical device in a healthcare facility. In these cases the administrator may want to statically assign the endpoint to a policy: a static assignment through an exception removes the risk that spurious profile data reverts an endpoint's profile and, through the resulting CoA, affects its network connectivity.
There are cases in which the profiler does not issue the CoA type you configured; the port bounce failsafe is one of them:
There is a built-in failsafe to never send a port bounce when there is more than one MAC address on a switch port. This failsafe ensures that there is no negative impact on IP telephony (for example, a phone with a PC daisy-chained behind it). When more than one MAC address exists on a switch port, a Reauth CoA is sent instead. In other words, if you have multiple active sessions on a single port, the profiler service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option, globally or per profile. This avoids disconnecting the other sessions on the port, as a Port Bounce would.
To allow ISE to send CoA actions to a Network Access Device, you must configure the NAD as a dynamic-authorization (CoA) client that accepts these RADIUS messages from the ISE Policy Service Node, with a shared secret matching the one configured for that device in ISE. A NAD that is not configured this way silently drops the CoA-Request, so the profile transition has no effect on the live session until the next reauthentication.
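The following Python model ties together the three behaviours described above: the precedence between the per-profile CoA setting and the global Profiler Settings default, the port bounce failsafe that downgrades to Reauth when a port carries more than one MAC, and the RFC 5176 CoA-Request/CoA-ACK exchange that the NAD must be configured to accept. It is an added example, not ISE or Cisco code. Assumptions: the NAD is a Cisco IOS switch, the Cisco-AVPair subscriber commands used for Reauth and Port Bounce are the ones that platform honours (other vendors use different attributes), and the shared secret, packet identifier and MAC address are constructed test data.

```python
# Added example: model of Profiler CoA type selection and the RFC 5176 CoA exchange.
# Not ISE or Cisco code; assumes a Cisco IOS NAD and constructed test data.
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # RFC 5176 packet codes
ATTR_VSA, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 26, 31, 101
VENDOR_CISCO, CISCO_AVPAIR = 9, 1                   # Cisco VSA: vendor 9, sub-type 1
ERR_SESSION_NOT_FOUND = 503                         # RFC 5176 Error-Cause value

# Cisco-AVPair commands for the two CoA types (assumption: Cisco IOS syntax).
COMMANDS = {
    "Reauth": ["subscriber:command=reauthenticate",
               "subscriber:reauthenticate-type=last"],
    "Port Bounce": ["subscriber:command=bounce-host-port"],
}


def resolve_coa_type(profile_setting, global_setting, macs_on_port):
    """Effective CoA type: the Profiling Policy's own setting wins over the
    global Profiler Settings default unless it is 'Global Settings'; a Port
    Bounce is downgraded to Reauth when the port carries more than one MAC
    (the IP-telephony failsafe)."""
    effective = global_setting if profile_setting == "Global Settings" else profile_setting
    if effective == "Port Bounce" and macs_on_port > 1:
        return "Reauth"
    return effective


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type | length | value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode a Cisco-AVPair inside a Vendor-Specific attribute."""
    payload = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return _attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + sub)


def build_coa_request(identifier, mac, coa_type, secret):
    """CoA-Request as the PSN would send it. Request Authenticator =
    MD5(code | id | length | 16 zero bytes | attributes | shared secret)."""
    attrs = _attr(ATTR_CALLING_STATION_ID, mac.encode())
    for cmd in COMMANDS[coa_type]:
        attrs += cisco_avpair(cmd)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attrs(packet):
    """Return [(type, value)]; a VSA is reported as ('VSA', vendor, subtype)."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_VSA:
            vendor = struct.unpack("!I", value[:4])[0]
            out.append((("VSA", vendor, value[4]), value[6:4 + value[5]]))
        else:
            out.append((attr_type, value))
        pos += length
    return out


def nad_handle_coa(packet, secret, active_mac):
    """What a NAD configured as a CoA client does: verify the Request
    Authenticator with its shared secret, match the session, then answer
    CoA-ACK or CoA-NAK. Returns (response_bytes_or_None, commands)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet) or length < 20:
        return None, []
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None, []            # wrong secret or untrusted client: silently dropped
    mac, commands = None, []
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_CALLING_STATION_ID:
            mac = value.decode()
        elif attr_type == ("VSA", VENDOR_CISCO, CISCO_AVPAIR):
            commands.append(value.decode())
    if mac == active_mac and commands:
        resp_code, resp_attrs = COA_ACK, b""
    else:
        resp_code = COA_NAK
        resp_attrs = _attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_NOT_FOUND))
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(code | id | length | RequestAuth | attrs | secret)
    authenticator = hashlib.md5(header + packet[4:20] + resp_attrs + secret).digest()
    return header + authenticator + resp_attrs, commands


def verify_response(response, request, secret):
    """PSN-side check of a CoA-ACK/NAK Response Authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, mac = b"CoA-Secret", "00-11-22-33-44-55"   # constructed test data
    for macs_on_port in (1, 2):   # a lone host, then a phone with a PC behind it
        coa_type = resolve_coa_type("Global Settings", "Port Bounce", macs_on_port)
        request = build_coa_request(7, mac, coa_type, secret)
        response, commands = nad_handle_coa(request, secret, mac)
        print(macs_on_port, coa_type, commands, "ACK" if response[0] == COA_ACK else "NAK")
```

Running the script shows the failsafe in action: with one MAC on the port the global Port Bounce setting is sent as `bounce-host-port`; with two MACs the same configuration yields a `reauthenticate` command instead. The `nad_handle_coa` path also illustrates why the NAD-side configuration matters: a request whose Request Authenticator does not verify under the NAD's shared secret is discarded without any response, which is exactly what you observe in ISE (CoA timeouts in the RADIUS live logs) when the switch has not been configured as a CoA client or the secrets differ.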