The following diagram is a High-Level Flow overview of how ISE makes decisions for authentication requests, particularly important for Posture and Profiler Decisions.
So looking at the diagram above we see the following process:
- An endpoint attempts to access the network via a Network Access Device (NAD) such as a switch or Wireless LAN Controller.
- The endpoint uses either 802.1X, MAC Address Bypass (MAB) or WebAuth to authenticate onto the network.
- Based on the authentication method used, the authentication succeeds and an authorization policy is selected. The authorization policy ensures the device gets controlled network access: for example, the client receives an IP address on the network but also has an access list applied so that its network access is limited. It's important to apply an ACL that at a minimum allows the client to receive an IP address, and/or a redirect ACL should also be applied.
For posture services, an Authorization Profile restricting network access must be selected. For example, an endpoint connecting to the network that has not yet been posture assessed falls into the Posture Unknown category, so you want to apply an Authorization Policy with appropriate restrictions whereby the endpoint must first be posture assessed before being allowed full access to the network. Once the posture assessment has completed and the device is deemed Compliant, a Change of Authorization (CoA) is sent from ISE to the NAD to remove the access list and allow full network access. If the client is non-compliant, it must remediate before being allowed onto the network. It's important to apply an ACL that not only restricts network access but still allows the client to reach the remediation server IP addresses so it can grab the latest AV definitions etc.
Profiler services also use the CoA feature. If profiling is deployed, a new endpoint connecting to the network hits the unknown-devices authorization profile (which you must define), which allows the endpoint to receive an IP address with restricted network access, similar to an unknown/non-compliant device. After the endpoint has been profiled using one of the supported profiling methods, ISE sends a CoA to the NAD to communicate that the authorization profile must be changed. At that point a new Authorization Profile is applied to the device and it receives the correct network access.
Each endpoint profile probe result is stored in the ISE internal endpoint database, which can be viewed by going to Administration > Identity Management > Identities > Endpoints. The MAC Address is the key attribute and it identifies the endpoint uniquely. On any subsequent access attempts from the endpoint, the endpoint classification from the last profiler update is available for the initial authorization assignment and the client would not need to be re-profiled.
*** The ISE Feed Service downloads the latest profiler definitions from Cisco on demand or on a schedule; however, these definitions can change the classification of already profiled endpoints and issue CoAs, depending on how you have set up your ISE deployment.
I hope that makes sense of how the flow of authentications for posture and profiler events takes place. Although this blog post only discusses the theory, it should be fairly straightforward to follow the logic and apply it to your environment.
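To make the decision flow above concrete, here is a small Python model of it, added as an illustration and not taken from ISE or from this post. It keeps an endpoint database keyed by MAC address, selects an authorization profile from the stored profiler classification and the current posture state, emits a CoA record only when that decision changes, and checks the caveat from the post that every restrictive ACL must still allow DHCP and (for posture ACLs) the remediation servers. All profile names, ACL entries and IP addresses are constructed for the example; the assumption that posture is re-assessed per session while the profiler classification persists is the model's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed for this example: remediation servers (AV definition servers etc.)
# that a non-compliant endpoint must still be able to reach.
REMEDIATION_SERVERS = ["10.10.10.5", "10.10.10.6"]


@dataclass
class Acl:
    """ACL the NAD applies with an authorization profile (IOS-style entries, constructed)."""
    name: str
    entries: List[str]
    redirect: bool = False  # a redirect ACL sends the client's web traffic to the ISE portal


def _permits(acl: Acl, token: str) -> bool:
    return any(e.startswith("permit") and token in e for e in acl.entries)


def acl_problems(profile: str, acl: Acl) -> List[str]:
    """The caveat from the post: a restrictive ACL must at least let the client get an
    IP address, and a posture ACL must also let it reach the remediation servers."""
    problems = []
    if not _permits(acl, "eq bootps"):
        problems.append(f"{profile}: ACL {acl.name} blocks DHCP")
    if profile.startswith("Posture_"):
        for server in REMEDIATION_SERVERS:
            if not _permits(acl, f"host {server}"):
                problems.append(f"{profile}: ACL {acl.name} cannot reach remediation server {server}")
    return problems


PRE_POSTURE = Acl("PRE-POSTURE", [
    "permit udp any any eq bootps",
    "permit udp any any eq domain",
    *[f"permit ip any host {s}" for s in REMEDIATION_SERVERS],
    "deny ip any any",
], redirect=True)

# Constructed authorization profile names; None means unrestricted access.
PROFILES: Dict[str, Optional[Acl]] = {
    "Profiler_Unknown": Acl("PROFILER-UNKNOWN", ["permit udp any any eq bootps",
                                                 "permit udp any any eq domain", "deny ip any any"]),
    "Posture_Unknown": PRE_POSTURE,
    "Posture_NonCompliant": PRE_POSTURE,
    "Printer_Access": Acl("PRINTERS", ["permit udp any any eq bootps",
                                       "permit tcp any any eq 9100", "deny ip any any"]),
    "Full_Access": None,
}


def validate_profiles() -> List[str]:
    """Run the ACL check over every restrictive profile; an empty list means all pass."""
    return [p for name, acl in PROFILES.items() if acl for p in acl_problems(name, acl)]


@dataclass
class Endpoint:
    mac: str                                # key attribute, as in the ISE endpoint database
    device_type: str = "Unknown"            # last profiler classification, kept across sessions
    posture: str = "Unknown"                # Unknown | Compliant | NonCompliant
    current_profile: Optional[str] = None   # authorization profile the NAD currently enforces


ENDPOINT_DB: Dict[str, Endpoint] = {}
COA_LOG: List[dict] = []


def select_profile(ep: Endpoint) -> str:
    """Authorization decision: unprofiled devices first, then device-type policy, then posture."""
    if ep.device_type == "Unknown":
        return "Profiler_Unknown"
    if ep.device_type == "Printer":  # printers run no posture agent
        return "Printer_Access"
    return {"Compliant": "Full_Access",
            "NonCompliant": "Posture_NonCompliant"}.get(ep.posture, "Posture_Unknown")


def authenticate(mac: str, method: str) -> str:
    """New session via 802.1X, MAB or WebAuth: the initial authorization reuses the stored
    profiler classification, while posture (assumed per session here) starts as Unknown."""
    if method not in ("802.1X", "MAB", "WebAuth"):
        raise ValueError(method)
    ep = ENDPOINT_DB.setdefault(mac, Endpoint(mac))
    ep.posture = "Unknown"
    ep.current_profile = select_profile(ep)
    return ep.current_profile


def _reauthorize(ep: Endpoint) -> Optional[dict]:
    """Send a CoA to the NAD only when the authorization decision actually changes."""
    new = select_profile(ep)
    if new == ep.current_profile:
        return None
    coa = {"mac": ep.mac, "from": ep.current_profile, "to": new}
    ep.current_profile = new
    COA_LOG.append(coa)
    return coa


def profiler_result(mac: str, device_type: str) -> Optional[dict]:
    ep = ENDPOINT_DB[mac]
    ep.device_type = device_type
    return _reauthorize(ep)


def posture_result(mac: str, compliant: bool) -> Optional[dict]:
    ep = ENDPOINT_DB[mac]
    ep.posture = "Compliant" if compliant else "NonCompliant"
    return _reauthorize(ep)


if __name__ == "__main__":
    print(validate_profiles())                  # []
    mac = "00:11:22:33:44:55"                   # constructed MAC
    print(authenticate(mac, "802.1X"))          # Profiler_Unknown
    print(profiler_result(mac, "Workstation"))  # CoA to Posture_Unknown
    print(posture_result(mac, False))           # CoA to Posture_NonCompliant
    print(posture_result(mac, True))            # CoA to Full_Access
    print(authenticate(mac, "802.1X"))          # Posture_Unknown: classification kept, no re-profiling
```

The walk-through in the main block reproduces the sequence from the post: the first session lands on the unknown-devices profile, profiling moves the workstation to Posture Unknown via CoA, a failed assessment narrows it to the remediation ACL, a compliant result lifts the ACL, and the next session skips the profiler stage because the classification is already in the endpoint database.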