ISE Profiler and RADIUS CoA - Part 3
The Profiler service implements the CoA in the following cases:
ISE Profiling service initiates CoA based on Exception Actions—either Cisco-defined or user-defined.
--> By selecting AuthorizationChange option, ISE sends a CoA when a profile transition results in a different authorization based on matching Authorization Policy rules.
--> By selecting EndpointDelete, ISE sends a CoA when the endpoint is deleted or transitions from a Profiled profile to the Unknown profile (no Profiling Policy match).
An endpoint that does not match any profile in ISE becomes a member of “Unknown” profile.
--> By choosing FirstTimeProfile, ISE generates a CoA when the endpoint transitions from the Unknown profile to a specific Profiling Policy assignment.
In addition to CoA, Exception Actions also can statically assign a new profile assignment to an endpoint. The system-defined Exception Actions do not change policy assignments; they only trigger CoA. The following figure shows the details for the “AuthorizationChange” Exception Action. Note that CoA will be forced but the Policy Assignment is set to NONE.
Recommended by LinkedIn
The default CoA Type sent for each of the system-defined exception actions is configured under global settings at Work Centers > Profiler > Settings > Profiler Settings. In addition to the global default behavior for Profiler CoA, it is also possible to configure the CoA type on a per profile basis. Each Profiler Policy allows a unique CoA type to apply to endpoints matching this profile—No CoA, Port Bounce, Reauth, and Global Settings. Global Settings is the default and instructs ISE to use the globally configured Profiler CoA setting. When explicitly set, per-profile CoA settings override global settings.
System-defined Exceptions Actions are not configurable and cannot be assigned as actions under the Profiling Policy. They are triggered automatically based on the defined transition. However, an administrator can define custom Exception Actions. These user-defined exceptions can be used in a Profiling Policy to apply a static profiling policy assignment and specify if CoA is sent.
User-defined exception actions are appropriate for statically assigning endpoints to a preferred policy assignment once a specific condition is met and optionally for preventing a CoA being sent on policy assignment. An example use case would be a critical network device such as a process control endpoint in a manufacturing facility, or a networked medical device in a healthcare facility. In these examples, the administrator may want to statically assign the endpoint to a policy. A static assignment through exception can prevent the risk that spurious profile data reverts and endpoint’s profile and affects its network connectivity.
A few environments in ISE where the profiler does not issue a CoA:
There is a built-in failsafe to never send a port bounce when there is more than one MAC address on a switch port. This failsafe ensures that there is no negative impact on IP telephony. When more than one MAC address exists on a switch port, a Reauth CoA is sent instead. In another words, if you have multiple active sessions on a single port, the profiler service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function potentially avoids disconnecting other sessions as might occur with the Port Bounce option.
To allow ISE to send CoA actions to a Network Access Device, you must configure NAD to accept these RADIUS messages.