https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954793#M37909 <P>Hello Andy-</P> <P>What you are experiencing is correct and expected behavior with the current mechanics of ISE. There is an enhancement request that was put in place a while back but it hasn't seen much traction:</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur48184">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur48184</A></P> <P>The only time a device would move from one profile group to another is when a profiling rule with higher Certainty Factor is hit. For instance, if you create a custom rule with CF of 100 and if that rule is hit then a profiled device will never move to another rule that has CF that is &lt;= to 100.&nbsp;</P> <P>As you can tell, profiling is not bullet-proof. This is why it is best practice to limit the network access for profiled devices. For instance, IP Phones should only need access to the voice subnets and the PBX, Printers should only need access to print servers on specific ports, etc</P> <P>I hope this helps!</P> <P><EM>Thank you for rating helpful posts!</EM></P> Fri, 21 Oct 2016 02:09:24 GMT nspasov 2016-10-21T02:09:24Z https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954792#M37907 <P>Hello</P> <P>I was having a look at MAC spoofing with ISE 2.1.0.474</P> <P>I am using RADIUS/SNMP trap and query and DHCP probes. A Cisco 7911 phone correctly gets profiled as "Cisco-IP-Phone-7911". The endpoint in ISE shows all the correct cdp/lldp/dhcp details</P> <P>When I connect my windows laptop (spoofing the phones MAC), the laptop is authenticated as the phone. The endpoint is still profiled as "Cisco-IP-Phone-7911" - the endpoint shows the correct dhcp details for the laptop but retains the cdp/lldp details of the phone previously profiled. I checked the NAD and the device-sensor cache has no cdp/lldp details for the connected laptop and device-sensor accounting sends only the laptop dhcp tlv's to ISE.</P> <P>If I delete the endpoint from ISE and connect my laptop (again spoofing the phones MAC), ISE correctly profiles the laptop as "Microsoft-Workstation"</P> <P>When I disconnect the laptop and reconnect the phone, ISE re-profiles the endpoint as a "Cisco-IP-Phone-7911" based on the newly learnt cdp/lldp info.</P> <P>ISE can learn new endpoint details through the probes and re-profile an endpoint as shown above. Am I right in saying that ISE won't re-profile an endpoint based on the fact that some attributes (e.g. cdp/lldp) have stopped appearing - only when new attributes are learnt?</P> <P>Thanks<BR />Andy</P> Mon, 11 Mar 2019 07:09:48 GMT https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954792#M37907 andrewswanson 2019-03-11T07:09:48Z https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954793#M37909 <P>Hello Andy-</P> <P>What you are experiencing is correct and expected behavior with the current mechanics of ISE. There is an enhancement request that was put in place a while back but it hasn't seen much traction:</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur48184">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur48184</A></P> <P>The only time a device would move from one profile group to another is when a profiling rule with higher Certainty Factor is hit. For instance, if you create a custom rule with CF of 100 and if that rule is hit then a profiled device will never move to another rule that has CF that is &lt;= to 100.&nbsp;</P> <P>As you can tell, profiling is not bullet-proof. This is why it is best practice to limit the network access for profiled devices. For instance, IP Phones should only need access to the voice subnets and the PBX, Printers should only need access to print servers on specific ports, etc</P> <P>I hope this helps!</P> <P><EM>Thank you for rating helpful posts!</EM></P> Fri, 21 Oct 2016 02:09:24 GMT https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954793#M37909 nspasov 2016-10-21T02:09:24Z https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954794#M37910 <P>Thanks Neno - I'll contact TAC and add some weight to the enhancement request. Once we are out of Monitor mode the key thing will be strict authorization for ISE profiled devices.</P> <P></P> <P>Cheers</P> <P>Andy</P> Fri, 21 Oct 2016 06:12:55 GMT https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954794#M37910 andrewswanson 2016-10-21T06:12:55Z https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954795#M37911 <P>Great! Thanks Andy! Let us know what Cisco/TAC has to say about it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Neno</P> Fri, 21 Oct 2016 18:01:10 GMT https://community.cisco.com/t5/network-access-control/re-validating-previously-profiled-ise-endpoints/m-p/2954795#M37911 nspasov 2016-10-21T18:01:10Z