topic Cisco ise profiling in Network Access Control

Cisco ise profiling

munish.dhiman1 — Fri, 21 Feb 2020 19:06:27 GMT

Hi,

Trying to understand the profiling behaviour,could you please correct me if my understanding is incorrect.

IP phone connects to the network and get profiled by ise and refects in endpoint repository.now i moved the mac adress data base to a new folder and create a authorizastion policy.

now i disconnect the ip phone and reconnect,will it get again reprofiled by plus license and show in endpoint repository or ise will skip the profiling 2nd time and just enforce the authorization policy.

regards,

Re: Cisco ise profiling

Mike.Cifelli — Mon, 03 Jun 2019 12:47:14 GMT

Just to clarify a few things here is an overview:
ISE collects attributes from device sensors (NADs). The attributes are used to profile your devices. There are several probes you can use (Radius, IP, DNS, Radius, etc.). The only time a plus license gets consumed in regard to profiling is if you use the profiled endpoint group as a authz condition in your policies. Re-profiling could occur if there has been a change or if you have enabled new profiles with different MCFs that your devices may match to depending on how they are setup. Good luck & HTH!

Re: Cisco ise profiling

Jason Kunst — Mon, 03 Jun 2019 17:12:22 GMT

this was brought up before and pointed to a possible defect depending on your release. please make sure you're running latest patch and if still a problem check through the TAC as well

Re: Cisco ise profiling

munish.dhiman1 — Mon, 03 Jun 2019 18:19:57 GMT

Jason,

This is not an issue, however trying to understand the expected behavior. As per the process ,ise process a request in following order

Profiling___authntication_____posture____than enforcement/authorization...
So if i move the profiled endpoint from known endpoint folder to any other folder ,and when next time same endpoint connects to the network ,will it show as unknown and ise will profil it again before authentication?
Reason of asking this :
1. Well ,I have a MAB policy and authorization is based on OUI (aa:cc:dd).After MAB ,device is checked for the OUI configured in the policy and access provided.
How can I detect Mac spoofing in this case and send coa?

2. I am thinking of using a combination of something like this. "If a mac start from aa:bb:cc and found in folder ABC ---provide vlans10.
But Now if someone spoofs the mac address he will also get full access.beacuse it's the same mac or starts with same oui. How can we prevent this,how profiling/plus license makes a difference here?

BR,
MD

Re: Cisco ise profiling

Mike.Cifelli — Mon, 03 Jun 2019 20:13:35 GMT

Check this out: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html

This can aide in deterring spoofed macs. HTH!