topic Re: ISE profiler feeds updates in Network Access Control

ISE profiler feeds updates

adamgibs7 — Fri, 21 Feb 2020 18:55:20 GMT

Dears,

My ISE is not able to connect to the internet for the profiler feed update so I am looking to download the updates offline and then upload to ISE is it possible ??? but I am not able to find the path to download.
HP printer model (HP-LASER JET2055dn) are not available in the ISE 2.2 patch 7 and they are detected as a HP device so in such situation it is a security risk to allow them by profiling HP-Device how I can restrict these printers, if I m not wrong I can do by creating a separate profiler group and add these printers in that group and restrict them to a specific permission. Please correct me if I m wrong ??
I am following the below link in which it says use the NMAP scanning by using that it falls in the HP-Printers group so what NMAP really helped is that it detects insight probe on the device to profiled accordingly ?? please clarify, so for any device if it failing I have to run a NMAP scan on that endpoint.

https://supportforums.cisco.com/t5/intrusion-prevention-systems-ids/securing-network-with-ise-profiling-hp-devices/m-p/2687522#M22095

4.Please find the attached screenshot and explain what actual expression it is looking to profile this HP-Color-LaserJet-2500

thanks

Re: ISE profiler feeds updates

RichardAtkin — Mon, 07 May 2018 09:02:09 GMT

My ISE is not able to connect to the internet for the profiler feed update so I am looking to download the updates offline and then upload to ISE is it possible ??? but I am not able to find the path to download.
1. Go to http://ise.cisco.com/partner and register for an account. Once registered, you will be able to download the updates for use offline.
HP printer model (HP-LASER JET2055dn) are not available in the ISE 2.2 patch 7 and they are detected as a HP device so in such situation it is a security risk to allow them by profiling HP-Device how I can restrict these printers, if I m not wrong I can do by creating a separate profiler group and add these printers in that group and restrict them to a specific permission. Please correct me if I m wrong ??
1. You are correct.
I am following the below link in which it says use the NMAP scanning by using that it falls in the HP-Printers group so what NMAP really helped is that it detects insight probe on the device to profiled accordingly ?? please clarify, so for any device if it failing I have to run a NMAP scan on that endpoint.
1. I don't really understand the question. NMAP Scanning is just another way of learning more information about the device to help you profile it. Depending on how your particular printer works and how it is seen by the network, NMAP may or may not provide you with enough additional information to profile it successfully. Unfortunately I don't have access to one to test.

4.Please find the attached screenshot and explain what actual expression it is looking to profile this HP-Color-LaserJet-2500

1. Nothing attached.

Re: ISE profiler feeds updates

adamgibs7 — Mon, 07 May 2018 18:36:29 GMT

Dear

My printers were detecting as HP device, when I run a NMAP on those specific HP printers IP address it start detected them as a HP printers, so what special NMAP probe is doing here.

Please find the attached screenshot and explain what actual expression it is looking to profile this HP-Color-LaserJet-2500

Please find the attached

Re: ISE profiler feeds updates

Rob Ingram — Mon, 07 May 2018 20:14:29 GMT

When you run an NMAP probe it will run OS Scan, SNMP Port Scan and common ports etc. By the looks of the profiling policy for the HP Color Laserjet 2500 it needs the snmp probe to return the attribute "hrDeviceDescr" and it must contain "HP Color LaserJet 2500".

As there is no profiling policy defined for the 2550dn that you have, I suggest running an NMAP SNMP scan probe and see what the "hrDeviceDescr" is, from there create a new profiling rule for that model of printer.

The ISE profiling guide states the NMAP probe can only use the default community string "public" to directly query endpoints. In other words if you've disabled or change SNMP on those printers, you won't get the information you require from NMAP.

HTH

Re: ISE profiler feeds updates

adamgibs7 — Tue, 08 May 2018 19:10:19 GMT

Dear

By the looks of the profiling policy for the HP Color Laserjet 2500 it needs the snmp probe to return the attribute "hrDeviceDescr" and it must contain "HP Color LaserJet 2500".

the attribute hrDeviceDescr means the device description should contain HP Color LaserJet 2500 then only it will be profiled as a HP color laserJet 2500 printer ???

Please correct me if I m wrong.

Re: ISE profiler feeds updates

Rob Ingram — Tue, 08 May 2018 20:02:07 GMT

Correct, if the nmap probe gets that information back from snmp, it will determine the device to be a HP Color Laserjet printer and therefore classify the endpoint as such.

Re: ISE profiler feeds updates

adamgibs7 — Tue, 08 May 2018 20:27:35 GMT

thanks for confirming +5 for you,

Any suggestion or best practices for profiling,,, the cisco document for profiling should be referred for every aspect of profiling configuration.