topic Re: Create Profiling Policies for a Group of Devices in Network Access Control

Create Profiling Policies for a Group of Devices

Matthew Martin — Mon, 28 Jun 2021 21:42:49 GMT

Hello All,

I have a group of devices that I want to create a new Profiling Policy for based off their MAC Addresses. All of the devices all start with the same first 8 characters of their Mac Address.

So I created a new Profiling Policy (*Policy > Profiling > Profiling Policies). In there I added 1 Rule, which is the only rule right now for "MAC:MACAddress STARTSWITH aabbccdd".

Then, I went to my Wired Policy Sets. Created a new Authorization Policy with only one condition for "Endpoint Identity Groups:Profiled: my_profile_name".

Lastly, I plugged in the device. But, it's showing up as Unknown, instead of matching the Profiling Policy...

I also noticed there's Profiling Conditions in Policy > Policy Elements > Conditions > Profiling.... So I also added a policy condition there that does the same thing as the Profiling Policy I described above with the Mac Address starts with.... But, I assume this "condition" needs to be applied somewhere.

I'm thinking I'm missing something. Could anyone lend a hand with this, or point me in the right direction?

Thanks in Advance,

Matt

Re: Create Profiling Policies for a Group of Devices

Marcelo Morais — Mon, 28 Jun 2021 22:24:55 GMT

Hi @Matthew Martin ,

at Policy > Profiling > Profiling Policies, double check if:
. the Policy is Enabled.
. the Minimum Certainty Factor matches the number of your rule

At Policy Set > Authorization Policy double check if you are using
IndentityGroup.Name EQUALS xxxx
or
Endpoint.EndpointPolicy EQUALS xxxx

Hope this helps !!!

Re: Create Profiling Policies for a Group of Devices

Matthew Martin — Tue, 29 Jun 2021 18:46:25 GMT

Hey Marcelo,

Thanks for the reply.

Checked the Profiling Policy and it is enabled and I had both Certainty Factors set to 10. Not sure if it mattered, so changed them both to 5 and saved the policy. The Policy Name is called "Zoom_Phones".

The only Rule is that it needs to match the first 8 characters of the MACAddress.

Here is the Policy Set:

Now, when I check Radius Live Logs, I just get "Deny Access", and the Endpoint Profile showing as "Unknown". The first 8 characters of the MAC Address definitely matches the Rule in the Profiling Policy. I also tried plugging in a second device, also with the same first 8 in the MAC and it's getting the same result.

Thanks Again,

Matt

Re: Create Profiling Policies for a Group of Devices

hslai — Mon, 05 Jul 2021 15:42:09 GMT

The separators might not have matched properly.

Also, we could use RADIUS:Calling-Station-ID directly in authorization conditions.