topic Re: Profiling for a certain OUI not working in Network Access Control

Profiling for a certain OUI not working

kevin.twaddell — Thu, 30 Sep 2021 15:01:39 GMT

HI Guys,

Very new to ISE, so much I don't get yet (inc terminology), but I'm working on it, anyway

Needed to configured to profiles for 2 different OUI's (not the same ID group), 1 for Building Management systems and 1 for door access controllers.

I started on the BMS devices first and got them to work, so when a new BMS devices came up it profiled it correctly.

Using the lessons learnt from getting the BMS devices working I started on Door Access devices, but it's still going under the wrong authorization policy, I have set to match with RADIUS and OUI name, set the certainty factor to even a stupid high figure of 50 and still fails.

Any help please guys?

Thanks

Kevin

Re: Profiling for a certain OUI not working

ComputerRick — Thu, 30 Sep 2021 15:19:01 GMT

In the authentication details from the Radius Live Logs page, do those devices show being profiled correctly?
If you can share the device profile and the auth details, it might help provide a better response.

Re: Profiling for a certain OUI not working

kevin.twaddell — Fri, 01 Oct 2021 08:28:34 GMT

No that's my point or I'm missing the point 🙂

Do you mean show the Endpoint Context Visibility info?

I'm on a massive learning curve so please bear with me.

Re: Profiling for a certain OUI not working

Rob Ingram — Fri, 01 Oct 2021 09:35:23 GMT

@kevin.twaddell please provide the screenshot of the new profiling policy you created. Also go to Work Centers > Profiler > Endpoints, select the MAC address of the endpoint and provide a screenshot for review. We'll need the information such as OUI, Total Certainty Factor, Endpoint Policy amongst others etc.

FYI, Here is the offical Cisco ISE profiling guide.

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

Re: Profiling for a certain OUI not working

ComputerRick — Sun, 03 Oct 2021 13:55:35 GMT

If it's hitting the wrong authz policy, I prefer to get the auth details from the Radius Live Logs page.

Find a device that fails, and in the 3rd column from the left should be a paper icon, if you click that, it shows all of the info and logic for that session.

That, in addition to the profile should be everything needed for someone here to help you resolve this.

Re: Profiling for a certain OUI not working

kevin.twaddell — Mon, 04 Oct 2021 09:31:27 GMT

Hi all,

So back on this today, its matching against our default Authorization Policy, so everything goes in this unless it a different matching policy which is what I'm trying to create.

I've attached the log from it doing this but I'm not seeing why, if one of you kind chaps could point me in the right direction please?

Thanks

Kevin

Re: Profiling for a certain OUI not working

Oliver Laue — Mon, 04 Oct 2021 10:36:23 GMT

Maybe you have a logic error in your Policy, because the Log shows 2 Logical Profiles the Device is assigned to.

What does your Policy look like for this device?

Re: Profiling for a certain OUI not working

kevin.twaddell — Mon, 04 Oct 2021 10:59:25 GMT

so PAH-BMS-Door-Access was the profile used before I create this one, it never worked then either, but we needed to split the profiles up so I created 2 new ones, as my opening message BMS works fine, there are NO conditions in the old PAH-BMS-Door-Access profile

I've attached the PAH-Door-Access profile

Thanks

Kevin

Re: Profiling for a certain OUI not working

Oliver Laue — Mon, 04 Oct 2021 12:06:40 GMT

Sorry, I meant your Authorization Policy.

if you do a combined rule which should match multiple Profiles you have to check to do an "or" instead of on "and".

Re: Profiling for a certain OUI not working

kevin.twaddell — Mon, 04 Oct 2021 12:21:48 GMT

Is this what you mean?

the working BMS is not set that way though!

Re: Profiling for a certain OUI not working

Oliver Laue — Mon, 04 Oct 2021 12:35:21 GMT

Rewrite your Rule to use EndPointPolicy instead of IdentityGroup.

According to the ISE Detail log the Device has the IdentityGroup: Profiled

Re: Profiling for a certain OUI not working

kevin.twaddell — Mon, 04 Oct 2021 12:50:54 GMT

That appears to have sorted it, I don't know the difference yet but I'll read up and try and work out what it is, thank you very much for your help.

Kevin