topic Cisco ISE Device Profiling in Network Access Control

Cisco ISE Device Profiling

lnw-team — Wed, 17 Aug 2022 06:37:59 GMT

Hello,

We've recently connected XBox console to our network. New security rule has been configured on Cisco ISE to allow network access. The device should be recognized and granted network access based on device profile. Pre-defined profile "Gaming Devices" has been used for that purpose. However, the devices was not properly recognized and placed in a guest VLAN (another security policy). In order to make it work, another profiling policy with MAC address has been created. Is there any way to update the list of pre-defined device profiles?

Thank you in advance!

Re: Cisco ISE Device Profiling

balaji.bandi — Wed, 17 Aug 2022 07:18:17 GMT

If you are using OUI based List ( where all xbox come with same MAC address as first 4 or 5 as manufacturer)

Move the Policy above guest and test it.

Re: Cisco ISE Device Profiling

lnw-team — Wed, 17 Aug 2022 12:08:16 GMT

The policy is above guest but the devices is not recognized properly.

Re: Cisco ISE Device Profiling

balaji.bandi — Wed, 17 Aug 2022 16:13:31 GMT

check the Logs why the policy not matching ?

take one device and try to connect and see the order of operation.

Re: Cisco ISE Device Profiling

Rob Ingram — Wed, 17 Aug 2022 18:18:12 GMT

@lnw-team if the endpoint matches the new policy the devices should automatically update.

What is the certainty factor of one of the endpoints?

In the configuration of the new profiling policy what is the certainty factor you configured?

Is this higher than the certainty factor under the other policy? If not, it needs to be, otherwise the endpoint will continue to match the other policy.

Provide some screenshots of the new policy, the existing policy and the output of one of the endpoints.

Re: Cisco ISE Device Profiling

Arne Bier — Wed, 17 Aug 2022 21:35:22 GMT

ISE has built-in Profile Policies for Xbox360 and XboxOne. It's uses a combination of MAC OUI and DHCP attributes.

The main issue with any profiling is, what happens when ISE sees the device for the FIRST TIME? First time means, ISE only gets a MAC address to work with. That might be enough for very crude profiling. But you want to give ISE more time to do a more accurate job. That means, you don't deny/block a device that ISE has not been able to 100% identify (in other words, you failed through all the current Authorization Policies and ended on the Default one at the bottom). In Low-Impact mode you can return a dACL that allows DHCP, DNS and SNMP - in most cases this gives ISE a good chance to process the DHCP data, run an nmap and SNMP poll etc. Within a few seconds, ISE has learned that this is an XBOXONE, and then sends the switch a CoA Reauth. And then it will be caught in the correct Authorization Policy that you setup to put Xboxes in the right VLAN/ACL.

You don't have to use Cisco's Xbox profiles - but it's a good start.

Re: Cisco ISE Device Profiling

thomas — Sat, 20 Aug 2022 18:01:28 GMT

You are using the Gaming Devices logical profile which has these profiles:

Searching the ISE Profiles for "xbox" I see there is also "XBOXONE". Did you also add that? Is that not matching for you?

> the devices was not properly recognized

OK, then what device did it match? You did not provide any details so we cannot suggest corrections.

Why did it match this other device? Were there similar attributes? Were attributes missing such that the XBOX profiles did not have a match and get a higher certainty factor?

These are the profiling rules for both XBOX profiles:

XBOX360Rule1Check1 | DHCP:dhcp-class-identifier EQUALS Xbox 360
and
XBOXONERule1Check1 | DHCP:host-name CONTAINS XBOX-ONE
XBOXONERule1Check2 | DHCP:host-name EQUALS Xbox-SystemOS
XBOXONERule1Check3 | MAC:MACAddress STARTSWITH 50:1A:C5

Are you seeing these DHCP attributes for these endpoints?

Does profiling any other endpoints with DHCP work in your environment? Or is it only XBOX devices giving you an incorrect profile?

If you do not see DHCP attributes, how are you sending ISE DHCP attributes?

These are the necessary troubleshooting details you need to figure out.