topic Re: ISE profiling an IP range in Network Access Control

ISE profiling an IP range

KevinR99 — Tue, 09 Sep 2025 09:26:46 GMT

I have a requirement to profile devices based on IP range. This is easy if my subnets are on octet boundries. So I can match the 10.10.10.0/24 subnet with startswith 10.10.10 and that works fine.

However if my subnet is, for example, 10.10.0.0/20 I need to match 10.10.0.0 to 10.10.15.255 and I would like to match this with a startswith statement. Is there any way I can insert a range of 0-15 in the startswith field or is there any other way I could do this?

Thanks, Kev.

Re: ISE profiling an IP range

balaji.bandi — Tue, 09 Sep 2025 11:19:42 GMT

i do not believe that have option as per i know, its wish list, but not a good idea have 3rd octet range.

Re: ISE profiling an IP range

andrewchawen — Fri, 26 Sep 2025 19:16:06 GMT

@KevinR99 wrote:
Hi
I have a requirement to profile devices based on IP range. This is easy if my subnets are on octet boundries. So I can match the 10.10.10.0/24 subnet with startswith 10.10.10 and that works fine.
However if my subnet is, for example, 10.10.0.0/20 I need to match 10.10.0.0 to 10.10.15.255 and I would like to match this with a startswith statement. Is there any way I can insert a range of 0-15 in the startswith field or is there any other way I could do this? y999
Thanks, Kev.

I see what you’re running into. A /20 subnet like 10.10.0.0/20 spans multiple /24 networks (10.10.0.0/24 through 10.10.15.0/24). A simple startswith string match works fine for octet boundaries (like /24), but it won’t handle ranges inside an octet (like 0–15) because startswith is just a string check — it can’t do numeric ranges.

Re: ISE profiling an IP range

ahollifield — Wed, 10 Sep 2025 19:54:58 GMT

Why is that your requirement at all? What information are you not getting from Device Sensor?

Re: ISE profiling an IP range

KevinR99 — Thu, 11 Sep 2025 15:52:59 GMT

My problem is I have 10 floors in my buiding. Each has a different subnet for door entry systems and those have static IP's applied. So I want to profile them based on the static IP and place them in an endpoint group specific to their IP subnet. I can't profile on MAC OUI or any other info like that because they are all the same type of device. I will then use the endpoint group in a mab policy to authenticate the port and place it in the appropriate vlan. So, if my subnets are not on octet boundries I cannot match with startswith. If my subnet is 10.10.0.0/20 I would need to match on starts with 10.10.0. up to 10.10.15. I could create 16 profiling rules but that's getting a bit labour intensive especially as the subnets get bigger.

I had hoped I could apply a regex expression to match 0-15 in the 3rd octet but I can't find a way to do that.

Kev.

Re: ISE profiling an IP range

ahollifield — Thu, 11 Sep 2025 16:26:23 GMT

Got it. Are those ports exposed to the general user population? Or are they protected in a locked area? Have you considered removing the ISE authentication commands from those ports entirely and just manually configuring the VLANs?

For static IP devices like this, I typically recommend my customers use a SPAN-based profiler like Ordr, Armis, or Cisco Endpoint Analytics.