Cisco ISE 2.2 - Managing Internal Endpoints Store

PiotrekJ
Level 1

Hello,

I'm looking for help.

After updating to the latest version of ISE 2.2 with the latest patch, I have a lot of problems with adding/deleting MAC addresses in Internal Endpoints.

Where is the correct place, or how should I manage MACs?

I use a lot of MAB devices and need to add/remove a few entries per day.

How do I achieve this?

In version 1.3 it was simple: add the MAC to a specific group.

Since version 2.X there is a Context Visibility page where I was able to add/delete MAC addresses.

Also in version 2.X new functionality appeared: new MAC addresses of devices appear in Context Visibility, after which I have to edit them and assign them to the correct group.

Now I have a problem with ElasticSearch (I opened a TAC case), and the only working method is importing new entries with CSV.

But how do I find a specific MAC and delete it?


ldanny
Cisco Employee

The profiling service collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group (Endpoint Identity Groups) according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database.

The profiling service identifies each endpoint on your network, and groups those endpoints according to their profiles to an existing endpoint identity group in the system, or to a new group that you can create in the system.

Have a look under

Administration > Identity Management > Groups

On the left under "Endpoint Identity Groups" are the built-in default groups. If you haven't profiled your endpoints, it's likely they are under one of those groups, e.g. "Profiled" or "Unknown".

It is best practice to profile your endpoints by using profiler policies; in this way you can decide to which identity group they belong.

Here is a doc on profiling which should provide some clarity.

Cisco Identity Services Engine Administrator Guide, Release 2.0 - Cisco ISE Endpoint Profiling Policies [Cisco Identity…

Hope this helps,

Danny

kthiruve
Cisco Employee

Hi Piotr,

Are you having problems with import/export of MAC addresses from WorkCenter --> Network Access --> Identities --> Endpoints?

Or is the issue with the context visibility list under endpoint classification? There are a couple of ways to add endpoints.

As Danny mentioned, the profiling functionality gathers the MAC address information and adds it automatically.

You can use filters under Endpoints or Context Visibility to filter the endpoints based on MAC address or other attributes and delete them.

Please let us know the use case; that will help us answer your question.

In any case, if it is a production environment and you are having issues adding/removing MAC addresses, calling TAC is the right thing to do.

Thanks

Krishnan

PiotrekJ
Level 1

Thanks for the reply...

As I mentioned earlier, in my environment there are two types of devices:

- dot1x authenticated (no problem with that),

- MAB authenticated.

In ISE 1.x releases MAB authentication was very clear: if the MAC address existed in the ISE Internal Database (with a policy and group assignment, e.g. IP-Phone, CiscoIPPhone), then the device was successfully authenticated by the switch and got access to the network.

In ISE 2.x MAC addresses appear in Context Visibility with the assignment Unknown/Unknown - the auto profiling mentioned above.

So what about authentication - should it be possible only after adding a static assignment to a group/policy?

Case:

Last month, after a ransomware attack, I tried to find all MAC addresses belonging to guest PCs.

Some of them were added to static group X, some to Y, and maybe something was added by mistake to another group.

So I exported all addresses (export CSV function in Context Visibility/Identity Endpoint), found the suspected entries and, one by one, found them in Context Visibility, selected and deleted them.

But after that, those devices were still able to authenticate on the network (I found them in the Identity Group).

Generally I'm not sure how to correctly add/remove MACs in the Internal Database.

And an extra question - is it possible to turn off auto profiling/adding MACs to ISE?

Hi Piotr,

Here are a few recommendations.

a. Are you using policies in Policy Set mode or default mode?

Using it in Policy Set mode is recommended so that you can categorize the incoming requests and apply suitable authentication/authorization policies.

You can change it to Policy Set mode from Administration --> Settings. When you change the mode, all the existing policies will be under the default policy set. You can create a newer policy set with an entrance criterion to filter the MAB requests and apply authentication/authorization policies.

b. Please make sure your authorization policy is configured with the least permissive policy at the top and the most permissive at the bottom. Please do not allow an authorization policy for the unknown group.

Configure the default authorization policy to deny access.

When a device is authenticated and authorized, you will see an entry in Operations --> Logs. When you click on the details of the entry, you will see the authentication and authorization policy it is hitting. The log entries will have these in the columns as well. You will know what authorization policy is used and you can optimize these policies.

c. What kind of deployment do you have? If you have a standalone deployment, you will see the profiling service greyed out. However, you will have the option to turn off profiling services if ISE is configured as a Primary Administration Node or a PSN-only node.

If you want to turn off the profiling service, this can be done from the UI: go to Administration --> Deployment and choose the ISE server node. You can edit the node and uncheck the profiling service. ISE services will be restarted after that. Please do not do this in production hours.

d. One of the best features of ISE is visibility, where you will know what kind of endpoints are in the network. A lot of customers want to know what is out there so that they can protect it. By turning profiling off, you are disabling a critical feature that will save you a lot when done properly.

Here is the How-to guide for ISE services, including profiling, that discusses all the best practices and provides insight on how it is done.

ISE Design & Integration Guides

Thanks

Krishnan

pohjaton1
Level 1

Hi,

One way of deleting endpoint information would be to use the endpoint purge rules, which you can find under the Identities settings. If you have endpoints, e.g. unknown ones, which you would like to clean up at a certain interval, you can set a rule in the purge settings to get them removed.

Arne Bier
VIP

I have the same questions as Piotr and I eventually opened a TAC case because I wanted to know why I was unable to delete endpoints with the "Remove" button - I am unable to remove anything. I can move Endpoints from one Group to another though.

I only have a BASE license and I don't need profiling.

Removing endpoints manually is an important function (e.g. when testing the guest portal) - the only way I can delete the endpoint is to go to Context Visibility > Endpoints and then search and click on the trash can icon.

In previous versions of ISE I could go to Administration > Identity Management > Groups > Endpoint Identity Groups and find the MAC address there. The Remove button is still there, and after clicking it, ISE tells you the Endpoint was successfully removed, but it never does.

The Endpoint Purge does work in patch 2.2 (without any Plus license). I made the schoolboy error of not thinking about the Endpoint Purge Policy rule correctly - e.g. ElapsedDays GREATERTHAN 1 means the endpoint must have been in that Endpoint for >=48 hours. So if you want 24 hours then you must use GREATERTHAN 0.

One thing I also noticed is that I am unable to add MAC addresses into Endpoint Identity Groups in advance - "in advance" meaning that the MAC has never been seen before in ISE (e.g. a new Cisco Phone in the box); in the past I could manually add those MAC addresses in advance. In ISE 2.2 I also have to do this in Context Visibility.

I get the feeling that the Endpoint Identity Groups Add and Remove buttons are somewhat deprecated and should be removed from the interface.
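An added check for the export/find/delete workflow Piotr describes and for the purge threshold Arne describes (example code written for this page, not from the thread or from Cisco): it normalizes the MAC notations found in exports, lists the endpoints sitting in a given Endpoint Identity Group, reports which of the MACs you deleted in the UI still appear in a fresh export, and models the ElapsedDays GREATERTHAN semantics. The CSV column names and the sample rows are constructed assumptions, not the exact headers ISE 2.2 writes.

```python
import csv
import io
import re

# Constructed sample exports taken before and after a manual delete. The column
# names are an assumption for this example, not the exact headers ISE 2.2 writes.
BEFORE_CSV = """MACAddress,EndPointPolicy,IdentityGroup
00:11:22:33:44:55,Unknown,Unknown
00-11-22-33-44-66,Windows7-Workstation,GuestEndpoints
0011.2233.4477,Cisco-IP-Phone,Cisco-IP-Phone
AA:BB:CC:DD:EE:01,Unknown,GuestEndpoints
"""
AFTER_CSV = """MACAddress,EndPointPolicy,IdentityGroup
00:11:22:33:44:55,Unknown,Unknown
0011.2233.4477,Cisco-IP-Phone,Cisco-IP-Phone
AA:BB:CC:DD:EE:01,Unknown,GuestEndpoints
"""


def normalize_mac(mac):
    """Canonical AA:BB:CC:DD:EE:FF form; accepts colon, dash and Cisco dotted notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_endpoints(csv_text):
    """Parse one export into {canonical MAC: row dict}."""
    return {normalize_mac(r["MACAddress"]): r
            for r in csv.DictReader(io.StringIO(csv_text))}


def macs_in_group(endpoints, group):
    """Candidate list: every MAC currently in the given Endpoint Identity Group."""
    return sorted(m for m, r in endpoints.items() if r["IdentityGroup"] == group)


def still_present(after_csv_text, deleted_macs):
    """MACs deleted in the UI that still show up in an export taken afterwards.
    A non-empty result means the 'successfully removed' message was not honoured."""
    after = load_endpoints(after_csv_text)
    return sorted(m for m in map(normalize_mac, deleted_macs) if m in after)


def purge_rule_matches(hours_in_group, greater_than):
    """Model of the purge condition 'ElapsedDays GREATERTHAN n' as Arne describes it:
    whole elapsed days are counted, so GREATERTHAN 1 needs >= 48 h, GREATERTHAN 0 >= 24 h."""
    return hours_in_group // 24 > greater_than
```

Run it against a real export by reading the file contents into the two string arguments; the group name and the post-delete export are what you would vary.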

You can go to Work Centers -> Profiler -> Endpoint Classification, where you should be able to add the MAC addresses of endpoints and profile them as registered devices. You can use registered devices in authentication and authorisation policies.

I have ISE 2.2 Patch 3. I am unable to delete or move endpoints to another identity group. It shows a confirmation message as if the deletion or the move has been completed successfully. Please help.

Are you doing this under Context Visibility?

Do you have the option to move to a patch? I'm not sure if there's a specific defect.

Have you tried a different browser?

If all else fails, call the Technical Assistance Center.