Re: Cisco ISE detection wrong profiling and always show Xerox-Device

oum-odom · ‎08-04-2025

Dear Cisco ISE lover,

I have inquiry refer to cisco ISE profiling detection which multi-domain mode on port configuration.
So we have wired with IP Phone and PC these two device is working properly, but in the live log we found another failed authentication with Xerox-Device on the same port which we don't use this xerox device, and also perform failed authentication every 15 minutes and OUI start from 00:00:00 .

While we go to profiling Policy this Xerox-Device is enable by Cisco default.
Question, what is any issue if we disable this Xerox-Device policy?

Thank you,

MHM Cisco World · ‎08-04-2025

Hi
can I see rule for this policy

MHM

oum-odom · ‎08-04-2025

Here

MHM Cisco World · ‎08-04-2025

Mim certainty factor = 10

And each rule have certainty 10

So this policy will apply if any rule success'

Try make min 20 so force ISE take decisions depend on two rules not only one.

MHM

oum-odom · ‎08-04-2025

So, We don't need to disable the profiler policy, just to reconfigure for 20 of certainty factor ?

oum-odom · ‎08-05-2025

Any idea just to disable the profiler policy (Xerox-Device) or reconfigure certainty factor 20 ?
@MHM Cisco World

MHM Cisco World · ‎08-05-2025

I will go with op2

Change certainty to be 20 if one condition (10) have wrong detect device as Xerox' certainty need two conditions at least to apply policy.

MHM

andrewswanson · ‎08-04-2025

Does the PC also have a wireless nic that it is configured to connect to a Xerox printer?

hth

Andy

oum-odom · ‎08-04-2025

Hi @andrewswanson There is no any Xerox used/connected in network.

Rob Ingram · ‎08-05-2025

@oum-odom disabling the Xerox policy doesn't really solve the problem, if the Xerox policy is disabled it would be profiled as another device type. There appears to be a device that is being authenticated by ISE, have you investigated what other device is connected to that switchport? What does the output on the switchport tell you? What attributes have been learnt on the endpoint profile on ISE?

oum-odom · ‎08-05-2025

Hi @Rob Ingram
There is just only 2 devices, PC and Phone connected to switch port.
Regarding to profiler and certainty factor, does it cause to this issue?

What if I disable this profiling policy?

Rob Ingram · ‎08-05-2025

Hi @oum-odom it seems there is a problem as to why you are seeing this other authentication being sent to ISE. I don't see why disabling the Xerox profile would solve it, whatever is triggering this will just be profiled as something else, or an "Unknown device".

Could it be a dock or a misbehaving client?

Can you provide a screenshot of the live logs for that endpoint and the output from the switchport on the NAD itself please

oum-odom · ‎08-06-2025

Hi @Rob Ingram @MHM Cisco World
At the same switch port, there are Xerox and unknown.
Kindly refer to figure below

MHM Cisco World · ‎08-06-2025

Context Visibility > Endpoints <<- see which profiling rule use for known device

MHM

Rob Ingram · ‎08-06-2025

@oum-odom have you checked the client devices? Are they running VMs on the workstations that are generating these MAC addresses?