08-16-2022 11:37 PM
Hello,
We've recently connected an Xbox console to our network. A new security rule has been configured on Cisco ISE to allow network access. The device should be recognized and granted network access based on its device profile. The pre-defined profile "Gaming Devices" has been used for that purpose. However, the device was not properly recognized and was placed in a guest VLAN (by another security policy). In order to make it work, another profiling policy with the MAC address has been created. Is there any way to update the list of pre-defined device profiles?
Thank you in advance!
08-17-2022 12:18 AM
If you are using an OUI-based list (where all Xboxes come with the same first 4 or 5 characters of the MAC address, identifying the manufacturer),
move the policy above guest and test it.
08-17-2022 05:08 AM
The policy is above guest, but the device is not recognized properly.
08-17-2022 09:13 AM
Check the logs to see why the policy is not matching.
Take one device, try to connect, and see the order of operations.
08-17-2022 11:08 AM - edited 08-17-2022 11:18 AM
@lnw-team if the endpoint matches the new policy the devices should automatically update.
What is the certainty factor of one of the endpoints?
In the configuration of the new profiling policy what is the certainty factor you configured?
Is this higher than the certainty factor under the other policy? If not, it needs to be, otherwise the endpoint will continue to match the other policy.
Provide some screenshots of the new policy, the existing policy and the output of one of the endpoints.
08-17-2022 02:35 PM
ISE has built-in Profile Policies for Xbox360 and XboxOne. It uses a combination of MAC OUI and DHCP attributes.
The main issue with any profiling is, what happens when ISE sees the device for the FIRST TIME? First time means, ISE only gets a MAC address to work with. That might be enough for very crude profiling. But you want to give ISE more time to do a more accurate job. That means, you don't deny/block a device that ISE has not been able to 100% identify (in other words, you failed through all the current Authorization Policies and ended on the Default one at the bottom). In Low-Impact mode you can return a dACL that allows DHCP, DNS and SNMP - in most cases this gives ISE a good chance to process the DHCP data, run an nmap and SNMP poll etc. Within a few seconds, ISE has learned that this is an XBOXONE, and then sends the switch a CoA Reauth. And then it will be caught in the correct Authorization Policy that you setup to put Xboxes in the right VLAN/ACL.
You don't have to use Cisco's Xbox profiles - but it's a good start.
08-20-2022 11:01 AM
You are using the Gaming Devices logical profile which has these profiles:
Searching the ISE Profiles for "xbox" I see there is also "XBOXONE". Did you also add that? Is that not matching for you?
> the device was not properly recognized
OK, then what device did it match? You did not provide any details so we cannot suggest corrections.
Why did it match this other device? Were there similar attributes? Were attributes missing such that the XBOX profiles did not have a match and get a higher certainty factor?
These are the profiling rules for both XBOX profiles:
XBOX360Rule1Check1 | DHCP:dhcp-class-identifier EQUALS Xbox 360
and
XBOXONERule1Check1 | DHCP:host-name CONTAINS XBOX-ONE
XBOXONERule1Check2 | DHCP:host-name EQUALS Xbox-SystemOS
XBOXONERule1Check3 | MAC:MACAddress STARTSWITH 50:1A:C5
Are you seeing these DHCP attributes for these endpoints?
Does profiling any other endpoints with DHCP work in your environment? Or is it only XBOX devices giving you an incorrect profile?
If you do not see DHCP attributes, how are you sending ISE DHCP attributes?
These are the necessary troubleshooting details you need to figure out.
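A simplified model of the certainty-factor logic discussed in this thread, added here as an illustration (it is not code from the thread or from Cisco ISE): it evaluates the quoted XBOX checks against constructed endpoint attributes and shows why a MAC-only first sighting scores lower than one with DHCP data. The certainty of 10 per check, the minimum of 10 per profile and case-insensitive matching are assumptions.

```python
# Added example, not from the thread or Cisco: a simplified model of how ISE
# profiling checks add up certainty factors and pick an endpoint profile.
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    attr: str        # endpoint attribute, e.g. "DHCP:host-name"
    op: str          # EQUALS, CONTAINS or STARTSWITH
    value: str
    certainty: int   # certainty factor granted when the check matches

def check_matches(check: Check, endpoint: dict) -> bool:
    """Evaluate one profiling check; comparison is case-insensitive (assumption)."""
    observed = endpoint.get(check.attr)
    if observed is None:          # attribute never collected, e.g. no DHCP seen yet
        return False
    seen, want = observed.lower(), check.value.lower()
    if check.op == "EQUALS":
        return seen == want
    if check.op == "CONTAINS":
        return want in seen
    if check.op == "STARTSWITH":
        return seen.startswith(want)
    raise ValueError(f"unknown operator {check.op}")

# The XBOX profiling rules quoted above; 10 per check is an assumed default.
PROFILES = {
    "XBOX360": [Check("DHCP:dhcp-class-identifier", "EQUALS", "Xbox 360", 10)],
    "XBOXONE": [
        Check("DHCP:host-name", "CONTAINS", "XBOX-ONE", 10),
        Check("DHCP:host-name", "EQUALS", "Xbox-SystemOS", 10),
        Check("MAC:MACAddress", "STARTSWITH", "50:1A:C5", 10),
    ],
}

def certainty_scores(endpoint: dict) -> dict:
    """Total certainty factor each profile earns from the collected attributes."""
    return {name: sum(c.certainty for c in checks if check_matches(c, endpoint))
            for name, checks in PROFILES.items()}

def best_profile(endpoint: dict, min_certainty: int = 10) -> tuple:
    """Highest-scoring profile, or 'Unknown' if none reaches the minimum."""
    name, total = max(certainty_scores(endpoint).items(), key=lambda kv: kv[1])
    return (name, total) if total >= min_certainty else ("Unknown", total)

if __name__ == "__main__":
    # Constructed endpoint: first seen with only a MAC, then after DHCP is learned.
    first_seen = {"MAC:MACAddress": "50:1A:C5:AA:BB:CC"}
    print(best_profile(first_seen))                                          # ('XBOXONE', 10)
    print(best_profile({**first_seen, "DHCP:host-name": "Xbox-SystemOS"}))  # ('XBOXONE', 20)
```

An endpoint whose OUI is not in the rules and whose DHCP attributes ISE never collected scores 0 for every profile and ends up "Unknown", which is the fall-through-to-guest situation the thread describes.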