Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
342
Views
2
Helpful
4
Replies

Cisco ISE profiling- OUI Lookup

Go to solution
Phillip Noret
Level 1
Level 1

‎06-14-2024 06:29 AM

Hi all,
I'm fairly new to using ISE profiling and we're keen to make a push from MAB to using device profiles. We have the ISE profiler feed enabled and it claims that new updates are applied.

What we've found is that some devices are showing as unknown which we know to correct is for additional work on creating and amending profiles. What is perplexing me is how ISE performs an OUI check. For example, we have 5 HP printers, 3 show their OUI as "Hewlett Packard" and the other two show as "unknown". When we check the mac addresses of the unknown devices on an OUI check, they show as "Hewlett Packard" just as the devices that ISE recognises as "Hewlett Packard". We have other, similar instances of this behaviour.

Is there something i have to do on ISE for it to periodically check an OUI database with unknown MAC addresses? Or should an OUI database be downloaded within the Profiler Feed update? Is there a way to view what OUI data ISE has currently?

We're currently using ISE 2.7 latest patch but we are also migrating to ISE 3.3 now. The above is observed in ISE 2.7 but i wanted to ask in case we experience the same in version 3.3

Best Wishes

Phillip Noret

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Phillip Noret
Level 1
Level 1

‎06-19-2024 03:21 AM

Hi all,

Thank you for taking the time to respond. We have spent some time with our ISE appliances and came to the conclusion that the profiler feed may not be working. We then disabled, reconfigured and re-enabled the feed and after five days we've started to observe that many devices, including HP printers that were showing as "Unknown" are now starting to match the vendor as listed in public OUI databases.

We're quite new to profiling and it's a shame we can't see the current OUI list ISE has, so we can match vendor names in profiling to what ISE has - so we can work on the remaining unknown devices. I suspect ISE will get this information from the IEEE Registration Authority?

Thanks,

Phill

View solution in original post

4 Replies 4

Go to solution
Arne Bier
VIP
VIP

‎06-14-2024 04:07 PM

Hi

Best guide for all this stuff is Profiling Design Guide maintained by @thomas  - very comprehensive

I haven't found a way to dump the internal MAC OUI database within ISE. There is a website that used to work, called ise.cisco.com/partner - but it's broken. That would allow you to download an XML file that contained the latest mappings.  I can't get it working any longer

Have you run the Download feed Now in your ISE and then checked the Operations > Reports > Audit to see that the OUI's were added? Usually on the first attempt it might download hundreds or thousands of new OUIs and Profiler Policies.

Also, regarding the Hewlett Packard vs unknown - are these all for the same MAC Address Prefix (check in context visibility by entering the first 6 hex digits of the MAC address). ISE should be profiling them all the same way with the default profiling. However, if some endpoints have SNMP or DHCP properties, then it could be that ISE is profiling them more specifically (eg. HP Laserjet 123).

Check and contrast the endpoints that are working, against the ones not working to see if you can spot differences. ISE does the updating dynamically - nothing for you to do but wait sometimes for the profiling engine to re-profile endpoints. It can take a few seconds sometimes.

One caveat is locally administered MAC addresses (aka "Private MAC Addresses") as used on mobile devices and PCs - these will always appear in ISE as "unknown" because their MAC address format is not related to a vendor.

 

Go to solution
thomas
Cisco Employee
Cisco Employee

‎06-14-2024 04:12 PM - edited ‎06-18-2024 04:07 PM

@Phillip Noret ,

Which OUIs of your HP and other endpoints are reporting as Unknown by ISE?

It's impossible to check without knowing those details.

If you have the Profiling feed service enabled, it should be updating with the latest OUIs.

0 Helpful

Go to solution
Phillip Noret
Level 1
Level 1

‎06-19-2024 03:21 AM

Hi all,

Thank you for taking the time to respond. We have spent some time with our ISE appliances and came to the conclusion that the profiler feed may not be working. We then disabled, reconfigured and re-enabled the feed and after five days we've started to observe that many devices, including HP printers that were showing as "Unknown" are now starting to match the vendor as listed in public OUI databases.

We're quite new to profiling and it's a shame we can't see the current OUI list ISE has, so we can match vendor names in profiling to what ISE has - so we can work on the remaining unknown devices. I suspect ISE will get this information from the IEEE Registration Authority?

Thanks,

Phill

Go to solution
thomas
Cisco Employee
Cisco Employee
In response to Phillip Noret

‎06-20-2024 07:46 AM

Yes, ISE gets the OUIs from the offiicial IEEE registry.

I asked the PM & Engineering team and there is no way currently to view the available OUIs in ISE as of version 3.3.

0 Helpful
Customers Also Viewed These Support Documents