07-26-2024 07:41 AM
I am working with Cisco ISE and for certain reasons we are trying to add a few very basic profiling policies to pick up MAC addresses that start with certain vendors. Obviously, I know that it's not optimal, but that isn't the point when profiling doesn't seem to work right.
Mac > Starts With > AAAAAA
But when I add these policies, it does work for some, but it doesn't change the categorization of the endpoint profile in endpoints for others even though the endpoint's MAC matches. The ones that don't match just stay as 'unknown'. Seems pointless if these policies can't even recategorize reliably with MAC info ISE already knows...
Anyone else run into this or know maybe how to get basic rules like this to reliably recategorize?
Any help would be greatly appreciated.
Thanks.
07-26-2024 07:54 AM
a) Did you reboot the device so it'll redo DHCP (assuming you relay that to ISE) and cause a re-auth?
b) How is it going to know that group? You didn't check the box "yes create matching identity group", so it wouldn't make a "Profiling_Test" group for this or other prefix matching endpoints.
07-29-2024 09:29 AM
Yes. And ISE does know what the MAC address of the device is, as it is clearly listed on the endpoints list, so it should just be able to match the MAC it already knows with the rule. That would be incredibly not worth the money if it couldn't at least do that with the info it already knows about the device.
As for the radio for the creation of the identity group, it's just a quick rule test and not the whole process. If that were truly the issue, we wouldn't be seeing it work for most the same way. It's just like 150 that are unknown 'cause the rule won't apply taking the info ISE knows about the device.
07-28-2024 02:14 PM
▷ MAC Authentication Bypass (MAB) with ISE 2023-07-20
28:24 ISE Local & Global Exceptions
29:11 MAC Filtering Authorization Rules using MAC_* Operators
30:04 Demo: Local and Global Exceptions
31:53 - ISE Endpoint Identity Groups
32:55 - Add/Remove Endpoints to Identity Groups
33:44 - Override Global Exception with Policy Set Local Exception
35:00 - Random MAC Address Filtering
35:53 - Matching with EQUALS vs MAC_EQUALS using :'s and -'s
37:59 - MAC OUI matching using MAC_STARTS operator
39:01 - MAC_* Operators in Authorization Rules
40:13 Demo: Static Endpoint Groups