10-03-2014 05:34 AM - edited 03-10-2019 10:05 PM
If an endpoint matches multiple Profiling Policies and each one of the Profiling Policies creates a new and unique Identity Group, which Identity Group will the endpoint be profiled into? My understanding is that an endpoint can only be profiled into a unique Identity Group. Another way of wording the question is: are the Profiling Policies matched top down or some other way? Thanks in advance.
10-04-2014 09:12 PM
A profiling policy that has a higher certainty factor would take precedence over any lower ones. That is why, if you have custom-created policies, it is a good practice to have them with higher certainty factors than the default ones. I always created mine with a level of 100.
Thank you for rating helpful posts!
10-05-2014 08:40 AM
Thanks Neno for your input; it sheds a little bit more light on my understanding.
I wonder what would happen if you had two rules, both with a certainty factor of 100 or even the max 65535, and a single endpoint was profiled into both rules. Which one would win? Would it be the first in the list in ISE, or alphabetical order? Once I get my hands on ISE again I will try to confirm the order.
Thanks again Neno for taking the time to answer my question.
Graham.
10-06-2014 12:11 AM
No problem Graham. To answer your second question: the attributes that are collected first and that trigger a profiling rule would be used first. For instance, let's say that you have a profiling rule with CF of 100 that is looking for a DHCP class identifier of XYZ and then a second profiling rule with CF of 100 that is looking for the MAC OUI of ABC. In this situation, the second rule would be hit first since the MAC information is collected before the DHCP info is. As a result, the device will be profiled and placed in the endpoint group associated with the second profiling rule until/unless additional attributes are collected that would match a different profiling rule with CF > 100.
I hope this makes sense.
Thank you for rating helpful posts!
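A small Python model of the precedence described in the replies above, added here as an illustration: it is not Cisco ISE code and not part of the original posts. The policy names, group names, attribute labels and the third CF 150 policy are constructed, and the list-order fallback for equal-CF matches inside a single event is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str        # profiling policy name (constructed)
    group: str       # endpoint identity group the policy assigns
    cf: int          # certainty factor
    attribute: str   # endpoint attribute the rule inspects
    value: str       # value the attribute must equal

# Constructed policies mirroring the thread's example, plus one higher-CF
# policy to show re-profiling. Attribute names are illustrative labels.
POLICIES = [
    Policy("Custom-DHCP", "Group-DHCP", 100, "dhcp-class-identifier", "XYZ"),
    Policy("Custom-OUI", "Group-OUI", 100, "mac-oui", "ABC"),
    Policy("Custom-Agent", "Group-Agent", 150, "user-agent", "AGENT-1"),
]

def profile(policies, events):
    """Replay (attribute, value) events in collection order.

    Returns (winning policy or None, list of (event index, policy name))."""
    seen, current, history = {}, None, []
    for i, (attr, val) in enumerate(events):
        seen[attr] = val
        for p in policies:
            if seen.get(p.attribute) != p.value:
                continue
            # Move the endpoint only for a strictly higher CF, so an
            # equal-CF match collected later does not displace the
            # current assignment. Equal-CF matches within one event fall
            # back to list order, which is an assumption of this model.
            if current is None or p.cf > current.cf:
                current = p
                history.append((i, p.name))
    return current, history

if __name__ == "__main__":
    # Constructed event stream: MAC is learned before DHCP, then HTTP.
    events = [("mac-oui", "ABC"), ("dhcp-class-identifier", "XYZ"),
              ("user-agent", "AGENT-1")]
    for n in (1, 2, 3):
        winner, _ = profile(POLICIES, events[:n])
        print(f"after {n} event(s): {winner.name} -> {winner.group}")
```

Reversing the first two events makes the DHCP policy win instead, which is the collection-order dependence the reply describes.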
10-06-2014 12:40 PM
Brilliant.
Many thanks for your answer Neno,
Really clear and useful :-)
10-06-2014 12:55 PM
You are welcome! Glad I could help! :)