cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
515
Views
0
Helpful
4
Replies

Cisco ise profiling

munish.dhiman1
Beginner
Beginner

Hi,

Trying to understand the profiling behaviour,could you please correct me if my understanding is incorrect.

 

IP phone connects to the network and get profiled by ise and refects in endpoint repository.now i moved the mac adress data base to a new folder and create a  authorizastion policy.

now i disconnect the ip phone and reconnect,will it get again reprofiled by plus license and show in endpoint repository or ise will skip the profiling 2nd time and just enforce the authorization policy.

regards,

md

 

 

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor
Just to clarify a few things here is an overview:
ISE collects attributes from device sensors (NADs). The attributes are used to profile your devices. There are several probes you can use (Radius, IP, DNS, Radius, etc.). The only time a plus license gets consumed in regard to profiling is if you use the profiled endpoint group as a authz condition in your policies. Re-profiling could occur if there has been a change or if you have enabled new profiles with different MCFs that your devices may match to depending on how they are setup. Good luck & HTH!

View solution in original post

4 Replies 4

Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor
Just to clarify a few things here is an overview:
ISE collects attributes from device sensors (NADs). The attributes are used to profile your devices. There are several probes you can use (Radius, IP, DNS, Radius, etc.). The only time a plus license gets consumed in regard to profiling is if you use the profiled endpoint group as a authz condition in your policies. Re-profiling could occur if there has been a change or if you have enabled new profiles with different MCFs that your devices may match to depending on how they are setup. Good luck & HTH!

Jason Kunst
Cisco Employee
Cisco Employee
this was brought up before and pointed to a possible defect depending on your release. please make sure you're running latest patch and if still a problem check through the TAC as well

Jason,

This is not an issue, however trying to understand the expected behavior. As per the process ,ise process a request in following order

Profiling___authntication_____posture____than enforcement/authorization...
So if i move the profiled endpoint from known endpoint folder to any other folder ,and when next time same endpoint connects to the network ,will it show as unknown and ise will profil it again before authentication?
Reason of asking this :
1. Well ,I have a MAB policy and authorization is based on OUI (aa:cc:dd).After MAB ,device is checked for the OUI configured in the policy and access provided.
How can I detect Mac spoofing in this case and send coa?

2. I am thinking of using a combination of something like this. "If a mac start from aa:bb:cc and found in folder ABC ---provide vlans10.
But Now if someone spoofs the mac address he will also get full access.beacuse it's the same mac or starts with same oui. How can we prevent this,how profiling/plus license makes a difference here?

BR,
MD
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers