cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
878
Views
10
Helpful
3
Replies

Create Profiling Policies for a Group of Devices

Matthew Martin
Contributor
Contributor

Hello All,

I have a group of devices that I want to create a new Profiling Policy for based off their MAC Addresses. All of the devices all start with the same first 8 characters of their Mac Address.

So I created a new Profiling Policy (*Policy > Profiling > Profiling Policies). In there I added 1 Rule, which is the only rule right now for "MAC:MACAddress  STARTSWITH  aabbccdd".

Then, I went to my Wired Policy Sets. Created a new Authorization Policy with only one condition for "Endpoint Identity Groups:Profiled: my_profile_name".

Lastly, I plugged in the device. But, it's showing up as Unknown, instead of matching the Profiling Policy...

I also noticed there's Profiling Conditions in Policy > Policy Elements > Conditions > Profiling.... So I also added a policy condition there that does the same thing as the Profiling Policy I described above with the Mac Address starts with.... But, I assume this "condition" needs to be applied somewhere.

I'm thinking I'm missing something. Could anyone lend a hand with this, or point me in the right direction?

 

Thanks in Advance,

Matt

3 REPLIES 3

Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor

Hi @Matthew Martin ,

 at Policy > Profiling > Profiling Policies, double check if:
. the Policy is Enabled.
. the Minimum Certainty Factor matches the number of your rule

ProfilerPolicy.png

 

At Policy Set > Authorization Policy double check if you are using
IndentityGroup.Name EQUALS xxxx
or
Endpoint.EndpointPolicy EQUALS xxxx

 

Hope this helps !!!

Hey Marcelo,

Thanks for the reply.

Checked the Profiling Policy and it is enabled and I had both Certainty Factors set to 10. Not sure if it mattered, so changed them both to 5 and saved the policy. The Policy Name is called "Zoom_Phones".

The only Rule is that it needs to match the first 8 characters of the MACAddress.

Profiling_Policy.jpg

Here is the Policy Set:

Policy-Set.jpg

 

Now, when I check Radius Live Logs, I just get "Deny Access", and the Endpoint Profile showing as "Unknown". The first 8 characters of the MAC Address definitely matches the Rule in the Profiling Policy. I also tried plugging in a second device, also with the same first 8 in the MAC and it's getting the same result.

 

Thanks Again,

Matt

hslai
Cisco Employee
Cisco Employee

The separators might not have matched properly.

Also, we could use RADIUS:Calling-Station-ID directly in authorization conditions.

Screen Shot 2021-07-05 at 8.38.37 AM.png

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: