
Device Identification over the Internet using ISE

Hello all,

I had a series of questions come my way regarding the profiling of devices that communicate with our internal/DMZ network either over the Internet or VPN tunnels.  It is my understanding that ISE will only profile devices directly attached to our internal network, as there are some configs that need to be added to switches in order to ensure the necessary probes being used can profile the device appropriately.

 

Question: Is it possible to use ISE to also profile a device coming from an external network, such as the Internet or VPN tunnel, for the sole purpose of simply identifying (device type & IP address) that device for security purposes?

 

My thinking is along the lines of how some Internet apps may use your device type to identify if you've ever logged into their service from that device before OR may send you a notification if a login was detected from a specific device that may be a security alert.

 

Thanks in advance!

Terence

3 Replies

yalbikaw
Cisco Employee

It all depends on the attributes that are being sent along with the authentication, so if a VPN user is authenticated with ISE and the firewall sends the accounting, these accounting packets usually contain mdm-tlv attributes that can be used for profiling the endpoint.

 

Thanks for your reply.  I should've been clearer in my original post.  I'm referring to external devices that do not belong to our network coming across an external network such as the Internet or IPsec VPNs.  For instance, a vendor has a VPN tunnel set up to communicate with our internal servers, can ISE be used to identify the device attempting to talk to our server?  Or, an employee using their personal device to connect to a server over the Internet in our DMZ.  Can ISE be used to identify this device?

Panos Bouras
Level 1

Hi,

 

You can collect values for your VPN users via AnyConnect ACIDex, but they are limited on ISE.

Check the following presentation

https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-2725.pdf

 

 

Thank you,
Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
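The replies above mention mdm-tlv attributes in RADIUS accounting and AnyConnect ACIDex values. The following is an added example, not code from any poster or from Cisco, showing how such attributes could be pulled out of Cisco-AVPair strings for endpoint identification. The attribute names and sample values are assumptions that do not appear in the thread, and the sample list is constructed.

```python
import re

# Constructed sample: Cisco-AVPair strings as they might appear in a RADIUS
# request from a VPN headend. Names and values are assumptions for illustration.
SAMPLE_AVPAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=00-0C-29-AA-BB-01",
    "mdm-tlv=device-mac=00-0c-29-aa-bb-02",
    "mdm-tlv=device-type=Example Corp Laptop=Model X",
    "mdm-tlv=device-platform-version=10.0.19045",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.10.00000",
    "audit-session-id=0a0000010000100061e00000",
    "mdm-tlv=device-mac=not-a-mac",
]

PREFIX = "mdm-tlv="
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")

def normalise_mac(value):
    """Return AA:BB:CC:DD:EE:FF, or None if the value is not a MAC address."""
    v = value.strip().lower()
    if not MAC_RE.match(v):
        return None
    return v.replace("-", ":").upper()

def parse_acidex(avpairs):
    """Collect mdm-tlv key/value pairs; device-mac may repeat (one per NIC)."""
    endpoint = {"macs": [], "attrs": {}, "rejected": []}
    for pair in avpairs:
        if not pair.startswith(PREFIX):
            continue  # unrelated AV pair, not endpoint identity data
        key, sep, value = pair[len(PREFIX):].partition("=")
        if not sep or not key:
            endpoint["rejected"].append(pair)  # malformed: no key=value body
            continue
        if key == "device-mac":
            mac = normalise_mac(value)
            if mac is None:
                endpoint["rejected"].append(pair)
            elif mac not in endpoint["macs"]:
                endpoint["macs"].append(mac)
        else:
            endpoint["attrs"][key] = value  # value may itself contain '='
    return endpoint

if __name__ == "__main__":
    print(parse_acidex(SAMPLE_AVPAIRS))
```

These values are reported by the VPN client, so they are identification hints for logging and alerting, not proof of what the device is.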