How to block profiling on specific NAD

Tim Baum
Cisco Employee

Is there a way to block ISE from profiling endpoints that are on a specific NAD? There is a profiling rule that causes an NMAP-SNMP scan of a device if it matches a certain rule. These devices are wired and never on wireless. ISE is scanning wireless devices that match the initial rule but fail the scan since SNMP is not configured on these endpoints.

There is no condition that allows a check of network device group. Best option appears to be to check the calling station ID for known devices that should not use the NMAP-SNMP scan. But that means a long condition list.

Looking for a better way to block these profile scans on WLCs.

Thanks

3 Replies

Marvin Rhoads
Hall of Fame

How about using the condition wireless 802.1x vs wired 802.1x (and add MAB if you're using that as well) as a discriminator?

How do you select those conditions for the profiler policy? The only library conditions are for profiling. And building a condition is also limited to the profile attributes. Which is my question: is there a better way to add a condition to check for an NDG:Type in a profile when that attribute is not available than to create checks for MAC addresses?

I think this is a new feature but hoping others have a need to be able to tune profiling based on NAD.

Thanks

I'm sorry - I misunderstood the context of your original posting.

You're correct - there doesn't seem to be an easy way to configure this. I even checked the Profiling Design Guide and it doesn't even seem to anticipate that one would ever want to do such a thing.

Since you're internal Cisco, I recommend you pass on the request to the BU TMEs.