Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1560
Views
1
Helpful
5
Replies

ISE 2.2 Reprofiling After Adding New Profile Policies

Go to solution
paul
Level 10
Level 10

‎06-14-2017 02:06 PM

I am working on an install at a customer and I am showing them how to build out their profile policies as we learn stuff in monitoring mode.  We are running 2.2 patch 1.  Usually when I add new profile policies that have higher minimum certainty factors than the current matched profiles, ISE will run my new policies against the endpoints and reprofile them within minutes.  In this customer's case we have waited hours and they haven't reprofiled.  If I delete the MAC address from the Endpoint database and have it reauthenticate it will profile correctly into my new policies.

Has this behavior changed in 2.2?  I am going to test it in my lab today if I have time, but wanted to send out the question to the group.

Thanks.

1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎06-14-2017 02:10 PM

That is still the behavior or ISE 2.2 when you modify profiling policy.  I just recently tested this in my lab and can confirm that is the case.

Regards,

-Tim

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎06-14-2017 02:10 PM

That is still the behavior or ISE 2.2 when you modify profiling policy.  I just recently tested this in my lab and can confirm that is the case.

Regards,

-Tim

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Timothy Abbott

‎06-14-2017 02:21 PM

So what would cause the deployment to not do that? I couldn’t find any settings the customer may have mistakenly turned off. I was sure in the other deployments I had done with 2.2 it still worked as well.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to paul

‎06-15-2017 07:43 AM

Honestly, I'm not 100% sure since I know that if any of the profile policies are modified, ISE attempts to reprofile all endpoints it knows about.  If the behavior continues, I suggest reaching out to the TAC.

Regards,

-Tim

0 Helpful

Go to solution
Alex Martin
Level 1
Level 1
In response to paul

‎06-19-2017 08:59 PM

Paul,

I am seeing this same behaviour with my deployment with a customer and I have not yet contacted TAC about the issue but will soon be submitting a case with them.  My deployment is 3 physical appliances that we upgraded from ISE 2.0 to 2.2 Patch 1.  If you find any more information out about the issue, could you please update this post so I know as well.  I will also update once we have had a chance for TAC to investigate.

Thanks,

Alex Martin

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Alex Martin

‎06-20-2017 06:58 AM

I haven’t done more research on this yet. The devices eventually reprofiled, but it took some time. I know at least a half hour after I added the new profile rules they hadn’t changed, but when I worked with the customer the next day things had reprofiled.

I will let you know if I find anything else out.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful
Customers Also Viewed These Support Documents