ISE 3.0 - AD Profiling Probe Rescan

David Milne
Level 1

Hello! I'm confused about the ISE AD profiling probe slightly.

The ISE 3.0 admin guide (https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_asset_visibility.html#id_17552) and the ISE profiling guide here on the Cisco Community (https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId-1348091918) both have statements regarding the AD probe rescan timer that I'm not 100% clear on.

The admin guide says "If there is additional profiling activity on the endpoint, the AD is queried again." and the profiling guide says (with regard to the rescan interval) that "This value specifies the number of days the PSN waits before querying AD again for the same host when new profile data is learned."

Both of those make me think that ISE will only query AD for an endpoint after the rescan timer if there is new profiling information for the endpoint received from other probes.

The profiling guide also says this however - "Once Microsoft AD is queried for the host, the Policy Service node will not attempt to query AD again for the same endpoint until a rescan timer expires." - which I read to mean that ISE will re-query AD for each endpoint after the rescan timer expires, irrespective of whether any new profiling data has been gathered.

My observations so far suggest that the rescan only happens if there's new information learned via other probes, is this the case?

What we're seeing are some endpoints showing up in ISE being profiled as a generic Windows10-Workstation profile when they are connected (via an SDA fabric, using MAB authentication because there's no 802.1x supplicant configured on the endpoints for reasons outside of my control!), rather than matching the custom profiling policy (let's call that other profile Windows10-DomainPC) the customer has (that is a child of that Windows10-Workstation one) to match their AD-joined machines, that relies on the AD-Host-Exists attribute being true.

If I disconnect the host, delete the endpoint, then reconnect it - it seems to get profiled as an AD-joined machine matching that custom profile (Windows10-DomainPC) rather than the generic Windows10-Workstation profile. If I leave it for several days so that the AD rescan timer has definitely expired, it never seems to get re-profiled to that Windows10-DomainPC profile.


Accepted Solutions

Hi @David Milne ,

what is my understanding about this ...

1st ISE does not attempt to Query AD again for the same Endpoint until the Rescan Timer expires (configurable in Administration > System > Deployment > Profiling Configuration > Active Directory, field Days Before Rescan), this is to limit the load on AD for Attribute Queries.

Note: " ... Load due to Authentication is typically the Primary Source of load on AD, not Profiler activity ... "

2nd since ISE fetches the AD Attributes for a new Endpoint as soon as it receives a Hostname and the Hostname is typically learned from the DHCP or DNS Probes, via the following Profile Attributes:

  • Hostname (DHCP probe)
  • FQDN (DNS probe)

DHCP and/or DNS Probe must be enabled !!!

3rd if the Rescan Timer is expired AND there is additional Profiling activity on the Endpoint, then the AD is queried again.

Hope this helps !!!

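A small model of the rescan gating described in the reply above, written as an added example (it is not Cisco code and not taken from ISE); the AD_COMPUTERS set, the event timings and the first lookup missing are all constructed assumptions, chosen so the stale AD-Host-Exists effect from the question is visible:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

@dataclass
class EndpointState:
    hostname: Optional[str] = None
    last_ad_query: Optional[datetime] = None
    ad_host_exists: Optional[bool] = None  # last result from the AD probe

def apply_probe_data(state: EndpointState, attrs: dict, now: datetime,
                     rescan_days: int, ad_lookup: Callable[[str], bool]) -> bool:
    """Feed one batch of newly learned profiler attributes (DHCP/DNS probe) into
    the endpoint and decide whether the AD probe fires. True if AD was queried."""
    # The AD probe keys on a hostname: DHCP yields 'hostname', DNS yields 'FQDN'.
    name = attrs.get("FQDN") or attrs.get("hostname")
    if name:
        state.hostname = name.split(".")[0].lower()
    if state.hostname is None:
        return False  # nothing to look up: the DHCP or DNS probe must be enabled
    first_time = state.last_ad_query is None
    timer_expired = (not first_time
                     and now - state.last_ad_query >= timedelta(days=rescan_days))
    # Query on the first hostname, or when the rescan timer has expired AND this
    # event carries new profiling data. Mere passage of time never triggers a query.
    if first_time or (timer_expired and attrs):
        state.ad_host_exists = ad_lookup(state.hostname)
        state.last_ad_query = now
        return True
    return False

AD_COMPUTERS = {"pc-0042"}  # constructed sample directory standing in for AD
in_ad = AD_COMPUTERS.__contains__

def run_scenario(rescan_days: int = 1) -> dict:
    """Replay the thread's situation with constructed events; the first lookup
    missing is an assumption made so the stale-attribute effect is visible."""
    ep, t0, r = EndpointState(), datetime(2021, 3, 1, 9, 0), {}
    r["first"] = apply_probe_data(ep, {"hostname": "PC-0042"}, t0, rescan_days, lambda h: False)
    # New data inside the timer window: no query, the timer has not expired.
    r["inside_timer"] = apply_probe_data(ep, {"hostname": "PC-0042"}, t0 + timedelta(hours=6), rescan_days, in_ad)
    # Timer expired but no new profile data: no query, AD-Host-Exists stays stale.
    r["expired_no_data"] = apply_probe_data(ep, {}, t0 + timedelta(days=3), rescan_days, in_ad)
    r["stale_value"] = ep.ad_host_exists
    # Timer expired AND fresh DHCP data: AD is re-queried and the attribute updates.
    r["expired_with_data"] = apply_probe_data(ep, {"hostname": "PC-0042"}, t0 + timedelta(days=3, hours=1), rescan_days, in_ad)
    r["updated_value"] = ep.ad_host_exists
    return r
```

The "expired_no_data" step is the case in the question: once the timer has expired, nothing happens until another probe delivers new attributes for that endpoint.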