ISE endpoint belonging to multiple endpoint groups

imihajlo
Cisco Employee

Hello All

My current understanding is that today an endpoint cannot belong to multiple endpoint groups.

Could you please advise me: do we maybe have a capability on the roadmap which will allow an endpoint to belong to multiple endpoint groups?

Can we today use profiling Endpoint Profiles (not Endpoint Groups) as a condition in the authorization rules?

I am not sure I understand the difference between Endpoint Profile and Endpoint Group; they will be the same, for example Cisco-IP-Phone. What exactly is the difference between these two terms?

Regards,

Ivana

Accepted Solution

paul
Level 10

Okay, there are a lot of concepts to master here. A MAC address can exist in three places:

  1. Endpoint Profile: this is the profiling policy the endpoint was matched against. An endpoint can exist in only one Endpoint Profile.
  2. Endpoint Identity Group: this is either a static whitelist, mapped over from profiling, or managed through a portal process. An endpoint can only exist in one Endpoint Identity Group.
  3. Logical Profiles: local grouping of endpoint profiles that can be used in rules, e.g. Printers, Phones, etc. An endpoint can exist in more than one logical profile.

I typically use #2 (despite what advanced tips and tricks says) because it utilizes the profiling structure the way it was meant to be used. In a profiling policy you have the option to map over to an endpoint identity group at any level in the profiling tree.

As an example, Cisco has profiles for all their phone models, but I don't care which model of phone it is from my rule base. I simply make sure the Cisco-IP-Phone profile has the "Create matching identity group" option set and I can then use that identity group in my rule.

In this way, everything is easily seen on the Context Visibility screen. You can't see logical profile assignments on the CV screen, but you can see Endpoint Profiles and Endpoint Identity Groups on the CV screen.

I use the profiling tree much like logical profiles. I create a top-level rule for Medical_Devices as I see them on the network, then create sub profiles for the types of medical devices I see on the network. Only the parent Medical_Devices is mapped over to an Endpoint Identity Group and used in a rule, but all the sub profiles are viewable on the CV screen.
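To make the three placements concrete, here is an added Python model (not ISE code and not the answer author's) of the behaviour described in the accepted solution: a profiling tree in which the "Create matching identity group" option can be set at any level, each endpoint resolving to exactly one profile and one identity group but any number of logical profiles, and an authorization rule keyed on the identity group. The profile names other than Cisco-IP-Phone and Medical_Devices, the "Profiled" fallback group, the logical profile sets and the rule results are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:
    """A node in the profiling tree (hypothetical model, not ISE code)."""
    name: str
    parent: Optional["Profile"] = None
    create_matching_group: bool = False  # the "Create matching identity group" option

def identity_group_for(profile: Profile, default: str = "Profiled") -> str:
    """Nearest profile up the tree with the mapping option set wins, so the mapping
    can sit at any level; "Profiled" is the assumed fallback when nothing is mapped."""
    node = profile
    while node is not None:
        if node.create_matching_group:
            return node.name
        node = node.parent
    return default

def logical_profiles_for(profile: Profile, logical: dict) -> set:
    """Logical profiles are plain sets of profiles; one profile may be in several."""
    return {name for name, members in logical.items() if profile.name in members}

def placements(profile: Profile, logical: dict) -> dict:
    """The three places the answer lists for a single MAC address."""
    return {
        "endpoint_profile": profile.name,
        "identity_group": identity_group_for(profile),
        "logical_profiles": logical_profiles_for(profile, logical),
    }

def authorize(identity_group: str, rules: list) -> str:
    """First authorization rule whose identity-group condition matches wins."""
    for group, result in rules:
        if group == identity_group:
            return result
    return "Default-Deny"

# Constructed tree: only Cisco-IP-Phone and Medical_Devices are mapped to groups.
CISCO = Profile("Cisco-Device")
PHONE = Profile("Cisco-IP-Phone", CISCO, create_matching_group=True)
MODEL_7945 = Profile("Cisco-IP-Phone-7945", PHONE)  # model-level sub profile
MEDICAL = Profile("Medical_Devices", create_matching_group=True)
PUMP = Profile("Infusion-Pump", MEDICAL)  # hypothetical sub profile, visible in CV only

LOGICAL = {"Phones": {"Cisco-IP-Phone", "Cisco-IP-Phone-7945"}, "Voice": {"Cisco-IP-Phone-7945"}}
RULES = [("Cisco-IP-Phone", "Voice-VLAN"), ("Medical_Devices", "Medical-VLAN")]
```

Running `placements(MODEL_7945, LOGICAL)` shows the phone model resolving to the parent's identity group while appearing in two logical profiles, and `placements(PUMP, LOGICAL)` shows the sub profile inheriting Medical_Devices as its group.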
