cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1031
Views
10
Helpful
3
Replies

ISE Endpoint Profile updates when Profiling policies change

REJR77
Level 1
Level 1

Dear ISE Gurus,

I have 1 question regarding ISE profiling. I had a look at the ISE Profiling Design Guide, and can't find a clear answer.

Imagine my endpoints are profiled with a Profiling Policy "A". Now I decide to add a new Profiling Policy "B" and the endpoints previously profiled as "A", should be profiled as "B".

How long does it take for the change of profile? Do we have to delete the endpoint and wait , or is it "automatic"?

Thnks

 

1 Accepted Solution

Accepted Solutions

Rodrigo Diaz
Cisco Employee
Cisco Employee

hello @REJR77 ,  when you do a profiling ISE will keep stored attributes about the endpoint within the PAN node database , in order to re-trigger  the profiling in your example and pass from one policy "A" to a policy "B" you need to firstly change the rules in order that policy "B" has precedence over "A" , secondly,  change any of the following attributes within the authentication you're doing :

  • ip

  • EndPointPolicy

  • MatchedValue

  • StaticAssignment

  • StaticGroupAssignment

  • MatchedPolicyID

  • NmapSubnetScanID

  • PortalUser

  • DeviceRegistrationStatus

  • BYODRegistration

Please refer to "Identified Endpoints Locally Stored in Policy Service Nodes Database " in the next link https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010101.html 

View solution in original post

3 Replies 3

marce1000
VIP
VIP

 

 - When you update a Profiling Policy, the change will be applied to all endpoints that match the conditions defined in the policy. The time it takes for the change to take effect will depend on the number of endpoints that need to be updated and the resources available on the ISE server. In general, it should be a relatively quick process.

If you want to change the profile of an endpoint from "A" to "B", you can simply add the conditions for "B" to the Profiling Policy "B" and remove the conditions for "A" from Profiling Policy "A". The endpoint should then match the conditions in "B" and be re-profiled accordingly.

Alternatively, you can also delete the endpoint and wait for the endpoint to come back online and it will be profiled with the updated profiling policy.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

@REJR77 set the certainty factor score on the new profile policy higher than the old policy.

Rodrigo Diaz
Cisco Employee
Cisco Employee

hello @REJR77 ,  when you do a profiling ISE will keep stored attributes about the endpoint within the PAN node database , in order to re-trigger  the profiling in your example and pass from one policy "A" to a policy "B" you need to firstly change the rules in order that policy "B" has precedence over "A" , secondly,  change any of the following attributes within the authentication you're doing :

  • ip

  • EndPointPolicy

  • MatchedValue

  • StaticAssignment

  • StaticGroupAssignment

  • MatchedPolicyID

  • NmapSubnetScanID

  • PortalUser

  • DeviceRegistrationStatus

  • BYODRegistration

Please refer to "Identified Endpoints Locally Stored in Policy Service Nodes Database " in the next link https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010101.html