01-13-2023 05:39 AM
Dear ISE Gurus,
I have 1 question regarding ISE profiling. I had a look at the ISE Profiling Design Guide, and can't find a clear answer.
Imagine my endpoints are profiled with a Profiling Policy "A". Now I decide to add a new Profiling Policy "B", and the endpoints previously profiled as "A" should be profiled as "B".
How long does it take for the change of profile? Do we have to delete the endpoint and wait, or is it "automatic"?
Thanks
01-13-2023 12:39 PM
Hello @REJR77, when you do profiling, ISE will keep stored attributes about the endpoint within the PAN node database. In order to re-trigger the profiling in your example and pass from policy "A" to policy "B", you need to firstly change the rules so that policy "B" has precedence over "A", and secondly, change any of the following attributes within the authentication you're doing:
ip
EndPointPolicy
MatchedValue
StaticAssignment
StaticGroupAssignment
MatchedPolicyID
NmapSubnetScanID
PortalUser
DeviceRegistrationStatus
BYODRegistration
Please refer to "Identified Endpoints Locally Stored in Policy Service Nodes Database" at the following link: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010101.html
01-13-2023 10:01 AM
When you update a Profiling Policy, the change will be applied to all endpoints that match the conditions defined in the policy. The time it takes for the change to take effect will depend on the number of endpoints that need to be updated and the resources available on the ISE server. In general, it should be a relatively quick process.
If you want to change the profile of an endpoint from "A" to "B", you can simply add the conditions for "B" to the Profiling Policy "B" and remove the conditions for "A" from Profiling Policy "A". The endpoint should then match the conditions in "B" and be re-profiled accordingly.
Alternatively, you can also delete the endpoint and wait for the endpoint to come back online and it will be profiled with the updated profiling policy.
M.
01-13-2023 10:08 AM
@REJR77 set the certainty factor score on the new profile policy higher than the old policy.