ISE Endpoint Profile updates when Profiling policies change

REJR77 (Level 1)

Dear ISE Gurus,

I have 1 question regarding ISE profiling. I had a look at the ISE Profiling Design Guide, and can't find a clear answer.

Imagine my endpoints are profiled with a Profiling Policy "A". Now I decide to add a new Profiling Policy "B" and the endpoints previously profiled as "A", should be profiled as "B".

How long does it take for the change of profile? Do we have to delete the endpoint and wait, or is it "automatic"?

Thanks


Accepted Solution

Rodrigo Diaz (Cisco Employee)

Hello @REJR77, when you do profiling, ISE will keep stored attributes about the endpoint within the PAN node database. In order to re-trigger the profiling in your example and pass from policy "A" to policy "B", you need to firstly change the rules so that policy "B" has precedence over "A"; secondly, change any of the following attributes within the authentication you're doing:

  • ip
  • EndPointPolicy
  • MatchedValue
  • StaticAssignment
  • StaticGroupAssignment
  • MatchedPolicyID
  • NmapSubnetScanID
  • PortalUser
  • DeviceRegistrationStatus
  • BYODRegistration

Please refer to "Identified Endpoints Locally Stored in Policy Service Nodes Database" at the following link: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010101.html


3 Replies

marce1000 (VIP)

When you update a Profiling Policy, the change will be applied to all endpoints that match the conditions defined in the policy. The time it takes for the change to take effect will depend on the number of endpoints that need to be updated and the resources available on the ISE server. In general, it should be a relatively quick process.

If you want to change the profile of an endpoint from "A" to "B", you can simply add the conditions for "B" to the Profiling Policy "B" and remove the conditions for "A" from Profiling Policy "A". The endpoint should then match the conditions in "B" and be re-profiled accordingly.

Alternatively, you can also delete the endpoint and wait for the endpoint to come back online and it will be profiled with the updated profiling policy.

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

@REJR77 set the certainty factor score on the new profile policy higher than the old policy.
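To make the precedence point from the two replies above concrete, here is an added, simplified model of certainty-factor (CF) matching. It is an illustration written for this thread, not Cisco code and not ISE's actual matching algorithm; the endpoint attributes, policy names, rules and CF values are constructed. It shows that an endpoint already profiled as "A" only moves to a new policy "B" when "B" scores higher for that endpoint.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    attribute: str   # endpoint attribute, e.g. "OUI" or "dhcp-class-identifier"
    operator: str    # "equals" or "contains"
    value: str
    certainty: int   # certainty factor (CF) this rule adds when it matches

@dataclass
class Policy:
    name: str
    min_certainty: int          # minimum total CF the policy needs to claim an endpoint
    rules: list = field(default_factory=list)

    def score(self, endpoint: dict) -> int:
        """Sum the CF of every rule that matches the endpoint's attributes."""
        total = 0
        for r in self.rules:
            actual = endpoint.get(r.attribute, "")
            if r.operator == "equals" and actual == r.value:
                total += r.certainty
            elif r.operator == "contains" and r.value in actual:
                total += r.certainty
        return total

def profile(endpoint: dict, policies: list) -> tuple:
    """Pick the policy with the highest score that reaches its own minimum CF.
    In this model a tie keeps the earlier policy, so a new policy only takes
    over when it actually scores higher (ISE's real tie handling is not modelled)."""
    best, best_score = "Unknown", 0
    for p in policies:
        s = p.score(endpoint)
        if s >= p.min_certainty and s > best_score:
            best, best_score = p.name, s
    return best, best_score

# Constructed sample endpoint attributes (not taken from the thread).
ENDPOINT = {"OUI": "Cisco Systems, Inc", "dhcp-class-identifier": "Cisco AP c3700",
            "hostName": "ap-lab-01"}
POLICY_A = Policy("A", 10, [Rule("OUI", "contains", "Cisco", 10)])
# A new policy that only ties with A: the endpoint stays profiled as A.
POLICY_B_WEAK = Policy("B", 10, [Rule("hostName", "contains", "ap-", 10)])
# A new policy whose rules score higher than A: the endpoint moves to B.
POLICY_B = Policy("B", 20, [Rule("OUI", "contains", "Cisco", 10),
                            Rule("dhcp-class-identifier", "contains", "AP", 20)])

if __name__ == "__main__":
    print(profile(ENDPOINT, [POLICY_A]))                 # ('A', 10)
    print(profile(ENDPOINT, [POLICY_A, POLICY_B_WEAK]))  # ('A', 10)
    print(profile(ENDPOINT, [POLICY_A, POLICY_B]))       # ('B', 30)
```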
