Re: ISE Profiling Automatically Assign Endpoint Profile

mbaker33 · ‎04-09-2018

Hi there,

I am in the process of setting up ISE 2.3 (will probably upgrade to 2.4 if it matters) to perform wired 802.1x authentication/authorization and would like to know how the profiling service works. I have well over 1000 endpoints that will need to be touched in order to get them into the system. Most of what needs to be done can be done via GPO, but the one thing that seems to be escaping me is the profiling service. I have it configured such that it sees any new device on a port that I have configured to use dot1x, however, the system seems to be dead (i.e. no network access whatsoever) until I configure an Endpoint Profile in the Endpoints list. As soon as I do that, it works almost immediately.

My question is, does the profiling service automatically assign this if given enough time? So far, all of my tests have been with live computers so I didn't have the ability to let it sit and wait for an hour or two.

Any input welcomed.

Thanks,

Mark

Octavian Szolga · ‎04-10-2018

Hi Mark,

Profiling is used (generally speaking) for MAB requests, not for 802.1x.

So printers, cameras, anything not supporting 802.1x.

In a nutshell, profiling = check some attributes that ISE receives from NAD, add some points to each attribute/condition, use points to say that the MAC is an "x" device, move MAC into a "x" device group and authorize the session based on that group. (MAC belong to X group = allow or limit access)

https://communities.cisco.com/docs/DOC-68156

Thanks,

Octavian