
ISE Profiling Conflict

hpeters34
Level 1

Hi all,

I’m relatively new to Cisco ISE, and I’m running into a profiling challenge I could use some help with.

We have an existing deployment of Device A that authenticates via MAB and is correctly profiled using a custom policy. I’ve now been tasked with deploying several newer models of Device A, but I’ve discovered that these models are now manufactured by the same vendor that produces Device B, which already exists in our environment and is profiled under a different policy—also using MAB.

Since both devices now share the same OUI, the newer Device A units are being misprofiled under the Device B policy.

Question:

Is there a way to continue using MAB for these newer Device A models while ensuring they are properly profiled separately from Device B—despite the shared OUI? Would leveraging additional profiling attributes (e.g., hostname via DHCP, CDP/LLDP, or custom DHCP fingerprinting) be the best route?

Any suggestions on best practices or rule order within the profiling policy would be much appreciated.

 

In a profiling policy you can specify multi-condition points for each condition.
For example:
profiling policy A gets 40 points
profiling policy B gets 60 points
then ISE will use policy B.

Both policies run at the same time.

MHM

hpeters34
Level 1

Thanks for the reply. 

I added an additional condition using DHCP hostname for the condition. When I run sh auth sess it shows the Device-Type as Un-classified and Status- Unauthorized. 

Live log <<- check the DHCP packet (if you use a DHCP IP helper).
Check if DHCP sends the hostname and how the hostname is assigned:
is it MAC or hostname+domain?

MHM

hpeters34
Level 1

Thanks for the reply.

I found out that I had to add the correct profile to the authorization policy. 

For the conditions I used dhcp_host-name matching ^device A-1234.*

Thanks for your help

 

You are so welcome 

MHM
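
The scoring described in the replies above, as an added example that is not part of the thread and is not ISE code: a simplified Python model in which every policy is scored at once and the highest total wins. It shows why the shared OUI alone selects Device B and how the DHCP hostname condition separates the new Device A units. The OUI, point weights, attribute keys, policy names and sample hostnames are constructed placeholders; only the hostname pattern comes from the thread.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    attribute: str   # endpoint attribute the condition inspects
    pattern: str     # regular expression applied to that attribute
    points: int      # certainty added when the condition matches

@dataclass
class Policy:
    name: str
    minimum: int     # total a policy needs before it counts as a match
    rules: list

    def score(self, endpoint):
        # A missing attribute is treated as an empty string, so it never matches.
        return sum(r.points for r in self.rules
                   if re.search(r.pattern, endpoint.get(r.attribute, "")))

def profile(endpoint, policies):
    """Evaluate every policy and return the name of the highest-scoring match."""
    best_name, best_score = "Unknown", 0
    for p in policies:
        s = p.score(endpoint)
        if s >= p.minimum and s > best_score:
            best_name, best_score = p.name, s
    return best_name

# Constructed values: the OUI and point weights are placeholders; the hostname
# pattern is the one quoted in the thread.
SHARED_OUI = r"^00:11:22$"
POLICIES = [
    Policy("Device-B", 40, [Rule("oui", SHARED_OUI, 40)]),
    Policy("Device-A", 60, [Rule("oui", SHARED_OUI, 40),
                            Rule("dhcp_host-name", r"^device A-1234.*", 20)]),
]

NEW_A = {"oui": "00:11:22", "dhcp_host-name": "device A-1234-07"}
DEVICE_B = {"oui": "00:11:22", "dhcp_host-name": "device B-0042"}
NEW_A_NO_DHCP = {"oui": "00:11:22"}   # DHCP probe has not seen the endpoint yet

if __name__ == "__main__":
    for label, ep in [("new A", NEW_A), ("B", DEVICE_B),
                      ("new A, no DHCP", NEW_A_NO_DHCP)]:
        print(f"{label:15} -> {profile(ep, POLICIES)}")
```

The third sample is the failure mode: until the DHCP hostname has been collected, a new Device A unit scores only on the OUI and lands in the Device B profile. The hostname is supplied by the endpoint itself, so it distinguishes models but does not authenticate them.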