09-06-2018 01:19 AM - edited 09-06-2018 01:19 AM
Hello Profiling experts
In ISE 2.4 patch 2 I enabled profiling. To start with, just the SNMP probes enabled and adding three Cisco switches to ISE Devices, with SNMP RO community enabled. I wanted to see what ISE would find.
The Profiler finally discovered 45 "Cisco-Switches". I want to know what I did wrong here.
I expected ISE to tell me what devices were attached to the ports via an SNMP poll of the switches. But instead it looks to me as if I have 40+ new Cisco Switches. Luckily I know my environment well enough to be able to look at this data with some concern ...
Below is just a short snippet from the Context Visibility
09-06-2018 04:40 AM
Check the information under those MAC addresses. I bet you see CDP information showing up even though those devices aren't Cisco devices. I have seen this issue in 2.4 especially with things getting misprofiled as phones. It seems like there is a correlation issue with CDP information.
So say for example you SNMP poll a switch and there is another switch hanging off it. ISE will see in the MAC address table there are a bunch of MACs on one port, i.e. the link to the other switch. It will also see that there is a CDP neighbor on that same port. ISE may mistakenly assign those CDP attributes to all those MAC addresses.
That is what I see with PCs attached behind phones. In some cases the PC is also getting assigned the CDP attributes of the phones. It is annoying, but in my case I have other custom profiles that use other attributes with higher certainty factors that reprofile the PC behind the phone.
That would be my guess. Otherwise look at what attributes on the MAC are making ISE think Cisco Switch. It is going to be either CDP attributes or NMAP OS scan.
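The correlation described in the reply above can be checked offline against exported switch data. The sketch below is an added example, not code from the thread or from ISE: it flags every MAC on a port that has both a CDP neighbor and more than one learned MAC, since a single CDP neighbor can describe at most one of them. The sample tables, port names, MACs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the thread): one switch's MAC address
# table and CDP neighbor table as an SNMP poll might return them.
MAC_TABLE = [                        # (port, learned MAC)
    ("Gi1/0/1", "0011.22aa.0001"),   # single PC
    ("Gi1/0/2", "0011.22aa.0002"),   # phone
    ("Gi1/0/2", "0011.22aa.0003"),   # PC behind the phone
    ("Gi1/0/24", "0011.22bb.0001"),  # link to another switch
    ("Gi1/0/24", "00:11:22:BB:00:02"),
    ("Gi1/0/24", "00-11-22-bb-00-03"),
]
CDP_NEIGHBORS = {                    # port -> CDP platform string
    "Gi1/0/2": "Cisco IP Phone 8841",
    "Gi1/0/24": "cisco WS-C2960X-48FPS-L",
}

def normalize_mac(mac):
    """Reduce dotted, dashed or colon MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def suspect_cdp_endpoints(mac_table, cdp_neighbors):
    """Map each MAC on a multi-MAC port that has a CDP neighbor to
    (port, platform, macs_on_port). One CDP neighbor can describe at most
    one of those MACs, so CDP attributes on the rest are misattributed."""
    by_port = defaultdict(set)
    for port, mac in mac_table:
        by_port[port].add(normalize_mac(mac))
    suspects = {}
    for port, platform in cdp_neighbors.items():
        macs = by_port.get(port, set())
        if len(macs) > 1:
            for mac in macs:
                suspects[mac] = (port, platform, len(macs))
    return suspects

if __name__ == "__main__":
    found = suspect_cdp_endpoints(MAC_TABLE, CDP_NEIGHBORS)
    for mac, (port, platform, count) in sorted(found.items()):
        print(f"{mac}  {port:9} {count} MACs share CDP '{platform}'")
```

Endpoints in the result are the ones whose CDP-derived profile should be confirmed with another attribute before being trusted.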
09-06-2018 05:17 AM
Would you mind sharing your custom profiling logic? It sounds very much like that is the case here, although I don't think we have that many Cisco phones in our office. I need to spend some time to look into this.
I thought this was going to be simple ... ha ha. Never is. They said "Just turn the Profiling feature on and like magic, discover what's on your network"
09-06-2018 05:24 AM