
ISE Profiling - Will the same device be profiled every time it connects to the network?

muthumohan
Level 1

Hi,

My question is;

- Will the same endpoint be profiled (using probes) every time it is connected to the network or it will be profiled only once, when it connects to the network for the first time?

If only once, then how the ISE remembers the profiled device the next time it connects to the network? Through its MAC address?

No Cisco document explains these things... would appreciate any help.

Thanks in advance,

Mohan

16 Replies

edondurguti
Level 4

muthumohan,

ISE keeps a database of devices it profiles.

Administration > Identities and then click on EndPoints

jw.sl9
Level 1

I am playing Copy-Paste for you and emphasising certain things

--------------

Understanding the Profiling Service

The profiling service collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database. You can use a list of possible attributes that includes any or all of the attributes defined in the system dictionaries. You can leverage the existing dictionaries as well as define an ad-hoc dictionary for any attribute during run-time. All the attributes that are handled by the profiling service need to be defined in the profiler dictionaries.

An endpoint is a network-capable device that connects to your enterprise network. The MAC address is always the unique representation of an endpoint, but you can also identify an endpoint with a varying set of attributes and the values associated to them, called an attribute-value pair. You can collect a varying set of attributes for endpoints based on the endpoint capability, the capability and configuration of the Network Access Devices (NADs), and the methods (probes) that you use to collect these attributes.

....

Profiling Statically Added Endpoint

If you have an endpoint added statically to your network, the statically added endpoint is not profiled by the profiling service in Cisco ISE. For the statically added endpoint to be profiled, the profiling service computes a profile for the endpoint by adding a new MATCHEDPROFILE attribute to the endpoint. The computed profile is the actual profile of an endpoint when dynamically assigned. This allows you to find the mismatches between in profiling the statically added endpoint by using the computed profile with an endpoint profile for that endpoint when it is dynamically assigned.

The endpoint profiling policy is never changed for the statically added endpoint. For the endpoint that is statically assigned, the profiling service computes the MATCHEDPROFILE. For all the endpoints that are dynamically assigned, the MATCHEDPROFILEs are identical to the endpoint profiles.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555173

--------

ALSO and FYI: Once the endpoint is "profiled" enough to match a policy, the endpoint attribute building does not stop. The probes will continue to gather information and populate the endpoint record. The latest probe to add information will show in the EndPointSource line.

Hope this helps!


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

I have a question about this regarding the licensing.

Profiling an endpoint consumes 1 Advanced concurrent license, correct?

After that device is profiled and added to the database, does it then release the advanced license and use only a base license?

What about subsequent connections? Will this device ALWAYS use an Advanced license?

Thanks.

Yes. from the same page:

  • Cisco ISE consumes Advanced licenses when endpoints are matched to an authorization policy.

If you make the entry static, then it will be statically assigned and not use a license. :-)


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

edondurguti
Level 4

It is kinda shady here, I have profiled around 800 devices and I haven't assigned them statically

Now there are like 40 active and advanced license shows 10/1000 meaning, 10 advanced are being used, opposing to Cisco's above documentation.

Go figure

edondurguti
Level 4

What version and patch level are you running?


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

1.1.2 patch 3

typo? 1.1.2 is fresh and does not have any patches yet? :-)

1.1.1 does have 4 patches out.

Curious, how many of the 800 are online now and are in groups that are defined by authorization policies?


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

Cisco Identity Services Engine

---------------------------------------------

Version      : 1.1.2.145

Build Date   : Fri Oct 26 14:10:35 2012

Install Date : Sun Nov 11 14:03:11 2012

You're right no patch, this is the newest version without any patches.

40 out of 800 are online but I meant 800 were profiled already because I think that's what he asked, if only profiling devices would consume licenses meaning everything that hits ISE will get profiled but will not consume licenses.

Cool.

Licenses are used for concurrent (live) access. If only 40 online right now, only 40 lic. used.


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

yeah but why only 9 are using advanced and 37 are using base

maybe only 9 iphones were online.. I have a different policy for them.. and others are windows laptops maybe 37 who knows lol

Run an Endpoint Profiler Summary report

Reports > Catalog > Endpoint

P.S. I think this thread is morphing into a different thread from the original post. :-)


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

it's ok