This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
My question is;
- Will the same endpoint be profiled (using probes) everytime it is connected to the network or it will be profiled only once,
when it connects to the network for the first time?
If only once, then how the ISE remembers the profiled device the next time it connects to the network? Through its MAC address?
No cisco document explains these things...would appreciate any help.
Thanks in advance,
I am playing Copy-Paste for you and emphasising certing things
The profiling service collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database. You can use a list of possible attributes that includes any or all of the attributes defined in the system dictionaries. You can leverage the existing dictionaries as well as define an ad-hoc dictionary for any attribute during run-time. All the attributes that are handled by the profiling service need to be defined in the profiler dictionaries.
An endpoint is a network-capable device that connects to your enterprise network. The MAC address is always the unique representation of an endpoint, but you can also identify an endpoint with a varying set of attributes and the values associated to them, called an attribute-value pair. You can collect a varying set of attributes for endpoints based on the endpoint capability, the capability and configuration of the Network Access Devices (NADs), and the methods (probes) that you use to collect these attributes.
If you have an endpoint added statically to your network, the statically added endpoint is not profiled by the profiling service in Cisco ISE. For the statically added endpoint to be profiled, the profiling service computes a profile for the endpoint by adding a new MATCHEDPROFILE attribute to the endpoint. The computed profile is the actual profile of an endpoint when dynamically assigned. This allows you to find the mismatches between in profiling the statically added endpoint by using the computed profile with an endpoint profile for that endpoint when it is dynamically assigned.
The endpoint profiling policy is never changed for the statically added endpoint. For the endpoint that is statically assigned, the profiling service computes the MATCHEDPROFILE. For all the endpoints that are dynamically assigned, the MATCHEDPROFILEs are identical to the endpoint profiles.
ALSO and FYI: Once the endpoint is "profiled" enough to match a policy, the endpoint attribute building does not stop. The probes will continue to gather information and populate the endpoint record. The latest probe to add information will show in the EndPointSource line.
Hope this helps!
I have a question about this regarding the licensing.
Profiling an endpoint consumes 1 Advanced concurrent license, correct?
After that device is profiled and added to the database, does it then release the advanced license and use only a base license?
What about subsequent connections? Will this device ALWAYS use an Advanced license?
Yes. from the same page:
If you make the entry static, then it will be statically assigned and not use a license. :-)
It is kinda shady here, I have profiled around 800 devices and I haven't assigned them statically
Now there are like 40 active and advanced license shows 10/1000 meaning, 10 advanced are being used, opposing to ciscos above documentation.
What version and patch level are you running?
typo? 1.1.2 is fresh and does not have any patches yet? :-)
1.1.1 does have 4 pathches out.
Curios, how many of the 800 are online now and are in groups that are defined by authorization policies?
Cisco Identity Services Engine
Version : 126.96.36.199
Build Date : Fri Oct 26 14:10:35 2012
Install Date : Sun Nov 11 14:03:11 2012
You're right no patch, this is the newest version without any patches.
40 out of 800 are online but I meant 800 were profiled already because I think that's what he asked, if only profiling devices would consume licenses meaning everything that hits ISE will get profiled but will not consume licenses.
Licenses are used for concurrent (live) access. If only 40 online right now, only 40 lic. used.
yeah but why only 9 are using advanced and 37 are using base
maybe only 9 iphones were online.. I have a different policy for them.. and others are windows laptops maybe 37 who knows lol
Run a Endpoint Profiler Summary report
Reports > Catalog > Endpoint
P.S. I think this thread is morhphing into an different thread from the original post. :-)