
Network Access Control - Device Classification help

TravisBuck
Level 1

I have currently been tasked with reviewing and improving the organisation's NAC system (ISE), more specifically the classification policies. This involves reviewing and improving the current classification policies and aiming to reduce the number of false positives received. Any suggestions/advice or best practices on how to complete this?

For example we have 30 printer policies all of which classify different printer vendors. Would it be wise to combine these and have a more generic, catch all policy?

3 Replies

Arne Bier
VIP

@TravisBuck - how is this related to Cisco?  I would check out the Fortinet forums instead?

It was a general question regarding networking/ security. Thought as a community, people would be able to offer useful advice.

I see you changed your original question about Forescout to look like an ISE question. ISE supports logical profiling which means you can create a hierarchy of policies into one. It makes the policy set very neat. But profiling in ISE comes at the expense of needing Advantage licenses.

Here is my 2C worth about profiling too specifically (eg every sub model of printer). If you treat all your HP printers the same then don’t care about profiling them too closely. If you can match on “HP-Printer” then that’s good enough. Remember that MAB is a security bypass. Profiling doesn’t solve any security problems at all. The better approach for all of us security folks would be to convince vendors and peers to put long lived certificates on devices and not bother with all the profiling stuff. Leave profiling for the problem IOT devices that don’t do 802.1X. And spend time monitoring your client cert lifetime remaining countdowns. In terms of ISE and licensing, it’s also a darn sight cheaper. And more secure.

I am not a fan of profiling because it’s very hard to get right and often requires help from the client (DHCP, CDP, LLDP, SNMP). If you don’t have that then you can use MAC address prefix matching.

A lot of bother isn’t it? Just because (most of the time) the end users of those IOT devices don’t support certs, or make it very tedious to manage certs on them.
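As an added illustration of the hierarchy-plus-logical-profile idea discussed above (this is example code written for this page, not Cisco's or ISE's own implementation, and not code from anyone in the thread), the toy profiler below collapses a pile of per-vendor printer rules into one generic "Printer" parent with small vendor children, groups them under a single logical profile that an authorization policy would reference, and shows the MAC-prefix fallback for endpoints that offer no DHCP or LLDP help. The scoring scheme (each matched condition adds a certainty, a node matches when the cumulative certainty reaches its minimum, deepest/highest score wins) is a simplified assumption for the example, and every OUI, DHCP class identifier and LLDP string is a constructed placeholder, not a real vendor value.

```python
"""Toy hierarchical endpoint profiler (added example, not ISE code).

Scoring is an assumed, simplified scheme: each matched condition adds its
certainty, a profile matches when own + inherited certainty reaches its
minimum, and the deepest/highest-scoring match wins.  All OUIs, DHCP class
identifiers and LLDP strings are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    name: str
    parent: Optional[str]
    # attribute -> (expected prefix or substring, certainty added on match)
    conditions: dict
    min_certainty: int  # cumulative certainty (own + ancestors) required


PROFILES = {p.name: p for p in [
    # One generic parent catches anything that announces itself as a printer
    # through a client-supplied attribute (DHCP or LLDP).
    Profile("Printer", None,
            {"dhcp-class-identifier": ("printer", 10),
             "lldp-system-description": ("printer", 10)}, 10),
    # Vendor children refine on OUI only; the high certainty lets a bare MAC
    # prefix still classify when the endpoint offers no DHCP/LLDP help.
    Profile("HP-Printer", "Printer", {"oui": ("AA:BB:CC", 30)}, 30),
    Profile("Xerox-Printer", "Printer", {"oui": ("DD:EE:FF", 30)}, 30),
    Profile("Workstation", None,
            {"dhcp-class-identifier": ("msft", 10)}, 10),
]}

# Logical profile: the authorization policy references this one name instead
# of a separate rule per vendor profile.
LOGICAL_PROFILES = {
    "Printers": {"Printer", "HP-Printer", "Xerox-Printer"},
    "Workstations": {"Workstation"},
}

CHILDREN = {name: [c.name for c in PROFILES.values() if c.parent == name]
            for name in PROFILES}
ROOTS = [p.name for p in PROFILES.values() if p.parent is None]


def _own_score(profile, endpoint):
    """Certainty contributed by this node's own conditions for one endpoint."""
    score = 0
    for attr, (expected, certainty) in profile.conditions.items():
        if attr == "oui":
            if endpoint.get("mac", "").upper().startswith(expected):
                score += certainty
        elif expected.lower() in endpoint.get(attr, "").lower():
            score += certainty
    return score


def _best_match(node, endpoint, inherited):
    """Depth-first walk; returns (profile name, cumulative certainty) or None."""
    total = inherited + _own_score(PROFILES[node], endpoint)
    best = (node, total) if total >= PROFILES[node].min_certainty else None
    for child in CHILDREN[node]:
        cand = _best_match(child, endpoint, total)
        if cand and (best is None or cand[1] > best[1]):
            best = cand
    return best


def classify(endpoint):
    """Return (profile, logical profile, certainty); (None, None, 0) if unknown."""
    best = None
    for root in ROOTS:
        cand = _best_match(root, endpoint, 0)
        if cand and (best is None or cand[1] > best[1]):
            best = cand
    if best is None:
        return (None, None, 0)
    logical = next((g for g, members in LOGICAL_PROFILES.items()
                    if best[0] in members), None)
    return (best[0], logical, best[1])


# Constructed endpoints for the demo (not captured data).
SAMPLE_ENDPOINTS = [
    {"mac": "AA:BB:CC:00:00:01", "dhcp-class-identifier": "Vendor Printer v2"},
    {"mac": "DD:EE:FF:00:00:02"},                               # MAC prefix only
    {"mac": "11:22:33:00:00:03", "lldp-system-description": "Network Printer"},
    {"mac": "AA:BB:CC:00:00:04", "dhcp-class-identifier": "MSFT 5.0"},
    {"mac": "11:22:33:00:00:05"},                               # nothing useful
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep["mac"], "->", classify(ep))
```

The fourth sample endpoint is the one worth staring at: it carries a placeholder "HP" OUI but a Windows-style DHCP class identifier, and because the OUI child rule is weighted higher than the DHCP-based Workstation rule it still lands in "Printers". That is exactly the kind of false positive the original question is about, and it follows from OUI-only vendor rules, not from how many of them there are; consolidating 30 vendor policies under one logical profile tidies the policy set but the certainty weights are what decide the misclassification.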