Network Access Control - Device Classification help
02-17-2025 06:00 AM - edited 02-18-2025 02:39 AM
I have currently been tasked with reviewing and improving the organisation's NAC system (ISE), more specifically the classification policies. This involves reviewing and improving the current classification policies and aiming to reduce the number of false positives received. Any suggestions/advice or best practices on how to complete this?
For example, we have 30 printer policies, all of which classify different printer vendors. Would it be wise to combine these and have a more generic, catch-all policy?
Labels: Compliance and Posture

02-17-2025 12:01 PM
@TravisBuck - how is this related to Cisco? I would check out the Fortinet forums instead?
02-18-2025 12:37 AM
It was a general question regarding networking/security. Thought that, as a community, people would be able to offer useful advice.
02-18-2025 03:59 AM
Here is my 2c worth about profiling too specifically (e.g. every sub-model of printer). If you treat all your HP printers the same, then don't care about profiling them too closely. If you can match on "HP-Printer" then that's good enough. Remember that MAB is a security bypass. Profiling doesn't solve any security problems at all. The better approach for all of us security folks would be to convince vendors and peers to put long-lived certificates on devices and not bother with all the profiling stuff. Leave profiling for the problem IoT devices that don't do 802.1X. And spend time monitoring your client cert lifetime-remaining countdowns. In terms of ISE and licensing, it's also a darn sight cheaper. And more secure.
I am not a fan of profiling because it's very hard to get right and often requires help from the client (DHCP, CDP, LLDP, SNMP). If you don't have that, then you can use MAC address prefix matching.
A lot of bother, isn't it? Just because (most of the time) the end users of those IoT devices don't support certs, or make it very tedious to manage certs on them.
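The following is an added worked example, not code from the thread or from Cisco ISE, that models the two approaches discussed above: thirty-ish vendor-specific printer policies versus one coarse "Printer" catch-all keyed on vendor OUI plus a DHCP/LLDP hint, with endpoints that authenticated via 802.1X certificate skipped entirely and their remaining certificate lifetime reported instead. The OUI table, MAC addresses, DHCP/LLDP strings and dates are constructed placeholders (the OUI table is not the IEEE registry), and the rule and profile names are illustrative assumptions.

```python
"""Toy endpoint classifier: coarse OUI + DHCP/LLDP-hint profiling with a
single 'Printer' catch-all, 802.1X cert holders bypassing profiling, and a
certificate-lifetime countdown. Example code, not ISE. All OUIs, MACs,
hint strings and dates are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed OUI -> vendor table (placeholder values, not the IEEE registry).
OUI_VENDOR = {
    "00:1A:2B": "HP",
    "00:3C:4D": "HP",
    "00:5E:6F": "Xerox",
    "00:70:81": "Brother",
    "00:92:A3": "Axis",  # a non-printer IoT vendor, also constructed
}
PRINTER_VENDORS = {"HP", "Xerox", "Brother"}
# Client-supplied hints (DHCP option 60 / LLDP) are only as trustworthy as
# the client; the reply above calls this out as a limitation of profiling.
PRINTER_HINTS = ("printer", "jetdirect", "laserjet", "officejet")


@dataclass
class Endpoint:
    mac: str
    dhcp_class_id: Optional[str] = None    # DHCP option 60 vendor class, if seen
    lldp_sysdesc: Optional[str] = None     # LLDP system description, if seen
    cert_not_after: Optional[date] = None  # set when the device did EAP-TLS


def normalize_mac(mac: str) -> str:
    """Accept 00-1a-2b-.., 001a.2b3c.4d5e or colon form; return upper colon form."""
    hexdigits = "".join(ch for ch in mac if ch.isalnum())
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def vendor_of(mac: str) -> Optional[str]:
    """MAC address prefix (OUI) matching: first three octets -> vendor."""
    return OUI_VENDOR.get(normalize_mac(mac)[:8])


def has_printer_hint(ep: Endpoint) -> bool:
    text = " ".join(filter(None, (ep.dhcp_class_id, ep.lldp_sysdesc))).lower()
    return any(h in text for h in PRINTER_HINTS)


def per_vendor_rules():
    """The 'many policies' style: one rule per printer vendor, first match wins."""
    return [(f"{v}-Printer",
             (lambda ep, v=v: vendor_of(ep.mac) == v and has_printer_hint(ep)))
            for v in sorted(PRINTER_VENDORS)]


def generic_rules():
    """The catch-all style from the reply: any printer vendor -> 'Printer'."""
    return [("Printer",
             lambda ep: vendor_of(ep.mac) in PRINTER_VENDORS and has_printer_hint(ep))]


def classify(ep: Endpoint, rules) -> str:
    """Cert holders never reach the MAB-style rules; everything else is profiled."""
    if ep.cert_not_after is not None:
        return "Dot1X"
    for name, pred in rules:
        if pred(ep):
            return name
    return "Unknown"


def days_remaining(ep: Endpoint, today: date) -> Optional[int]:
    return None if ep.cert_not_after is None else (ep.cert_not_after - today).days


def summarize(endpoints, rules, today: date, warn_days: int = 30):
    """Return (profile counts, [(mac, days_left)] for certs expiring within warn_days)."""
    counts, expiring = {}, []
    for ep in endpoints:
        profile = classify(ep, rules)
        counts[profile] = counts.get(profile, 0) + 1
        rem = days_remaining(ep, today)
        if rem is not None and rem <= warn_days:
            expiring.append((normalize_mac(ep.mac), rem))
    return counts, expiring


# Constructed sample endpoints.
SAMPLE = [
    Endpoint("00:1a:2b:10:20:30", dhcp_class_id="Hewlett-Packard JetDirect"),
    Endpoint("00-3C-4D-11-22-33", lldp_sysdesc="HP LaserJet M608"),
    Endpoint("005e.6f44.5566", lldp_sysdesc="Xerox VersaLink printer"),
    Endpoint("00:70:81:77:88:99"),                         # printer OUI, no hint
    Endpoint("00:92:A3:AA:BB:CC", dhcp_class_id="AXIS camera"),  # non-printer IoT
    Endpoint("AA:BB:CC:DD:EE:01", cert_not_after=date(2025, 3, 10)),  # cert, expiring
    Endpoint("AA:BB:CC:DD:EE:02", cert_not_after=date(2026, 1, 1)),
]
TODAY = date(2025, 2, 18)

if __name__ == "__main__":
    for label, rules in (("per-vendor", per_vendor_rules()), ("generic", generic_rules())):
        counts, expiring = summarize(SAMPLE, rules, TODAY)
        print(f"{label}: {len(rules)} rule(s) -> {counts}; expiring within 30d: {expiring}")
```

Both rule sets place the same endpoints in a printer bucket; the generic set just does it with one rule instead of one per vendor, which is the consolidation the original question asks about. The Brother-OUI endpoint without any DHCP/LLDP hint lands in "Unknown" under either style, showing why profiling accuracy depends on the client-side data the reply mentions, and the certificate holders skip profiling altogether while the summary flags the one whose certificate runs out within 30 days.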
