Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3995
Views
15
Helpful
3
Replies

Profile via MAC OUI check with ISE

Go to solution
Y C
Level 1
Level 1

‎09-23-2020 02:24 PM

We have had an authorization policy for years now in ISE that says If HP-Printer result = Printer Vlan. This has worked for us relatively well.

 

We recently got an HP printer that uses a different OUI. Apparently there's some issue with our profiler service update fetching... in the meantime while that's being worked on I created a manual condition that looks for the specific characters within the mac.

 

I added this condition to the existing HP-Printer profile (If <condition> then <increase certainty by 10>). The condition for some reason isn't met and certainty factor isn't increased - the device gets tagged as unknown with certainty factor of zero.

 

If I create a new device profile (instead of using HP-Printer) and use the very same condition, and then create a new authorization profile to match the device profile, it matches and gets assigned the right vlan. I don't understand why the same condition is met in one profile but not the other.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎09-23-2020 02:56 PM

The reason lies in a single line that is easily overlooked. The Cisco provided "HP-Printer" profile is attached to a parent profile as indicated by "Parent Policy: HP-Device".

You must first match the "HP-Device" profile before being evaluated to match the "HP-Printer" profile. You would have to add the OUI to the "HP-Device" profile.

In the mean time you may also want to look in to requesting access to the manual profile feed. You can download it manually and upload it to ISE in the GUI.  

View solution in original post

3 Replies 3

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎09-23-2020 02:56 PM

The reason lies in a single line that is easily overlooked. The Cisco provided "HP-Printer" profile is attached to a parent profile as indicated by "Parent Policy: HP-Device".

You must first match the "HP-Device" profile before being evaluated to match the "HP-Printer" profile. You would have to add the OUI to the "HP-Device" profile.

In the mean time you may also want to look in to requesting access to the manual profile feed. You can download it manually and upload it to ISE in the GUI.  

Go to solution
Y C
Level 1
Level 1
In response to Damien Miller

‎09-23-2020 03:19 PM

Yep, I'm on day 1 of the 2 day wait for the manual profile feed.

 

I knew HP-Printer was under HP-Device, but I guess I didn't realize you had to be in one before you could be in the other. I'm not sure why this printer won't even be picked up by HP-Device, perhaps it will be once I fetch the update.

 

I put my condition in HP-Device, Then in HP-Printer, then put my profile within HP-Printer. Whew that was a workout. Thankyou!

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Y C

‎09-23-2020 04:35 PM

It's pretty common with new MAC address OUIs, ISE either won't have a hex to OUI name mapping, or it doesn't match the name for some reason such as an acquired company with a new MAC range.   

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents