Profiling based on hostname

dgaikwad
Level 5

Hi Experts,
Environment: ISE 2.2

Currently working on a requirement to check for a certain encryption software which is only installed on laptops.
So I decided to do the posture check using endpoints profiled based on hostnames, as they already have a hostname naming scheme by device type, e.g. laptops start with LT and desktops with DT.

So based on this information I have created this profiling policy:
[Image: profile policy.jpg]
Using this profiling I was able to profile only 127 endpoints, whereas there are thousands that I see out there.
While looking at Context Visibility -> Endpoints, I see that the host name column is empty.
Does this mean that some more probes need to be enabled? (DNS, DHCP, Active Directory and RADIUS are already enabled on all the PSNs.)
The other thing that I see is that, when I check the attributes of an endpoint, I see that the attribute Systemname has the host-name of the endpoint.
I am not able to find this attribute to do the profiling though. Any idea where this could be found to do the profiling?

4 Replies

Mike.Cifelli
VIP Alumni
Is it possible that certain NADs in the environment are missing the configuration to be a device sensor? I would double check the configs to ensure that you have the proper config to support the DHCP probe. Something to ensure is set up is the device-sensor filter-list for DHCP that includes the option name 'host-name'. Then assign the list to the DHCP filter-spec, and enable notify all-changes.
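A switch-side configuration that implements the device-sensor steps described in the reply above, added here as an illustration; it is not taken from the thread or from Cisco's documentation. The filter-list name DHCP-PROFILE and the RADIUS server group ISE-GROUP are assumed placeholders; the device-sensor and AAA accounting commands are the standard IOS commands for exporting sensor data to ISE.

```ios
! Assumed names: DHCP-PROFILE (filter list) and ISE-GROUP (RADIUS server group
! already defined for the PSNs). Replace both with the values used in your environment.

! 1. Filter list: collect only the DHCP options the profiler needs.
!    Option 12 (host-name) is what populates the hostname attribute in ISE.
device-sensor filter-list dhcp list DHCP-PROFILE
 option name host-name
 option name parameter-request-list
 option name class-identifier

! 2. Bind the list to the DHCP filter spec so only those options are exported.
device-sensor filter-spec dhcp include list DHCP-PROFILE

! 3. Carry sensor data in RADIUS accounting and report every change,
!    not only the first message of a session.
device-sensor accounting
device-sensor notify all-changes

! 4. Accounting must be enabled, or the sensor cache is never sent to the PSN.
aaa accounting network default start-stop group ISE-GROUP
aaa accounting update newinfo periodic 2880

! Verification on the switch: the learned options per endpoint MAC.
! show device-sensor cache all
```

The two places to check are `show device-sensor cache all` on the switch (does the cache contain host-name for the port?) and the DHCP-derived attributes of the same endpoint in ISE (did the accounting update arrive?). A switch whose cache is populated but whose endpoints show no hostname in ISE usually points at the accounting part of the configuration rather than the sensor itself.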

Yes, I was thinking on the same lines.
Will update this post with further findings...

As expected, the device sensor commands are not enabled on every NAD out there.
The question is, if these commands are enabled on all NADs, will that have any kind of a performance hit? A performance hit on the NADs as well as on ISE?

From ISE Profiling Guide 'Appliance Requirements':
ISE Profiling Services can only run on an ISE appliance configured for the Policy Service node (PSN) persona. ISE scale and performance tables posted to Cisco.com typically list the maximum concurrent sessions supported per PSN and per deployment. However, these values are specific to simultaneous authenticated endpoints, not the total that can be profiled. The total number of endpoints that can be profiled and persisted in the ISE database is much higher.

See here for further detail: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456