09-30-2021 08:01 AM
Hi Guys,
Very new to ISE, so much I don't get yet (inc. terminology), but I'm working on it, anyway.
Needed to configure two profiles for 2 different OUIs (not the same ID group), 1 for Building Management systems and 1 for door access controllers.
I started on the BMS devices first and got them to work, so when a new BMS device came up it profiled it correctly.
Using the lessons learnt from getting the BMS devices working I started on Door Access devices, but it's still going under the wrong authorization policy. I have set it to match with RADIUS and OUI name, set the certainty factor to even a stupidly high figure of 50 and it still fails.
Any help please guys?
Thanks
Kevin
Labels: Identity Services Engine (ISE)
09-30-2021 08:19 AM
In the authentication details from the Radius Live Logs page, do those devices show being profiled correctly?
If you can share the device profile and the auth details, it might help provide a better response.
10-01-2021 01:21 AM - edited 10-01-2021 01:28 AM
No, that's my point, or I'm missing the point.
Do you mean show the Endpoint Context Visibility info?
I'm on a massive learning curve so please bear with me.
10-01-2021 02:19 AM - edited 10-01-2021 02:35 AM
@kevin.twaddell please provide a screenshot of the new profiling policy you created. Also go to Work Centers > Profiler > Endpoints, select the MAC address of the endpoint and provide a screenshot for review. We'll need information such as OUI, Total Certainty Factor and Endpoint Policy, amongst others.
FYI, here is the official Cisco ISE profiling guide.
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
10-03-2021 06:55 AM
If it's hitting the wrong authz policy, I prefer to get the auth details from the Radius Live Logs page.
Find a device that fails, and in the 3rd column from the left there should be a paper icon; if you click that, it shows all of the info and logic for that session.
That, in addition to the profile, should be everything needed for someone here to help you resolve this.
10-04-2021 02:31 AM
Hi all,
So back on this today, it's matching against our default Authorization Policy, so everything goes in this unless it has a different matching policy, which is what I'm trying to create.
I've attached the log from it doing this but I'm not seeing why, if one of you kind chaps could point me in the right direction please?
Thanks
Kevin
10-04-2021 03:36 AM
Maybe you have a logic error in your Policy, because the Log shows 2 Logical Profiles the Device is assigned to.
What does your Policy look like for this device?
10-04-2021 03:59 AM
So PAH-BMS-Door-Access was the profile used before I created this one; it never worked then either, but we needed to split the profiles up so I created 2 new ones. As per my opening message, BMS works fine. There are NO conditions in the old PAH-BMS-Door-Access profile.
I've attached the PAH-Door-Access profile.
Thanks
Kevin
10-04-2021 05:06 AM
Sorry, I meant your Authorization Policy.
If you do a combined rule which should match multiple Profiles, you have to check that it uses an "or" instead of an "and".
10-04-2021 05:21 AM
Is this what you mean?
The working BMS is not set that way though!
10-04-2021 05:35 AM
Rewrite your Rule to use EndPointPolicy instead of IdentityGroup.
According to the ISE Detail log the Device has the IdentityGroup: Profiled
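The distinction in this answer, as an added example that is not part of the thread or of Cisco's software: a small Python model of first-match authorization evaluation over the attributes a detail log reports, showing why a rule keyed on IdentityGroup:Name never fires while the endpoint sits in the generic Profiled group, why the same rule keyed on EndPoints:EndPointPolicy does, and why a combined rule for two profiles needs "or" rather than "and". The BMS profile name PAH-BMS and the endpoint attribute values are assumptions.

```python
# Added example (not from the thread or Cisco): a minimal model of ISE authorization
# evaluation: first matching rule wins, conditions joined with AND or OR, evaluated
# against the endpoint attributes a RADIUS detail log reports. Values are constructed.
from dataclasses import dataclass
from typing import Dict, List

# Constructed attributes modelled on the thread's detail log: the profiler matched the
# new policy, but the identity group is the generic "Profiled" group because the
# profiler policy does not create a matching identity group.
ENDPOINT: Dict[str, str] = {
    "EndPoints:EndPointPolicy": "PAH-Door-Access",
    "IdentityGroup:Name": "Profiled",
    "Radius:NAS-Port-Type": "Ethernet",
}

@dataclass
class Condition:
    attribute: str
    value: str
    def matches(self, attrs: Dict[str, str]) -> bool:
        return attrs.get(self.attribute) == self.value

@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    operator: str = "AND"  # how the condition builder joins the conditions
    def matches(self, attrs: Dict[str, str]) -> bool:
        results = [c.matches(attrs) for c in self.conditions]
        return all(results) if self.operator == "AND" else any(results)

def evaluate(rules: List[Rule], attrs: Dict[str, str]) -> str:
    """Name of the first matching rule, else the catch-all Default rule."""
    return next((r.name for r in rules if r.matches(attrs)), "Default")

def door_access_rule(attribute: str) -> Rule:
    """Door-access rule keyed on IdentityGroup:Name or EndPoints:EndPointPolicy."""
    return Rule("Door Access", [Condition(attribute, "PAH-Door-Access"),
                                Condition("Radius:NAS-Port-Type", "Ethernet")])

def combined_rule(operator: str) -> Rule:
    """One rule for both profiles; an endpoint has exactly one EndPointPolicy,
    so joining the two conditions with AND can never match. PAH-BMS is an assumed name."""
    return Rule("BMS or Door Access", [Condition("EndPoints:EndPointPolicy", "PAH-BMS"),
                Condition("EndPoints:EndPointPolicy", "PAH-Door-Access")], operator)

if __name__ == "__main__":
    for rule in (door_access_rule("IdentityGroup:Name"), door_access_rule("EndPoints:EndPointPolicy"),
                 combined_rule("AND"), combined_rule("OR")):
        print(f"{rule.name:>18} ({rule.operator}): {evaluate([rule], ENDPOINT)}")
```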
10-04-2021 05:50 AM
That appears to have sorted it. I don't know the difference yet but I'll read up and try and work out what it is. Thank you very much for your help.
Kevin
