03-14-2023 12:14 AM
I had an unfortunate experience today after a few hundred wired MAB devices stopped working - the reason was that the vendor's MAC OUI Identifier changed (due to an ISE Profiler Feed update). The reason for the MAC OUI update in ISE was that the vendor decided to rebrand themselves some time back in Sept 2022. The old vendor name was Exterity, and was renamed to Vitec. The MAC OUI hex prefix remained the same: 00:18:1C
Surely in cases where ISE comes with a built-in MAC OUI Database, or is later updated by the Profiler feed, the ISE Profiler Feed should not overwrite an existing entry? Because that causes an upheaval when the Profiling Policy Elements look for "Exterity" - which has been working for years. I can imagine that if someone writes their Policy Rules based on what is in the ISE database today, they could not work tomorrow if Cisco changes that definition.
How does a customer/partner even know what changes are coming in the ISE Profiler Feed? We get no warning.
04-13-2023 01:17 AM - edited 04-13-2023 01:18 AM
Hi Arner,
Customers and partners can stay up to date on changes coming to the Cisco Identity Services Engine (ISE) Profiler Feed by reviewing the release notes and product documentation provided by Cisco.
Cisco typically publishes release notes for each ISE software release, which outline the new features, enhancements, and bug fixes included in the release. These release notes often include information about changes to the Profiler Feed, such as new device types that are now supported or changes to existing device types.
Additionally, Cisco provides product documentation that covers how to configure and use ISE, including the Profiler Feed. This documentation is typically updated with each new software release and may include information on changes to the Profiler Feed.
Customers and partners can also subscribe to the Cisco Security Advisories and Alerts email notification service, which provides updates on security vulnerabilities, software releases, and other important information related to Cisco products, including ISE. This service can help customers and partners stay informed about any critical changes or updates to the Profiler Feed.
Finally, customers and partners can engage with Cisco's technical support team or their account representative to stay up to date on changes to the Profiler Feed and other ISE features. Cisco's support team can provide guidance on configuring and using ISE, as well as provide information on any upcoming changes or updates to the product.
Thanks,
G.Srinivasan
04-13-2023 05:39 AM - edited 04-13-2023 05:41 AM
But there are no specific release notes released for profiling feed updates, right? Profiler feed updates are updated independently of any patch/major releases...
For example, searching the 3.1 and 3.2 release notes, I see nothing regarding Profiler Feed updates:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html
https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/release_notes/b_ise_32_RN.html
04-13-2023 05:51 AM - edited 04-13-2023 05:52 AM
The automatic profiler feed sounds great in theory but it's hit us badly a few times already, so we had to turn it off and come up with a quarterly testing procedure in our lab on a temp VM to test it against a working backup. We've had a few different types of equipment (thousands of units each) drop off the network because we profiled using MAC:OUI contains/matches/etc. yet the vendor went to the IEEE org and changed their official organization name, blowing up a few MAB profiles / fingerprints.
Wishlist item: Have a feature to download and test the file against every endpoint whose profiling policy contains a reference to any type of MAC:OUI comparison, then report any mismatches. Then, maybe you can add some conditions to your profiling policies to make the profiler feed update zero impact.
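The pre-update check described in the wishlist above can be approximated offline; the following is an added example, not part of the thread and not a Cisco tool. It assumes the old and new OUI snapshots are text in the IEEE `oui.txt` "(hex)" line format, and the condition tuples, operator names, policy names and sample data are hypothetical and constructed for illustration, not an ISE export format.

```python
import re

# IEEE oui.txt-style registry line: "00-18-1C   (hex)    Vendor Name"
OUI_LINE = re.compile(r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$")

def parse_oui(text):
    """Return {"00181C": "Vendor"} from registry text; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line.strip())
        if m:
            table["".join(m.group(1, 2, 3)).upper()] = m.group(4)
    return table

def oui_of(mac):
    """First three octets of a MAC in any common notation, as 6 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6]

# Hypothetical operator names; comparison is case-sensitive so that any
# change to the registered vendor string is reported (conservative choice).
OPERATORS = {
    "EQUALS": lambda vendor, value: vendor == value,
    "CONTAINS": lambda vendor, value: value in vendor,
    "STARTSWITH": lambda vendor, value: vendor.startswith(value),
}

def feed_impact(old_text, new_text, conditions, endpoints):
    """List (mac, policy, old_vendor, new_vendor) for endpoints that matched
    a vendor-name condition before the update and would not match after."""
    old, new = parse_oui(old_text), parse_oui(new_text)
    hits = []
    for mac in endpoints:
        oui = oui_of(mac)
        before, after = old.get(oui, ""), new.get(oui, "")
        if before == after:
            continue
        for policy, op, value in conditions:
            match = OPERATORS[op]
            if match(before, value) and not match(after, value):
                hits.append((mac, policy, before, after))
    return hits

# Constructed sample data: vendor strings, policy names and MACs are illustrative.
OLD_FEED = "00-18-1C   (hex)\t\tExterity\nAA-BB-CC   (hex)\t\tExample Corp\n"
NEW_FEED = "00-18-1C   (hex)\t\tVitec\nAA-BB-CC   (hex)\t\tExample Corp\n"
CONDITIONS = [("IPTV-Encoder", "CONTAINS", "Exterity"), ("Lab-Gear", "EQUALS", "Example Corp")]
ENDPOINTS = ["00:18:1c:12:34:56", "aabb.cc00.0001", "00-18-1C-AB-CD-EF"]
```

Calling `feed_impact(OLD_FEED, NEW_FEED, CONDITIONS, ENDPOINTS)` returns one entry per endpoint and policy that would stop matching, which is the mismatch report to review before enabling the feed update.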
04-13-2023 03:36 PM
Thanks @davidgfriedman - I am on the same page as you. Once bitten, twice shy.
I will disable the automatic feed update until this is sorted out. I see some options: