410 Views · 0 Helpful · 3 Replies

Profiling with NMAP

nir-r
Level 4

I'm using NMAP for profiling and it seems that it runs only once for new devices on DB.

There is no re-profiling after the device was discovered for the first time and populated into endpoint identity groups with an attribute list.

In this case, if a profiled endpoint changes its NMAP attribute list, it will stay in the same identity group despite the fact that there is no longer a match on the profile policy, and it will not be moved dynamically to a different identity group.

Is it possible to run re-profiling on an existing device and dynamically move it to a different identity group for example each time device is reauthenticated?

If there is an option to have continuous profiling, it will add some security to MAB.

 

3 Replies

nspasov
Cisco Employee

I believe the profiling function continues to happen and ISE continues to collect attributes. However, a device will only be re-profiled/moved to a different group if the "certainty factor" for that new profiling rule is higher than the current one. If the certainty factor is lower or the same then the device will remain in the existing profiled group. 

 

Thank you for rating helpful posts!
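The certainty-factor rule described in the reply above is easier to reason about when it is written out. The following is an added example, not Cisco ISE code: a simplified model in which each policy condition adds a certainty value when it matches the collected endpoint attributes, a policy only matches once its minimum certainty is reached, and an endpoint is moved only when a policy now matches with a strictly higher certainty than the one it currently holds. The policy names, attribute keys (such as `nmap-22-tcp`) and certainty values are constructed for illustration and are not ISE's real attribute keys or defaults.

```python
# Simplified model of certainty-factor based profiling (added example; not ISE code).
# Policy names, attribute keys and certainty values are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str   # endpoint attribute key (constructed, not ISE's real keys)
    value: str       # value the collected attribute must equal
    certainty: int   # certainty-factor increase applied when the condition matches


@dataclass(frozen=True)
class Policy:
    name: str
    min_certainty: int                  # total certainty required before the policy matches at all
    conditions: Tuple[Condition, ...]


def policy_certainty(policy: Policy, attrs: Dict[str, str]) -> int:
    """Sum the certainty of every condition that matches the collected attributes.

    Returns 0 when the total is below the policy's minimum, i.e. the policy does not match."""
    total = sum(c.certainty for c in policy.conditions if attrs.get(c.attribute) == c.value)
    return total if total >= policy.min_certainty else 0


def best_match(policies: Tuple[Policy, ...], attrs: Dict[str, str]) -> Tuple[str, int]:
    """Pick the matching policy with the highest certainty; 'Unknown' with 0 if none match."""
    best_name, best_cf = "Unknown", 0
    for p in policies:
        cf = policy_certainty(p, attrs)
        if cf > best_cf:
            best_name, best_cf = p.name, cf
    return best_name, best_cf


def reevaluate(current: Tuple[str, int], policies: Tuple[Policy, ...],
               attrs: Dict[str, str]) -> Tuple[str, int]:
    """Move the endpoint only if a policy now matches with a strictly higher certainty
    than the profile it already holds; otherwise it keeps its current profile."""
    candidate = best_match(policies, attrs)
    return candidate if candidate[1] > current[1] else current


# Constructed policies: an SSH host matched on one open port, and a printer matched
# on an open port plus an OUI, so the printer can reach a higher total certainty.
POLICIES: Tuple[Policy, ...] = (
    Policy("SSH-Host", 30, (Condition("nmap-22-tcp", "open", 30),)),
    Policy("Network-Printer", 30, (
        Condition("nmap-9100-tcp", "open", 30),
        Condition("oui", "Printer-Vendor", 10),
    )),
)


def walk_through() -> List[Tuple[str, int]]:
    """Replay three successive (constructed) probe results for one MAC address."""
    snapshots = [
        {"nmap-22-tcp": "open"},                              # first seen: SSH open
        {"nmap-22-tcp": "closed"},                            # SSH service stopped later
        {"nmap-22-tcp": "closed", "nmap-9100-tcp": "open",    # now looks like a printer
         "oui": "Printer-Vendor"},
    ]
    history: List[Tuple[str, int]] = []
    state: Tuple[str, int] = ("Unknown", 0)
    for attrs in snapshots:
        state = reevaluate(state, POLICIES, attrs)
        history.append(state)
    return history


if __name__ == "__main__":
    for step, (name, cf) in enumerate(walk_through(), 1):
        print(f"probe {step}: profile={name} certainty={cf}")
```

The second probe is the case the thread is about: once SSH is closed no policy matches, so the candidate profile is `Unknown` with certainty 0, which is not higher than the 30 the endpoint already holds, and it stays in `SSH-Host`. Only the third probe, where a different policy reaches a higher total (40), moves the endpoint. Under this rule a loss of attributes never demotes an endpoint; only a stronger positive match re-profiles it.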

Unfortunately it doesn't work with NMAP. If, for example, you profile a device for the SSH port and the device is profiled into this group, and then you stop the SSH service, the endpoint device will stay in the same profiled group until you delete the MAC and the device is profiled once again.

Since there is no re-profiling after the MAC is in the relevant profiled group, you can take any device with the same MAC and get access to the network (of course with the right VLAN and dACL corresponding to the profile group).