Solved: The ise Profiling function was used, but the oui value is UNKNOWN.

CCC3 · ‎08-11-2023

hello.

We are building a network using ise's profiling function.

Authentication was successful, but
If you check the other attributes in endpoints, the OUI value appears to be UNKNOWN.

What is the problem?

thomas · ‎08-11-2023

What OUI?

Did you check against the IEEE registry? http://standards.ieee.org/develop/regauth/oui/oui.txt

It's entirely possible to generate your own random MAC address or OUI. I talked about and demonstrated this in

▷ MAC Authentication Bypass (MAB) with ISE 2023/07/20

00:30 Media Access Control (MAC) Addresses by the Byte
02:40 OUI & MAC Formatting

Please provide more details in your questions for more complete answers from us. See How to Ask The Community for Help

View solution in original post

Damien Miller · ‎08-13-2023

If the MAC address is a real mac and it looks up in an online registry then you can open a tac case and have them evaluate why it's missing from the lookup table.

Your immediate option to resolve this is to create a custom profile or customize the existing profile in ISE you are wanting to match. From there you can specify the MAC address range that's missing and fix this issue yourself.

View solution in original post

Rob Ingram · ‎08-11-2023

@CCC3 is randomised MAC address enabled on the endpoints? Is ISE profiling feed up to date?

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId-1136100618

CCC3 · ‎08-11-2023

Random mac enable/disable all happen the same.

And the profiling feed is difficult to check right away, which version is currently being used.

For reference, the current ise version is 3.2 patch 3.

thomas · ‎08-11-2023

What OUI?

Did you check against the IEEE registry? http://standards.ieee.org/develop/regauth/oui/oui.txt

It's entirely possible to generate your own random MAC address or OUI. I talked about and demonstrated this in

▷ MAC Authentication Bypass (MAB) with ISE 2023/07/20

00:30 Media Access Control (MAC) Addresses by the Byte
02:40 OUI & MAC Formatting

Please provide more details in your questions for more complete answers from us. See How to Ask The Community for Help

CCC3 · ‎08-11-2023

Currently, I am trying to give a vlan for each terminal through profiling.

So, for example, it is necessary to distinguish by oui such as apple / android.

Authentication seems to be successful

but actual endpoints -> In other attributes, oui is coming out as unknown.

Damien Miller · ‎08-13-2023

If the MAC address is a real mac and it looks up in an online registry then you can open a tac case and have them evaluate why it's missing from the lookup table.

Your immediate option to resolve this is to create a custom profile or customize the existing profile in ISE you are wanting to match. From there you can specify the MAC address range that's missing and fix this issue yourself.

dss470001 · ‎08-14-2023

I still lack a lot of knowledge about the ise profiling function.

How can I create Policies to apply to devices whose oui is Apple?

Charlie Moreton · ‎08-14-2023

This would be better asked as a new question instead of this question which is not going to answer yours.

thomas · ‎08-23-2023

@dss470001 please watch our ISE Webinars on our CiscoISE YouTube Channel and register for upcoming sessions to learn new things. I already mentioned ▷ MAC Authentication Bypass (MAB) with ISE in a response above and we are covering Getting Started with ISE Profiling on 2023/09/05 which is a more automated and dynamic way of detecting Apple OUIs.