Hi,
Further to my previous posts around profiling, I've now stumbled on another issue and wondered if the community has any ideas or can point to the documentation source that sheds light.
Say I have a profiling policy with a rule that matches an arbitrary OUI and sets the CF to 100. I then write a newer, more complex profiling policy with rules that match other attributes and set the CF to 10000. Within a couple of minutes of enabling the new policy, I see my endpoints with CF of 10000 in the endpoint classification page. Up to this point, ISE is behaving as I'd expect. However, if I decide I don't want to use the new rule and untick "enabled" on my new profiling policy, should ISE reclassify the endpoints back to the first policy with CF of 100? If so, this did not happen to me recently.
I didn't have time to troubleshoot this at the time, but is there a mechanism to trigger profiling? Does ISE continually evaluate all endpoints against all policies? Does it only re-evaluate an endpoint against a profiling policy that is changed? I.e., if I changed something about the original profiling policy, like name, CF or description, would this have triggered? I'm 99% sure the endpoints were unclassified because they were hitting my default MAB rule, which is an access_reject, and on the switch I was seeing AuthC and AuthZ as stopped.
Once again, ISE (3.3 patch 7) behaviour has thrown me a little as it's not operating the way I would expect.
Thanks.