2559 Views | 4 Helpful | 3 Replies

Understanding ISE endpoints

Arne Bier (VIP)

Dear Cisco TME/BU

Most of my confusion/frustration with ISE seems to revolve around my lack of understanding of how endpoints work.  Don't get me wrong - I know that I can create Endpoint Identity Groups for my guest types and I use this for my Sponsored Guest flows (MAB/Remember Me).

The problem I have is that my endpoints table is growing and I don't know why.

Our production deployment is fairly small right now and we are in a luxurious position to be able to keep an eye on this thing while it's relatively quiet to study its behaviour.  Once we unleash the monster (i.e. total ACS to ISE migration) I want to sleep easy knowing that ISE is doing the right thing.  My ACS system is handling hundreds of thousands of auths per day.

I have a look at the Context Visibility almost on a daily basis and I can't see the real information that I need to see (i.e. my guest users).  I have exported the Endpoint database from the PAN and played with Excel filters to try to understand why I have more noise than real data here.  The Endpoint Analysis Tool in my opinion doesn't help me at all - I have downloaded and installed version 2.0.2 - seems like an abandoned tool. And the reports contain nothing new, other than haphazard blank lines that make a mess of the resultant .csv file.  What is the real point of that tool?

I have asked this before and I will ask again (maybe someone at CiscoLive 2018 Melbourne can give a tech workshop on this?)

Can we please have a deep-dive session from the Experts on how ISE treats Identities, and how one is supposed to interpret the Exported Endpoint database from the PAN?

This file seems to contain key information behind the workings of ISE and how the network behaves.

I am mainly confused about the three topics below, given the fact that I don't have Profiling enabled on any of my PSNs - and I am using ISE 2.3 patch 1.

Authentication Identity Store

What I think I know: These are internal data structures that the user cannot control (add/delete endpoints) but that the user can refer to in his Authentication policies.

What I don't know: Why do I see null values ("blank") in this column? Or oftentimes I see entries with 'Guest Users', or even AD domains?

Identity Group

What I know: This is what I (Admin) can influence and I put the MAC addresses in these Groups for my Policy Set logic.

What I don't know: Why does ISE assign values to this Group (e.g. Workstation, Android, Profiled, etc.)?

Endpoint Profile

What I think I know: This is used when you have profiling enabled on PSNs - since I don't use profiling, I expected this to be blank.

What I don't know: What does ISE use this for when Profiling is disabled? It contains all sorts of random information - nothing makes sense.

As far as I know, an endpoint can only be in one Identity Group at a time - makes sense.


3 Replies

Craig Hyps (Level 10)

Arnie,

Please email me a sample report and highlight or comment cells of particular confusion that I can reference.

On a related note, I am waiting to see if my session on ISE Best Practices, Tips, and Tricks will be accepted for Orlando as I plan to include a discussion on this topic.  I will not be in Melbourne this year, but Jason K will be!

Craig Hyps

Hi Craig.

Did you present at CL Orlando on this topic?

Accepted Solution: You can find Craig's 2018 session on-demand here:
https://www.ciscolive.com/on-demand/on-demand-details.html?#/session/1636061839986001mCb5

You should note that this session (and discussion) are from five years ago, so some of the information might be outdated as there have been significant changes to ISE since then.

If you have specific information you're looking for, you would be best starting a new discussion to ask your specific questions and seek help from the Community.