Unknown endpoint profile and Misc Type

Ditter
Level 3

Hi to all,

It seems that ISE has categorized around 70% of our network endpoints as type MISC, and 32% out of this MISC type have been categorized as Unknown.

In almost all of my switches I do not have dot1x or MAB, just SNMP, and all of the switches are in ISE Network Devices. ISE polls them every 28800 sec (the default).

I also use simple DHCP (no DHCP SPAN) and DNS probes for the profiling.

Is it normal to have so many devices of type MISC, and for most of this type to be categorized with an Endpoint Profile of Unknown?

Also, where is type MISC defined?

I tried to find the Unknown profile in the Profiling Policies under WorkCenters --> Profiling Policies but I did not find anything.

Any ideas on how I could improve the profiling capabilities of ISE 2.4 with patch 6 installed?

I have also updated to the latest profile feeds.

Finally, I noticed that under WorkCenters --> Settings --> Profiler Settings there is an SNMP community string value, and I wonder if it should be the one configured to query the switches or should be left as "public" (because of many devices coming out of the box with this default community)?

Thank you,

Ditter.

5 Replies

paul
Level 10

That is pretty rare to have that many Unknowns. I have no idea what you are referring to by MISC. That is nothing I have seen before in profiling. SNMP polling can help if you have custom SNMP strings on endpoints like printers. Add any custom strings to the list, but keep public in there. Most times customers don't update endpoints and public is fine.

Ohh, by MISC type are you referring to the pie charts? I never look at them. I only look at the data on Context Visibility and how devices are being profiled and mapped to endpoint identity groups.

Thanks Paul, my environment is very diverse; there is no Active Directory and users are free to install their devices and have access to the network, so for example any user can install a new printer without asking for "permissions". So I suppose I can "catch" it by using SNMP poll with the public community. I would like to know if you share my concern on this.

As far as the MISC and Unknown in the profiled endpoint profile category, please see the following extract of my endpoint visibility; there are too many Unknowns, although I have their OUI and it is displayed.

Thanks!

Ditter.

Please refer to this attachment also: