VPN Connections have no Probe

DannyDulin
Level 1

I am having difficulties implementing Profiling on ISE 3.1. I have roughly 500 hosts and 50% profile correctly to my profile policy and 50% do not. The ones that do not are hosts that have connected to VPN. If I look at the details of a connection, there's no Probe listed.

Any ideas?


8 Replies

@DannyDulin what attributes are you looking for in your profiling policy? When an endpoint connects to a VPN, ISE does not learn the same attributes via the same method as it does for wired/wireless. ACIDex attributes learnt from AnyConnect are used by ISE to profile VPN clients.

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456


Hi Rob. Thank you for your response.

I am looking for the below attributes:

ACTIVEDIRECTORY_PROBE:AD-Host-Join-Point contains ***Our Domain

IP:FQDN contains ***Our Domain

ACTIVEDIRECTORY_PROBE:AD-Host-Join-Point contains ***Our Domain

I can't seem to find any info on how to verify ACIDex is configured correctly.


@DannyDulin the guide I provided previously has a section on ACIDex, you can use the following attributes to aid profiling VPN clients.

[image: RobIngram_0-1690567160160.png]

I don't believe you can use the AD probe to profile a VPN client.


As @Rob Ingram said, ACIDex works with RADIUS.

Thank you for your affirmation. It seems the guide doesn't detail how to actually ensure ACIDex is enabled in the connection profile.

Thanks Rob for clarifying you can't use the AD probe to profile a VPN client even though that's a little discouraging. Our ultimate goal is to identify hosts that are owned by our organization, allow those hosts to access VPN and deny non-org owned hosts. I thought that AD-host exists was the best way.

@DannyDulin on a VPN, to validate corporate devices you can either use posture (if you have the licenses) to check the registry to determine the endpoint is connected to the AD domain, or use machine certificates issued by your internal PKI environment.

That is extremely helpful Rob. Thank you!!

I've been banging my head against the Profiling wall all week, when Posture is really my answer.