This article explains the integration between Cisco AI Endpoint Analytics and Cisco ISE, with particular focus on the attributes AI Endpoint Analytics sends to ISE and how ISE interprets them in order to assign profiles and authorization results.
ISE needs to be connected to Cisco DNA Center. Here is a guide for making this integration.
Additionally, the ISE pxGrid probe needs to be enabled, which allows ISE to receive endpoint context from Cisco DNA Center/Endpoint Analytics over pxGrid, as shown in the following example:
Also ensure the 'Probe Data Publisher' is enabled as shown below. This is needed for ISE to publish endpoint probe data to Cisco DNA Center/Endpoint Analytics via pxGrid.
AI Endpoint Analytics Profile Labels
When endpoints are discovered by Endpoint Analytics, up to four profile labels are assigned. For example:
As can be seen from the above capture, the four profile label types are Endpoint Type, OS Type, Hardware Model and Hardware Manufacturer.
The discovered endpoint, a medical scanner in this instance, has labels in all four of these categories, as can be seen above.
When the MAC Address of the discovered endpoint is selected, further details are displayed on the right hand side of the display, including discovered attributes. The following capture shows the attributes placed under the IOTAsset heading:
These are the attributes sent over to ISE from Endpoint Analytics via pxGrid. There is an attribute per profile label, as follows:
NOTE: If Endpoint Analytics learns of an endpoint from SD-AVC enabled Cat9Ks but that endpoint is not learned from ISE, the attributes will NOT be sent back to ISE in the existing design.
AI Endpoint Analytics Attributes shown in ISE
Within ISE, the attributes can be seen for that MAC address within Context Visibility (the attributes can be found near the bottom of the list):
Once ISE has been sent these attributes, they can be used within custom Profiler Policies which in turn can be used in authorization conditions.
AI Endpoint Analytics Attributes used in ISE Custom Profiler Policies
The following is an example ISE custom Profiler Policy (called CT-Scanner-ISEProfile) which uses all four Endpoint Analytics labels within the conditions:
The rules used in the policy are as follows:
As can be seen, the minimum certainty factor to assign this custom profile is 200 and the certainty factor for each matched condition is 50. Therefore all four conditions must match (4 x 50 = 200) in order for this profile to be assigned.
Warning: Changing the Minimum Certainty Factor to a higher number will affect all endpoints matched, so care must be taken when adding custom profiling policies to ensure only the intended endpoints are affected. At the time of writing, the value of 200 is much higher than the Total Certainty Factor of 130 in ISE. Total Certainty Factor is the aggregated value of all profiles ISE touches to profile endpoints. (From the ISE user interface you can go to Context Visibility > Endpoints > Endpoint Classification and click on the MAC address for details to view the Total Certainty Factor. You can also view it by adding an additional column to the Endpoint Classification list table in the UI.)
Best practice is to test this with a small number of endpoints by adding conditions based on AssetMACaddress, Calling-Station-ID, or other attributes such as Network Device or Network Device Group (NDG) so that the change is limited in scope.
As stated, this is just an example and any number of conditions can be used with appropriate certainty factors depending on the requirements.
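As an added illustration (not code from this article or from Cisco), the following Python models how the certainty factors in a policy like CT-Scanner-ISEProfile add up; the IOTAsset attribute names are assumed to correspond to the four label types, and the endpoint values are constructed:

```python
# Toy model of how ISE scores a custom Profiler Policy against the IOTAsset
# attributes that AI Endpoint Analytics pushes over pxGrid (added example, not
# Cisco code; attribute names are assumed, endpoint values are constructed).
from dataclasses import dataclass

@dataclass
class Condition:
    attribute: str
    operator: str        # "EQUALS" or "CONTAINS", as in the ISE condition editor
    value: str
    certainty: int = 50  # CF awarded when this single condition matches

    def matches(self, endpoint: dict) -> bool:
        actual = endpoint.get(self.attribute)
        if actual is None:  # label never received from Endpoint Analytics
            return False
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "CONTAINS":
            return self.value in actual
        raise ValueError(f"unsupported operator {self.operator!r}")

@dataclass
class ProfilerPolicy:
    name: str
    min_certainty: int
    conditions: list

    def score(self, endpoint: dict) -> int:
        # ISE sums the CF of every condition that matches.
        return sum(c.certainty for c in self.conditions if c.matches(endpoint))

    def assigns(self, endpoint: dict) -> bool:
        # Assigned only when the summed CF reaches the policy minimum.
        return self.score(endpoint) >= self.min_certainty

# Mirrors the page's CT-Scanner-ISEProfile: four conditions of CF 50 each and a
# minimum CF of 200, so all four must match.
CT_SCANNER = ProfilerPolicy("CT-Scanner-ISEProfile", 200, [
    Condition("assetDeviceType", "EQUALS", "Medical Scanner"),  # Endpoint Type
    Condition("assetSwRevision", "CONTAINS", "Linux"),          # OS Type
    Condition("assetProductId", "EQUALS", "CT-9000"),           # Hardware Model
    Condition("assetVendor", "EQUALS", "ExampleMed"),           # Hardware Manufacturer
])

# Constructed endpoints: all four labels present, and the same scanner with no
# OS Type label, which scores only 150 and so is not assigned the profile.
SCANNER = {"assetDeviceType": "Medical Scanner", "assetSwRevision": "Linux 4.19",
           "assetProductId": "CT-9000", "assetVendor": "ExampleMed"}
SCANNER_NO_OS = {k: v for k, v in SCANNER.items() if k != "assetSwRevision"}
```

Raising the minimum CF above 200 in this model would stop even the fully labelled scanner from matching, which is the effect the warning above describes.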
A link to the ISE Profiler design guide has been provided at the bottom of this document for reference if further information is required on ISE Profiler operation.
If this custom profile (CT-Scanner-ISEProfile) is matched and assigned to an endpoint, the assignment is shown for that endpoint within the Live Sessions view:
This ISE Profile can be used as a condition in authorization rules in order to authorize the endpoint (assign an SGT for example).
ISE Profiler Policies used in ISE Authorization Rules
The following is an ISE authorization rule using the CT-Scanner-ISEProfile as a matching condition:
The resulting authorization profile assigns the appropriate SGT (Scanners) and VLAN (1stdVLAN-BldgMgmt) as shown below:
An authorized endpoint that matches both the ISE Profiler Policy and the authorization rule will show the assigned profile and SGT within the Live Sessions view:
Recap and Summary
As a recap and summary, each endpoint has up to four profile labels assigned by Endpoint Analytics and four corresponding IOTAsset attributes are sent to ISE. These attributes are used as conditions in ISE custom Profiler Policies. The resulting ISE Profiles are then used as conditions in the ISE authorization rules in order to authorize the endpoints.