question about ISE device profiling

baselzind
Level 6

If I created two rules, one "Android Samsung" and the other "Android LG", each matching device id with "android" and both given a certainty of 30, what will happen if I have several device rules with the same certainty value?

Hi @baselzind 

It depends on the device. You might find that when the device is profiled it matches the Cisco-provided profiles for "Android" or "Samsung-Device", which may mean your custom profiles are not matched. The certainty factor is cumulative, so you'd need to ensure you specify a high value.

If 2 profiles have the same certainty factor and a device matches both, then there is no tie-breaker logic. You'd need to provide additional attributes to ensure the endpoint is matched to the correct profile.

Reference:

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-1242096268

But what will ISE do if two profiles match in certainty? Will it stay unknown?

No, it won't remain as unknown. ISE has enough information to profile the endpoint; it will be profiled using one of your custom profilers.

As per the reference I provided - Note: There is currently no tie-breaker logic if an endpoint matches two different profiles with the same TCF. In such cases, it may be necessary to augment the CF for a specific rule to bias the selection of one profile over another.

In other words, ensure the profilers are unique.
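
The tie described in this thread can be checked offline before rules are deployed. The following is an added example, not part of the original posts and not ISE's own code: it models the certainty factor as a plain sum per matching rule, and the policy names, the `device-id` and `oui` attribute names, and all values are constructed assumptions.

```python
# Simplified model of cumulative certainty factors (CF); attribute names,
# policy names and values are constructed, not exported from ISE.

def total_cf(policy, endpoint):
    """Sum the CF of every rule whose attribute value contains the pattern."""
    return sum(
        cf for attr, pattern, cf in policy["rules"]
        if pattern.lower() in endpoint.get(attr, "").lower()
    )

def matching_policies(policies, endpoint):
    """Return {policy_name: total CF} for policies that reach their minimum CF."""
    scores = {name: total_cf(p, endpoint) for name, p in policies.items()}
    return {n: s for n, s in scores.items() if s >= policies[n]["min_cf"]}

def find_ties(policies, endpoints):
    """Return {endpoint_name: [policies]} where several policies share the top total CF."""
    ties = {}
    for ep_name, attrs in endpoints.items():
        matched = matching_policies(policies, attrs)
        if not matched:
            continue  # nothing reached its minimum CF for this endpoint
        top = max(matched.values())
        winners = sorted(n for n, s in matched.items() if s == top)
        if len(winners) > 1:
            ties[ep_name] = winners
    return ties

# The situation from the question: both rules match "android" with CF 30.
AMBIGUOUS = {
    "Android-Samsung": {"min_cf": 30, "rules": [("device-id", "android", 30)]},
    "Android-LG": {"min_cf": 30, "rules": [("device-id", "android", 30)]},
}
# Same policies with one extra vendor-specific rule each (hypothetical "oui" attribute).
UNIQUE = {
    "Android-Samsung": {"min_cf": 30, "rules": [("device-id", "android", 30), ("oui", "samsung", 20)]},
    "Android-LG": {"min_cf": 30, "rules": [("device-id", "android", 30), ("oui", "lg electronics", 20)]},
}
ENDPOINTS = {  # constructed sample endpoints
    "phone-1": {"device-id": "android-a1b2", "oui": "Samsung Electronics Co.,Ltd"},
    "phone-2": {"device-id": "android-c3d4", "oui": "LG Electronics (Mobile Communications)"},
    "printer-1": {"device-id": "hp-laserjet", "oui": "Hewlett Packard"},
}

if __name__ == "__main__":
    print("ties before:", find_ties(AMBIGUOUS, ENDPOINTS))
    print("ties after: ", find_ties(UNIQUE, ENDPOINTS))
```

Any endpoint reported by `find_ties` is one where the resulting profile is not predictable from the rules alone, which is the case the design guide's note addresses.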