ISE Profiling Services provides dynamic detection and classification of endpoints connected to the network.
Based on the classification and profile of an endpoint, we can authorize the level of access permitted on the network.
For example, a device profiled as an IP phone may be placed in a voice VLAN, or access may even be granted based on whether the device is a corporate asset or a personal device (IP phone).
Out of the box, ISE comes with 550+ prebuilt profiles, including 250+ medical profiles, and also provides an online or offline feed service to keep profile definitions up to date. But what happens when you have an endpoint on your network that does not match any profile, or whose profile is too generic?
ISE profiling enables you to create your own custom profiles. You might also have an endpoint that ISE has already classified with an existing profile but that, for whatever reason, you would like to modify.
For a deeper understanding of profiling and how it works, see the following:
We will check how this device was profiled as Android.
Navigate to Work Centers > Profiler > Profiling Policies
Click on Android
Notice at the top
The attributes gathered by ISE are matched against the conditions defined in the profile. Each condition ends with a number called a Certainty Factor (CF). This is a generic weighting scale: each condition may have its own weighting value, and if the Minimum Certainty Factor value is reached (in this case 30), the profile will be chosen. In this example it would suffice to meet only one condition, as each one has a CF of 30 and the minimum CF to reach is 30.
In the list of endpoint attributes above, you will notice the CF value is 30, meaning one condition in the Android profile was met.
In this example the 3rd rule in the list of conditions was met.
IP:User-Agent Contains Android (Notice the attribute in the list above)
ISE compared the list of attributes to the profile conditions (rules) and matched the 3rd rule under the Android profile, which met the minimum CF of 30.
In this next section we will learn how to modify a device profile. With the same procedure we can create new profiles if no predefined profile exists for a particular endpoint or IoT device.
For this example we would like the Endpoint Profile to show as MINIX.
Navigate to Work Centers > Profiler > Profiling Policies and click on Add
Fill in the values as below
Notice that the Minimum Certainty Factor above is 40, which is higher than that of the Android profile, meaning that if it is met, the MINIX profile will be the preferred profile.
Click the Submit button.
The change takes place instantly and is now seen in Context Visibility > Endpoints, where the endpoint profile shows as MINIX.
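The certainty-factor matching walked through above can be modelled in a few lines. This is an added example, not code from ISE or from the original article: it assumes the CFs of matched rules are summed and that the highest total among profiles reaching their minimum wins. The MINIX rule (DHCP:host-name contains "minix") and the endpoint attribute values are constructed for illustration.

```python
# Simplified model of certainty-factor (CF) matching; added example, not ISE code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str   # endpoint attribute, e.g. "IP:User-Agent"
    contains: str    # substring the attribute value must contain
    cf: int          # certainty factor contributed when the rule matches

@dataclass(frozen=True)
class Profile:
    name: str
    min_cf: int      # Minimum Certainty Factor the profile must reach
    rules: tuple

def score(profile, attrs):
    """Sum the CF of every rule that matches the endpoint's attributes."""
    return sum(r.cf for r in profile.rules
               if r.contains.lower() in attrs.get(r.attribute, "").lower())

def classify(profiles, attrs):
    """Return (profile name, total CF) for the highest-scoring profile that
    reached its minimum CF, or ("Unknown", 0) if none did."""
    eligible = [(score(p, attrs), p.name) for p in profiles
                if score(p, attrs) >= p.min_cf]
    if not eligible:
        return ("Unknown", 0)
    total, name = max(eligible)   # equal totals: this model picks by name
    return (name, total)

def single_rule_profiles(profiles):
    """Profiles that one matching rule alone can select (review candidates)."""
    return [p.name for p in profiles if any(r.cf >= p.min_cf for r in p.rules)]

# Android: minimum CF 30 and the User-Agent rule are from the article.
ANDROID = Profile("Android", 30, (Rule("IP:User-Agent", "Android", 30),))
# MINIX: minimum CF 40 is from the article; the rule itself is hypothetical.
MINIX = Profile("MINIX", 40, (Rule("DHCP:host-name", "minix", 40),))
PROFILES = (ANDROID, MINIX)

# Constructed endpoint attributes.
ENDPOINT = {"IP:User-Agent": "Dalvik/2.1.0 (Linux; U; Android 7.1.2)",
            "DHCP:host-name": "MINIX-NEO"}

if __name__ == "__main__":
    print(classify((ANDROID,), ENDPOINT))   # only the built-in profile
    print(classify(PROFILES, ENDPOINT))     # after adding the custom profile
    print(single_rule_profiles(PROFILES))
```

Profiles returned by single_rule_profiles hinge on one attribute. When that attribute is reported by the endpoint itself, as a User-Agent is, consider requiring a second condition before the profile is used in authorization policy.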