ISE Profiling Services provides dynamic detection and classification of endpoints connected to the network.
Based on the classification and profile of an endpoint, we can authorize and permit the appropriate level of access on the network.
For example, a device profiled as an IP phone may be placed in a voice VLAN, or access can be granted based on whether the device is a corporate asset or a personal device (IP phone).
Out of the box, ISE comes with 550+ built-in profiles, including 250+ medical profiles, and also provides an online or offline feed service to keep profile definitions up to date. But what happens when you have an endpoint on your network that does not match any profile, or whose profile is too generic?
ISE profiling enables you to create your own custom profiles. You might also have an endpoint that ISE has already classified with an existing profile but that, for whatever reason, you would like to modify.
For a deeper understanding of profiling and how it works, see the following:
We will check how this device was profiled as Android
Navigate to Work Centers > Profiler > Profiling Policies
Click on Android
Notice at the top
The attributes gathered by ISE are matched against the conditions defined in the profile, each of which ends with a number called a Certainty Factor (CF). This is a generic weighting scale: each condition may have its own weighting value, and if the accumulated value reaches the Minimum Certainty Factor (in this case 30) the profile will be chosen. In this example it suffices to meet only one condition, as each one has a CF of 30 and the minimum CF to reach is 30.
In the list of endpoint attributes above you will notice the CF value is 30 meaning one condition in Android profile was met.
In this example the 3rd rule in the list of conditions was met.
IP:User-Agent Contains Android (Notice the attribute in the list above)
ISE compared the list of attributes to the profile conditions (Rules) and matched the 3rd rule under profile Android which met the minimum CF of 30.
In this next section we will learn how to modify a device profile. With the same procedure we can create new profiles if no predefined profile exists for a particular endpoint or IoT device.
For this example we would like the Endpoint Profile to show as MINIX.
Navigate to Work Centers > Profiler > Profiling Policies and click on Add
Fill in the values as below
Notice that the Minimum Certainty Factor above is 40, which is higher than that of the Android profile, meaning that if it is met the MINIX profile will be the preferred profile.
Click the Submit button.
The change takes place instantly and is now seen in Context Visibility > Endpoints.
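The certainty-factor comparison described above can be modelled in a few lines. This is an added example, not ISE code and not part of the original article: it is a simplified model that sums the CF of matching conditions and ignores parent/child policy hierarchy. The MINIX condition (`DHCP:host-name` contains `MINIX`, CF 40) and the endpoint attribute values are assumptions made for illustration.

```python
# Simplified model of certainty-factor (CF) matching; not ISE code.
from dataclasses import dataclass

@dataclass
class Rule:
    attribute: str   # attribute name as shown in the endpoint's attribute list
    value: str       # substring the attribute must contain
    cf: int          # certainty factor contributed when the rule matches

@dataclass
class Profile:
    name: str
    min_cf: int      # Minimum Certainty Factor of the profiling policy
    rules: list

def score(profile, attrs):
    """Sum the CF of every rule whose attribute contains the rule value."""
    return sum(r.cf for r in profile.rules
               if r.value in attrs.get(r.attribute, ""))

def classify(profiles, attrs):
    """Return (name, cf) of the highest-scoring profile that reaches its minimum."""
    best = ("Unknown", 0)
    for p in profiles:
        total = score(p, attrs)
        if total >= p.min_cf and total > best[1]:
            best = (p.name, total)
    return best

# Android: only the condition quoted on the page; its other conditions are omitted.
ANDROID = Profile("Android", 30, [Rule("IP:User-Agent", "Android", 30)])
# MINIX: hypothetical condition and CF (the article's rule is not shown in the text).
MINIX = Profile("MINIX", 40, [Rule("DHCP:host-name", "MINIX", 40)])

# Constructed endpoint attributes, for illustration only.
ENDPOINT = {
    "IP:User-Agent": "Dalvik/2.1.0 (Linux; U; Android 7.1.2; sample-device)",
    "DHCP:host-name": "MINIX-sample",
}

if __name__ == "__main__":
    print(classify([ANDROID], ENDPOINT))          # before the custom profile exists
    print(classify([ANDROID, MINIX], ENDPOINT))   # after adding the MINIX profile
```

In this model, an endpoint that matched two 30-point Android conditions would total 60 and outrank a single 40-point MINIX rule, so the CF assigned to the custom rule matters as well as the profile's minimum.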