ISE Profiling Services provides dynamic detection and classification of endpoints connected to the network.
Based on the classification and profile of an endpoint, we can authorize it and set the level of access permitted on the network.
For example, a device profiled as an IP phone may be placed in a voice VLAN, or access can be granted based on whether the device (IP phone) is a corporate asset or a personal device.
Out of the box, ISE comes with 550+ prebuilt profiles, including 250+ medical profiles, and also provides an online or offline feed service to keep profile definitions up to date. But what happens when you have an endpoint on your network that does not match any profile, or whose profile is too generic?
ISE profiling enables you to create your own custom profiles. You might also have an endpoint that ISE has classified with an existing profile, but for whatever reason you would like to modify it.
For a deeper understanding of profiling and how it works, see the following:
We will check how this device was profiled as Android.
Navigate to Work Centers > Profiler > Profiling Policies
Click on Android
Notice at the top
The attributes gathered by ISE are matched against the conditions defined in the profile. Each condition ends with a number called a Certainty Factor (CF). This is a generic weighting scale: each condition may have its own weighting value, and if the Minimum Certainty Factor value is reached (in this case 30), the profile will be chosen. In this example it is enough to meet only one condition, as each one has a CF of 30 and the minimum CF to reach is 30.
In the list of endpoint attributes above, you will notice the CF value is 30, meaning one condition in the Android profile was met.
In this example the 3rd rule in the list of conditions was met.
IP:User-Agent Contains Android (Notice the attribute in the list above)
ISE compared the list of attributes to the profile conditions (rules) and matched the 3rd rule under the Android profile, which met the minimum CF of 30.
In this next section we will learn how to modify a device profile. With the same procedure we can create new profiles if no predefined profile exists for a particular endpoint or IoT device.
For this example we would like the Endpoint Profile to show as MINIX.
Navigate to Work Centers > Profiler > Profiling Policies and click on Add
Fill in the values as below
Notice that the Minimum Certainty Factor above is 40, which is higher than that of the Android profile, meaning that if it is met, the MINIX profile will be the preferred profile.
Click the Submit button.
The change takes place instantly and is now seen in Context Visibility > Endpoints, where the endpoint shows as MINIX.
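The Certainty Factor matching described above, and the effect of giving the custom profile a higher Minimum Certainty Factor, can be sketched as a simplified model in Python. This is an added example, not Cisco ISE code: the MINIX rule, the second Android rule and the endpoint attribute values are constructed assumptions, since the page shows them only in screenshots.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str   # endpoint attribute name, e.g. "IP:User-Agent"
    contains: str    # substring to look for (case-insensitive)
    cf: int          # certainty factor added when the rule matches

@dataclass(frozen=True)
class Profile:
    name: str
    min_cf: int      # Minimum Certainty Factor the profile must reach
    rules: tuple

def score(profile, attrs):
    """Sum the CF of every rule whose substring appears in the endpoint attribute."""
    return sum(r.cf for r in profile.rules
               if r.contains.lower() in attrs.get(r.attribute, "").lower())

def classify(profiles, attrs):
    """Return (name, cf) of the qualifying profile with the highest CF."""
    best = ("Unknown", 0)
    for p in profiles:
        total = score(p, attrs)
        # A profile qualifies only if it reaches its own minimum CF.
        if total >= p.min_cf and total > best[1]:
            best = (p.name, total)
    return best

ANDROID = Profile("Android", 30, (
    Rule("IP:User-Agent", "Android", 30),    # the rule quoted on this page
    Rule("DHCP:host-name", "android", 30),   # constructed placeholder rule
))
# Hypothetical custom profile: its real conditions are not given in the text.
MINIX = Profile("MINIX", 40, (Rule("DHCP:host-name", "MINIX", 40),))

# Constructed endpoint attributes for illustration.
ENDPOINT = {
    "IP:User-Agent": "Dalvik/2.1.0 (Linux; U; Android 7.1.2; NEO U9-H)",
    "DHCP:host-name": "MINIX-NEO",
}

if __name__ == "__main__":
    print(classify([ANDROID], ENDPOINT))         # before the custom profile exists
    print(classify([ANDROID, MINIX], ENDPOINT))  # after adding the custom profile
```

Attributes such as User-Agent and DHCP host name are reported by the endpoint itself, so a profile that qualifies on a single such rule is weak evidence when it feeds an authorization decision.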