This document gives an overview of a Cisco ISE feature called "Profiling".
I’ve been quite interested in how the magical ISE profiling works and its implications for security. Apart from profiling, ISE basically works as a RADIUS server, checking authentication and passing attributes back to switches or wireless LAN controllers. As a note, the profiling service requires the Advanced license package on top of the Base license.
Accuracy about device types increases as more probes are enabled. Cisco ISE probe options are NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, DNS and SNMP Trap/Query. Probes only see the traffic that designated sensors (e.g. an ISE-managed switch) deliver to ISE, whether by SNMP trap, DHCP relay or SPAN. If you quickly plug and unplug a laptop into a switch, ISE Profiling will most likely see only the SNMP link-up trap and know very little about the device. If the device stays plugged in and attempts to access the web, ISE Profiling sees more data and can make a more accurate determination of the device’s identity.
Cisco ISE profiling has device categories (profiles) obtained from Cisco’s profiler feed service (the "cloud") or created through customization. Each profile has conditions with specific "weights" (certainty factors) that are measured against the collected device data. As Cisco ISE profiling captures data, a device is assigned to a profile once the sum of the weights of its matching conditions reaches that profile’s minimum. For example, an iPad will move from UNKNOWN to APPLE DEVICE based on its MAC address (network card manufacturer prefix) and other info. As more data is collected about the iPad, Cisco ISE profiling uses other attributes to move it from APPLE DEVICE to iPad. Custom categories can be created from UNKNOWN or by extending existing profiles; however, the majority of device profiles are obtained through the feed. Profiling is continuous, so if a device’s identity is spoofed (for example its MAC address), attributes from its ongoing behavior such as DHCP options or HTTP user agents can give away its true identity, providing continuous monitoring of device types on your network.
So basically, if either the hostname or the user agent contains "iphone", ISE is certain it is an Apple device. Here are a few other examples:
MacBook – the MAC prefix (OUI) is assigned to Apple and the user agent contains "Macintosh" and "Mac OS".
VMware device – the MAC prefix is assigned to VMware.
PlayStation 3 – the MAC prefix is assigned to Sony.
BlackBerry – two of the following match: the MAC prefix is assigned to RIM, the dhcp-class-identifier is "BlackBerry", or the hostname contains "blackberry".
Some common issues seen:
1) Profiling is not working:
Check that the Profiling Service is enabled under General Settings.
Verify which probes are enabled under the Probe Config tab.
Verify that the switch you are testing supports and is configured for the probe. For example, to use the SNMP Query probe with a read-only community, the switch needs the snmp-server commands (community string, and a trap host pointing at ISE) so that it sends data to Cisco ISE Profiling. The switch also needs to be added as a network device in ISE (Network Devices tab) with matching SNMP settings.
For the DHCP probe, you may need an ip helper-address pointing at the ISE node on the access VLAN interface so that ISE receives a copy of the DHCP traffic.
2) Devices remain as UNKNOWN
Verify which profile you are attempting to match. Click the UNKNOWN device and review its attributes. Make sure the probes that are enabled actually supply the attributes used by the profile you are trying to reach (see the AVAYA PHONE example above). You may need to adjust the profile weights if specific data is not used or not seen by ISE.
Click the UNKNOWN device to verify which probes are actually delivering data; ISE Profiling shows what it has learned. Go to the monitoring section and click the device details; ISE shows the collected attributes in detail.
Make sure you have updated your ISE system with the profiler feed. If you haven’t updated ISE, it won’t have current categories. There are air-gap (offline feed) steps for customers who don’t want ISE to reach the internet.
3) Devices remain in a generic category.
This problem is similar to remaining UNKNOWN. Compare the attributes and weights required by the desired child profile with what ISE is seeing for the device under monitoring. You may have to tune weights, or you may simply not have enough data because of missing probe information. Options are to enable more probes or to use MAC Authentication Bypass (MAB) so the switch sends RADIUS attributes for the device.
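As an added illustration (not Cisco ISE code; the profile names, weights, minimum thresholds, OUI table and attribute-to-probe mapping are all assumptions chosen to mirror the iPhone, MacBook, VMware, PlayStation 3 and BlackBerry rules listed earlier), the following Python sketch accumulates attributes probe by probe and evaluates parent/child profiles by summed certainty factor. It also replays the two troubleshooting cases above: a device that stays at the generic APPLE DEVICE parent because only its MAC is known until the HTTP probe sees a user agent, and one that stays UNKNOWN until the DHCP probe supplies a second matching attribute. The sample MACs, hostnames and user agents are constructed.

```python
# Toy certainty-factor profiler, added to illustrate the rules above. Not Cisco
# ISE code: profile names, weights, thresholds and the OUI table are assumptions.
from dataclasses import dataclass, field
from typing import Optional

# Constructed OUI -> vendor table (ISE consults the full IEEE registry).
OUI_VENDORS = {"00:1C:B3": "Apple", "00:50:56": "VMware",
               "00:1D:0D": "Sony", "00:1C:CC": "RIM"}
# Which probe normally supplies each attribute; assumption, used only for hints.
ATTR_PROBE = {"oui": "RADIUS/SNMP query", "hostname": "DHCP or DNS",
              "user_agent": "HTTP", "dhcp_class_identifier": "DHCP"}

@dataclass
class Rule:
    attr: str    # endpoint attribute the condition inspects
    needle: str  # case-insensitive substring that must appear in it
    cf: int      # certainty factor contributed on a match

@dataclass
class Profile:
    name: str
    min_cf: int  # total certainty needed before the profile is assigned
    rules: list
    parent: Optional[str] = None

PROFILES = {p.name: p for p in [
    Profile("Apple-Device", 10, [Rule("oui", "apple", 10), Rule("hostname", "iphone", 10),
                                 Rule("user_agent", "iphone", 10)]),
    Profile("Apple-iPhone", 20, [Rule("hostname", "iphone", 20), Rule("user_agent", "iphone", 20)],
            parent="Apple-Device"),
    Profile("Apple-MacBook", 30, [Rule("oui", "apple", 10), Rule("user_agent", "macintosh", 10),
                                  Rule("user_agent", "mac os", 10)], parent="Apple-Device"),
    Profile("VMWare-Device", 10, [Rule("oui", "vmware", 10)]),
    Profile("Sony-PlayStation3", 10, [Rule("oui", "sony", 10)]),
    # "two of the following three" becomes three 10-point rules with a 20 threshold
    Profile("BlackBerry", 20, [Rule("oui", "rim", 10), Rule("dhcp_class_identifier", "blackberry", 10),
                               Rule("hostname", "blackberry", 10)]),
]}

@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)    # attribute -> value
    sources: dict = field(default_factory=dict)  # attribute -> probe that saw it

    def learn(self, probe: str, **values: str) -> None:
        """Record attributes as a probe delivers them; classification is re-run later."""
        for attr, value in values.items():
            self.attrs[attr] = value
            self.sources[attr] = probe

    def attribute(self, attr: str) -> str:
        if attr == "oui":
            return OUI_VENDORS.get(self.mac[:8].upper(), "")
        return self.attrs.get(attr, "")

def certainty(ep: Endpoint, profile: Profile) -> int:
    """Sum the certainty factors of every rule whose substring is present."""
    return sum(r.cf for r in profile.rules if r.needle in ep.attribute(r.attr).lower())

def classify(ep: Endpoint) -> tuple:
    """Top-down walk: a child profile is evaluated only once its parent matched;
    the deepest match with the highest certainty wins, otherwise Unknown."""
    best = ("Unknown", 0, 0)  # (name, depth, certainty)

    def walk(parent: Optional[str], depth: int) -> None:
        nonlocal best
        for p in PROFILES.values():
            if p.parent != parent:
                continue
            cf = certainty(ep, p)
            if cf < p.min_cf:
                continue
            if (depth, cf) > (best[1], best[2]):
                best = (p.name, depth, cf)
            walk(p.name, depth + 1)

    walk(None, 1)
    return best[0], best[2]

def missing_for(ep: Endpoint, profile_name: str) -> list:
    """Troubleshooting aid: unmatched rules and the probe that would supply each one."""
    return [(r.attr, ATTR_PROBE[r.attr]) for r in PROFILES[profile_name].rules
            if r.needle not in ep.attribute(r.attr).lower()]

def demo() -> dict:
    """Replay the situations described on the page; returns each verdict."""
    out = {}
    laptop = Endpoint("00:1c:b3:12:34:56")        # only the MAC is known so far
    out["laptop_mac_only"] = classify(laptop)      # ("Apple-Device", 10)
    laptop.learn("http", user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)")
    out["laptop_after_http"] = classify(laptop)    # ("Apple-MacBook", 30)
    spoof = Endpoint("00:50:56:ab:cd:ef")          # iPhone hiding behind a VMware OUI
    spoof.learn("dhcp", hostname="Johns-iPhone")
    spoof.learn("http", user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 12_0)")
    out["spoofed_iphone"] = classify(spoof)        # ("Apple-iPhone", 40)
    bb = Endpoint("00:1c:cc:00:11:22")             # RIM OUI alone scores 10 < 20
    out["bb_mac_only"] = classify(bb)              # ("Unknown", 0)
    out["bb_hint"] = missing_for(bb, "BlackBerry")
    bb.learn("dhcp", dhcp_class_identifier="BlackBerry")  # ip helper now relays DHCP
    out["bb_after_dhcp"] = classify(bb)            # ("BlackBerry", 20)
    return out
```

Running demo() walks through the four cases; missing_for() is the part worth copying into a real troubleshooting habit, because it answers the question the UNKNOWN check above asks: which attribute the target profile still needs and which probe (and therefore which switch or relay configuration) would deliver it.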