gtuthill
Beginner

Cisco ISE Profiling Policy

If an endpoint matches multiple Profiling Policies, and each one of the Profiling Policies creates a new and unique Identity Group, which Identity Group will the endpoint be profiled into? My understanding is that an endpoint can only be profiled into a unique Identity Group. Another way of wording the question: are the Profiling Policies matched top-down or some other way? Thanks in advance.

 

 

nspasov
Cisco Employee

A profiling policy that has a higher certainty factor would take precedence over any lower ones. That is why, if you have custom-created policies, it is a good practice to have them with higher certainty factors than the default ones. I always created mine with a level of 100.

 

Thank you for rating helpful posts!

Thanks, Neno, for your input; it sheds a little bit more light on my understanding.

I wonder what would happen if you had two rules, both with a certainty factor of 100 or even the max 65535, and a single endpoint was profiled into both rules: which one would win? Would it be the first in the list in ISE, or alphabetical order? Once I get my hands on ISE again I will try to confirm the order.

Thanks again Neno for taking the time to answer my question.

 

Graham.

No problem, Graham. To answer your second question: The attributes that are collected first that trigger a profiling rule would be used first. For instance, let's say that you have a profiling rule with CF of 100 that is looking for a DHCP class identifier of XYZ and then a second profiling rule with CF of 100 that is looking for the MAC OUI of ABC. In this situation, the second rule would be hit first since the MAC information is collected before the DHCP info is. As a result, the device will be profiled and placed in the endpoint group associated with the second profiling rule until/unless additional attributes are collected that would match a different profiling rule with CF > 100.

I hope this makes sense.

 

Thank you for rating helpful posts!
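The tie-break described in the reply above, as a small Python model (an added example, not part of the original thread and not Cisco ISE code). Rule names, group names and attribute keys are constructed, and it assumes one attribute arrives per collection event.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    name: str       # constructed policy name
    group: str      # identity group the policy creates
    attribute: str  # endpoint attribute the rule checks
    value: str      # value that must match
    cf: int         # certainty factor


def replay(rules, events):
    """Return the identity group after each attribute event, in collection order."""
    seen, current, history = {}, None, []
    for attr, val in events:
        seen[attr] = val
        for rule in rules:
            if seen.get(rule.attribute) != rule.value:
                continue
            # Replace the current profile only on a strictly higher CF.
            # Assumption: two rules first matching on the same event keep list
            # order; the thread does not cover that case.
            if current is None or rule.cf > current.cf:
                current = rule
        history.append(current.group if current else None)
    return history


def cf_ties(rules):
    """Rule pairs with equal CF but different groups (order-dependent outcome)."""
    return [(a.name, b.name) for a, b in combinations(rules, 2)
            if a.cf == b.cf and a.group != b.group]


# Constructed sample rules mirroring the reply's XYZ / ABC example.
RULES = [
    Rule("by-dhcp", "Group-DHCP", "dhcp-class-identifier", "XYZ", 100),
    Rule("by-oui", "Group-OUI", "mac-oui", "ABC", 100),
    Rule("by-extra", "Group-Extra", "extra-attribute", "DEF", 150),
]
# MAC is collected before DHCP, as in the reply; the third event is constructed.
EVENTS = [("mac-oui", "ABC"), ("dhcp-class-identifier", "XYZ"),
          ("extra-attribute", "DEF")]

if __name__ == "__main__":
    print(replay(RULES, EVENTS))
    print(cf_ties(RULES))
```

`cf_ties` flags the rule pairs whose result depends on which attribute is collected first, which is the case to review before an identity group is used in authorization policy.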


Brilliant.

Many thanks for your answer Neno, 

Really clear and useful :-)

 

You are welcome! Glad I could help! :)
