ISE profiling policy

Hi forummers,
I would like to ask if I can create a profiling policy in order to reduce the overall load generated by the policy service node.
Example:
Workstation
- unique attributes : MAC address
- probe used        : RADIUS
- collection method : RADIUS authentication
Apple iPhone
- unique attributes : OUI
- probe used        : RADIUS
- collection method : RADIUS authentication
Thanks
Noel

Noel,
Can you please describe how you want to reduce the load on the policy service node? To create a profiling policy for workstations the MAC address should work; however, for the Apple iPhones you will need more than just the Apple OUI, since the MacBook, iPads and iMacs all share the OUI for Apple. You will need to use the HTTP user agent string to detect this in addition to the OUI, and that is done by setting a default rule to the redirect page so this can happen.
Let me know if this is what you are looking for.
Thanks,
Tarik Admani

Similar Messages

  • Cisco ISE Profiling Policy

    If an endpoint matches multiple Profiling Policies and each one of the Profiling Policies creates a new and unique Identity Group which Identity group will the endpoint be profiled into. My understanding is that an endpoint can only be profiled into a unique Identity Group. Another way of wording the question is, are the Profiling policies matched top down or some other way? thanks in advance.

    No problem Graham. To answer your second question: The attributes that are collected first that triggers a profiling rule would be used first. For instance, let's say that you have a profiling rule with CF of 100 that is looking for a DHCP class identifier of XYZ and then a second profiling rule with CF of 100 that is looking for the MAC OUI of ABC. In this situation, the second rule would be hit first since the MAC information is collected before the DHCP info is. As a result, the device will be profiled and placed in the endpoint group associated with the second profiling rule until/unless additional attributes are collected that would match a different profiling rule with CF > 100.
    I hope this makes sense
    Thank you for rating helpful posts!

  • ISE Authorization Policy

    Hey guys,
    I have a question regarding ISE Authorization Policy. In my test lab, I don't have any wired station, and what I have is a wireless laptop. I have configured it to allow only EAP-TLS authentication. Now, my problem is I keep getting "15039 Rejected per authorization profile."
    Under the Policy > Authorization, I created a rule where I just want to allow on EAP-TLS either via machine or user identity, and the bottom is the default DenyAccess. When I tried to join the wireless network, I kept getting denied. I checked the ACL counters on the WLC side and it was not increasing.
    I changed the default DenyAccess to PermitAccess, and I was able to join the wireless network no problem, and the ACL counters on the WLC side increased.
    It seems like I am hitting the default Authorization Policy first which is on the bottom of the authorization policy.
    I attached the failed and authenticated logs that I got from ISE.
    Has anyone encountered this issue?
    The version that I have is 1.1.1
    Thanks
    P.S.
    I went back to check my authorization condition, and it is blank (see the 1st screenshot).

    Hi,
    It is obvious that you are not matching any condition.
    Rather than keeping the condition blank, fill it with a condition that always matches and see if that helps.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco ISE feeding policy

    Hi all,
    I changed something in the profile for windows 8 on Cisco ISE.
    Then I configured Cisco ISE to dynamically update the feed policies, but when the update is done, I receive the below message:
    Feed Version 1 policies downloaded.
    Total number of feed polices to apply are 1.
    Feed policies total 1 skipped.
    Feed policies warning message : Workstation:Microsoft-Workstation:Windows8-Workstation has been changed by admin.
    *** This message was generated by Cisco Identity Services Engine (ISE) ***
    How can I reset the change I did to get all feed policies updated?
    Regards,
    Maher

    I have the same problem.
    Apparently if you inadvertently save a "Cisco Provided" profiler policy without making any changes, it is changed from "Cisco Provided" to "Administrator Modified". If the profiler feed service then tries to update that policy, it fails with the warning that the policy has been modified by the admin.
    There does not appear to be any way to restore "Cisco Provided" profiler policies to their default state.
    Does anyone have a solution for this?

  • Can we download ISE Profile Policy from Cisco?

    The ISE comes with certain profile policies. Can we download the profile policy from Cisco as new devices come into the market?

    Yes, you can.  jan.nielson is correct that the Profile Feed Service will allow for this.  Be advised that the Feed Service does require a Plus license for activation.  Here is a snippet from the ISE 1.3 Admin Guide:
    To activate the Feed Service, go to Administration > Feed Service > Profiler.  Enable the checkbox for Enable Profiler Feed Service, fill out the rest of the options (optional) and click Save.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE Profiler Feed Service Update

    Hey,
    I have tried a couple of times so far to update the ISE profiler feed service and it always says "it has been successfully updated" after 2 seconds; however, the last update feed shows 2013-05 (see attached). I'm running ISE 1.2 with all patches installed (1,2,3,4,5,6,7). Does anyone have some idea about this issue? I'd really like to update the OUI database for the new devices and it seems this is the only automatic way!
    Thanks,
    Ali

    Cisco updates the OUIs as they become available, but if you are facing an issue regarding a specific OUI, do mention it, or you can custom define that device for profiling (as a short-term solution).
    Also confirm this information.

  • ISE profiling on Apple-Device, Apple-iPhone and Apple-iPad

    hi,
    I have a question on ISE profiling, especially on Apple devices.
    My testing environment: when I use an iPhone to connect, by default the result profiles me as Apple-Device.
    But when I try to get it more specific, I mark the identity store as Apple-iPhone on the authorization rule, it fails somehow. It seems it cannot go deeper to analyze that it's an iPhone, instead of Apple-Device.
    The default Apple-iPhone profiler condition is checking the hostname and user-agent. So when I try to use the Safari browser to get online, it won't bounce me to the Apple-iPhone profile somehow.
    Question:
    01. What should I do so that the profiler can analyze directly that it is an Apple-iPhone, or is there anything I need to configure, say an authorization rule?
    Thanks
    Noel

    Are you getting redirected to the web portal in ISE? That is the most common way the ISE can get the user agent of the browser in order to profile the device as Apple-iPhone. Give that a try and then see if the user agent is learned; you should get a message to refresh your browser momentarily. Then CoA should trigger and the wireless controller should get the new authorization profile that you configured for your Apple-iPhone endpoints.
    Thanks
    Tarik Admani

  • ISE Profiling Deployment

    We are starting an ISE deployment to segregate mobile devices (iPhones and iPads, initially) from corporate notebooks. We have a single SSID and two separate VLANs, one for mobile devices and another for corporate notebooks, assigned by ISE. We successfully set up profiling in a lab environment with a few devices, but when we put it in production we had problems with devices not being profiled correctly. Since devices are not profiled, their access is denied. Since devices are denied, they cannot be profiled because ISE doesn't see any traffic (DHCP, HTTP) from clients.
    What strategy are you using to deploy ISE profiling? Must I put ISE to listen on our network for some time before segregating access?

    Hi
    I've had the same problem with first-time users being denied; that's due to ISE not being able to profile before it denies.
    I think they should come up with something that will profile devices and then continue the authentication process.
    Someone mentioned doing a re-auth for a couple of seconds (see attached pic of how the authorization rule looks). That could save you from people being denied the first time, but if your device is never profiled then it will just spin there all the time re-authenticating.
    What you could do as well is set up an unrouted VLAN where all the unknown devices stay until profiled.
    I've talked to Cisco and they recommended the same thing, so I guess that's it for now.
    What we have done before deploying ISE, and it worked pretty well, is forward all DHCP traffic to ISE before deploying ISE at that particular site. DHCP forwarding ran for a few days and I already had their devices in my database, so when I deployed it, it worked pretty neatly.
    By forwarding all DHCP requests I mean:
    We have Active Directory and DHCP servers centrally located, so in the router config I've added a helper address pointing to the ISE IP address, and that's it.
    Now WLC 7.3 has DHCP PROFILING and HTTP PROFILING options.
    HTTP profiling sends the first HTTP packets to ISE, capturing the User-Agent string. That helps if you browse with Safari, but if you use any other application that uses HTTP traffic it will end up totally wrong.
    For example, you connect with your iPhone to Wi-Fi and open up Viber; ISE will capture viber_blabla_smth as the user agent and will not profile accurately.
    Hope it helps
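The certainty-factor answer earlier on this page and the user-agent discussion in this thread and the preceding one describe how an endpoint's profile changes as probes collect more attributes. The following is an added Python model of that behaviour (not Cisco's code or ISE's actual implementation): each matched attribute rule adds certainty, a child policy only applies once its parent has matched, and the endpoint moves from Apple-Device to Apple-iPhone only after a user agent containing "iPhone" is learned, while a non-browser user agent such as Viber's leaves it at Apple-Device. Policy names are from the thread; the OUIs, CF values and attribute names are constructed placeholders.

```python
import re

# Constructed, simplified model of certainty-factor (CF) profiling. Policy names
# follow the thread; OUIs, CF values and attribute names are placeholders, not
# Cisco-provided policy content.
# (name, parent, minimum CF to match, rules as (attribute, operator, pattern, CF))
POLICIES = [
    ("Apple-Device", None, 10,
     [("MAC", "regex", r"^(AA:BB:CC|AA:BB:CD):", 10)]),   # placeholder OUI list
    ("Apple-iPhone", "Apple-Device", 20,
     [("User-Agent", "contains", "iPhone", 20),
      ("DHCP-host-name", "contains", "iPhone", 10)]),
    ("Workstation", None, 10,
     [("DHCP-class-identifier", "contains", "MSFT", 10)]),
]
BY_NAME = {p[0]: p for p in POLICIES}


def rule_matches(op, pattern, value):
    if op == "contains":
        return pattern.lower() in value.lower()
    if op == "regex":
        return re.search(pattern, value, re.IGNORECASE) is not None
    raise ValueError(f"unknown operator {op}")


def score(name, attrs):
    """CF a policy earns from the attributes collected so far.

    Returns 0 when the total is below the policy minimum or when the parent
    policy is itself unmatched (child policies only apply under a matched parent).
    """
    _, parent, min_cf, rules = BY_NAME[name]
    total = sum(cf for attr, op, pat, cf in rules
                if attr in attrs and rule_matches(op, pat, attrs[attr]))
    if total < min_cf or (parent and score(parent, attrs) == 0):
        return 0
    return total


def depth(name):
    parent = BY_NAME[name][1]
    return 0 if parent is None else 1 + depth(parent)


def profile(attrs):
    """Most specific (deepest) matched policy; ties go to the higher CF, then to
    the policy listed first. No match yields 'Unknown'."""
    matched = [(depth(n), score(n, attrs), -i, n)
               for i, (n, *_rest) in enumerate(POLICIES) if score(n, attrs) > 0]
    return max(matched)[3] if matched else "Unknown"


if __name__ == "__main__":
    # Attributes as the probes would collect them over time (constructed sample).
    seen = {"MAC": "AA:BB:CC:11:22:33"}                     # RADIUS probe: OUI only
    print(profile(seen))                                    # Apple-Device
    seen["User-Agent"] = "Viber/8.0 CFNetwork Darwin"       # non-browser app traffic
    print(profile(seen))                                    # still Apple-Device
    seen["User-Agent"] = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0) Safari"
    print(profile(seen))                                    # Apple-iPhone
```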

  • ISE won't match configured profiling policy

    I'm trying to match Cisco LAPs (any kind of) using profiling in my AuthZ policies, yet the specific AP (a 1252 model) always gets profiled as 'Cisco-Aironet-AP-1250' instead of the desired, more generic 'Cisco-AIR-LAP' policy. To change this behaviour, I've tried to work with a simple match ('LLDP:lldpSystemDescription CONTAINS K9W8') and give this policy a high certainty factor of 150, yet it doesn't work.
    How can I force any kind of LAP (that must not contain any autonomous AP) to get profiled in a generic LAP policy which I can use in an AuthZ policy?
    I'm using ISE 1.2, patch 6.
    Thanks, Toni

    Hi, thanks for your reply. That's almost a winner...meanwhile, I escalated this to TAC. Basically, attribute value "cisco AIR-LAP" would do, but there's a bug that needs to be considered with ISE 1.2, patch 6:
    https://tools.cisco.com/bugsearch/bug/CSCuo78457

  • ISE Profiled devices not being used in authz policy.

    ISE is standalone.
    ver 1.2
    Eval license.
    I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).
    However when this is used in an Authorization Policy it never matches.
    Just a basic Policy:
    if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.
    I can change the Identity group to ANY and it works.
    Surely I must be missing something, but I've gone round and round with this.
    Tried deleting endpoints and allowing them to repopulate....failed.
    Tried changing endpoints to static with no luck.
    Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.
    Whatever I've tried just ends with the AuthZ going to the "Default" policy.

    Thank you for providing the detailed information. The problem is not with profiling, as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screenshot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store and phones won't be stored there. Your authorization policies look OK so I would suggest you try the following:
    1. Enable the top authentication rule called "MAB"
    2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
    3. Ensure that "Internal Endpoints" is selected for the Identity Store
    4. Test again
    Thank you for rating helpful posts!

  • IOS Device-Sensor and ISE profiling not working

    Hello,
    I configured IOS device-sensor on one 2960CG-8-TCL switch. IOS is 15.2(2)E.
    Switch config:
    device-sensor filter-list dhcp list dhcp-list
     option name host-name
    device-sensor filter-spec dhcp include list dhcp-list
    device-sensor accounting
    device-sensor notify all-changes
    Switch does DHCP-Snooping and "show device-sensor cache all" shows the DHCP name:
    Device: b2b5.2fff.sa43 on port GigabitEthernet0/1
    Proto Type:Name                       Len Value
    DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38
                                              38
    RADIUS probe on ISE is activated and TCPdump shows the accounting packets from the switch (see attachment).
    I configured a profiling rule to check for the DHCP hostname with "contains". This rule does not work, however. The device is getting profiled with a MAC OUI via the RADIUS probe, but the DHCP profile is not working.
    Is this supposed to work?

    That is interesting. I haven't worked with the "Device Sensor" much so I am running out of ideas. I really thought the certainty level was going to fix your issue, as I have had issues similar to yours in the past where the certainty level of my custom rule was the same as a default one, so my custom rule was never hit. I thought this was the case with you since your device was hitting the parent policy of "HP-Device" but not moving any further. With that being said, I would still recommend keeping your custom conditions with higher certainty levels to avoid such situations.
    Couple of more things:
    1. What profiling probes do you have enabled?
    2. Have you tried retrieving the DHCP hostname via another sensor/method. For example, via the DHCP probe and ip-helper?
    3. Do you have the following commands entered on your switch:
    access-session template monitor
    no macro auto monitor
    device-sensor accounting
    device-sensor notify all-changes

  • ISE Auth policy based on MAC OUI and SSID

    I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.
    Anyone know how to do this on ISE?  Two questions -
    1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?
    2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

    1) I have never seen the actual SSID name anywhere in the RADIUS attributes coming from the controller; I always use Airespace-WLAN-ID, and if you want to avoid creating multiple rules, make the IDs the same on all controllers.
    2) Well, the OUI is part of the MAC, so you could maybe use RegEx to filter out specific OUIs. Another way, if you have the Advanced license, would be to use Profiling; then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authorization policy, e.g. "Profiled:Iphone".

  • Using Framed IP Address in ISE AuthZ policy

    Hi,
    I have an issue when attempting to use the RADIUS-Framed-IP attribute in a User Authorisation policy. Essentially, when I try to map the RADIUS attribute to the user custom attribute in the AuthZ profile, it will not let me, as the RADIUS Framed IP has a data type of IPv4 and the user attribute I created has a data type of string.
    I cannot see the data type of IPv4 available when creating user attributes.
    Is there a way around this?
    Thanks
    Mario

    Which version of ISE / patch are you using
    The following was fixed in ISE 1.2 patch 3
    CSCuj14382 Cannot statically assign IP address as FramedAddress

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated a WLC 5508 with Cisco ISE 3315 running 1.1.1 and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID in the WLC and redirect to the web login portal in the WLC for guest users. We have enabled all respective nodes in the policy service for profiling and also configured SNMP in the WLC as well as in ISE.
    When a guest user connects to the open SSID it gets redirected to the web login page of the ISE portal, and when it logs in we are only able to see the username the guest user logged in with, but not the end device, in the monitoring log.
    Wireless end devices are not able to get profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile end guest wireless devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy where the identity group is Any, the condition is WLC web authentication and the authorization profile is only guest, mentioning plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes and enabled SNMP on the WLC as well as on the network devices.
    What else do I need to configure to achieve just identifying the device, nothing but profiling, and which should reflect in the authentication logs?
    Thanks
    Pranav

  • ISE profile / posture IOS device

    Is there a way to profile or posture an iOS device as to whether or not it has been rooted?
    Our corporate policy would like to say that if rooted, you get zero access.
    Thanks
    Scott

    No - future MDM integration that Cisco is working on should be able to bring this type of information to ISE. Cisco have indicated MDM integration is coming in Q4 2012.
