CISCO ISE Profiling


Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the network. Using MAC addresses as the unique identifier, ISE collects various attributes for each network endpoint to build an internal endpoint database. With the profiling service, endpoints do not have to be added manually to identity groups: devices are detected dynamically, and access is granted according to the policy sets that have been configured.

Enable Profiling on Cisco ISE--

The ISE Profiling feature set requires the installation of a Plus license on the Policy Administration Node (PAN). One Plus feature license is required for each endpoint that is actively authenticated to the network and where profiling data is used to make an Authorization Policy decision.

Profiling has to be enabled under Administration > Deployment by selecting Enable Profiling Service on each Policy Service Node (PSN) that should handle the profiling traffic.

Profiling in the production deployment--

A typical network deployment would start by putting ISE into monitor mode. In monitor mode no enforcement takes place, but the ISE administrator can start to see what devices are connecting to the network and what identity each has been given. During this phase, a lot of devices are normally discovered that the network administrator did not even know were connected to the network.

Based on the devices that are connecting to the network and the profiles being assigned to them, the network administrator can tune the existing profiling groups where more precise ones are needed, or create new profiling policies. With this approach to deploying profiling, the network administrator has a complete picture of all devices connected to the network and is in complete control of their access.

Device Sensor--

The Device Sensor feature is used to gather raw endpoint data from network devices using protocols such as Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), and DHCP. The endpoint data is made available to registered clients in the context of an access session.

Multiple Probes used in CISCO ISE

A probe is a method used to collect an attribute or a set of attributes from an endpoint on your network. The probe allows you to create or update endpoints with their matched profile in the Cisco ISE database. ISE Profiling Services uses various collectors, or probes, to collect attributes about connected endpoints.

Probes help you gain more network visibility. The following probes are commonly used in Cisco ISE.

RADIUS Probe

DHCP Probe

NMAP Probe

SNMP Probe

HTTP Probe

HTTP SPAN Probe

NetFlow Probe

Active Directory Probe

Probes can be enabled under Administration > Deployment > Profiling Configuration; enable the probes that your network requires.
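The probe model described above can be sketched in a few lines. This is an added illustration, not Cisco ISE code: the events, attribute names and profile rules are constructed, and the matching is a simple substring check rather than ISE's own policy engine. It merges attributes from several probes into one record per MAC address and lists the resulting profile, which is the view an administrator reviews in monitor mode.

```python
import re

# Constructed probe events (not real ISE output): (probe, MAC as reported, attributes).
EVENTS = [
    ("RADIUS", "AA-BB-CC-00-11-22", {"nas_port": "Gi1/0/5"}),
    ("DHCP",   "aabb.cc00.1122",    {"dhcp_class_id": "Cisco Systems, Inc. IP Phone"}),
    ("DHCP",   "aa:bb:cc:00:33:44", {"dhcp_class_id": "MSFT 5.0"}),
    ("HTTP",   "AABBCC003344",      {"user_agent": "Mozilla/5.0 (Windows NT 10.0)"}),
    ("RADIUS", "aa:bb:cc:00:55:66", {"nas_port": "Gi1/0/9"}),
    ("DHCP",   "not-a-mac",         {"dhcp_class_id": "x"}),
]

# Hypothetical profile rules: (profile name, attribute, substring to match).
RULES = [
    ("IP-Phone", "dhcp_class_id", "IP Phone"),
    ("Windows-Workstation", "user_agent", "Windows NT"),
]

def normalize_mac(raw):
    # Probes report MACs in different notations; strip separators only,
    # then require exactly 12 hex digits so garbage is rejected, not guessed at.
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_endpoint_db(events):
    # One record per MAC; each probe adds to or updates the attribute set.
    db, rejected = {}, []
    for probe, raw_mac, attrs in events:
        mac = normalize_mac(raw_mac)
        if mac is None:
            rejected.append(raw_mac)
            continue
        record = db.setdefault(mac, {"attributes": {}, "probes": set()})
        record["attributes"].update(attrs)
        record["probes"].add(probe)
    return db, rejected

def classify(endpoint, rules=RULES):
    # First matching rule wins; endpoints with too little data stay Unknown.
    for profile, attr, needle in rules:
        if needle in endpoint["attributes"].get(attr, ""):
            return profile
    return "Unknown"

def monitor_report(events):
    db, rejected = build_endpoint_db(events)
    return {mac: classify(ep) for mac, ep in db.items()}, rejected
```

Endpoints reported as Unknown are the ones seen by too few probes to match any rule, which is the cue to enable an additional probe or write a new profiling policy.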
