Profiling in Cisco ISE

 We can discuss Profiling Probes in Cisco ISE --

ISE has several methods of detecting what type of device is connecting to the network, mostly we are using a common method to identify device.

• Network Scan (NMAP)  --

Will run an intrusive scan on the endpoint. Typically used in conjunction with other probes and only when necessary. 

• DNS 

Checks DNS records for additional information.

• SNMPQUERY/SNMPTRAP 

Gathers information from SNMP. This is typically used to help identify networking equipment. 

• Active Directory 

Queries AD for additional endpoint information for AD joined devices.

• pxGrid 

 Used with the Cisco Industrial Network Director (not covered in this course

ISE comes with a database of endpoint attributes which gets updated 
frequently.

• Each profile rule is assigned a numerical value, if matched.
• The matched rules are added together to determine a Certainty 
Factor.
• If the added rules exceed the “Minimum Certainty Factor”, the 
overall profile is matched.

We can use one example to understand profiling -

we can create one profile in ISE profile named “Switch”

• When a device first attaches to the network, ISE does not know what it is yet. Seconds later, ISE receives the profiling data and we must configure which action we want ISE to take. This can be set globally or under each profile:

•Take No Action

The device will remain “unknown” until it does a re-authentication naturally.

• Port Bounce

   ISE will instruct the network access device to bounce the connection. The device will re-authenticate, but now we have the profiling data and it will match whichever profile.

• Reauth

        ISE will force the endpoint to re-authenticate (faster than port bounce)