I’ve received a handful of support cases from engineers and customers around Cisco Identity Services Engine (ISE) Profiling. Questions range from “Why are my devices showing up as UNKNOWN?” to “How does ISE Profiling work?” Here is a breakdown of how ISE Profiling works for version 1.0.
NOTE: There are some VERY cool things coming from Cisco in the near future on this topic so stay tuned.
Cisco ISE Profiling is an Advanced subscription license feature used to identify what endpoints are, based on network data obtained from a number of enabled probes. Use cases range from managing access rights for devices that don’t authenticate (e.g. printers, card readers, etc.) to developing policies around device types (e.g. handling iPads differently from laptops). Accuracy about device types increases as more probes are enabled. Cisco ISE probe options are NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, DNS and a few SNMP TRAP/Query options. Probes view network traffic seen by designated sensors (e.g. an ISE-enabled switch). If you quickly plug and unplug a laptop into a switch, most likely ISE Profiling will only see the SNMP link-up trap and know very little about the device. If the device stays plugged in and attempts to access the Web, ISE Profiling will see more data and be able to make a more accurate determination of the device’s identity.
Cisco ISE profiling has categories for devices obtained from the cloud or through customization. Each category has specific “weights” assigned that are measured against the device data. As Cisco ISE profiling captures data, different attributes trigger categories once the assigned weight thresholds are met. For example, an iPad will move from UNKNOWN to APPLE DEVICE based on MAC address, network card manufacturer and other info. As more data is collected about the iPad, Cisco ISE profiling will use other attributes to move it from APPLE DEVICE to iPad. Custom categories can be created from UNKNOWN or from existing profiles; however, the majority of device profiles are obtained through the cloud. Profiling is continuous, meaning that if a device is spoofed, its behavior will give away its true identity, which provides continuous monitoring of device types on your network.
NOTE: If certain probes or data are not available, you may need to tune a category’s weight. I had a customer who did not use DHCP on their network, which is weighted very high for the AVAYA PHONE category. I had to adjust DHCP to a lower weight in the default AVAYA category before all phones were profiled properly.
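To make the weight-and-threshold behavior above concrete, here is an added illustrative model (not Cisco ISE code; the profile names, attribute keys, weights and probe data are all constructed) of hierarchical profiling: attributes accumulate as probes report them, a profile is assigned once its minimum weight is met, and a more specific child profile takes over when its own minimum is met. It also models the tuning case from the note, where a site without DHCP never sees the DHCP attribute; how the weights are rebalanced is an assumption of this model.

```python
import copy

# Constructed profile set: parent, minimum total weight, and (attribute, substring, weight) rules.
PROFILES = {
    "Apple-Device":   {"parent": None, "min": 10,
                       "rules": [("OUI", "Apple", 10)]},
    "Apple-iPad":     {"parent": "Apple-Device", "min": 30,
                       "rules": [("OUI", "Apple", 10), ("http:User-Agent", "iPad", 20)]},
    "Avaya-IP-Phone": {"parent": None, "min": 20,
                       "rules": [("OUI", "Avaya", 10), ("dhcp:class-identifier", "avaya", 20)]},
}

def score(profile, attrs, profiles):
    """Sum the weights of rules whose substring appears in the observed attribute value."""
    return sum(w for key, needle, w in profiles[profile]["rules"]
               if needle.lower() in attrs.get(key, "").lower())

def classify(attrs, profiles=PROFILES):
    """Start at top-level profiles and descend into children whose minimum weight is met."""
    best = "Unknown"
    frontier = [p for p, d in profiles.items() if d["parent"] is None]
    while frontier:
        hits = [p for p in frontier if score(p, attrs, profiles) >= profiles[p]["min"]]
        if not hits:
            break
        best = max(hits, key=lambda p: score(p, attrs, profiles))
        frontier = [p for p, d in profiles.items() if d["parent"] == best]
    return best

def profile_over_time(observations, profiles=PROFILES):
    """Merge attributes as each probe reports them and record the classification after each step."""
    attrs, history = {}, []
    for obs in observations:
        attrs.update(obs)
        history.append(classify(attrs, profiles))
    return history

def retune(profiles, profile, key, new_weight):
    """Return a copy of the profile set with one rule's weight changed (the tuning the note describes)."""
    tuned = copy.deepcopy(profiles)
    tuned[profile]["rules"] = [(k, n, new_weight if k == key else w)
                               for k, n, w in tuned[profile]["rules"]]
    return tuned

# Constructed probe data: the SNMP link-up trap yields only the OUI; an HTTP probe later adds the User-Agent.
IPAD_OBS = [{"OUI": "Apple"}, {"http:User-Agent": "Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X)"}]
# A site without DHCP never sees the class identifier, so only the OUI rule can contribute weight.
PHONE_NO_DHCP = {"OUI": "Avaya"}
```

With the constructed data, the iPad moves from Apple-Device to Apple-iPad only after the HTTP probe contributes the User-Agent, and the phone stays Unknown until the Avaya profile is retuned so the attribute the site actually observes carries enough weight on its own.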
Some common issues I have seen in the field are:
1) Profiling is not working:
- Check that ISE Profiling Services is enabled under General Settings.
- Verify which probes are enabled under the Probe Config tab.
- Verify that the switch you are testing supports the probe. For example, if you use SNMP RO, the switch needs the SNMP-SERVER commands configured so it sends data to Cisco ISE Profiling. The switch also needs to be managed by ISE via the Network Devices tab.
- You may need an IP helper address pointing at the ISE device when using the DHCP probe so that ISE sees the data.
2) Devices remain as UNKNOWN:
- Verify which catalog/profile you are attempting to hit. Click the UNKNOWN device and review its characteristics. Make sure the probes that are enabled are the ones used by the category you are looking to achieve. See the AVAYA PHONE example above. You may need to adjust category weights if specific data is not used or is not seen by ISE.
- Click the UNKNOWN device and verify which probes are actually working. ISE Profiling will show what it knows. Go to the monitoring section and click the device details; ISE shows the communication in detail.
- Make sure you have updated your ISE system. If you haven’t updated ISE, it won’t have any categories. There are air-gap steps for customers who don’t want ISE to touch the internet.
3) Devices remain in a generic category:
- This problem is similar to remaining UNKNOWN. Verify the desired category’s weight attributes and match them to what ISE is seeing for the device under monitoring. You may either have to tune weights or you may not have enough data due to a lack of probe information. The options are to enable more probes or to use MAC address-based authentication (MAB) to recognize devices.
Hope this helps with your Cisco ISE Profiling adventures.