ISE profiling

Hello

I would like to know if it is possible to disable CoA when a device matches a profile. For example, I have the following profiling policy:

Workstation

- Windows XP

- Windows Vista

- Windows 7

- Windows 8

Sometimes the device is profiled as "Workstation", sometimes as Windows XP, Vista, 7, etc.

When the device is profiled as Windows XP, Vista, 7, etc., I want to disable CoA so that the device does not change its profile and stays profiled as Windows XP, Vista, 7, etc. forever.

Currently our devices get profiled, but sometimes the profile changes to 'Workstation', sometimes to Unknown. I want them to always stay profiled as a Windows profile.

I really appreciate any help!

Thank you

Emerson Rodrigues

You must create an exception action. This statically assigns the profile to the endpoint. Let me know if you need assistance setting up exception actions.

Also, it is not recommended to enable all of the probes. Most of the time you only need DHCP, RADIUS, SNMP and HTTP.
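Added example (my own code, not from the original post or from Cisco): the CoA the question is about is a RADIUS Change-of-Authorization message (RFC 5176) that ISE sends to the switch or WLC once a profiling result changes, typically a Cisco-AVPair "subscriber:command=reauthenticate" keyed on Calling-Station-Id. The block builds such a CoA-Request, computes the Request Authenticator exactly as RFC 5176 specifies, and validates the CoA-ACK/NAK that comes back. The shared secret, identifier, MAC address and the NAD's reply are assumed/constructed values; the Message-Authenticator attribute (80) is left out for brevity.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attributes used below (RFC 2865 numbering).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # vendor type of Cisco-AVPair


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap text in a Vendor-Specific attribute carrying a Cisco-AVPair."""
    data = text.encode()
    vendor_body = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_body)


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request with the Request Authenticator from RFC 5176 section 3:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_reauth_coa(identifier: int, mac: str, secret: bytes) -> bytes:
    """The kind of CoA ISE pushes after profiling: select the session by
    Calling-Station-Id and tell the NAD to reauthenticate it."""
    attrs = avp(ATTR_CALLING_STATION_ID, mac.encode()) + cisco_avpair(
        "subscriber:command=reauthenticate"
    )
    return build_coa_request(identifier, attrs, secret)


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list after the 20-byte header, rejecting bad lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the NAD answers (CoA-ACK or CoA-NAK); used here to produce samples.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept a reply only if it matches our request's Identifier and its
    authenticator was computed with the shared secret we expect."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"radius-key"                      # assumed shared secret
    request = build_reauth_coa(7, "00-11-22-33-44-55", secret)
    ack = build_response(COA_ACK, request, b"", secret)
    print(parse_attributes(request))
    print("ACK verified:", verify_response(request, ack, secret))
```

ISE also has a global profiler CoA setting (No CoA, Port Bounce, Reauth) under the profiling settings, but turning it off there affects every endpoint, which is why the reply above points at a per-endpoint exception action instead: once the profile is statically assigned, there is no profile change left for ISE to push a CoA for.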

Tags: Cisco Security

Similar Questions

  • Authorization profile in ISE to grant limited access to wireless clients

    Hello

    I'm in the process of building sponsored guest access for wireless clients in ISE running software version 1.3.

    I wonder if there is a way to keep the client on the initial VLAN after a successful authentication and grant Internet access only. I mean, I don't want to assign different VLANs and restrict access with an ACL applied on the Layer-3 VLAN interface.

    I could have done it with a dACL if the client connected through the wired network, but since the wireless controller does not accept dACLs, I'm not aware of any way to do it without changing the VLAN.

    Appreciate your ideas.

    Mike

    Of course, simply create the ACL you want to use for your guests directly on your WLC and then reference the name of the ACL in your authorization profile in the option named 'Airespace ACL Name'.

  • Securing the network with ISE profiling of HP devices

    Hello

    How can I create a profile for Hewlett Packard printers and allow them on the network without allowing any other HP device access? I want to only allow HP printers. I don't want to allow HP laptops, desktops, notebooks, etc.

    I prefer not to allow them on the network using MAB.

    Thank you

    Bob

    It is a common use case. The ISE Profiling Design Guide (see page 76) presents at least one way of doing this - using the NMAP endpoint scan probe.

  • PC profiled as a phone by ISE 1.4

    Hello

    I see that PCs attached to Cisco phones get profiled by ISE 1.4 (patch 3) as Cisco phones. When first attached to the switch (Cisco 6880 - latest 15.2 firmware) the phone is profiled as "Cisco-IP-Phone-7911" correctly and the PC is 802.1X authenticated OK and profiled as "Microsoft-Workstation".

    Within a minute the PC changes from "Microsoft-Desktop" to "Cisco-IP-Phone-7911" in the ISE endpoint list.

    When I open the PC in the endpoint list, I see that it has "inherited" the CDP details of the phone. When I disconnect and reconnect the phone/PC, they both get profiled by ISE as phones - the switch is configured for multi-domain access (one device authorized in each of voice and data), so the switchport is shut down because of a security violation.

    To work around this problem, I have disabled CDP on the switch and enabled LLDP. The phone is now profiled as "Cisco-IP-Phone" (the Cisco-IP-Phone-7911 profile requires CDP) and the PC is profiled as "Microsoft-Workstation".

    Is this an ISE or IOS bug? I had this problem with all available versions of the 15.2 train for the 6880. I am aware of bugs CSCuu97659 and CSCuu94127 but thought these related to ISE 1.3 and earlier versions.

    Thank you
    Andy

    Hi Andy, I think you're hitting these bugs... and add CSCuu76087 to the mix :)

  • HP Thin Client running Windows Embedded doesn't profile with DHCP attributes

    My company has a large population of HP Thin Clients that are not joined to our AD domain and therefore cannot do dot1x because they have no certificates.

    We decided to use profiling for these devices. We match on a few attributes, two of them DHCP attributes.

    About 90% of our thin clients profile as expected, but the other 10% refuse to work. We need to statically assign them to an identity group to authenticate properly.

    A lot of troubleshooting narrowed it down to the DHCP request the thin client sent not being received by the policy node. A TAC engineer looked over the switch config and the IP helper-address configuration and said that everything seems to be configured correctly.

    The only explanation seems to be that these specific thin clients were not finishing the DHCP process before the switch reassigned the VLAN of the port. So when the DHCP request was sent, the thin client was already in our "guest" VLAN, which does not relay DHCP to ISE.

    It's very strange, because we have so many thin clients that work properly. It's only a handful that do not. We have not been able to narrow it down to anything specific. They are running Windows Embedded Standard 7 and the majority of them are HP t5740. I don't see Windows or HP updates available for these units and I'm not sure if there are any registry hacks available to speed up the DHCP process.

    Has anyone ever come across something similar to this?

    It's pretty obvious to me that the endpoint isn't getting profiled before it is authenticated, which means it does not match the profiling conditions defined in rules 6 and 7, which means it will match rule 11 (I think, not having seen your real rules). What I would expect is that the endpoint gets profiled if ISE receives the attributes of this endpoint via DHCP, e.g. helper forwarding. Then what should happen is that it issues a CoA to the switch, which leads the switch to re-authenticate this endpoint, which now should have the profiling attributes you are trying to match. However, if the DHCP packet never reaches ISE, it won't work. That's why I think you should do a packet capture on the ISE server to see if the packets actually reach ISE. If they don't, you will probably need to find another way to profile, or enable the DHCP helper on your guest VLAN. Have you looked at the endpoint attributes, maybe after 30 seconds? Do they change?
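Added example (my own code, not the poster's or Cisco's): the reply above hinges on whether the relayed DHCP packet actually reaches the policy node carrying the attributes the profiling rules match on. The block constructs a DHCPREQUEST the way a relay (ip helper-address) would deliver it, then parses it into the attribute names ISE shows on an endpoint (host-name, dhcp-class-identifier, dhcp-parameter-request-list, dhcp-message-type) plus giaddr, which identifies the VLAN the request was relayed from. The MAC, hostname, class identifier and relay address are constructed sample values; the attribute names come from the ISE endpoint view, but the output formatting is ours.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
# Option codes whose values the ISE DHCP probe records as endpoint attributes.
OPT_HOST_NAME, OPT_MSG_TYPE, OPT_PRL, OPT_CLASS_ID, OPT_CLIENT_ID = 12, 53, 55, 60, 61


def build_dhcp_request(mac: bytes, hostname: str, class_id: str, prl: list,
                       relay_ip: str = "0.0.0.0") -> bytes:
    """Constructed DHCPREQUEST (BOOTP header + options) as a relay would deliver it.
    giaddr carries the relay interface address, or 0.0.0.0 when not relayed."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,           # xid (constructed), secs, flags (broadcast)
        bytes(4), bytes(4), bytes(4),    # ciaddr, yiaddr, siaddr
        IPv4Address(relay_ip).packed,    # giaddr
        mac.ljust(16, b"\0"), bytes(64), bytes(128),
    )
    options = [
        (OPT_MSG_TYPE, b"\x03"),
        (OPT_CLIENT_ID, b"\x01" + mac),
        (OPT_HOST_NAME, hostname.encode()),
        (OPT_CLASS_ID, class_id.encode()),
        (OPT_PRL, bytes(prl)),
    ]
    encoded = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + encoded + b"\xff"


def parse_dhcp(payload: bytes) -> dict:
    """Decode the header fields we care about plus the option TLVs.
    Raises ValueError on anything truncated or malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (short or missing magic cookie)")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("invalid hlen")
    result = {
        "chaddr": payload[28:28 + hlen],
        "giaddr": str(IPv4Address(payload[24:28])),
        "options": {},
    }
    pos = 240
    while pos < len(payload):
        code = payload[pos]
        if code == 255:                  # end option
            break
        if code == 0:                    # pad option
            pos += 1
            continue
        if pos + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        result["options"][code] = value
        pos += 2 + length
    return result


def profiler_attributes(payload: bytes) -> dict:
    """Render the parsed packet under the attribute names ISE shows on an endpoint."""
    pkt = parse_dhcp(payload)
    opts = pkt["options"]
    attrs = {
        "MACAddress": ":".join(f"{b:02X}" for b in pkt["chaddr"]),
        "giaddr": pkt["giaddr"],
    }
    if OPT_MSG_TYPE in opts:
        attrs["dhcp-message-type"] = MSG_TYPES.get(opts[OPT_MSG_TYPE][0], "unknown")
    if OPT_HOST_NAME in opts:
        attrs["host-name"] = opts[OPT_HOST_NAME].decode(errors="replace")
    if OPT_CLASS_ID in opts:
        attrs["dhcp-class-identifier"] = opts[OPT_CLASS_ID].decode(errors="replace")
    if OPT_PRL in opts:
        attrs["dhcp-parameter-request-list"] = ",".join(str(b) for b in opts[OPT_PRL])
    return attrs


if __name__ == "__main__":
    sample = build_dhcp_request(bytes.fromhex("001122334455"), "HPT5740-01",
                                "MSFT 5.0", [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249],
                                relay_ip="10.20.30.1")
    print(profiler_attributes(sample))
```

Run the same parser over the UDP port 67 payloads from a capture taken on the PSN: a request that shows up with giaddr set to the guest VLAN's helper interface, or one that never shows up at all, confirms the VLAN-change race the poster suspects. "MSFT 5.0" is the class identifier Windows DHCP clients send, which is what the thin-client profiling rules would typically key on.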

  • Revalidating previously profiled endpoints in ISE

    Hello

    I had a look at MAC spoofing with ISE 2.1.0.474.

    I use the RADIUS, SNMP trap and query, and DHCP probes. A Cisco 7911 phone is correctly profiled as "Cisco-IP-Phone-7911". The endpoint in ISE shows all the correct CDP/LLDP/DHCP details.

    When I connect my Windows laptop (spoofing the phone's MAC), the laptop is authenticated as the phone. The endpoint is still profiled as "Cisco-IP-Phone-7911" - the endpoint shows the correct DHCP details for the laptop but retains the CDP/LLDP details of the previously profiled phone. I checked the switch and the device sensor cache has no CDP/LLDP details for the connected laptop, and device sensor accounting sends only the DHCP TLVs for the laptop to ISE.

    If I delete the endpoint from ISE and connect my laptop (again spoofing the phone's MAC), ISE properly profiles the laptop as "Microsoft-Workstation".

    When I disconnect the laptop and reconnect the phone, ISE re-profiles the endpoint as "Cisco-IP-Phone-7911" based on the newly learned CDP/LLDP information.

    ISE can learn new endpoint details through the probes and re-profile the endpoint as shown above. Am I right to say that ISE re-profiles the endpoint based on the fact that some attributes (for example CDP/LLDP) are kept from before when new attributes are learned?

    Thank you
    Andy

    Hello Andy,

    What you are experiencing is correct and expected behavior with the current ISE mechanisms. There is an enhancement request that was filed some time ago, but it has not seen much traction:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCur48184

    The only time a device would move from one profile group to another is when a profiling rule with a higher certainty factor is matched. For example, if you create a custom rule with a CF of 100 and this rule is hit, then the device profile will never move to another rule which has a CF that is less than or equal to that.

    As you can tell, profiling is not bulletproof. This is why it is recommended to restrict network access for profiled devices. For example, IP phones should only reach the voice subnets and the PBX, printers should only need to access the print servers on specific ports, etc.

    I hope this helps!

    Thank you for rating useful posts!
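Added example (my own code, a simplified model of the behaviour the reply describes, not ISE's actual profiler engine): each probe merges attributes into the endpoint without discarding old ones, a policy's certainty factor is the sum of its matched conditions, and the endpoint only moves to another profile when a strictly higher CF is matched. Policy and attribute names mirror what the thread mentions; the CF weights, condition values, MAC address and probe data are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str
    value: str
    cf: int          # certainty factor contributed when the attribute matches


@dataclass(frozen=True)
class Policy:
    name: str
    min_cf: int      # minimum certainty factor the policy requires
    conditions: tuple


# Constructed policies: attribute names mirror what ISE shows on an endpoint,
# the values and CF weights are illustrative, not Cisco's built-in profiles.
POLICIES = (
    Policy("Cisco-IP-Phone-7911", 70, (
        Condition("cdpCachePlatform", "Cisco IP Phone 7911", 70),
        Condition("dhcp-class-identifier", "Cisco Systems, Inc. IP Phone CP-7911G", 20),
    )),
    Policy("Microsoft-Workstation", 10, (
        Condition("dhcp-class-identifier", "MSFT 5.0", 10),
        Condition("dhcp-parameter-request-list", "1,3,6,15,31,33,43,44,46,47,121,249", 10),
    )),
)

# Constructed probe data for the phone and for the laptop spoofing its MAC.
PHONE_ATTRS = {
    "cdpCachePlatform": "Cisco IP Phone 7911",
    "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-7911G",
}
LAPTOP_DHCP_ATTRS = {
    "dhcp-class-identifier": "MSFT 5.0",
    "dhcp-parameter-request-list": "1,3,6,15,31,33,43,44,46,47,121,249",
    "host-name": "LAPTOP-ANDY",
}


def score(policy: Policy, attrs: dict) -> int:
    """Sum the CF of every condition whose attribute matches exactly."""
    return sum(c.cf for c in policy.conditions if attrs.get(c.attribute) == c.value)


def best_match(attrs: dict):
    """Highest-scoring policy whose minimum CF is met, or Unknown with CF 0."""
    best_name, best_cf = "Unknown", 0
    for policy in POLICIES:
        s = score(policy, attrs)
        if s >= policy.min_cf and s > best_cf:
            best_name, best_cf = policy.name, s
    return best_name, best_cf


class Endpoint:
    def __init__(self, mac: str):
        self.mac, self.attrs, self.profile, self.cf = mac, {}, "Unknown", 0

    def learn(self, new_attrs: dict) -> str:
        # Probe data is merged into the endpoint; earlier attributes are never
        # discarded, so the phone's CDP entry survives the MAC-spoofing laptop.
        self.attrs.update(new_attrs)
        name, cf = best_match(self.attrs)
        # Move only when a policy with a strictly higher CF is matched.
        if cf > self.cf:
            self.profile, self.cf = name, cf
        return self.profile


def run_scenario() -> list:
    """Replays the thread: phone, spoofing laptop, deleted endpoint, phone back."""
    mac = "00:1A:2B:3C:4D:5E"                 # constructed MAC
    ep = Endpoint(mac)
    seen = [ep.learn(PHONE_ATTRS)]            # phone profiled from CDP + DHCP
    seen.append(ep.learn(LAPTOP_DHCP_ATTRS))  # laptop: stale CDP keeps the phone profile
    ep = Endpoint(mac)                        # administrator deletes the endpoint
    seen.append(ep.learn(LAPTOP_DHCP_ATTRS))  # laptop now profiled correctly
    seen.append(ep.learn(PHONE_ATTRS))        # phone returns, higher CF wins
    return seen


if __name__ == "__main__":
    print(run_scenario())
```

run_scenario() reproduces the four observations from the question in order. It also shows why the advice to constrain what phones and printers can reach matters: nothing in the CF logic ages out the stale cdpCachePlatform entry, so a spoofed MAC inherits the phone's profile and its authorization until someone deletes the endpoint.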

  • ISE v1.4: "WARNING: Profiler Queue size limit is reached."

    Hi all

    We upgraded our 10 ISE nodes from v1.2.1 to v1.4 patch 6 a few weekends ago. Since then we have been getting the above alarm message very frequently (often every five minutes) and it's really annoying.

    Six of the ten nodes have the PSN persona and they do not seem to be under any large load (fewer than 10,000 active endpoints shared between them), and the CPU, memory and latency readings are all very low.

    I wonder if I have run into the following Cisco bug:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCuw93839

    Unfortunately, Cisco provides little information on the bug above, so I can't be sure.

    Has anyone else encountered this?

    Thank you.

    rgrds,

    Inayat

    I think that maybe it's actually the following problem:

    CSCuy20317 "Profiler queue limit reached" error in 1.3/1.4 patch 5+.

    If that is the issue, the good news is that 1.4 patch 7 has been posted and includes a fix for this problem.

    Curious to know how you get on.

  • Pushing a new AnyConnect NAM profile from ISE to the client

    Hello

    I'm in the middle of implementing Cisco ISE in a network. After some users had connected via dot1x and installed AnyConnect, which I configured through Client Provisioning, they came to me with the question of whether wireless networks could automatically be pushed with the AnyConnect profile. Sure, I said, and I changed the NAM profile.

    Now all is well for newly connecting users, but users who had already logged on do not get the updated profile. Is it possible to push an AnyConnect profile or new configuration from Cisco ISE?

    Greetings,

    Carlo

    That is a good question.

    I don't know if it's the most effective or the only way, but couldn't you force users back through Client Provisioning by adding a Posture policy that evaluates the NAM profile?

  • ISE is not profiling devices properly

    Hi friends,

    Can someone help me? I use ISE 2.0, but it is really not profiling devices properly; printers are shown as Cisco routers and switches.

    Thank you.

    Two questions:

    1. Which profiling probes have you enabled?

    2. Is this for wired or wireless?

    Thank you for rating useful posts!

  • ISE licenses and the profiling service

    Hello

    I tried to find an explanation of ISE license usage, but I'm still not sure about one thing.

    With the profiling service enabled, is the number of endpoints consumed from the Plus license for each endpoint that has been profiled and authenticated, or is the count consumed from the Base license first?

    A properly authenticated device draws on the Base license.

    A profiled device draws on the Plus license.

    A properly authenticated and profiled device draws on both.

    That's why you need at least as many Base licenses as Plus or Apex licenses.

    Please rate useful posts and mark this question as answered if it does, in fact, answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • ISE profile download during the onboarding process

    Dear all,

    I have a small question about ISE onboarding and the provisioning process.

    When the client connects to the SSID, ISE will download the configuration to the client and change the adapter configuration.

    My question is, does verification of the client profile configuration happen every time the client connects? If yes, will ISE download the profile every time the client connects or not?

    In case ISE downloads the configuration once and checks the configuration each time the client connects (which makes sense), do we have a cache on ISE for each client that says whether this client has a correct profile or not? If so, after how long is the cache entry deleted?

    Kind regards

    Mohammad

    Hi Mohammad.

    Once a device is provisioned/onboarded, it should not go through the 'client provisioning' process again. Instead, it should hit a different rule that is placed above your 'client provisioning' rule in ISE. For example, if your onboarding configures the client to perform EAP-TLS with a certificate, then once the supplicant is configured to perform EAP-TLS and has obtained a certificate, you should have a rule above the onboarding rule which checks for EAP-TLS.

    I hope this makes sense. Let me know if you need further clarification.

    Thank you for rating useful posts!

  • Logical profiles in ISE 1.2.1

    I'm having difficulties understanding logical profiles.

    What I understand from the User Guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_use...

    For those too lazy to read:

    You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple authorization condition which can be included in the authorization rule. The attribute/value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which is in the EndPoints system dictionary.

    So I thought that meant I can combine different profiles (Apple iPhone, iPad, iPod) into a logical group, for example "BYOD_Idevice", and use this logical profile in the authorization.

    But I can't choose this newly created logical group in the authorization condition. In fact, I can't choose this logical group ANYWHERE.

    Leaning back and thinking about it, it is logical in a way. In the authorization you don't choose profiles, you choose identity groups. So what is the point of logical profiles? I expected to lean/clean up my rules with them. But what else would I use them for?

    Or is this a bug in ISE 1.2.1? I don't know if I should call TAC on this topic, or if I'm just not getting it :D

    Thanks a lot for your help!

    Nice username! :)

    So yes, you are right, logical profiles allow you to group different dynamically profiled device types and then reference the profile in your authorization rules. However, you will not see these logical profiles under the "Identity Group Details" heading. You should leave this field blank. Instead, you should look in the 'second' condition area: Expression > Endpoint > LogicalProfile

    I hope this helps!

    Thank you for rating useful posts!

  • [ISE or ACS] EAP-TLS or profiling on the same SSID

    Hello

    I can only configure one SSID to connect 2 types of devices:

    • Devices with certificates connect on this SSID using EAP-TLS
    • Devices without certificates are profiled by ISE (or ACS verifies their MAC addresses)

    Could this work?

    How can I configure this type of SSID on the WLC?

    • 802.1X works
    • 802.1X + MAC filtering works.
    • I failed to configure 802.1X or MAC filtering...

    Thanks for your help,

    Patrick

    Hello Patrick.

    Unfortunately, I don't think that's currently possible in the Cisco wireless world with a single SSID. For your example, you will need two separate SSIDs. Something similar has been asked before:

    https://supportforums.Cisco.com/discussion/11941331/isewireless-nacone-SSID-MAB-and-dot1x

    I hope this helps!

    Thank you for rating useful posts!

  • Cisco ISE profiling - split corporate/guest access

    Hi all

    I am currently deploying Cisco ISE for my wireless network and I would like to divide my WLAN into two different "authorization profiles": Guest and Corporate.

    For now, I use my Active Directory to authenticate users and profiling to authorize the device by hostname. I would like to sort by domain name with the DHCP probe but I can't, because there is always a DHCP message reply with the domain given by the DHCP server. Do you have a solution to separate devices by domain name or other attributes?

    Thanks in advance for your answer!

    You can create different authorization profiles based on the identity group they belong to; therefore, make two profiles based on two group memberships (guests / corporate AD users) and assign them different access. Consult the ISE 1.2 config guide.

  • ISE profiling - need an answer

    Greetings, forumers

    I am looking for some answers about ISE profiling.

    I could use ISE to test an 802.1X wireless connection against an Active Directory external identity store.

    Somehow, after enabling profiling in the deployment node configuration, as soon as a device authenticates properly and enters the network, ISE shows all MAC addresses found under Identity Management > Identities > Endpoints.

    My question is:

    01. Can 802.1X authentication be done without using external identity stores? So far I have only tested using Active Directory, but not with ISE Identities > Users.

    02. In an environment that does not use external identity stores for authentication, how do I know which MAC address belongs to WHO?

    Thank you

    WPA-PSK terminates on the controller; there is no RADIUS because the key must match on the client and the controller. There is no yes or no to this question because WPA-PSK by design does not utilize a back-end service.
