ldanny
Cisco Employee

 

Introduction

ISE Profiling Services provides dynamic detection and classification of endpoints connected to the network.

Based on the classification and profile of an endpoint, we can authorize the level of access permitted on the network.

For example, a device profiled as an IP phone may be placed in a voice VLAN, or access may be granted based on whether the device is a corporate asset or a personal device (IP phone).

 

Out of the box, ISE comes with 550+ prebuilt profiles, including 250+ medical profiles, and also provides an online or offline feed service to keep profile definitions up to date. But what happens when you have an endpoint on your network that does not match any profile, or whose profile is too generic?

ISE profiling enables you to create your own custom profiles. You might also have an endpoint that ISE has already classified with an existing profile but that, for whatever reason, you would like to modify.

 

For a more in-depth understanding of profiling and how it works, see the following:

How To: ISE Profiling Design Guide

 

 

Endpoint Profile Needed

Under Context Visibility, notice the endpoint device with MAC address A0:1E:0B:02:06:71, which is profiled as Android.

Android comes in many flavors and might be too generic. In this use case we want a more specific profile that identifies the endpoint by its device type and not by its OS.

 

Let's take a look at the various attributes ISE has collected for this endpoint.

 

For the purpose of this example, the rest of the list of attributes was omitted. ISE, however, can store up to 50 attributes for each endpoint it discovers and up to 1.5 million endpoints.

 

Create an Endpoint Profile

Take note of the following 3 attributes in the list:

 

OUI - MINIX Technology Limited

Total Certainty Factor - 30

User-Agent - AndroidDownloadManager/4.4.2 (Linux; U; Android 4.4.2; NEO-X8H-PLUS Build/KOT49H)

 

We will check how this device was profiled as Android.

Navigate to Work Centers > Profiler > Profiling Policies

Click on Android

 

Notice at the top

 

The attributes gathered by ISE are matched against the conditions defined in the profile. Each condition ends with a number called a Certainty Factor (CF). This is a generic weighting scale: each condition may have its own weighting value, and if the total reaches the Minimum Certainty Factor value (in this case 30), the profile is chosen. In this example it suffices to meet only one condition, as each one has a CF of 30 and the minimum CF to reach is 30.

 

In the list of endpoint attributes above you will notice the CF value is 30, meaning one condition in the Android profile was met.

In this example the 3rd rule in the list of conditions was met.

IP:User-Agent Contains Android (Notice the attribute in the list above)

 

ISE compared the list of attributes to the profile conditions (rules) and matched the 3rd rule under the Android profile, which met the minimum CF of 30.

 

 

In this next section we will learn how to modify a device profile. With the same procedure we can create new profiles if no predefined profile exists for a particular endpoint or IoT device.

 

For this example we would like the Endpoint Profile to show as MINIX.

 

  1. Navigate to Work Centers > Profiler > Profiling Policies and click on Add
  2. Fill in the values as below

Notice that the *Minimum Certainty Factor above is 40, which is higher than that of the Android profile, meaning that if it is met, the MINIX profile will be the preferred profile.

Click the Submit button.

 

The change takes effect instantly, and the endpoint now shows as MINIX under Context Visibility > Endpoints.
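
The Certainty Factor matching walked through above can be modelled in a few lines. This is an added example, not ISE code: it evaluates the Android rule quoted on this page and the new MINIX profile against the endpoint's attributes and picks the qualifying profile with the highest total CF. The MINIX condition (OUI contains "MINIX", CF 40) is an assumption, since the profile's values are not listed in the text, and the second endpoint is constructed.

```python
# Added illustration of certainty-factor (CF) profile selection; not ISE code.
from dataclasses import dataclass

@dataclass
class Rule:
    attribute: str  # endpoint attribute the condition inspects
    needle: str     # substring for a CONTAINS condition
    cf: int         # certainty factor added when the condition matches

@dataclass
class Profile:
    name: str
    min_cf: int     # Minimum Certainty Factor required to qualify
    rules: list

# Attributes of endpoint A0:1E:0B:02:06:71 as listed on this page.
MINIX_BOX = {
    "OUI": "MINIX Technology Limited",
    "User-Agent": "AndroidDownloadManager/4.4.2 (Linux; U; Android 4.4.2; "
                  "NEO-X8H-PLUS Build/KOT49H)",
}
# Constructed endpoint: a different Android device from a made-up vendor.
OTHER_ANDROID = {
    "OUI": "Example Vendor Inc",
    "User-Agent": "Dalvik/1.6.0 (Linux; U; Android 4.4.2)",
}

PROFILES = [
    # Only the rule quoted on the page; the profile's other rules are left out.
    Profile("Android", 30, [Rule("User-Agent", "Android", 30)]),
    # Assumed condition for the custom profile created in the steps above.
    Profile("MINIX", 40, [Rule("OUI", "MINIX", 40)]),
]

def total_cf(profile, attrs):
    """Sum the CF of every rule whose CONTAINS condition matches."""
    return sum(r.cf for r in profile.rules
               if r.needle in attrs.get(r.attribute, ""))

def select_profile(attrs, profiles=PROFILES):
    """Return (name, cf) of the qualifying profile with the highest total CF."""
    qualified = [(total_cf(p, attrs), p.name) for p in profiles
                 if total_cf(p, attrs) >= p.min_cf]
    if not qualified:
        return (None, 0)  # no profile reached its minimum CF
    cf, name = max(qualified)
    return (name, cf)

if __name__ == "__main__":
    print("before custom profile:", select_profile(MINIX_BOX, PROFILES[:1]))
    print("after custom profile: ", select_profile(MINIX_BOX))
    print("other Android device: ", select_profile(OTHER_ANDROID))
```

The MINIX endpoint still matches the Android rule at CF 30, but the custom profile scores 40 and wins, while the other Android device stays in the Android profile.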
