Profiling Policy based on MAC OUI Name or MAC Address Hex Prefix?

Arne Bier (VIP)

I had an unfortunate experience today after a few hundred wired MAB devices stopped working - the reason was that the vendor's MAC OUI Identifier changed (due to an ISE Profiler Feed update).  The reason for the MAC OUI update in ISE, was that the vendor decided to rebrand themselves some time back in Sept 2022.  The old vendor name was Exterity, and was renamed to Vitec. The MAC OUI hex prefix remained the same: 00:18:1C

Surely in cases where ISE comes with a built-in MAC OUI Database, or is later updated by the Profiler feed, the ISE Profiler Feed should not overwrite an existing entry? Because that causes an upheaval when the Profiling Policy Elements look for "Exterity" - which has been working for years. I can imagine that Policy Rules someone writes based on what is in the ISE database today could stop working tomorrow if Cisco changes that definition.

How does a customer/partner even know what changes are coming in the ISE Profiler Feed? We get no warning.


4 Replies

srigovi2 (Cisco Employee)

Hi Arne,

Customers and partners can stay up to date on changes coming to the Cisco Identity Services Engine (ISE) Profiler Feed by reviewing the release notes and product documentation provided by Cisco.


Cisco typically publishes release notes for each ISE software release, which outline the new features, enhancements, and bug fixes included in the release. These release notes often include information about changes to the Profiler Feed, such as new device types that are now supported or changes to existing device types.

Additionally, Cisco provides product documentation that covers how to configure and use ISE, including the Profiler Feed. This documentation is typically updated with each new software release and may include information on changes to the Profiler Feed.

Customers and partners can also subscribe to the Cisco Security Advisories and Alerts email notification service, which provides updates on security vulnerabilities, software releases, and other important information related to Cisco products, including ISE. This service can help customers and partners stay informed about any critical changes or updates to the Profiler Feed.

Finally, customers and partners can engage with Cisco's technical support team or their account representative to stay up to date on changes to the Profiler Feed and other ISE features. Cisco's support team can provide guidance on configuring and using ISE, as well as provide information on any upcoming changes or updates to the product.

-------------------------------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about ISE through our live Ask the Experts (ATXs) session. Check out Cisco ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-------------------------------------------------------------

Thanks,
G.Srinivasan

But there are no specific release notes released for profiling feed updates, right? Profiler feed updates are released independently of any patch or major release.

For example, searching the 3.1 and 3.2 release notes, I see nothing regarding Profiler Feed updates:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html
https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/release_notes/b_ise_32_RN.html

davidgfriedman (Level 1) - Accepted Solution

The automatic profiler feed sounds great in theory but it's hit us badly a few times already, so we had to turn it off and come up with a quarterly testing procedure in our lab on a temp VM to test it against a working backup. We've had a few different types of equipment (thousands of units each) drop off the network because we profiled using MAC:OUI contains/matches/etc., yet the vendor went to the IEEE org and changed their official organization name, blowing up a few MAB profiles / fingerprints.


Wishlist item: Have a feature to download and test the file against every endpoint whose profiling policy contains a reference to any type of MAC:OUI comparison, then report any mismatches. Then, maybe you can add some conditions to your profiling policies to make the profiler feed update zero impact.

Arne Bier (VIP)

Thanks @davidgfriedman - I am on the same page as you. Once bitten, twice shy.

I will disable the automatic feed update until this is sorted out. I see some options:

  • Cisco publishes a list of which OUIs and which Policies are planned to be updated well in advance (e.g. 1 week prior to go-live) - this doesn't have to be in the release notes - it can be on the ise.cisco.com/partner site (not sure if that site still works - it seems pretty dead to me) - or anywhere on the Cisco website will do.
  • Wishlist item (dummy run in ISE to see what the effect would be of taking the feed update (e.g. a report of all the CoAs that might result)).
  • Don't use MAC OUI text strings in the policy element logic - use MAC hex address prefixes instead, and use the MAC OUI text as informational references only.
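The two ideas above (davidgfriedman's wishlist "dry run" of a feed update against existing endpoints, and the last bullet's switch from OUI-name text to hex-prefix conditions) can be prototyped offline. The following is an added example written for this thread; it is not ISE code and does not use any ISE API. The OUI tables, the `Condition` model and the sample endpoint MACs are all constructed for the example (only the Exterity/Vitec rename of 00:18:1C comes from the thread; the second OUI entry is sample data). It compares each policy condition against a "before" and "after" OUI table and reports which endpoints would stop (or start) matching, and it rewrites a name-based condition into the equivalent hex-prefix condition, which is unaffected by a vendor rename.

```python
"""Dry-run check: which MAB endpoints would change profiling result after an
OUI-name change in a profiler feed, and how to express the same condition as
a rename-proof hex prefix. Constructed example; not ISE code or an ISE API."""
from dataclasses import dataclass

HEX = set("0123456789ABCDEF")

def hex_only(s: str) -> str:
    """Drop ':', '-', '.' separators and upper-case: '00:18:1c' -> '00181C'."""
    return "".join(c for c in s if c.isalnum()).upper()

def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC, or raise ValueError if it is malformed."""
    h = hex_only(mac)
    if len(h) != 12 or not set(h) <= HEX:
        raise ValueError(f"not a MAC address: {mac!r}")
    return h

def oui_of(mac: str) -> str:
    """First three octets (the IEEE OUI) as 6 hex digits."""
    return normalize_mac(mac)[:6]

def pretty(h: str) -> str:
    """'00181C' -> '00:18:1C' for reporting."""
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

# Constructed OUI tables: the same hex prefix, renamed by the feed (as in the thread).
# The second entry is sample data, not a dump of the ISE database.
OUI_BEFORE = {hex_only("00:18:1C"): "Exterity", hex_only("00:00:0C"): "Cisco Systems, Inc"}
OUI_AFTER = {hex_only("00:18:1C"): "Vitec", hex_only("00:00:0C"): "Cisco Systems, Inc"}

# Constructed sample of MAB endpoint MACs, in the separator styles seen in the wild.
SAMPLE_ENDPOINTS = ["00:18:1c:aa:bb:cc", "00-18-1C-01-02-03", "0000.0c11.2233", "a4:b1:c1:00:00:01"]

@dataclass(frozen=True)
class Condition:
    """Hypothetical model of a profiling policy condition (not ISE's own schema)."""
    attribute: str  # "OUI_NAME" (vendor text) or "MAC_PREFIX" (hex octets)
    operator: str   # "CONTAINS" / "EQUALS" for names, "STARTSWITH" for prefixes
    value: str

def name_matches(cond: Condition, vendor_name: str) -> bool:
    name = vendor_name.lower()
    if cond.operator == "CONTAINS":
        return cond.value.lower() in name
    if cond.operator == "EQUALS":
        return cond.value.lower() == name
    raise ValueError(f"unsupported operator for OUI_NAME: {cond.operator}")

def matches(cond: Condition, mac: str, oui_table: dict) -> bool:
    """Evaluate one condition for one endpoint against a given OUI table."""
    if cond.attribute == "OUI_NAME":
        return name_matches(cond, oui_table.get(oui_of(mac), ""))
    if cond.attribute == "MAC_PREFIX" and cond.operator == "STARTSWITH":
        return normalize_mac(mac).startswith(hex_only(cond.value))
    raise ValueError(f"unsupported condition: {cond}")

def dry_run(conditions, endpoints, before: dict, after: dict) -> dict:
    """For each condition, return (lost, gained): endpoints whose match result
    flips when the OUI table changes from `before` to `after`."""
    report = {}
    for cond in conditions:
        lost = sorted(pretty(normalize_mac(m)) for m in endpoints
                      if matches(cond, m, before) and not matches(cond, m, after))
        gained = sorted(pretty(normalize_mac(m)) for m in endpoints
                        if not matches(cond, m, before) and matches(cond, m, after))
        report[cond] = (lost, gained)
    return report

def to_prefix_conditions(cond: Condition, oui_table: dict) -> list:
    """Rewrite an OUI_NAME condition as the MAC_PREFIX conditions it matches
    today, so the policy keeps working if the vendor name changes later."""
    if cond.attribute != "OUI_NAME":
        return [cond]
    ouis = sorted(oui for oui, name in oui_table.items() if name_matches(cond, name))
    return [Condition("MAC_PREFIX", "STARTSWITH", pretty(oui)) for oui in ouis]

if __name__ == "__main__":
    conds = [Condition("OUI_NAME", "CONTAINS", "Exterity"),
             Condition("MAC_PREFIX", "STARTSWITH", "00:18:1C")]
    for cond, (lost, gained) in dry_run(conds, SAMPLE_ENDPOINTS, OUI_BEFORE, OUI_AFTER).items():
        print(f"{cond.attribute} {cond.operator} {cond.value!r}: lost={lost} gained={gained}")
    print("rename-proof rewrite:", to_prefix_conditions(conds[0], OUI_BEFORE))
```

Run as-is, the name-based condition reports both 00:18:1C endpoints as lost after the rename while the hex-prefix condition reports nothing, which is the whole point of the last bullet; `to_prefix_conditions` produces that prefix condition from the pre-update table, so the rewrite can be done before the feed is re-enabled rather than after an outage.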