Cisco ISE Profiling
Cisco ISE (Identity Services Engine) profiling policies classify network endpoints by analyzing attributes such as MAC address, DHCP requests, and other network behaviors. These policies let administrators apply security and access controls based on endpoint identity. A custom profiling policy defines profiling conditions using attributes like MAC address, OUI (Organizationally Unique Identifier), or DHCP fingerprinting. Once configured, Cisco ISE automatically classifies endpoints that match the criteria and places them in the endpoint groups tailored to them.
Here we have a working lab running dot1x and MAB to give endpoints access to the network, but as we can see, a bunch of unknown MAC addresses are trying to connect to the network.
On the Cisco ISE Live Logs, we see these MAC addresses are not hitting any policy rule because they are not classified in any endpoint group.
To automate identifying these endpoints, we'll create a custom profiling policy under Work Center » Profiler » Profiling Policies named "helenacom-devices". Here we set this profile to match endpoints whose MAC address starts with 00:50:79:66 and to automatically put them in an Endpoint Identity Group.
Then we can use this Endpoint Identity Group as a condition in the policy set.
Now if any of those devices connects to the network, ISE will automatically profile it into the configured group.
It will also hit the policy set rule that we configured, thus giving that endpoint access to the network.
Additionally, instead of using the Endpoint Identity Group directly, we can also set up a Logical Profile based on the Profiling Policy created earlier. A Logical Profile bundles several Profiling Policies into a single object that we can use as a condition in the Policy Set.
And here we put that Logical Profile to use as a condition.
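The following is an added example, not Cisco ISE code or part of the original write-up: a small model of the flow described above, covering both the Endpoint Identity Group rule and the Logical Profile rule. It normalises MAC addresses as they appear in Live Logs (colon, dash, or Cisco dotted form), matches them against the 00:50:79:66 prefix of the helenacom-devices policy, and evaluates policy-set rules top-down so unmatched endpoints fall to the implicit deny. The lab-printers policy, the helenacom-lab logical profile, and the rule names are constructed for illustration.

```python
import re
# Constructed model of the profiling flow in the write-up; not Cisco ISE code.
# Only the helenacom-devices policy and the 00:50:79:66 prefix come from the page;
# the lab-printers policy and the helenacom-lab logical profile are invented here.
def hex_digits(value: str) -> str:
    """Strip separators so 00:50:79:66:68:01, 00-50-79-66-68-01 and 0050.7966.6801 compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()

def mac_hex(mac: str) -> str:
    """Validate a full 48-bit MAC as seen in Live Logs, whatever separator the NAD used."""
    digits = hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

# Custom profiling policies: condition "MAC starts with prefix", result = Endpoint Identity Group.
PROFILING_POLICIES = [
    {"name": "helenacom-devices", "mac_prefix": "00:50:79:66", "group": "helenacom-devices"},
    {"name": "lab-printers", "mac_prefix": "00:50:79:67", "group": "lab-printers"},  # constructed
]
# A Logical Profile bundles several profiling policies into one policy-set condition.
LOGICAL_PROFILES = {"helenacom-lab": {"helenacom-devices", "lab-printers"}}  # constructed

# Authorization rules in the policy set, evaluated top-down, first match wins.
AUTHZ_RULES = [
    {"name": "helenacom-by-group", "group": "helenacom-devices", "result": "PermitAccess"},
    {"name": "helenacom-by-logical-profile", "logical_profile": "helenacom-lab", "result": "PermitAccess"},
]

def profile_endpoint(mac: str) -> dict:
    """Classify one MAC as the custom policy would; endpoints matching nothing stay Unknown."""
    digits = mac_hex(mac)
    for policy in PROFILING_POLICIES:
        if digits.startswith(hex_digits(policy["mac_prefix"])):
            return {"mac": mac, "policy": policy["name"], "group": policy["group"]}
    return {"mac": mac, "policy": "Unknown", "group": "Unknown"}

def authorize(mac: str) -> tuple[str, str]:
    """Return (rule name, result). Unknown endpoints hit no rule and fall to the implicit deny."""
    ep = profile_endpoint(mac)
    for rule in AUTHZ_RULES:
        if rule.get("group") == ep["group"]:
            return rule["name"], rule["result"]
        if ep["policy"] in LOGICAL_PROFILES.get(rule.get("logical_profile"), set()):
            return rule["name"], rule["result"]
    return "Default", "DenyAccess"

if __name__ == "__main__":
    # Constructed sample of MACs in the three formats a Live Log entry might show
    for mac in ["00:50:79:66:68:01", "0050.7967.0a0b", "AA-BB-CC-DD-EE-FF"]:
        print(mac, profile_endpoint(mac)["group"], authorize(mac))
```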