Based on my own observations, some profiling occurs immediately. However, I've seen occurrences where ISE can take as long as 15 minutes to correctly identify a Cisco 1142 LAP. Until it was correctly identified, ISE had it down as a "Cisco-Router", which isn't particularly helpful if you have a MAB policy to permit access for LAPs to communicate with a WLC.

The speed of the profiling also depends on whether the device obtains it's IP using DHCP.

I've worked through a few labs, such as spoofing a MAC address of a Cisco LAP. ISE is very clever at spotting this sort of thing, but it does take a little time for all the probes to calculate.

The following maybe helpful

You are not allowed to view links. Register or Login

The way I understand profiling in ISE - is that it begins immediately, but is an iterative process, which the flow chart suggests in the article, and which I've observed in my own labs. An example is MAB, which may require one or two CoAs from ISE in order for it to collect/analyse sufficient data.

If you think about it, ISE has a challenge to profile any given device. For example the HTTP probe is a bit hopeless since HTTP traffic might not be permitted until the port becomes active.

If an auth/authz session hits the final deny and ISE hasn't fully profiled the device, ISE will issue a CoA to inform the NAD to re-authenticate the session. On the next session, ISE may gather additional information, such as a DHCP probe, that will enable ISE to correctly profile the device.

Any future authentications will return the correct identity.

Since ISE continues to monitor for any changes, if the device re-attaches and starts behaving differently, e.g. no CDP messages and/or a different DHCP class identifier, then ISE will quickly re-profile the device and issue a CoA.

In truth this probably hasn't really answered your question fully, but I think this is mainly because the profiling component in ISE is an on-going process, before, during and after auth/authz.

Dear all,

All went well that started well. Chris thanks for your contribution it is quite nice sharing knowledge in this community.

My finding is this:

Profiling start once an endpoint connect to the network. This mean even before authentication. The process is an ongoing thing it does not end at any time as long as profiling probes are enable. This probes keeps check the network and keeps polling devices attributes both new and old endpoint connecting to networks.

At any time you can use a endpoint group to setup a authorization policy profiling will do it works even if for the first time the policy did not catch the rules as it cycle through the process it will catch it. All that is necessary is just to fine tune the process in such a way that it users does not have to wait for an unnecessary long time while profiling does it's work.

Regards,