collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: Device profiling  (Read 19564 times)

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Device profiling
« on: November 03, 2013, 11:53:29 PM »
Guys I need your thought on this at what time does device profiling occur? I will explain further with this scenario:

Authorization is configure to catch all IBM laptop devices while the default authorization is deny. If IBM laptop is plug into the network when will profiling occur before authorization match IBM?

Regards,
Technology makes life easy but I hope the same technology will not send man back to stone age!

Offline chris-a

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 3
  • Certification: CCNP
Re: Device profiling
« Reply #1 on: November 04, 2013, 01:24:51 AM »
Based on my own observations, some profiling occurs immediately. However, I've seen occurrences where ISE can take as long as 15 minutes to correctly identify a Cisco 1142 LAP. Until it was correctly identified, ISE had it down as a "Cisco-Router", which isn't particularly helpful if you have a MAB policy to permit access for LAPs to communicate with a WLC.

The speed of the profiling also depends on whether the device obtains it's IP using DHCP.

I've worked through a few labs, such as spoofing a MAC address of a Cisco LAP. ISE is very clever at spotting this sort of thing, but it does take a little time for all the probes to calculate.

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Re: Device profiling
« Reply #2 on: November 04, 2013, 02:17:52 AM »
Thanks for the response.

Really understanding the order of operation can help alot in your flow of configuration that is the reason for this question.. Now to refrain the question:

When does device profiled:
a. Before Authentication policy
b. After Authentication policy
c. Between Authentication and Authorization policy
d. Before Authorization policy
e. After authorization policy.

Useful help will be appreciated..

Thanks.
Technology makes life easy but I hope the same technology will not send man back to stone age!

Offline chris-a

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 3
  • Certification: CCNP
Re: Device profiling
« Reply #3 on: November 04, 2013, 03:41:59 AM »
The following maybe helpful

You are not allowed to view links. Register or Login

The way I understand profiling in ISE - is that it begins immediately, but is an iterative process, which the flow chart suggests in the article, and which I've observed in my own labs. An example is MAB, which may require one or two CoAs from ISE in order for it to collect/analyse sufficient data.

If you think about it, ISE has a challenge to profile any given device. For example the HTTP probe is a bit hopeless since HTTP traffic might not be permitted until the port becomes active.

If an auth/authz session hits the final deny and ISE hasn't fully profiled the device, ISE will issue a CoA to inform the NAD to re-authenticate the session. On the next session, ISE may gather additional information, such as a DHCP probe, that will enable ISE to correctly profile the device.

Any future authentications will return the correct identity.

Since ISE continues to monitor for any changes, if the device re-attaches and starts behaving differently, e.g. no CDP messages and/or a different DHCP class identifier, then ISE will quickly re-profile the device and issue a CoA.

In truth this probably hasn't really answered your question fully, but I think this is mainly because the profiling component in ISE is an on-going process, before, during and after auth/authz.

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Re: Device profiling
« Reply #4 on: November 04, 2013, 05:12:19 AM »
Thanks appreciate your contribution.

You know sometime you just need to throw a discussion open for you to have another dimensional view of a solution this is the reason for this discussion. Interesting enough the pdf you sent I have it and just going through it again and it quite interesting how much one miss when doing general reading.

regards
Technology makes life easy but I hope the same technology will not send man back to stone age!

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Re: Device profiling
« Reply #5 on: November 04, 2013, 11:19:18 PM »
Dear all,

All went well that started well. Chris thanks for your contribution it is quite nice sharing knowledge in this community.

My finding is this:

Profiling start once an endpoint connect to the network. This mean even before authentication. The process is an ongoing thing it does not end at any time as long as profiling probes are enable. This probes keeps check the network and keeps polling devices attributes both new and old endpoint connecting to networks.

At any time you can use a endpoint group to setup a authorization policy profiling will do it works even if for the first time the policy did not catch the rules as it cycle through the process it will catch it. All that is necessary is just to fine tune the process in such a way that it users does not have to wait for an unnecessary long time while profiling does it's work.

Regards,
Technology makes life easy but I hope the same technology will not send man back to stone age!

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Device profiling
« Reply #6 on: November 06, 2013, 12:25:42 AM »
Just like you guys said, profiling is an ongoing process. What information ISE has on an endpoint depends on what probes have already been collected. Some probes like HTTP provides a lot of info about the endpoint but it is only collected when ISE sees the http request through URL redirect. From what I have seen, an endpoint is only accurately identified when it has been connected to the network for a period of time and not necessary immediately, which is why I usually do not use the profiling info (eg. iPhone,iPad) as part of the authorization policy.

 

Related Topics

  Subject / Started by Replies Last post
2 Replies
32450 Views
Last post November 20, 2013, 10:23:55 AM
by MC
1 Replies
56534 Views
Last post November 19, 2014, 07:18:45 PM
by dong
1 Replies
18541 Views
Last post June 05, 2015, 08:56:46 PM
by MC
0 Replies
21880 Views
Last post May 29, 2016, 07:30:47 PM
by micruzz82
1 Replies
46109 Views
Last post March 31, 2021, 11:04:00 PM
by Administrator

SimplePortal 2.3.7 © 2008-2024, SimplePortal