Profiling Concepts
Profiling is an ISE feature that detects and classifies endpoints by probing. With this method, ISE collects endpoint attributes and then compares the collected attributes to predefined device profiles.
Profiling collects device or endpoint attributes from various sources such as DHCP, NetFlow, the HTTP User-Agent string, NMAP scans, etc.
Once the attributes are collected, they are matched against a set of signatures. These signatures are commonly referred to as profiles. The classification the profiler produces from this data is then used in the conditions defined in the authorization policy.
The example below shows a differentiated authorization policy based on profiling.

Employee using a corporate laptop to gain full access

In the figure above, the same employee uses their credentials on a mobile device and gets limited access.
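The following is an added example, not code from the page or from Cisco ISE. It models the flow described above in a toy form: attributes gathered by probes are scored against profile signatures, the matched profile assigns the endpoint to an identity group, and the authorization policy uses that group together with the user's group as a condition, producing the "full access" and "limited access" results shown in the two figures. The profile names, signature patterns, certainty weights, minimum-certainty thresholds, authorization rules and sample endpoints are all constructed for this example and are not ISE's built-in profiles.

```python
"""Added example (not ISE code): a toy profiler and authorization policy.

Probe attributes are matched against profile signatures; the matched
profile selects an endpoint identity group; the authorization policy
then uses that group plus the user's group as a condition. All profiles,
weights, thresholds, rules and sample endpoints are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    identity_group: str
    min_certainty: int          # total weight needed to claim this profile
    conditions: list            # (attribute, regex, weight)


PROFILES = [
    Profile("Corporate-Windows-Laptop", "Corporate-Assets", 30, [
        ("dhcp-class-identifier", r"^MSFT 5\.0$", 10),
        ("user-agent", r"Windows NT", 10),
        ("oui", r"^(3C:52:82|00:50:56)$", 20),   # constructed corporate OUIs
    ]),
    Profile("Apple-iPhone", "Mobile-Devices", 20, [
        ("user-agent", r"iPhone", 10),
        ("dhcp-class-identifier", r"^iPhone", 10),
        ("host-name", r"iPhone", 10),
    ]),
]


def classify(attrs: dict) -> tuple:
    """Return (profile_name, identity_group) for the highest-scoring
    profile whose score reaches its minimum certainty, else Unknown."""
    attrs = dict(attrs)
    attrs["oui"] = attrs.get("MACAddress", "")[:8].upper()
    best_name, best_group, best_score = "Unknown", "Unknown", 0
    for p in PROFILES:
        score = sum(weight for attr, pattern, weight in p.conditions
                    if re.search(pattern, attrs.get(attr, ""), re.IGNORECASE))
        if score >= p.min_certainty and score > best_score:
            best_name, best_group, best_score = p.name, p.identity_group, score
    return best_name, best_group


# Authorization policy: first rule whose conditions match wins.
# (user identity group, endpoint identity group, authorization result)
AUTHZ_RULES = [
    ("Employees", "Corporate-Assets", "PermitAccess"),
    ("Employees", "Mobile-Devices", "Limited-Access"),
]
DEFAULT_RESULT = "DenyAccess"


def authorize(user_group: str, attrs: dict) -> dict:
    """Classify the endpoint, then evaluate the authorization rules."""
    profile, endpoint_group = classify(attrs)
    result = DEFAULT_RESULT
    for ug, eg, res in AUTHZ_RULES:
        if ug == user_group and eg == endpoint_group:
            result = res
            break
    return {"profile": profile, "identity_group": endpoint_group, "result": result}


# Constructed probe output for the two cases in the figures above.
CORPORATE_LAPTOP = {
    "MACAddress": "3c:52:82:aa:bb:cc",
    "dhcp-class-identifier": "MSFT 5.0",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120",
}
MOBILE_PHONE = {
    "MACAddress": "f0:18:98:11:22:33",
    "host-name": "Alices-iPhone",
    "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
}

if __name__ == "__main__":
    for label, endpoint in (("laptop", CORPORATE_LAPTOP), ("phone", MOBILE_PHONE)):
        print(label, authorize("Employees", endpoint))
```

Because the default result is a deny, an endpoint that no profile claims with enough certainty gets no access even when the user credentials are valid; that is the point of combining user identity with the profiled identity group rather than trusting either alone.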
ISE Profiler Work Center
The ISE Profiler Work Center is the central location where profiling-related tasks are performed.
To open the Profiler Work Center, follow these GUI steps:
ISE | Work Center | Profiler

ISE Profiling Probes
ISE uses various probes to collect data from endpoints, and this data is then used in profiling conditions. For example, the HTTP probe collects data by capturing HTTP traffic, and the profiler then examines the captured traffic, such as the HTTP User-Agent string. From ISE version 1.3 onwards, some probing methods are enabled by default.
Probe configuration:
To configure probes in ISE, use the following path:
Work Center | Profiler | Node Config, then select the PSN that needs to be configured for probing. Here the node is shown as Standalone, which means a single node runs all personas: Administration, Monitoring, and Policy Service.

Under General Settings, enable the Profiling Service checkbox.

Select the Profiling Configuration tab to see the ten probes available on each PSN, shown below.

DHCP & DHCPSPAN probes:
The DHCP probe is used to capture the endpoint MAC address and to identify the endpoint OS; it also captures the DHCP user-agent string to identify a device as a corporate asset.
With the DHCP probe, DHCP requests are sent directly to ISE. This is done with the ip helper-address configuration command, in which the IP address of the ISE PSN management interface is configured. This command converts DHCP broadcasts to unicast and sends them to the ISE PSN as well as to the DHCP server.
With the DHCPSPAN probe, a SPAN session is used in promiscuous mode; it copies all traffic to/from a source interface and sends it to a destination port where the ISE interface serving the DHCPSPAN probe role is connected.

A WLC has a default configuration that makes it act as a DHCP proxy, a middleman for all DHCP conversations. This configuration interferes with the DHCP probe and must be disabled on the WLC. Once it is disabled, all DHCP requests from wireless endpoints are seen as broadcast packets on the VLAN, and because of the ip helper-address configured on the VLAN's L3 interface, they are sent to the DHCP server as well as to ISE.
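The following is an added example, not code from the page or from Cisco ISE, showing what the DHCP and DHCPSPAN probes described above actually have to work with. It builds a constructed DHCP DISCOVER the way a client sends it, then parses the fields the probe turns into endpoint attributes: the client MAC (chaddr) and the DHCP options commonly used as an OS fingerprint, option 12 (host-name), option 60 (vendor class identifier) and option 55 (parameter request list). The giaddr field distinguishes a packet relayed by ip helper-address (DHCP probe) from a raw mirrored copy (DHCPSPAN probe). All packet values, the host name, the relay address and the small fingerprint table are constructed for this example; the attribute names are assumptions chosen to resemble profiler attributes, not a statement of ISE's internal schema.

```python
"""Added example (not Cisco ISE code): what the DHCP / DHCPSPAN probes see.

Builds a constructed DHCPDISCOVER, then extracts the profiler-relevant
attributes from it: client MAC (chaddr), option 12 host-name, option 60
vendor class identifier, option 55 parameter request list, and whether
giaddr shows the packet was relayed (ip helper-address) or mirrored (SPAN).
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE, OPT_HOST_NAME, OPT_PRL, OPT_CLASS_ID, OPT_END = 53, 12, 55, 60, 255

# Illustrative fingerprint table (constructed): parameter request list -> OS guess
FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows 10",
    "1,121,3,6,15,119,252,95,44,46": "Apple iOS",
}


def build_discover(mac: bytes, hostname: bytes, class_id: bytes,
                   prl: bytes, giaddr: bytes = b"\x00" * 4) -> bytes:
    """Construct a DHCPDISCOVER (RFC 2131 layout) carrying the given options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast bit set)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, giaddr,   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)   # chaddr sname file
    options = (bytes([OPT_MESSAGE_TYPE, 1, 1])                 # 1 = DHCPDISCOVER
               + bytes([OPT_HOST_NAME, len(hostname)]) + hostname
               + bytes([OPT_CLASS_ID, len(class_id)]) + class_id
               + bytes([OPT_PRL, len(prl)]) + prl
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_options(data: bytes) -> dict:
    """Decode the TLV option area into {code: raw bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:               # pad byte, no length
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def probe_attributes(packet: bytes) -> dict:
    """Extract the attributes a DHCP-based probe would feed to the profiler."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    giaddr = packet[24:28]
    chaddr = packet[28:28 + hlen]
    opts = parse_options(packet[240:])
    prl = ",".join(str(b) for b in opts.get(OPT_PRL, b""))
    return {
        "MACAddress": ":".join(f"{b:02x}" for b in chaddr),
        "dhcp-message-type": opts.get(OPT_MESSAGE_TYPE, b"\x00")[0],
        "host-name": opts.get(OPT_HOST_NAME, b"").decode(errors="replace"),
        "dhcp-class-identifier": opts.get(OPT_CLASS_ID, b"").decode(errors="replace"),
        "dhcp-parameter-request-list": prl,
        "os-guess": FINGERPRINTS.get(prl, "Unknown"),
        # A relay fills giaddr; a SPAN copy of the client's own broadcast has it zeroed.
        "relayed": giaddr != b"\x00" * 4,
    }


# Constructed samples: the broadcast as a SPAN port copies it, and the same
# request as forwarded by ip helper-address to the PSN (giaddr = relay SVI).
WINDOWS_PRL = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
SPAN_COPY = build_discover(bytes.fromhex("3c5282aabbcc"), b"CORP-LT-0042",
                           b"MSFT 5.0", WINDOWS_PRL)
RELAYED = build_discover(bytes.fromhex("3c5282aabbcc"), b"CORP-LT-0042",
                         b"MSFT 5.0", WINDOWS_PRL, giaddr=bytes([10, 1, 20, 1]))

if __name__ == "__main__":
    for name, pkt in (("span", SPAN_COPY), ("relayed", RELAYED)):
        print(name, probe_attributes(pkt))
```

Both packets yield the same attributes apart from the relayed flag, which is why the two probes are interchangeable for profiling and differ only in how the packet reaches the PSN. It also shows why the WLC DHCP proxy matters: a proxy rewrites the exchange on the client's behalf, so the PSN no longer receives the client's own options.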
GENERAL FAQ
Profiling is a feature in ISE that lets the system detect what kind of devices are connecting to your network. It gleans information about each device (such as MAC address, OS type, or user-agent details) and maps that data against known device profiles to identify what kind of endpoint it is.
Implementing the Profiling service in Cisco Identity Services Engine (ISE) helps you solve one of the main security issues that network administrators face today: lack of endpoint visibility. Lack of endpoint visibility puts your entire network at risk. Endpoints are prime attack targets because they often contain sensitive information and are unpatched and vulnerable. As more endpoints and types of endpoints access your network resources, your network attack surface exponentially expands. The ISE Profiler service provides dynamic detection and classification of endpoints connected to the network. Classification makes it easier to grant and maintain the appropriate access to your network, which, in turn, greatly improves overall network security.
ISE can collect device information from a variety of sources, including DHCP, HTTP traffic, NetFlow, NMAP scans, and more. These collectors are called probes, and each one examines a different aspect of the device's network activity to piece together a clear picture of what it is.
An ISE Policy Service Node with the profiler service enabled collects probes from the network. The probes contain endpoint attributes that can be mapped back to the endpoint MAC address and can be analyzed by ISE to determine the endpoint profile.
The Profiler service runs only on Cisco ISE nodes that provide the policy service. In a distributed deployment, the profiler service does not run on Cisco ISE nodes that only provide other services, such as administration and monitoring.
The profiler service is composed of the following components:
The Sensor: The sensor collects data from several probes and obtains information on the endpoints. The sensor then forwards the attributes and their attribute values to the analyzer. The probe manager within the sensor supports the profiler service, initializing and controlling various probes that run on the sensor. The probe manager allows you to configure probes and to start and stop collecting the attributes and their values from the endpoints. An event manager within the sensor can communicate events between the probes and the probe manager. A forwarder stores endpoints in the Cisco ISE database along with their attribute data. Cisco ISE then notifies the analyzer of newly detected endpoints.
The Analyzer: The analyzer evaluates endpoints by using the configured policies. It then classifies the endpoints with the matched endpoint profile in the Cisco ISE database.
All profiling activities are controlled in the Profiler Work Center. It provides a place where administrators can examine endpoint information as well as set up probes and profiling policies all in one, centralized position within the ISE interface.
The DHCPSPAN probe captures DHCP packets from a mirrored port, such as from Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and Encapsulated Remote Switched Port Analyzer (ERSPAN). A dedicated Cisco ISE interface is strongly recommended for this probe type. Be sure to enable the Cisco ISE interface from the CLI and make any necessary physical connections to the SPAN port.
Profiling allows network managers to see every device that connects to their enterprise, whether a laptop, printer, or phone. Knowing what is connected lets you apply the right security policies, identify unauthorized devices, and keep the network secure and compliant.
Profiling is useful in situations where certain corporate assets must be differentiated from non-corporate assets. It may be used to help regulate network access and assign additional network authorization permissions. This usage is based on the policy group of the device.
Enterprises deploy the profiler service for two main reasons:
Create a learned inventory: The profiler service provides a contextual inventory of all endpoints that are using network resources. It discovers connected endpoints and where they exist on the network.
Determine the applicable Endpoint Identity Group: The profiler service matches endpoints to a profiler policy. These profiler policies can be used to determine which identity group the endpoint should be assigned to. The identity group specified by the device profile can then be used as a condition in the authorization policy. In this way, you can affect the endpoint network permissions.