Introduction
Profiling is the process by which Cisco ISE automatically identifies the type of device (Windows PC, IP phone, printer, IoT camera, game console, etc.) that connects to your network by observing network behaviour and attributes (DHCP, RADIUS, HTTP, SNMP, NetFlow, ARP, MAC OUI, etc.). Profiling is critical because:
- It lets you apply the right network policy (VLAN, ACL, QoS) for each device category without manual enrollment.
- It powers policy automation: e.g., unknown device → quarantine, phone → voice VLAN, laptop → employee VLAN.
- It reduces helpdesk load and speeds onboarding for BYOD & IoT.
- It’s a building block for posture, BYOD onboarding, and Zero-Trust enforcement.
From a learner perspective, profiling is one of the first “intelligent” features you configure in ISE: once correctly set up and tuned, profiling will continuously classify devices and feed those identities into your authentication/authorization decisions.
Problem Statement
Real environments have thousands of heterogeneous endpoints. Manual classification is impossible. Common pain points:
- Guests, contractors, printers and cameras all look identical at Layer 2 (MAC + IP) until you probe them.
- Unauthorized IoT devices can appear and move laterally if they’re placed in the corporate VLAN.
- Static rules (based on port or MAC lists) don’t scale and create configuration drift.
- Troubleshooting is hard when an endpoint’s type is unknown — you can’t apply correct ACLs, QoS, or posture checks.
You need automated, accurate identification that feeds directly into ISE policy decisions — and that’s what profiling does.
Solution Overview
Cisco ISE Profiler service collects telemetry from multiple “probes” and correlates attributes to produce an endpoint identity. Key probes and data sources commonly used for wired profiling:
- RADIUS (authentication/accounting) attributes — Calling-Station-Id (MAC), Called-Station-Id (port), NAS-IP.
- DHCP probe — vendor class, option 60, option 77, fingerprinting.
- HTTP probe — User-Agent strings captured via web redirection or network taps.
- SNMP queries — run against switches to map MAC → interface, sysDescr strings.
- NetFlow / sFlow — observed traffic patterns.
- DNS queries / NXDOMAIN and other passive signals.
- MAC OUI — vendor derived from MAC prefix.
ISE evaluates these inputs against Profiling Policies (rules and signature matches) and assigns the endpoint to an Endpoint Identity Group (e.g., Windows, Printer, IPPhone, Camera). You then use those groups in Authorization policies to dynamically enforce VLANs, dACLs, or posture actions.
Sample Lab Topology
Platform: VMware Workstation or EVE-NG
VMs / Devices
- ISE VM (v3.x) — 10.10.10.5/24 (Profiler enabled)
- Windows Server 2019 — Active Directory + DHCP — 10.10.10.10/24
- Catalyst Switch (IOS XE 16.x / IOS) — mgmt 10.10.10.2/24
- Test clients: Windows 10 laptop (802.1X), IP Phone (MAB), Printer (MAB), IoT camera (no supplicant)
- Optional: WLC if you want wireless test parity.
Logical diagram: [Diagram placeholder: logical lab topology]
Key lab services to enable:
- SNMP read on the switch so ISE can poll (for MAC → port mapping).
- DHCP server reachable (DHCP option strings used in profiling).
- Switch configured with DHCP snooping, IP device tracking (optional), and RADIUS accounting.
Step-by-Step GUI Configuration Guide (numbered)
High-level flow you’ll perform: enable the Profiler service on the node → configure probes and credentials → configure switch SNMP/DHCP features → create profiling policy rules (or tune the defaults) → check live logs and endpoints → use endpoint groups in the authorization policy.
PRE-REQS / LAB PREP (do first)
- NTP & DNS: Ensure ISE and AD/DHCP and switches have correct time and DNS resolution. (Profiler uses timestamps & AD lookups.)
- Network reachability: ISE must be able to SNMP poll switches and receive RADIUS accounting/DHCP telemetry. Open UDP 161 (SNMP), UDP 67/68 (DHCP if ISE receives), UDP 1812/1813 (RADIUS).
- Add NAD(s) to ISE: Administration → Network Resources → Network Devices. Add the switch IP, RADIUS shared secret and SNMP credentials (v2c or v3) so ISE can poll it.
- On the Network Device entry, add the SNMP settings (community string or v3 user).
- [Screenshot placeholder: ISE > Network Devices > Add Device]
STEP 1 — Enable Profiler Service on the ISE Node
- Login to ISE Admin GUI.
- Go to Administration → System → Deployment.
- Click the ISE node (PSN or All-in-One node) and ensure the Profiler service is checked/activated on that node. If it isn’t, enable it and Save.
- After enabling it, the Profiler service starts (give it a few minutes to initialize).
- [Screenshot placeholder: ISE Deployment – enable Profiler service]
Note: Profiler can run on PSN nodes or dedicated profiler appliances in large environments.
STEP 2 — Configure Probe Sources & Settings
- Go to Work Centers → Profiler in the ISE menu.
- Open Profiler Settings / Probe Configuration. You’ll see the available probe sources: RADIUS, DHCP, HTTP, SNMP, NetFlow, DNS, etc.
- Enable the probes you will use for wired profiling (RADIUS and DHCP are mandatory/basic; SNMP is highly recommended for port mapping).
- Configure probe-specific settings: e.g., DHCP timeout, DHCP probe port, HTTP probe redirect settings (if used).
- [Screenshot placeholder: Profiler Settings – enable DHCP, RADIUS, SNMP probes]
Important: If you enable the DHCP probe, make sure DHCP messages are visible to ISE. In many labs you’ll use DHCP snooping + ISE listening on the management network, or forward DHCP packets via DHCP relay—plan accordingly.
STEP 3 — Configure Switch for SNMP, DHCP Snooping & IP Device Tracking
On the access switch (example IOS CLI):
```
! Enable SNMP read access so ISE can poll the switch
conf t
snmp-server community profCommunity RO
snmp-server host 10.10.10.5 version 2c profCommunity
! DHCP snooping (lets ISE see DHCP bindings); VLAN list is comma-separated
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
! Trust DHCP only on the uplink
interface GigabitEthernet1/0/1
 ip dhcp snooping trust
 exit
! IP device tracking (optional, improves MAC/IP mapping)
ip device tracking
! RADIUS accounting so ISE receives session info (aaa new-model is required first)
aaa new-model
radius server ISE
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key cisco123
aaa group server radius ISE-GROUP
 server name ISE
aaa accounting dot1x default start-stop group ISE-GROUP
```
`show ip dhcp snooping binding` on the switch shows MAC → IP → VLAN → interface; ISE uses this for correlation.
- [Screenshot placeholder: Switch CLI snippet and SNMP config]
STEP 4 — Create/Review Profiling Policy in ISE
- In ISE: Work Centers → Profiler → Profiling Policy.
- ISE ships with a default profiling policy — use it as a baseline.
- Add or tune rules that match the attributes you will see in your lab. Typical rule examples:
  - IF DHCP Option 60 contains `MSFT` or HTTP User-Agent contains `Windows` → classify as `Windows`.
  - IF DHCP Vendor Class or DHCP Option 60 contains `IPP` or SNMP sysDescr contains `HP LaserJet` → classify as `Printer`.
  - IF HTTP User-Agent contains `Dalvik` or `Android` → classify as `Android`.
  - IF NetFlow or RADIUS attributes indicate SIP traffic, or the MAC OUI maps to a Cisco phone → classify as `IP Phone`.
- For each rule, set the Endpoint Identity Group outcome (e.g., `Printers`, `Windows`, `IPPhones`, `Cameras`).
- Place more specific rules above generic rules. Use the Test or Simulate function, if available, to evaluate rule matches.
- [Screenshot placeholder: Profiler Policy – add rule mapping DHCP vendor string → Printer]
Rule building tips
- Start conservative: use high-confidence matches (HTTP User-Agent, DHCP vendor class, SNMP sysDescr, OUI) first.
- Use OUI as a last resort (low confidence).
- Add `Minimum observations` if you want multiple hits before assignment.
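As an added illustration (not Cisco ISE code), the rule ordering, OR-ed attribute matches and minimum-observations gating described above as a small Python evaluator; the rule syntax, attribute names and endpoint samples are constructed for this example:

```python
"""Toy evaluator for the profiling-rule style described above.

Added example, not Cisco ISE code: the rule syntax, attribute names and
endpoint samples are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    group: str                 # Endpoint Identity Group assigned on match
    conditions: list           # (attribute, substring) pairs, OR-ed together
    min_observations: int = 1  # "Minimum observations" before assignment

    def matches(self, attrs: dict) -> bool:
        return any(sub in attrs.get(attr, "") for attr, sub in self.conditions)


def oui(mac: str) -> str:
    """Vendor prefix: first three octets, upper-case, separators removed."""
    return "".join(c for c in mac if c.isalnum()).upper()[:6]


# Ordered as the guide advises: specific, high-confidence rules first;
# the OUI-only rule last and gated behind several observations.
RULES = [
    Rule("Printers", [("dhcp_option60", "IPP"), ("snmp_sysdescr", "HP LaserJet")]),
    Rule("Android", [("http_user_agent", "Dalvik"), ("http_user_agent", "Android")]),
    Rule("Windows", [("dhcp_option60", "MSFT"), ("http_user_agent", "Windows")]),
    # 00:00:0C is a Cisco OUI; requiring 3 hits models "Minimum observations"
    Rule("IPPhones", [("oui", "00000C")], min_observations=3),
]


def classify(attrs: dict, observations: int = 1) -> str:
    """Return the first matching rule's group, else 'Unknown' (quarantine)."""
    attrs = dict(attrs, oui=oui(attrs.get("mac", "")))
    for rule in RULES:
        if rule.matches(attrs) and observations >= rule.min_observations:
            return rule.group
    return "Unknown"


if __name__ == "__main__":
    # Constructed endpoint attributes as the DHCP/HTTP/SNMP probes would supply
    print(classify({"mac": "02:00:00:aa:bb:cc", "dhcp_option60": "MSFT 5.0"}))
    print(classify({"mac": "00:00:0c:12:34:56"}))                   # Unknown
    print(classify({"mac": "00:00:0c:12:34:56"}, observations=3))  # IPPhones
```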
STEP 5 — Configure Endpoint Identity Groups & Policy Usage
- Create Endpoint Identity Groups in Work Centers → Profiler → Endpoint Identity Groups if they don’t already exist (e.g., `Printers`, `IPPhones`, `Cameras`).
- Use these Endpoint Identity Groups in Authorization Policies (Policy → Policy Sets → Authorization) to apply the correct VLANs/dACLs.
- Example: `If Endpoint Identity Group = Printers → Authorization Profile: VLAN_50_Printer`.
- [Screenshot placeholder: Authorization Policy using Endpoint Identity Group]
STEP 6 — Generate Traffic & Observe Profiling
- Connect your Windows client, let it obtain a DHCP lease, and generate normal web traffic.
- Connect the printer and power on so it requests DHCP and responds to SNMP queries.
- On ISE: Work Centers → Profiler → Endpoint Table (or Operations → Endpoints) search for MAC or IP.
- You should see the endpoint listed with a Profiling Confidence, Matched Attributes (DHCP/HTTP/SNMP), and Assigned Identity Group.
- [Screenshot placeholder: Profiler Endpoint details showing matched DHCP option and assigned group]
STEP 7 — Validate in Live Logs & Switch
In ISE (GUI):
- Operations → RADIUS → Live Logs — for a wired 802.1X session, open the session details; look for Profiling or Endpoint section showing the assigned identity group used in policy evaluation.
On Switch (CLI):
- `show ip dhcp snooping binding` — shows the DHCP binding ISE used for correlation.
- `show mac address-table dynamic interface Gi1/0/10` — confirm the MAC is on the correct port.
- `show authentication sessions interface Gi1/0/10 details` — see the device status and username/MAC as used by ISE.
STEP 8 — Tune & Reduce False Positives
- Review profiling hits and false matches in profiler logs.
- Adjust profiling rule order, add more attributes (combine HTTP + DHCP + OUI) for stronger confidence.
- Use the Profiler Hit Count and Smoothing options (if available) to require multiple observations before a final identity is set.
Validation & Diagnostics (quick checklist)
- Profiler service status: Administration → System → Deployment — Profiler running on node.
- Probe status: Work Centers → Profiler → Probe Configuration — RADIUS, DHCP, SNMP enabled.
- Network Device SNMP: switch listed with correct SNMP community in ISE.
- Endpoint appears in Work Centers → Endpoints with identity group & attributes.
- ISE LiveLogs show Profiling Match and which attributes matched.
- Switch `show ip dhcp snooping binding` and `show authentication sessions` show a consistent MAC/IP/port mapping.
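To make that last checklist item mechanical, here is an added Python example (not from the original guide) that parses constructed `show ip dhcp snooping binding` and `show authentication sessions` output, normalises the colon and dotted MAC formats, and reports any MAC whose DHCP binding port and authenticated session port disagree; the sample outputs are constructed and column layout varies by IOS release:

```python
"""Cross-check DHCP snooping bindings against authentication sessions.
Added example, not part of the original guide; SNOOPING and SESSIONS are
constructed samples shaped like the two IOS show commands."""
import re

SNOOPING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
00:11:22:33:44:55   10.10.20.50      86400       dhcp-snooping   20   GigabitEthernet1/0/10
00:1E:0B:AA:BB:CC   10.10.50.20      86400       dhcp-snooping   50   GigabitEthernet1/0/11
"""
SESSIONS = """\
Interface    MAC Address    Method  Domain  Status Fg  Session ID
Gi1/0/10     0011.2233.4455 dot1x   DATA    Auth       0A0A0A02000000130046A5B8
Gi1/0/12     001e.0baa.bbcc mab     DATA    Auth       0A0A0A02000000140046B1C2
"""

def norm_mac(mac: str) -> str:
    """Any MAC format (colon, dotted, bare) -> 12 lower-case hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def short_if(name: str) -> str:
    """GigabitEthernet1/0/10 -> Gi1/0/10 so both tables use one spelling."""
    return re.sub(r"^GigabitEthernet", "Gi", name)

def parse_bindings(text: str) -> dict:
    """{mac: (ip, vlan, interface)} from the snooping binding table."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)", line)
        if m:
            out[norm_mac(m[1])] = (m[2], int(m[3]), short_if(m[4]))
    return out

def parse_sessions(text: str) -> dict:
    """{mac: (interface, method, status)} from the sessions summary."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+\S+\s+(\S+)", line)
        if m:
            out[norm_mac(m[2])] = (m[1], m[3], m[4])
    return out

def find_mismatches(bindings: dict, sessions: dict) -> list:
    """MACs on different ports in the two tables, or present in only one."""
    issues = []
    for mac in sorted(set(bindings) | set(sessions)):
        b, s = bindings.get(mac), sessions.get(mac)
        if b is None or s is None:
            issues.append((mac, "missing in " + ("sessions" if s is None else "bindings")))
        elif b[2] != s[0]:
            issues.append((mac, f"port mismatch: dhcp={b[2]} auth={s[0]}"))
    return issues
```

A non-empty result means ISE's MAC → port correlation for that endpoint is built on inconsistent switch state and should be investigated before trusting the profiling outcome.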
FAQs
1) Q — Which probes should I enable for wired profiling in a campus network?
A: At minimum enable RADIUS and DHCP probes. Add SNMP (for port mapping), HTTP (for UA strings), and NetFlow where available to increase accuracy. RADIUS provides immediate session context; DHCP and SNMP provide corroborating evidence.
2) Q — How does DHCP snooping help profiling?
A: DHCP snooping creates bindings (MAC → IP → VLAN → Interface) on the switch. ISE uses those bindings to correlate a MAC to an access port and to observe DHCP option strings that help identify the device.
3) Q — ISE shows low profiling confidence — what should I do?
A: Combine multiple attributes in your profiling rule (e.g., DHCP option 60 + HTTP User-Agent + OUI). Increase the required observations threshold, or add SNMP sysDescr matches for vendors that expose strong signatures.
4) Q — Can profiling accidentally misclassify a device and cause wrong policy?
A: Yes, which is why you should start with conservative policies and test. Use fallback rules (e.g., unknown → quarantine) and require high confidence for critical policy actions (like full network access).
5) Q — Does profiling identify virtual machines or containers?
A: Profiling can identify OS/application user agent strings if visible (e.g., VM user agent, DHCP client strings). VMs often appear as regular Windows/Linux devices; tie profiling with MAB/AD checks where possible.
6) Q — Do I need SNMP v3 for production?
A: SNMPv3 is recommended for security (encrypted auth). SNMPv2c works but sends community strings in cleartext—fine for labs but not for production.
7) Q — How fast does profiling classify a device?
A: It depends on probes and traffic: RADIUS + DHCP can yield classification at first session (seconds); other probes (HTTP, NetFlow) may take longer as more traffic is observed. You can tune the observation count.
8) Q — How does profiling work with MAC-spoofing?
A: Profiling uses multiple attributes beyond MAC OUI; but MAC spoofing still weakens identification. Combine profiling with posture, certificate checks, and 802.1X machine authentication for stronger assurance.
9) Q — Where can I view the raw attributes that drove a profiling decision?
A: In ISE: Work Centers → Profiler → Endpoint Details (or endpoint view), and in Operations → RADIUS Live Logs — open the session and check matching attributes and the profiler decision. These UIs show which probe matched and attribute values.
10) Q — How do I use profiling results in authorization policies?
A: Profiling assigns an Endpoint Identity Group. In the Authorization Policy, create rules such as `If Endpoint Identity Group == Printers → Apply Authz Profile VLAN_Printer` or `If Endpoint Identity Group == Unknown → Quarantine`. Use profiling together with AD/user identity checks for layered decisions.
YouTube Link
For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience.
Closing Notes (key takeaways)
- Profiling is the “senses” of ISE — it observes network signals and decides what a device is.
- For wired endpoints, RADIUS + DHCP + SNMP are the most powerful and quick probes.
- Always enable SNMP on switches, configure DHCP snooping, and ensure NTP/DNS are correct.
- Tune profiling policies: be conservative at first, validate with real devices, and raise confidence thresholds for critical authorizations.
- Use profiling outputs in Authorization Policy to automate VLANs, dACLs, and quarantine logic.
- Track and log decisions — review misclassifications and iterate.
Fast-Track to Cisco ISE Mastery Pro
If you want to turn these lab steps into repeatable production deployments, join the 4-month Instructor-Led CCIE Security / ISE Mastery Program. This course walks you from basic ISE installs to advanced topics like profiling, posture, TrustSec, DACLs, CoA, and real enterprise rollouts — with hands-on labs (EVE-NG/VMware), graded exercises and 1:1 mentorship.
Why join: live labs, blueprinted enterprise scenarios, interview prep, lifetime lab access.
Reserve your seat / view outline: https://course.networkjourney.com/ccie-security/
Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088