Day 78 – Cisco ISE Mastery Training: Profiling Policies & Conditions



Introduction

Cisco ISE profiling is like giving the NAC engine eyes and intelligence.
Without profiling, ISE knows a device only by its MAC or credentials. With profiling, ISE can identify:

  • This MAC belongs to a Windows 10 Laptop (DHCP + RADIUS attributes).
  • This MAC is an HP Printer (OUI + SNMP + DHCP fingerprint).
  • This is an Apple iPhone (HTTP User-Agent + OUI + DHCP options).

Profiling Policies and Conditions are the foundation of this process.

  • Conditions = building blocks (what patterns should match).
  • Policies = rules that decide the profile based on one or more conditions.

For network access control to be effective, device identification must be accurate, dynamic, and scalable. Profiling policies and conditions make this happen.


Problem Statement

Enterprises face 4 big problems:

  1. Device Sprawl – BYOD, IoT, printers, phones → thousands of devices without uniform login methods.
  2. Inaccurate Access – If an IoT sensor is misclassified as a laptop, it might be given full corporate access instead of restricted VLAN.
  3. Weak Attributes – MAC OUI alone is insufficient; Apple OUI could be an iPad, iPhone, or MacBook.
  4. Dynamic Environment – Devices update OS, change DHCP signatures, and present new fingerprints. Without adaptive profiling policies, profiles break.

So: How do we accurately profile devices using multi-attribute, prioritized rules, and ensure ISE dynamically adapts to changes?


Solution Overview

Cisco ISE solves this using:

  1. Profiling Conditions – Logic statements that match attributes like DHCP Option 55, HTTP User-Agent, RADIUS Called-Station-ID.
  2. Profiling Policies – Rules that link conditions with profiles (e.g., if DHCP = iOS + OUI = Apple → Profile = Apple-iPhone).
  3. Dynamic Feed Service (PFS) – Regular updates from Cisco with new device fingerprints.
  4. Context Visibility – Real-time endpoint classification dashboard.
  5. CLI & GUI Validation Tools – For engineers to debug profiles, logs, and attributes.
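To make the "DHCP fingerprint" concrete, here is a small parser that pulls the same options a profiler DHCP probe looks at (option 55 parameter request list, option 60 vendor class, option 12 host name) out of a DHCP packet. This is an added example, not ISE or Cisco code; the DHCPDISCOVER packet and the MAC a4:5e:60:1a:2b:3c are constructed sample data, and the attribute names mirror the lab text (ISE's own DHCP dictionary calls option 55 dhcp-parameter-request-list).

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2132)

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_bytes} from a BOOTP/DHCP packet; raises on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:              # End option: stop parsing
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:     # length claims more bytes than the packet holds
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def dhcp_fingerprint(opts: dict) -> dict:
    """Attributes a profiling condition would test, named as in the lab above."""
    fp = {}
    if 55 in opts:   # Parameter Request List: one byte per requested option code
        fp["DHCP-Option55"] = ",".join(str(b) for b in opts[55])
    if 60 in opts:   # Vendor Class Identifier (dhcp-class-identifier in ISE)
        fp["DHCP-Option60"] = opts[60].decode("ascii", "replace")
    if 12 in opts:   # Host Name
        fp["DHCP-HostName"] = opts[12].decode("ascii", "replace")
    return fp

def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER from MAC a4:5e:60:1a:2b:3c (sample values, not a capture)."""
    chaddr = bytes.fromhex("a45e601a2b3c") + bytes(10)
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4), chaddr, bytes(64), bytes(128))
    options = (b"\x35\x01\x01"                     # 53: DHCPDISCOVER
               + b"\x37\x05\x01\x03\x06\x0f\x77"  # 55: 1,3,6,15,119 (the lab's signature)
               + b"\x0c\x06iPhone"                 # 12: host name
               + b"\x00\xff")                      # pad, End
    return header + MAGIC_COOKIE + options

def sample_fingerprint() -> dict:
    return dhcp_fingerprint(parse_dhcp_options(build_sample_discover()))
```

A parameter request list of "1,3,6,15,119" on its own is not iPhone-specific, which is why Step 3 below combines it with the OUI and HTTP User-Agent before assigning a profile.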

Sample Lab Topology

We’ll simulate profiling in a VMware/EVE-NG lab.

Topology

  • Switch: RADIUS AuthC/AuthZ + DHCP relay → ISE.
  • WLC: Wireless endpoints send RADIUS attributes.
  • Endpoints: Windows 10 laptop, Apple iPhone, HP Printer, Cisco IP Phone.

Step-by-Step GUI + CLI Guide


Step 1: Enable Profiling Probes

  1. GUI: Administration → System → Deployment → [PSN Node] → Profiling Configuration
    • Enable RADIUS, DHCP, HTTP, SNMP Query, SNMP Trap.
    • [Screenshot: Deployment Probes Screen]
  2. CLI Verification:
       ise/admin# show profiling configuration
       Probes enabled: RADIUS, DHCP, HTTP, SNMP

Step 2: Create Profiling Conditions

  1. GUI: Policy → Policy Elements → Conditions → Profiling → Add
    • Name: Apple_DHCP_Signature
    • Condition: DHCP-Option55 contains 1,3,6,15,119
    • Save.
    • [Screenshot: Profiling Condition Builder]
  2. CLI Validation:
       ise/admin# show profiling condition name Apple_DHCP_Signature
       Condition: DHCP-Option55 contains 1,3,6,15,119
       Status: Enabled

Step 3: Build Profiling Policies

  1. GUI: Policy → Profiling → Policies → Add
    • Name: Apple-iPhone-Policy
    • Conditions:
      • OUI = Apple
      • AND DHCP = Apple_DHCP_Signature
      • AND HTTP User-Agent contains iPhone
    • Result: Assign Profile = Apple-iPhone
    • Priority: 100 (above the generic “Apple-Device” rule).
    • [Screenshot: Profiling Policy Screen]
  2. CLI Verification:
       ise/admin# show profiling policy name Apple-iPhone-Policy
       Policy: Apple-iPhone-Policy
       Conditions: OUI=Apple, DHCP=Apple_DHCP_Signature, HTTP UA contains iPhone
       Result: Profile=Apple-iPhone
       Priority: 100

Step 4: Endpoint Testing

  1. Connect the iPhone → it joins the wireless SSID via the WLC.
  2. GUI: Context Visibility → Endpoints → Search MAC
    • Profile = Apple-iPhone
    • Source: DHCP + HTTP + RADIUS probes
    • [Screenshot: Endpoint Profile Screen]
  3. CLI Validation:
       ise/admin# show profiling endpoint mac a4:5e:60:1a:2b:3c
       Profiled: Apple-iPhone
       Attributes:
         - DHCP Option55 = 1,3,6,15,119
         - HTTP UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16)"
         - OUI = Apple

Step 5: Tie Profiling to Authorization Policy

  1. GUI: Policy → Policy Sets → Authorization Policy → Add Rule
    • Name: iPhone-Internet
    • IF Profile = Apple-iPhone → Assign VLAN 20, SGT Internet-Only
    • [Screenshot: AuthZ Policy Rule]
  2. CLI Validation:
       ise/admin# show logging application profiler.log
       Endpoint a4:5e:60:1a:2b:3c matched Apple-iPhone → VLAN 20
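The policy logic from Steps 2 to 5 (multi-attribute conditions, priority ordering, and the "Unknown" fallback from the FAQ) as an added, runnable model. This is not ISE code: the OUI table and endpoint attributes are constructed samples, the condition and policy names follow the lab above, and matching is simplified to "all conditions must hold, highest priority wins".

```python
from dataclasses import dataclass, field
# Constructed OUI table (first three octets -> vendor); ISE uses the full IEEE list.
OUI_VENDORS = {"a4:5e:60": "Apple", "3c:d9:2b": "HP", "00:1b:54": "Cisco"}

@dataclass
class Condition:
    attribute: str   # e.g. "OUI", "DHCP-Option55", "HTTP-User-Agent"
    operator: str    # "equals" or "contains"
    value: str

    def matches(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:           # no probe collected this attribute -> no match
            return False
        if self.operator == "equals":
            return actual == self.value
        return self.value in actual  # "contains"

@dataclass
class Policy:
    name: str
    profile: str
    priority: int                    # higher number wins, as in the lab above
    conditions: list = field(default_factory=list)

def profile_endpoint(mac: str, attrs: dict, policies: list):
    """Return (profile, winning policy name); ("Unknown", None) if nothing matches."""
    attrs = dict(attrs)
    vendor = OUI_VENDORS.get(mac.lower()[:8])   # derive OUI attribute from the MAC
    if vendor:
        attrs["OUI"] = vendor
    # Highest priority first; the first policy whose conditions ALL hold wins.
    for pol in sorted(policies, key=lambda p: p.priority, reverse=True):
        if all(c.matches(attrs) for c in pol.conditions):
            return pol.profile, pol.name
    return "Unknown", None

# Conditions and policies from Steps 2-3, plus the generic Apple-Device rule at priority 10.
APPLE_DHCP = Condition("DHCP-Option55", "contains", "1,3,6,15,119")
POLICIES = [
    Policy("Apple-Device-Policy", "Apple-Device", 10, [Condition("OUI", "equals", "Apple")]),
    Policy("Apple-iPhone-Policy", "Apple-iPhone", 100,
           [Condition("OUI", "equals", "Apple"), APPLE_DHCP,
            Condition("HTTP-User-Agent", "contains", "iPhone")]),
]

if __name__ == "__main__":
    iphone = {"DHCP-Option55": "1,3,6,15,119",
              "HTTP-User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16)"}
    print(profile_endpoint("a4:5e:60:1a:2b:3c", iphone, POLICIES))  # -> ('Apple-iPhone', 'Apple-iPhone-Policy')
```

Remove the HTTP probe data from the attribute dict and the same MAC drops to the generic Apple-Device profile, which is exactly the "probe disabled" failure mode described in Q2 below.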

FAQs

Q1. How does ISE decide which profiling policy wins?

  • By priority number (top-down). Higher = takes precedence.

Q2. Why is my endpoint always “Unknown”?

  • Likely causes:
    • Probes disabled.
    • NAD not forwarding DHCP/RADIUS attributes.
    • Wrong condition logic.
  • CLI: debug application profiler all

Q3. Can a device match multiple profiles?

  • No, only one active profile at a time, based on the highest policy match.

Q4. Can I make custom profiles for IoT sensors?

  • Yes. Collect attributes → build profiling conditions → assign to custom profile.

Q5. How do I know which probe gave the attribute?

  • GUI: Endpoint details → “Collected Attributes” tab.
  • CLI: show profiling endpoint mac <mac> details

Q6. How often do profiler feeds update?

  • Weekly, if the PFS subscription is active. This keeps the dictionary updated with new IoT devices, printers, and mobile devices.

Q7. Can profiling work without RADIUS?

  • Yes, via DHCP/HTTP probes.
  • But accuracy is lower; RADIUS adds richer attributes.

Q8. Does profiling affect ISE performance?

  • Yes, if poorly tuned. Too many rules = CPU hit.
  • Best practice: use compound conditions, prioritize critical devices.

Q9. How do I validate profiling in CLI quickly?

  • show profiling endpoint mac <mac>
  • show profiling policy all
  • show logging application profiler.log

Q10. How do I debug mismatched profiles?

  • Enable profiler debug: debug application profiler all
  • Review profiler.log and check which attribute mismatched.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience.


Closing Notes

Profiling Policies & Conditions are mission-critical for accurate device identification. The more precise your conditions (multi-attribute), the more secure and consistent your NAC enforcement will be. Always validate with GUI + CLI and fine-tune based on endpoint behavior.


Upgrade Your Skills – Start Today

For deeper labs and enterprise scenarios:

Fast-Track CCIE Security Training

Seats are limited → secure your learning path today.

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088