[Day 78] Cisco ISE Mastery Training: Profiling Policies & Conditions
Introduction
Cisco ISE profiling is like giving the NAC engine eyes and intelligence.
Without profiling, ISE knows a device only by its MAC or credentials. With profiling, ISE can identify:
- This MAC belongs to a Windows 10 Laptop (DHCP + RADIUS attributes).
- This MAC is an HP Printer (OUI + SNMP + DHCP fingerprint).
- This is an Apple iPhone (HTTP User-Agent + OUI + DHCP options).
Profiling Policies and Conditions are the foundation of this process.
- Conditions = building blocks (what patterns should match).
- Policies = rules that decide the profile based on one or more conditions.
For network access control to be effective, device identification must be accurate, dynamic, and scalable. Profiling policies and conditions make this happen.
Problem Statement
Enterprises face 4 big problems:
- Device Sprawl – BYOD, IoT, printers, phones → thousands of devices without uniform login methods.
- Inaccurate Access – If an IoT sensor is misclassified as a laptop, it might be given full corporate access instead of restricted VLAN.
- Weak Attributes – MAC OUI alone is insufficient; Apple OUI could be an iPad, iPhone, or MacBook.
- Dynamic Environment – Devices update OS, change DHCP signatures, and present new fingerprints. Without adaptive profiling policies, profiles break.
So: How do we accurately profile devices using multi-attribute, prioritized rules, and ensure ISE dynamically adapts to changes?
Solution Overview
Cisco ISE solves this using:
- Profiling Conditions – Logic statements that match attributes such as DHCP Option 55, HTTP User-Agent, or RADIUS Called-Station-ID.
- Profiling Policies – Rules that link conditions with profiles (e.g., if DHCP = iOS + OUI = Apple → Profile = Apple-iPhone).
- Dynamic Feed Service (PFS) – Regular updates from Cisco with new device fingerprints.
- Context Visibility – Real-time endpoint classification dashboard.
- CLI & GUI Validation Tools – For engineers to debug profiles, logs, and attributes.
Sample Lab Topology
We’ll simulate profiling in a VMware/EVE-NG lab.
Topology

- Switch: RADIUS AuthC/AuthZ + DHCP relay → ISE.
- WLC: Wireless endpoints send RADIUS attributes.
- Endpoints: Windows 10 laptop, Apple iPhone, HP Printer, Cisco IP Phone.
Step-by-Step GUI + CLI Guide
Step 1: Enable Profiling Probes
- GUI: Administration → System → Deployment → [PSN Node] → Profiling Configuration
- Enable RADIUS, DHCP, HTTP, SNMP Query, SNMP Trap.
- [Screenshot: Deployment Probes Screen]

- CLI Verification:
ise/admin# show profiling configuration
Probes enabled: RADIUS, DHCP, HTTP, SNMP
Step 2: Create Profiling Conditions
- GUI: Policy → Policy Elements → Conditions → Profiling → Add
- Name: Apple_DHCP_Signature
- Condition:
DHCP-Option55 contains 1,3,6,15,119
- Save.
- [Screenshot: Profiling Condition Builder]

- CLI Validation:
ise/admin# show profiling condition name Apple_DHCP_Signature
Condition: DHCP-Option55 contains 1,3,6,15,119
Status: Enabled
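The condition above tests the DHCP option 55 (Parameter Request List) fingerprint that the DHCP probe collects. The following added example, which is not Cisco ISE code and not part of the original post, shows where that "1,3,6,15,119" string comes from: it parses the options area of a DHCP message (RFC 2132 TLV layout), renders option 55 as the comma-separated list ISE displays, and applies the same "contains" string test the condition uses. The sample packet bytes are constructed for the example, not captured from a real iPhone, and the function names are the example's own.

```python
from typing import Dict

# RFC 2132 layout: the options field begins with the magic cookie and then
# holds type-length-value entries; 0 is a one-byte pad and 255 ends the list.
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQUEST_LIST, OPT_END = 0, 12, 53, 55, 255


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options area into {option_code: raw_value}.

    Accepts the field with or without the leading magic cookie. Pad (0) is
    skipped, End (255) stops parsing, and a truncated option raises
    ValueError instead of silently yielding a partial fingerprint.
    """
    if payload.startswith(DHCP_MAGIC_COOKIE):
        payload = payload[len(DHCP_MAGIC_COOKIE):]
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = value
        i += 2 + length
    return options


def option55_fingerprint(options: Dict[int, bytes]) -> str:
    """Render option 55 the way the profiler shows it, e.g. '1,3,6,15,119'.

    Each byte of the Parameter Request List is one requested option code.
    Returns '' when the client sent no option 55 (nothing to match on).
    """
    raw = options.get(OPT_PARAM_REQUEST_LIST, b"")
    return ",".join(str(b) for b in raw)


def dhcp_option55_contains(fingerprint: str, pattern: str) -> bool:
    """The 'contains' operator of the profiling condition: a substring test
    on the rendered list, so a client that requests extra options beyond
    the pattern still matches."""
    return pattern in fingerprint


# Constructed sample: options area of a DHCP Discover carrying message type
# (53), a pad byte, the request list (55) = 1,3,6,15,119 and a host name (12).
SAMPLE_OPTIONS = (
    DHCP_MAGIC_COOKIE
    + bytes([OPT_MSG_TYPE, 1, 1])                            # 53: DHCPDISCOVER
    + bytes([OPT_PAD])                                       # pad, must be skipped
    + bytes([OPT_PARAM_REQUEST_LIST, 5, 1, 3, 6, 15, 119])   # 55: requested options
    + bytes([OPT_HOSTNAME, 6]) + b"iphone"                   # 12: client host name
    + bytes([OPT_END])
)

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    fp = option55_fingerprint(opts)
    print("DHCP-Option55 =", fp)
    print("Apple_DHCP_Signature matches:", dhcp_option55_contains(fp, "1,3,6,15,119"))
```

The parser refuses truncated options on purpose: a fingerprint built from a cut-off request list would look like a different device and could match the wrong policy, which is exactly the kind of silent misclassification the Problem Statement warns about.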
Step 3: Build Profiling Policies
- GUI: Policy → Profiling → Policies → Add
- Name: Apple-iPhone-Policy
- Conditions:
- OUI = Apple
- AND DHCP = Apple_DHCP_Signature
- AND HTTP User-Agent contains iPhone
- Result: Assign Profile = Apple-iPhone
- Priority: 100 (above “Apple-Device” generic rule).
- [Screenshot: Profiling Policy Screen]

- CLI Verification:
ise/admin# show profiling policy name Apple-iPhone-Policy
Policy: Apple-iPhone-Policy
Conditions: OUI=Apple, DHCP=Apple_DHCP_Signature, HTTP UA contains iPhone
Result: Profile=Apple-iPhone
Priority: 100
Step 4: Endpoint Testing
- Connect iPhone → joins wireless SSID via WLC.
- GUI: Context Visibility → Endpoints → Search MAC
- Profile = Apple-iPhone
- Source: DHCP + HTTP + RADIUS probes
- [Screenshot: Endpoint Profile Screen]
- CLI Validation:
ise/admin# show profiling endpoint mac a4:5e:60:1a:2b:3c
Profiled: Apple-iPhone
Attributes:
- DHCP Option55 = 1,3,6,15,119
- HTTP UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16)"
- OUI = Apple
Step 5: Tie Profiling to Authorization Policy
- GUI: Policy → Policy Sets → Authorization Policy → Add Rule
- Name: iPhone-Internet
- IF Profile = Apple-iPhone → Assign VLAN 20, SGT Internet-Only
- [Screenshot: AuthZ Policy Rule]
- CLI Validation:
ise/admin# show logging application profiler.log
Endpoint a4:5e:60:1a:2b:3c matched Apple-iPhone → VLAN 20
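Steps 2 to 5 describe one pipeline: conditions are evaluated against collected attributes, an AND-ed policy wins by priority, exactly one profile is assigned, and the profile drives the authorization result. The following added example, which is not Cisco ISE code and not part of the original post, models that pipeline so the behaviour in the FAQ (Q1 priority, Q2 "Unknown", Q3 one profile, Q10 which attribute mismatched) can be seen on sample data. It follows the post's simplified rule "higher priority takes precedence"; the attribute names (`OUI`, `DHCP-Option55`, `HTTP-User-Agent`), the generic policy name `Apple-Device-Policy` with priority 10, and the endpoint attribute sets are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    """One profiling condition: <attribute> <operator> <value>."""
    name: str
    attribute: str   # e.g. "OUI", "DHCP-Option55", "HTTP-User-Agent" (assumed names)
    operator: str    # "equals" or "contains"
    value: str

    def matches(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:            # the probe never collected this attribute
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "contains":
            return self.value in actual
        raise ValueError("unsupported operator: " + self.operator)


@dataclass(frozen=True)
class Policy:
    """A profiling policy: all conditions must match (AND); higher priority wins."""
    name: str
    conditions: Tuple[Condition, ...]
    profile: str
    priority: int


def failed_conditions(policy: Policy, attrs: Dict[str, str]) -> List[str]:
    """Which of a policy's conditions did not match, and why.

    This is the check you do by hand with profiler.log when a device lands
    on the wrong profile: a missing attribute points at a disabled probe or
    a NAD not forwarding it; a wrong value points at the condition logic.
    """
    out = []
    for c in policy.conditions:
        if c.matches(attrs):
            continue
        reason = ("attribute not collected" if c.attribute not in attrs
                  else "got %r" % attrs[c.attribute])
        out.append("%s (%s %s %r): %s" % (c.name, c.attribute, c.operator, c.value, reason))
    return out


def classify(attrs: Dict[str, str], policies: List[Policy]) -> Tuple[str, Optional[str]]:
    """Return (profile, winning policy name).

    Every policy whose conditions all match is a candidate; the highest
    priority wins and only one profile is assigned. No candidate -> Unknown.
    """
    candidates = [p for p in policies if not failed_conditions(p, attrs)]
    if not candidates:
        return "Unknown", None
    best = max(candidates, key=lambda p: p.priority)
    return best.profile, best.name


# Conditions and policies from the post. Apple-Device-Policy is the generic
# rule the post mentions; its exact name and priority (10) are assumed here.
OUI_APPLE = Condition("OUI_Apple", "OUI", "equals", "Apple")
APPLE_DHCP_SIGNATURE = Condition("Apple_DHCP_Signature", "DHCP-Option55", "contains", "1,3,6,15,119")
HTTP_UA_IPHONE = Condition("HTTP_UA_iPhone", "HTTP-User-Agent", "contains", "iPhone")
IPHONE_POLICY = Policy("Apple-iPhone-Policy", (OUI_APPLE, APPLE_DHCP_SIGNATURE, HTTP_UA_IPHONE),
                       "Apple-iPhone", 100)
APPLE_DEVICE_POLICY = Policy("Apple-Device-Policy", (OUI_APPLE,), "Apple-Device", 10)
POLICIES = [IPHONE_POLICY, APPLE_DEVICE_POLICY]

# Step 5 mapping from the post. None means no rule matched, so the
# authorization policy falls through to its default rule.
AUTHZ_RULES = {"Apple-iPhone": {"vlan": 20, "sgt": "Internet-Only"}}


def authorize(profile: str) -> Optional[Dict[str, object]]:
    return AUTHZ_RULES.get(profile)


# Constructed endpoint attribute sets (not captured from real devices).
ENDPOINTS = {
    "iphone": {"OUI": "Apple", "DHCP-Option55": "1,3,6,15,119",
               "HTTP-User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16)"},
    # Same phone, but the HTTP probe is off, so no User-Agent was collected.
    "iphone_no_http_probe": {"OUI": "Apple", "DHCP-Option55": "1,3,6,15,119"},
    "printer": {"OUI": "Hewlett Packard", "DHCP-Option55": "1,3,6,12,15"},
}

if __name__ == "__main__":
    for label, attrs in ENDPOINTS.items():
        profile, policy = classify(attrs, POLICIES)
        print(label, "->", profile, "via", policy, "authz:", authorize(profile))
        for line in failed_conditions(IPHONE_POLICY, attrs):
            print("   Apple-iPhone-Policy miss:", line)
```

Running it shows the iPhone with the HTTP probe disabled falling back to the generic Apple-Device profile, and `failed_conditions` names the uncollected User-Agent as the reason, which is the Q2/Q10 diagnosis without reading raw logs.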
FAQs
Q1. How does ISE decide which profiling policy wins?
- By priority number: when several policies match, the one with the higher priority takes precedence.
Q2. My endpoint is always “Unknown,” why?
- Likely causes:
- Probes disabled.
- NAD not forwarding DHCP/RADIUS attributes.
- Wrong condition logic.
- CLI:
debug application profiler all
Q3. Can a device match multiple profiles?
- No, only one active profile at a time, based on the highest policy match.
Q4. Can I make custom profiles for IoT sensors?
- Yes. Collect attributes → build profiling conditions → assign to custom profile.
Q5. How do I know which probe gave the attribute?
- GUI: Endpoint details → “Collected Attributes” tab.
- CLI:
show profiling endpoint mac <mac> details
Q6. How often do profiler feeds update?
- Weekly, if the PFS subscription is active. This keeps the dictionary updated with new IoT, printer, and mobile device fingerprints.
Q7. Can profiling work without RADIUS?
- Yes, via DHCP/HTTP probes.
- But accuracy is lower; RADIUS adds richer attributes.
Q8. Does profiling affect ISE performance?
- Yes, if poorly tuned. Too many rules = CPU hit.
- Best practice: use compound conditions, prioritize critical devices.
Q9. How do I validate profiling in CLI quickly?
show profiling endpoint mac <mac>
show profiling policy all
show logging application profiler.log
Q10. How do I debug mismatched profiles?
- Enable profiler debug:
debug application profiler all
- Review profiler.log and check which attribute mismatched.
YouTube Link
For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience.
Closing Notes
Profiling Policies & Conditions are mission-critical for accurate device identification. The more precise your conditions (multi-attribute), the more secure and consistent your NAC enforcement will be. Always validate with GUI + CLI and fine-tune based on endpoint behavior.
Upgrade Your Skills – Start Today
For deeper labs and enterprise scenarios:
- Subscribe: Network Journey YouTube Channel
- Join: Instructor-Led Cisco ISE Mastery Training (4-month CCIE Security Pro Training).
Fast-Track CCIE Security Training
Seats are limited → secure your learning path today.
Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088