11/20/2017 Introducing Cisco Identity Services Engine (ISE) Profiling - Packet Pushers -
Introducing Cisco Identity Services Engine (ISE) Profiling

m00nie, December 22, 2011

Cisco Identity Services Engine (ISE) is relatively new to the market, and I think it attempts to cater to Bring Your Own Device (BYOD) scenarios where IT doesn’t “own” or manage some devices. People like their iPads. I’ve been quite interested in how the magical ISE profiling works and its implications for security. Apart from the profiling, ISE basically works as a RADIUS server, checking authentication and passing back attributes to switches or wireless LAN controllers. As a note, the profiling service requires an advanced license package on top of the base license. The following is from version 1.0.4.573 of ISE.

ISE profiling checks the conditions in a profile policy. Each time a device matches a condition, the “certainty” that it is that type of device is increased. ISE gathers its information from various sources: DHCP, MAC, SNMP, IP, RADIUS or NetFlow. From each of these sources it can check various attributes, for example the OUI assigned to a MAC address.

So let’s look at a sample pre-configured profile policy to see how ISE determines the device type. The screenshot below is the default Android profile policy. Obviously, you can define your own policies, but this post is just to demonstrate the basic functionality of ISE out of the box.

We can see there are two conditions that are checked, and each is weighted with a score of 30. The minimum certainty factor is 30, so only one of these conditions needs to be met to classify the device as “Android”. Let’s have a look at what these rules check.

The first rule checks that the browser’s user agent contains “Android” somewhere in it.

This second rule checks that the host name contains “android” in it.
So basically, if either the host name or the user agent contains “android” then ISE is certain it’s an Android device. Here are a few other examples.

Macbook – if MAC prefix is assigned to Apple and the user agent contains Macintosh and MAC OS.
VMWare device – if MAC prefix is assigned to VMWare.
Playstation3 – if MAC prefix is assigned to Sony.
Blackberry – if two of the following match: MAC prefix assigned to RIM, dhcp-class-identifier is blackberry or hostname contains blackberry.
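
To make the certainty-factor model concrete, here is a small added example (my own toy implementation, not Cisco’s code) that scores endpoints against the policies described in this post. The Android policy uses the weights shown above (30 per condition, minimum 30); the weights I give the Macbook, VMware, Playstation3 and Blackberry policies, the attribute key names, and the OUI-to-vendor table are assumptions and constructed placeholders, not real ISE values or real OUIs.

```python
# Added example (not Cisco's code): a toy model of ISE-style certainty-factor
# profiling. Android weights follow the post; all other weights, attribute key
# names and the OUI table are assumptions / constructed placeholders.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Endpoint = Dict[str, str]  # attributes collected from DHCP, RADIUS, HTTP, SNMP, ...

# Constructed stand-in for the IEEE OUI registry (placeholder prefixes, not real OUIs).
OUI_VENDOR = {"AA:00:01": "Apple", "AA:00:02": "VMware", "AA:00:03": "Sony", "AA:00:04": "RIM"}


@dataclass
class Condition:
    name: str
    check: Callable[[Endpoint], bool]
    certainty_increase: int


@dataclass
class ProfilePolicy:
    name: str
    min_certainty: int
    conditions: List[Condition]

    def evidence(self, ep: Endpoint) -> List[str]:
        """Names of the conditions this endpoint satisfies."""
        return [c.name for c in self.conditions if c.check(ep)]

    def score(self, ep: Endpoint) -> int:
        """Sum the certainty increases of every matching condition."""
        return sum(c.certainty_increase for c in self.conditions if c.check(ep))


def attr_contains(key: str, needle: str) -> Callable[[Endpoint], bool]:
    """Case-insensitive substring check on one collected attribute."""
    return lambda ep: needle.lower() in ep.get(key, "").lower()


def oui_vendor_is(vendor: str) -> Callable[[Endpoint], bool]:
    """Look up the first three octets of the MAC in the (placeholder) OUI table."""
    def check(ep: Endpoint) -> bool:
        mac = ep.get("mac", "").upper().replace("-", ":")
        return OUI_VENDOR.get(mac[:8]) == vendor
    return check


POLICIES = [
    ProfilePolicy("Android", 30, [
        Condition("user-agent contains Android", attr_contains("user_agent", "android"), 30),
        Condition("hostname contains android", attr_contains("hostname", "android"), 30),
    ]),
    # Both conditions must hold: each adds 15, minimum is 30 (weights assumed).
    ProfilePolicy("Macbook", 30, [
        Condition("OUI is Apple", oui_vendor_is("Apple"), 15),
        Condition("user-agent contains Macintosh and Mac OS",
                  lambda ep: attr_contains("user_agent", "macintosh")(ep)
                  and attr_contains("user_agent", "mac os")(ep), 15),
    ]),
    ProfilePolicy("VMware-Device", 10, [Condition("OUI is VMware", oui_vendor_is("VMware"), 10)]),
    ProfilePolicy("Playstation3", 10, [Condition("OUI is Sony", oui_vendor_is("Sony"), 10)]),
    # Any two of three must hold: each adds 10, minimum is 20 (weights assumed).
    ProfilePolicy("Blackberry", 20, [
        Condition("OUI is RIM", oui_vendor_is("RIM"), 10),
        Condition("dhcp-class-identifier is blackberry",
                  lambda ep: ep.get("dhcp_class_identifier", "").lower() == "blackberry", 10),
        Condition("hostname contains blackberry", attr_contains("hostname", "blackberry"), 10),
    ]),
]


def classify(ep: Endpoint, policies: List[ProfilePolicy] = POLICIES) -> Tuple[str, int, List[str]]:
    """Return (profile, certainty, evidence) for the best policy whose score reaches
    its minimum certainty; the highest score wins, ties go to the first policy."""
    best: Tuple[str, int, List[str]] = ("Unknown", 0, [])
    for p in policies:
        s = p.score(ep)
        if s >= p.min_certainty and s > best[1]:
            best = (p.name, s, p.evidence(ep))
    return best


# Constructed sample endpoints (fake MACs, hostnames and user agents).
SAMPLES: Dict[str, Endpoint] = {
    "android-ua": {"mac": "AA:00:09:11:22:33", "user_agent": "Mozilla/5.0 (Linux; U; Android 2.3.4)"},
    "android-host": {"mac": "AA:00:09:44:55:66", "hostname": "android-8f2c1d"},
    "macbook": {"mac": "AA:00:01:00:00:01", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7)"},
    "vm": {"mac": "AA:00:02:00:00:02"},
    "bb-hostname-only": {"mac": "AA:00:09:77:88:99", "hostname": "blackberry-9900"},
    "bb-two-hits": {"mac": "AA:00:09:77:88:99", "hostname": "blackberry-9900",
                    "dhcp_class_identifier": "BlackBerry"},
}

if __name__ == "__main__":
    for label, ep in SAMPLES.items():
        print(f"{label:18} -> {classify(ep)}")
```

The evidence list is the part worth keeping in a real deployment: it shows whether a classification rests only on attributes the endpoint itself reports (hostname, user agent, DHCP options) or also on something the infrastructure observed, which is the reliability concern the comments below raise.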

Hopefully in the future, we’ll see better policies and conditions to check device types. DACL support on the WLCs would be great to see, too.

If anyone wants to share custom rules they have found to be a little more robust than
the defaults, please share them in the comments.

“Security is an architecture, not an appliance.” – Art Wittmann

Comments


Forkwieldingmonkey says

December 22, 2011 at 5:16 PM

In the short demo I saw, the defaults were “usually” able to distinguish between an iPad 1 and iPad 2 correctly.

Reply

Gavin McBain says

December 23, 2011 at 8:39 AM

We had to make our own iPad2 profile policy to get them picked up at all. It’s more the simple (easily spoofed) nature of the checks that worries me a bit. Hopefully in time the policies can be made a lot more reliable.

Reply

Anonymous says

December 24, 2011 at 5:32 PM

Why does my spidey sense warn me that a plethora of security issues are about to be
unleashed upon the world?

Reply

Marvin Rhoads says

December 25, 2011 at 4:07 PM

Gavin,

You can use named ACLs on WLCs with the current versions of ISE (1.0.4) and WLC
(7.0.220). A named ACL can effectively do what a dACL does, just requiring a bit more
work to pre-position it on the WLC(s).

I haven’t seen the detailed roadmap per se but know that more integration with WLCs is
coming soon with ISE 1.1 and WLC 7.2

Reply

Guest says

March 7, 2012 at 7:53 PM

I have been wondering, once a device is profiled and stuck in an endpoint identity group, if they continue to have the profile check each time they get on a network. Any ideas? I guess that I am much more apt to implement MAB if this profile check happens every time. Say a phone is profiled as a phone using CDP, and they are in an IG that is allowed full network access using MAB. So a savvy user changes their MAC to match the phone, unplugs the phone, and plugs in his/her PC. I wonder if ISE is smart enough to say, ok I see your MAC, and that you’re a profiled phone, but I am not seeing the CDP string I expect… access rejected.


Reply

allen00874 says

July 19, 2012 at 8:53 PM

Hey Gavin,

Could you please explain the following:

Say you create a Profiler Policy called -PCBrandX and you set the Minimum Certainty Factor to 20, and you create a condition to profile based on a check for the host-name in DHCP and you assign the condition a Certainty Factor Increase of 10, etc. (Assuming that I define an Exception Action and a Network Scan (NMAP) Action in the policy.)

Here are the two questions:

If you create another condition that initiates a Network Scan (NMAP) Action to scan, say, for OS – how does the scan influence the Certainty Factor?

Also, if you create a condition that initiates an Exception Action – how does that influence the Certainty Factor?

Thanks in advance,
Allen

Reply

Russell Brenner says

September 1, 2012 at 11:46 PM

Has anyone actually used ISE in an education or similarly large environment before? I’m looking at a solution by Bradford Networks, which looks a fair bit better. The ISE profiling looks extremely cumbersome.

Reply
