Thos document gives insight of a feature of Cisco ISE which is "Profiling".
I’ve been quite interested in how the magical ISE profiling works and its implications towards security. Apart from the profiling, ISE basically works as a Radius server, checking authentication and passing back attributes to switches or wireless LAN controllers. As a note, the profiling service requires an advanced license package on top of the base license.
Accuracy about device types increases as more probes are enabled. Cisco ISE probe options are NetFlow, DHCP, DHCP SPAN, HTTP, Radius, DNS and a few SNMP TRAP/Query options. Probes view network traffic seen by designated sensors (IE a ISE enabled switch). If you quickly plug and unplug a laptop into a switch, most likely ISE Profiling will only see the SNMP link up trap and know very little about the device. If the device is plugged in and attempts to access the Web, ISE Profiling will see more data and be able to make a more accurate determination of the device’s identity.
Cisco ISE profiling has categories for devices obtained from the cloud or through customization. Each category has specific “weights” assigned that are measured against the device data. As Cisco ISE profiling captures data, different specifications trigger categories as assign weight values are met. For example, a iPad will move from UNKNOWN to APPLE DEVICE based on MAC, network card manufacture type and other info. As more data is collected about the iPad, Cisco ISE profiling will use other attributes to match it from APPLE DEVICE to iPad. Custom categories can be created from UNKNOWN or existing profiles however the majority of device profiles are obtained through the cloud. Profiling is continuous meaning if a device is spoofed, its behavior will give away it’s true identity to provide continuous monitoring of device types on your network.
So basically, if either the host name or the user agent contains “iphone” then ISE is certain it’s an Apple device. Here are a few other examples.
Macbook – if MAC prefix is assigned to Apple and the useragent contains Macintosh and MAC OS.
VMWare device – if MAC prefix is assigned to VMWare.
Playstation3 – if MAC prefix is assigned to Sony.
Blackberry – if two of the following match: MAC prefix assigned to RIM, dhcp-class-identifier is blackberry or hostname contains blackberry.
Some common issues seen:
1) Profiling is not working:
Check to see ISE Profiling Services is enabled under General Settings
Verify which probes are enabled under the Probe Config Tab
Verify the switch you are testing is supporting the probe. For example, if you use SNMP RO, you need to have the switch use the SNMP-SERVER commands to send data to Cisco ISE Profiling. The switch also needs to be managed by ISE via network devices tab.
You may need an ip helper address of the ISE device when using the DHCP probe so ISE sees the data.
2) Devices remain as UNKNOWN
Verify which catalog/profile you are attempting to hit. Click the UNKNOWN device and review the characteristics. Make sure the probes that are enabled are used by the category you are looking to achieve. See AVAYA PHONE example above. You may need to adjust category weights if specific data is not used or not seen by ISE.
Click the UNKNOWN device and verify which probes are actually working. ISE Profiling will show what it knows. Go to the monitoring section and click the device details. ISE shows the communication in detail.
Make sure you have updated your ISE system. If you haven’t updated ISE, it won’t have any categories. There are Air-gap steps for customers who don’t want ISE to touch the internet.
3) Devices remain in a generic category.
This problem is similar to remaining UNKNOWN. Verify the desired category weight attributes and match it to what ISE is seeing for the device under monitoring. You may either have to tune weights or not have enough data due to lack of probe information. Options are enable more probes or use MAC address based (MAB) authentication to recognize devices.