How ISE Profiling Works?

• ISE Profiling is the service used to identify the type of endpoints connected to the network
• ISE Profiling service should be enabled to probe for endpoint attributes
• The attributes requested are depending on the type of probes enabled (for example dhcp probe will request for dhcp-class-identifier, http probe will request for user-agent, etc)
• Attributes gathered from probes are matched against profiling policies
• Profiling policy is made of set of rules
• Each rule matches a condition and assign certainty factor (CF)
• Certainty Factor (CF) is a weight defines how relevant this condition to decide the final endpoint profile
• The SUM of matched CFs should be greater than or equal to minimum CF configured in the Profiling Policy to profile the endpoint
• In case the endpoint matches more than one profiling policy, the highest CF_SUM decides the final endpoint profile
• Once Profiling Policy is matched , it can trigger exception or execute NMAP scan
• This kicks in ONLY after matching the profiling policy
• Profiling policies can be nested using Parent/Child structure
• Child Profiling Policy won't be matched unless Parent Policy is matched
• Nested Policies are used to granular profiling
• Endpoint will be profiled based on the deepest profile matched in the structure
• Common practice to trigger NMAP scan on Parent Policy to get more attributes for Child policy matching
• Each Profiling Policy can be configured to create Endpoint Identity Group and assign matched endpoints to it.
• You can group Profiles in Logical profiles
• Logical Profiles are containers where you add different profiled devices to provide them one treatment (for example same authorization policies)
• Authorization policies can call Logical Profiles or Endpoint Identity Groups to grant access
• Profiling isn't supported for VPN endpoints due to lack of endpoint MAC address information from VPN Gateway