Cisco ISE: Profiling. Part 4

This is the fourth article in a series dedicated to Cisco ISE. In it we discuss ISE profiling: what it is, which data sources it uses, and how to configure it. Links to all articles in the series are given below:

  1. Cisco ISE: Introduction, Requirements, Installation. Part 1

  2. Cisco ISE: Create users, add LDAP servers, integrate with AD. Part 2

  3. Cisco ISE: Configuring Guest Access on FortiAP. Part 3

  4. Cisco ISE: Profiling. Part 4

1. What is profiling?

Profiling is a feature that lets ISE determine the model of an endpoint device, its operating system, manufacturer and location, and on that basis apply a specific profile to the device.

Profiling allows you to:

  • gain monitoring of endpoint devices;

  • gain visibility into BYOD devices;

  • simplify the creation of network access policies based on device profiles.

Cisco ISE ships with a large number of default profiles. Using Profiling Policies, you can group devices by physical attributes (manufacturer, MAC address) or logical ones (e.g. printers, IP phones) and use these profiles in the authentication policy.

2. Sources of data

The following probes can act as sources of data about endpoints:

  • RADIUS

  • SNMP Trap

  • SNMP Query

  • DHCP (a copy of traffic is sent to ISE to collect DHCP packets)

  • HTTP (parsing HTTP headers)

  • DNS

  • Netflow (network telemetry)

  • NMAP Scan (subnet scan)

  • Active Directory (AD integration)

  • PxGrid

Let's look at each of these sources in a little more detail.

2.1 RADIUS Probe

One of the most popular profiling methods is RADIUS. Cisco ISE collects RADIUS attributes from the EAP exchanges between the RADIUS server and its clients. In addition, this probe can collect attributes that the network device learned by listening to CDP, LLDP and even DHCP traffic. Some of the RADIUS attributes used for profiling are:

  • User-Name – the name of the authenticated user;

  • Calling-Station-Id – host MAC address;

  • NAS-IP-Address – IP address of the device that sent the authentication request;

  • NAS-Port – name of the physical interface;

  • Framed-IP-Address – host IP address;

  • Acct-Session-Id – unique accounting session identifier;

  • Acct-Session-Time – session activity time in seconds;

  • Acct-Terminate-Cause – the reason the session was terminated.

The RADIUS Probe yields a lot of valuable information and is also very useful for troubleshooting.
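As an added example that is not part of the original article, the following Python snippet decodes the attributes listed above from a constructed RADIUS Accounting-Request and, before trusting them, verifies the Request Authenticator with the shared secret so that accounting data from an unknown or spoofed NAS is rejected; the NAS address, user name, MAC address and secret are made-up values.

```python
import hashlib
import struct

# RADIUS attribute types (RFC 2865 / RFC 2866) for the attributes listed above.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 8: "Framed-IP-Address",
              31: "Calling-Station-Id", 44: "Acct-Session-Id", 46: "Acct-Session-Time",
              49: "Acct-Terminate-Cause"}
IPV4_ATTRS, INT_ATTRS = {4, 8}, {5, 46, 49}
ACCOUNTING_REQUEST = 4


def parse_radius(packet: bytes, secret: bytes) -> dict:
    """Decode the profiling attributes of one RADIUS packet. For Accounting-Request the
    Request Authenticator is verified with the shared secret (RFC 2866) first."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    if code == ACCOUNTING_REQUEST:
        expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
        if expected != packet[4:20]:
            raise ValueError("Request Authenticator mismatch: wrong secret or forged packet")
    attrs = {"code": code, "id": ident}
    i = 20
    while i + 2 <= length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        value = packet[i + 2:i + alen]
        i += alen
        name = ATTR_NAMES.get(atype)
        if name is None:               # skip attributes we do not profile on
            continue
        if atype in IPV4_ATTRS:
            attrs[name] = ".".join(str(b) for b in value)
        elif atype in INT_ATTRS:
            attrs[name] = struct.unpack("!I", value)[0]
        else:
            attrs[name] = value.decode("utf-8", errors="replace")
    return attrs


def build_sample_acct_request(secret: bytes) -> bytes:
    """Constructed Accounting-Request (Start) from a fictitious switch; not a capture."""
    def avp(t, v):
        return bytes([t, len(v) + 2]) + v
    body = (avp(1, b"alice") + avp(4, bytes([10, 0, 0, 1])) + avp(5, struct.pack("!I", 50101))
            + avp(8, bytes([10, 1, 2, 3])) + avp(31, b"00-11-22-33-44-55")
            + avp(44, b"00000123") + avp(46, struct.pack("!I", 37)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 7, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body
```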

2.2 SNMP Trap Probe

In this case you need to configure SNMP traps on the network devices; this lets ISE learn about hosts connecting and disconnecting. For example, documentation on configuring SNMP on Cisco 4500 switches is available at link… In general, this probe does not have to be enabled, since all of the data it provides, and more, can be obtained through the RADIUS Probe.

2.3 SNMP Query Probe

This probe sends SNMP queries to network access devices to retrieve data from the SNMP MIB (Management Information Base). Using such queries, ISE obtains information about physical interfaces, CDP, LLDP and ARP. First, an SNMP community must be configured on the devices you want to poll. There are two main types of queries: System Queries and Interface Queries.

System Queries include:

  • Bridge, IP (ARP) – a request to populate the IP-to-MAC address table (ARP cache);

  • cdpCacheEntry – information received via CDP;

  • lldpRemoteSystemsData – information received via LLDP;

  • cldcClientEntry – information about clients received from access points (MAC addresses and more).

Interface Queries include:

  • ifIndex, ifDesc and other interface data

  • VLAN information

  • session data for Ethernet interfaces

  • interface data from CDP

  • interface data from LLDP

2.4 DHCP Probe

In this case, a copy of the DHCP requests is sent to ISE using DHCP relay or SPAN / RSPAN. The DHCP Probe provides, for example, the following information:

  • dhcp-class-identifier – platform or operating system

  • dhcp-client-identifier – MAC address

  • dhcp-message-type – type of DHCP message (DHCP Request, DHCP Discover, etc.)

  • dhcp-parameter-request-list – list of options requested by the DHCP client (used to identify the device type)

  • dhcp-requested-address – DHCP client IP address

  • host-name – hostname

  • domain-name – domain name

  • client-fqdn – FQDN of the DHCP client
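As an added example (not code from the article or from Cisco), the following Python script extracts the options listed above from a constructed DHCPDISCOVER packet, which is the kind of parsing a DHCP probe performs on the copied traffic; the client MAC, hostname and class identifier are made-up values.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
# DHCP option codes (RFC 2132) for the attributes listed above.
OPTION_NAMES = {12: "host-name", 15: "domain-name", 50: "dhcp-requested-address",
                53: "dhcp-message-type", 55: "dhcp-parameter-request-list",
                60: "dhcp-class-identifier", 61: "dhcp-client-identifier"}
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return the profiling-relevant fields of one BOOTP/DHCP packet as a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    hlen = packet[2]                                       # hardware address length
    result = {"chaddr": packet[28:28 + hlen].hex(":")}     # client MAC from the header
    i = 240
    while i + 1 < len(packet):
        code = packet[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        i += 2 + length
        name = OPTION_NAMES.get(code)
        if name is None:
            continue
        if code == 53:
            result[name] = MESSAGE_TYPES.get(value[0], f"type-{value[0]}")
        elif code == 50:
            result[name] = ".".join(str(b) for b in value)
        elif code == 55:
            result[name] = list(value)   # option codes the client asks for (fingerprint)
        elif code == 61:
            # Ethernet clients send hardware type 1 followed by their MAC address
            result[name] = value[1:].hex(":") if value[:1] == b"\x01" else value.hex()
        else:
            result[name] = value.decode("ascii", errors="replace")
    return result


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER from a fictitious Windows client (not a real capture)."""
    mac = bytes.fromhex("001122334455")
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6   # BOOTREQUEST, Ethernet, hlen = 6
    header[28:34] = mac
    options = (bytes([53, 1, 1]) + bytes([61, 7, 1]) + mac + bytes([12, 6]) + b"lab-pc"
               + bytes([60, 8]) + b"MSFT 5.0" + bytes([55, 4, 1, 3, 6, 15]) + b"\xff")
    return bytes(header) + MAGIC_COOKIE + options
```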

2.5 HTTP Probe

The HTTP Probe analyzes the headers of client web traffic and can provide data about the application type, operating system, device manufacturer and more. This information is carried in the User-Agent field of the HTTP request header.

There are two ways to send HTTP traffic to ISE: URL redirection or SPAN. Both methods are configured on the switch side. For URL redirection on Cisco access switches, the commands ip http server and ip http secure-server are required.

Of course, if you choose SPAN, then not only the HTTP Probe but also the DHCP Probe will receive information from the traffic copy.

Important: for the HTTP Probe to work, an IP-to-MAC mapping must already exist on ISE, obtained for example via the RADIUS, SNMP or DHCP Probe.

2.6 DNS Probe

Here ISE performs a reverse DNS lookup from the PSN (Policy Service Node) to obtain the FQDN of an end host from its known IP address. With this option enabled on ISE, enter the ip name-server command on the Cisco access switches.

2.7 Netflow Probe

For the Netflow Probe to work, Netflow traffic (telemetry) has to be sent to ISE. In practice this method is rarely used, since Cisco has a separate, mature solution for monitoring network traffic that covers not only network and device performance but also the detection of anomalies, advanced targeted attacks, 0-day files and much more. That solution is Cisco StealthWatch, about which I wrote a whole series of articles.

Nevertheless, the Netflow Probe provides ISE with the following information:

  • Source IP address

  • Destination IP address

  • Source port number

  • Destination port number

  • Protocol

  • ToS (type of service)

  • Physical interfaces and their indexes

2.8 NMAP Scan Probe

The good old nmap scanner is built into ISE with a graphical front end: in the Work Centers > Profiler > Manual Scans tab you can scan a subnet to classify end hosts and determine their operating system, OS version and running services. Use the appropriate scan options on this tab.

A scan can also be started automatically from a profiling policy. In addition, scan parameters and their results can be saved for convenience.

2.9 Active Directory Probe

A lot has already been written about creating users, LDAP and integration with AD, including in the article… In this case, ISE pulls AD attributes such as:

  • AD-Join-Point – which domain controller is giving information about the host

  • AD-Operating-System – host operating system

  • AD-OS-Version – Host OS version

  • AD-Service-Pack – OS service package

2.10 PxGrid Probe

If a pxGrid node is used in Cisco ISE, it can also be configured for profiling. pxGrid is a protocol for integrating various IT and information security solutions, so network devices must support it in order to send data. The pxGrid Probe can obtain many attributes of end devices, such as IP and MAC addresses, ID, type, serial number, device manufacturer, connected network interfaces and some other custom attributes.

3. Configuration

1) First, in the Administration > System > Deployment > Profiling Configuration tab, choose which probes ISE will use for profiling. After selecting the checkboxes, click Save.

2) Then go to the Work Centers > Profiler > Network Devices tab and, in the same way as in the previous article, add the access layer network devices (switches, WLCs, routers) that will send data for profiling.

3) For the RADIUS Probe and SNMP probes to work, these protocols must be configured both in the Network Device object and on the device itself.

4) To use AD, integrate Cisco ISE with it according to this article.

5) Next, go to the Work Centers > Profiler > Settings > Profiler Settings tab and enable the profiling options.

6) In the Logical Profiles tab you can create your own logical device profiles and add new profiles and devices to them. A lot is pre-installed, so this step is fine-tuning.

7) Additionally, in the Profiling Policies tab you can edit the profile of each device, create exceptions for scanning devices, and define CoA (Change of Authorization) actions (port bounce, port shutdown, etc.). So, for example, when a device is detected you can automatically start a scan or shut down the port on the switch.

8) Make sure that the authorization policy settings in the Profiler > Policy Sets > Default Policy > Authorization Policy tab match your device authentication methods. If you are just deploying the solution, you can set Default – Permit Access and then fine-tune by analogy with the default policy.

9) On the network access devices (switches, routers, wireless LAN controllers), configure Device Sensor, which in Cisco terminology is a family of protocols (CDP, LLDP, DHCP, RADIUS + 802.1X) that send profiling data.

For the SNMP Trap and SNMP Query Probes to work, SNMP must be configured on the access layer devices.

10) As a result, devices on the network can be monitored in the Profiler > Endpoint Classification tab.

Clicking on a MAC address opens the expanded endpoint record. Here the HTTP Probe returned information about a Debian virtual machine.

4. Conclusion

Profiling in ISE can tell a lot about the devices on the network and identify them by parameters such as:

  • MAC address and OUI

  • Equipment manufacturer

  • Operating system version

  • Browser and its version on the device

  • Host FQDN

  • Hostname

  • Source, destination ports

  • Protocol

  • AD attributes

  • RADIUS attributes

  • CDP / LLDP data

All in all, ISE is a powerful access-layer network monitoring tool. Device profiles can be used to build access policies, configure CoA responses and ISE scans.

To test Cisco ISE, refer to link, and also stay tuned to our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).
