Introduction
Profiling probes in Identity Services Engine (ISE) are tools used to collect detailed information about devices connected to the network. These probes gather data such as MAC addresses, operating systems, and network protocols, which ISE then uses to create a device profile.
There are several types of profiling probes in ISE, each designed to collect specific data:
- RADIUS Probe: This collects attributes such as NAS-IP-Address, NAS-Port, Calling-Station-ID, Acct-Session-ID, Framed-IP-Address, Acct-Session-Time, and Acct-Terminate-Cause. It can also collect additional attributes such as CDP, LLDP, DHCP, HTTP, and MDM from the IOS Device Sensor if supported by the NAD.
- DHCP Probe: Collects data from DHCP requests and responses, including the device’s MAC address, hostname, and operating system.
- DHCP Span Probe: This is the same as the regular DHCP probe, except instead of using a DHCP Helper, you would use a SPAN port to send DHCP packets. This is very rarely used.
- DNS Probe: Performs a reverse DNS lookup for the FQDN.
- HTTP Probe: Monitors HTTP traffic to collect data, such as user-agent strings, that typically identify the browser, application type, operating system, software vendor, and software revision by submitting a characteristic identification string to its operating peer. This adds additional context to the endpoint to profile with.
- NetFlow Probe: The NetFlow Probe uses network flow data to profile devices based on their traffic patterns and the services they use. In 99.99999% of cases, you would not turn this probe on.
- SNMP Query Probe: This allows querying your Network Access Devices (NADs) for configurations such as ARP, CDP, LLDP, and new MAC notifications.
- SNMP Trap Probe: This allows the PSN to receive information from specific NADs that support MAC notification, linkup, link down, and informs. For SNMP Trap to be fully functional, you must also enable SNMP Query. This is important for receiving information when ports go up and down, and endpoints are connected and disconnected in your network.
- Active Directory Probe: Improves fidelity of OS information for Windows endpoints since Active Directory details OS information for AD-joined computers, including version and service pack levels. If ISE possesses the FQDN from the DHCP or DNS probes, the AD probe retrieves this information directly using the AD Runtime connector to provide a highly reliable source of client OS information. It can also help you distinguish between corporate and non-corporate assets.
- AnyConnect ACIDEX Probe: Collects endpoint data, such as operating system version, directly from Cisco AnyConnect/Secure Client.
- pxGrid Probe: Fetches attributes of an endpoint from a pxGrid subscriber.
- NMAP Probe: The only active probe, where ISE itself touches the endpoint. Scans the endpoint for open ports, service information, banner information, and OS.
The data collected by these probes is aggregated and analyzed by ISE to create a comprehensive profile for each device on the network. This profiling allows ISE to apply appropriate security policies, ensuring that devices are granted the correct level of access based on their identity and characteristics. Profiling probes are critical for maintaining security and visibility within a network, as they enable dynamic and context-aware access control.
In this post, we will be focusing only on the ISE configuration. If a probe requires configuration on the Network Access Device (NAD), I will cover that in a future blog post on NAD configuration.
Enabling Profiling Probes
To enable an interface of your ISE PSN to accept probes, navigate to Administration>System>Deployment.
Click on the name of the ISE PSN that you want to configure.
Click on the Profiling Configuration tab.
On this page, you can move the slider to enable probes on the PSN. With the extensive list of probes available, which ones should you enable?
- Netflow: You will not receive a cookie if you enable this probe! Joking aside, ISE was never created to be a scalable Netflow collector. Enabling the Netflow probe at scale could severely limit the scalability of your deployment, so please don’t do it. There might be some corner cases where it makes sense (further info: this article), but I would not recommend doing it in 99.9999999% of cases.
- DHCP: This is enabled by default and should remain enabled. Enabling this probe allows you to gather DHCP information from a DHCP helper address.
- DHCPSPAN: Disabled by default and should remain disabled. I haven’t seen a network in the last ten years that required this probe as a DHCP helper address gets the same information.
- HTTP: This is disabled by default and most likely does not need to be turned on. It is only needed if you use a SPAN port to send HTTP packets to ISE. If you are using IOS Device Sensor (RADIUS) or have a URL redirect to ISE, ISE still gathers the user-agent regardless of whether this probe is enabled or not.
- RADIUS: Enabled by default. Leave it enabled.
- NMAP: Enabled by default. Leave it enabled. However, there might be sensitive subnets that you need to disable, such as a subnet with sensitive medical equipment. More on this later.
- DNS: Disabled by default. Enable it.
- SNMPQUERY: It is enabled by default. There is no harm in leaving it enabled, but you’ll only use it for old Cisco switches or third-party switches.
- SNMPTRAP: Disabled by default. Enable it if you have ancient Cisco switches (pre-15.0(1) or pre-IOS-XE) or third-party switches.
- Active Directory: Enabled by default. Leave it enabled.
- pxGrid: Disabled by default. Leave it disabled unless you plan on using pxGrid to gather additional context.
After you have enabled the probes, click Save.
Optimizing NMAP Probe
Navigate to Administration>System>Settings>Profiling
On this page is a field for Current custom SNMP community strings. You may believe this is for the SNMP probe, but it is not. It’s for the NMAP probe. On some scans, the NMAP probe will try to retrieve information via SNMP if it has strings. Many devices – such as IoT devices – have hardcoded or default read-only SNMP strings, such as public. The default string in this field to be used with NMAP is public. However, you can configure additional strings separated by commas. So you would enter:
mycust0m$tr1ng,public
to have NMAP try both mycust0m$tr1ng and public when it scans SNMP ports.
Configure these strings as appropriate for your environment, but I strongly recommend leaving public in the list of strings to attempt.
Navigate to Work Centers>Profiler>Settings>NMAP Scan Subnet Exclusions.
Remember how I mentioned that you could exclude subnets with potentially sensitive equipment from NMAP scans?
This is where you would configure such exclusions.
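To make the exclusion mechanism concrete, here is an added example (not code from the original post, and not Cisco ISE's own logic) that models the decision a profiler has to make before an NMAP scan: is the endpoint's IP inside one of the subnets listed under NMAP Scan Subnet Exclusions? The subnet list and endpoint IPs are constructed for illustration; it also validates the list the way you would want the page to, rejecting malformed entries and handling a mix of IPv4 and IPv6 ranges.

```python
# Added example, not code from the original post or from Cisco ISE. It models
# the decision ISE has to make before an NMAP scan: is the endpoint's IP inside
# one of the subnets listed under NMAP Scan Subnet Exclusions? Subnet values and
# endpoint IPs below are constructed for illustration.
import ipaddress

# Constructed exclusion list, in the form the exclusions page accepts (CIDR).
EXCLUDED_SUBNETS = [
    "10.50.0.0/16",        # hypothetical medical-equipment VLANs
    "192.168.77.0/24",     # hypothetical building-control segment
    "2001:db8:ffff::/48",  # hypothetical IPv6 range for the same gear
]


def validate_exclusions(entries):
    """Return the entries that are not valid IPv4/IPv6 networks.

    A bare host address ("10.50.0.7") is accepted as a /32 or /128; a prefix
    with host bits set ("10.50.1.0/16") is accepted and normalised to its
    network address.
    """
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def load_exclusions(entries):
    """Parse the exclusion list, failing loudly on malformed entries."""
    bad = validate_exclusions(entries)
    if bad:
        raise ValueError(f"invalid exclusion entries: {bad}")
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def matching_exclusion(endpoint_ip, networks):
    """Return the exclusion (as a string) covering endpoint_ip, or None.

    An IPv4 address is never 'in' an IPv6 network and vice versa, so a mixed
    list is safe to check in one pass.
    """
    addr = ipaddress.ip_address(endpoint_ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def plan_scans(endpoint_ips, entries=EXCLUDED_SUBNETS):
    """Split endpoints into those to scan and those skipped (with the reason)."""
    networks = load_exclusions(entries)
    to_scan, skipped = [], {}
    for ip in endpoint_ips:
        hit = matching_exclusion(ip, networks)
        if hit is None:
            to_scan.append(ip)
        else:
            skipped[ip] = hit
    return to_scan, skipped


if __name__ == "__main__":
    # Constructed endpoint IPs, as ISE might hold them from the RADIUS or DHCP probe.
    scan, skip = plan_scans(
        ["10.50.3.4", "10.1.2.3", "192.168.77.250", "2001:db8:ffff::1", "2001:db8:1::1"]
    )
    print("scan:", scan)
    print("skip:", skip)
```

The point of validating the list separately is that a single mistyped prefix should not silently drop the whole exclusion set; the safe failure mode for sensitive equipment is to refuse to scan anything until the list is fixed.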
Configuring SNMP Probe in ISE
After enabling the SNMP probe in ISE, you would still need to configure it on the Network Access Device (NAD).
Navigate to Administration>Network Resources>Network Devices.
Click on the name of a NAD using the SNMP probe.
Scroll down and check the box next to SNMP Settings.
Under these settings, you would configure the following:
- SNMP Version – 1, 2c, 3
- SNMP RO Community
- SNMP Username (Version 3 only)
- Security Level (Version 3 only)
- Auth Protocol (Version 3 only)
- Auth Password (Version 3 only)
- Privacy Protocol (Version 3 only)
- Privacy Password (Version 3 only)
- Polling Interval – Default is 28,800 seconds
- Link Trap Query and MAC Trap Query – Default is enabled
- Originating Policy Services Node – Set to Auto
Additional Profiling Configurations
Navigate back to Administration>System>Settings>Profiling
There are some additional settings on this page we should walk through:
- CoA Type: This refers to the default RADIUS Change of Authorization type for newly profiled devices. Options include:
- No CoA (default): This disables the global configuration of CoA for profiling. This option should only be used if the goal is visibility only.
- Port Bounce: This option will bounce the port. This ensures that any endpoint is reauthorized and the IP address is refreshed. However, if multiple active sessions are on a single port, you will be disconnecting all of them at once. Personally, I would not set this as the global setting; I would only change it on a per-profile basis. We’ll cover this in later posts.
- Reauth: This is my preferred option. It forces already-authenticated endpoints to reauthenticate when they are profiled.
- Endpoint Attribute Filter: To address performance degradation, Cisco ISE implements filters for the DHCP (both DHCP Helper and DHCP SPAN), HTTP, RADIUS, and SNMP probes, but not for the NetFlow probe. Each probe filter contains a list of temporal attributes that are irrelevant for endpoint profiling and removes them from the attributes the probes collect. Enabling this ensures that ISE keeps only allowed attributes and discards the rest. It is disabled by default, but for a large-scale ISE deployment it is recommended to enable it for optimal performance.
- Anomalous Behaviour Detection and Anomalous Behaviour Enforcement: These options enable detection of, and action on, potential MAC spoofing. They aren’t the greatest, and there are better detection methods for MAC spoofing in other integrated tools like Catalyst Center or Secure Network Analytics. In my honest opinion, I would enable detection but not enforcement.
- Custom Attribute for Profiling Enforcement: Enable this if you know ISE will be receiving attributes through pxGrid.
- Profiling for MUD: Enable this if you want ISE to profile IoT devices using Manufacturer Usage Description (MUD). The MUD URL is unique to different device types or device classes. As device manufacturers leverage these options, ISE can dynamically classify the endpoints based on the string values contained in the URL.
- Profiler Forwarder Persistence Queue: This is enabled by default and I would not recommend changing it. The Profiler Forwarder Persistence queue stores events before they are sent to the profiler module for further processing. This helps prevent events being lost if there is suddenly an increase in profiling events at one time.
- XSS Security Scan Enforcement for EndPoint Probe Data: Enabling this allows ISE to scan the endpoint for XSS vulnerabilities.
- MFC Profiling and AI Rules: This is enabled by default. Multifactor Classification (MFC) allows ISE to introduce four new attributes for profiling endpoints: MFC Endpoint Type, MFC Hardware Manufacturer, MFC Hardware Model, and MFC Operating System. This needs to be enabled to use AI Endpoint Analytics.
- Publish Endpoint Attributes to AI Endpoint Analytics: Disabled by default. This enables the endpoint attribute forwarding from ISE to the AI Endpoint Analytics cloud.
- Consume Endpoint Profiles from AI Endpoint Analytics: Disabled by default. This allows the AI Endpoint Analytics cloud to publish profile data to ISE for profile recommendations.
After making the changes you want, click Save.
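To show what the Anomalous Behaviour Detection and Enforcement switches are conceptually doing, here is an added example, not code from the original post and not Cisco ISE's internal logic. It keeps a per-MAC baseline of the attributes an endpoint first presented and flags later events that contradict it. The three checks (a wired/wireless flip in NAS-Port-Type, a change of DHCP class identifier, and a profile moving from an infrastructure device to a workstation) are this example's assumptions about the kind of change worth flagging; the event data, MACs and the `coa-quarantine` label are all constructed.

```python
# Added example, not code from the original post or from Cisco ISE. It models a
# MAC-spoofing detector in the spirit of the Anomalous Behaviour Detection and
# Enforcement settings. ISE's own rules are not reproduced here: the three
# checks below are this example's assumptions about changes worth flagging.
# Events, MACs and attribute values are constructed.

WIRELESS_PORT_TYPES = {"Wireless-802.11", "Wireless-Other"}
WIRED_PORT_TYPES = {"Ethernet"}
# Profiles a MAC should not silently "become a workstation" from (assumed list).
INFRASTRUCTURE_POLICIES = {"Cisco-IP-Phone", "Printer", "Cisco-Access-Point"}

# Constructed probe events, in arrival order. Keys mirror the RADIUS NAS-Port-Type
# attribute, the DHCP class identifier (option 60) and the profile ISE assigned.
SAMPLE_EVENTS = [
    {"mac": "00:11:22:33:44:55", "probe": "RADIUS", "nas_port_type": "Ethernet",
     "dhcp_class_id": "Cisco Systems, Inc. IP Phone", "endpoint_policy": "Cisco-IP-Phone"},
    # Same MAC later shows up as a Windows workstation on the phone's port.
    {"mac": "00:11:22:33:44:55", "probe": "DHCP", "nas_port_type": "Ethernet",
     "dhcp_class_id": "MSFT 5.0", "endpoint_policy": "Workstation"},
    {"mac": "aa:bb:cc:dd:ee:01", "probe": "RADIUS", "nas_port_type": "Wireless-802.11",
     "dhcp_class_id": "MSFT 5.0", "endpoint_policy": "Workstation"},
    # Same wireless MAC suddenly authenticates on a wired port.
    {"mac": "AA:BB:CC:DD:EE:01", "probe": "RADIUS", "nas_port_type": "Ethernet",
     "dhcp_class_id": "MSFT 5.0", "endpoint_policy": "Workstation"},
    # A legitimate reauthentication: nothing changes, nothing is flagged.
    {"mac": "aa:bb:cc:dd:ee:03", "probe": "RADIUS", "nas_port_type": "Ethernet",
     "dhcp_class_id": "MSFT 5.0", "endpoint_policy": "Workstation"},
    {"mac": "aa:bb:cc:dd:ee:03", "probe": "RADIUS", "nas_port_type": "Ethernet",
     "dhcp_class_id": "MSFT 5.0", "endpoint_policy": "Workstation"},
]


def access_method(nas_port_type):
    """Collapse NAS-Port-Type into wired / wireless / unknown."""
    if nas_port_type in WIRELESS_PORT_TYPES:
        return "wireless"
    if nas_port_type in WIRED_PORT_TYPES:
        return "wired"
    return "unknown"


class AnomalyDetector:
    def __init__(self, enforce=False):
        self.enforce = enforce      # mirrors the Detection vs Enforcement switches
        self.baseline = {}          # mac -> attributes first seen for that MAC
        self.flagged = set()

    def observe(self, event):
        """Compare an event against the MAC's baseline; return a list of findings."""
        mac = event["mac"].lower()
        attrs = {k: v for k, v in event.items() if k not in ("mac", "probe")}
        base = self.baseline.get(mac)
        if base is None:
            self.baseline[mac] = attrs   # first sighting establishes the baseline
            return []
        findings = []
        old = access_method(base.get("nas_port_type"))
        new = access_method(attrs.get("nas_port_type"))
        if "unknown" not in (old, new) and old != new:
            findings.append(f"{mac}: access method changed {old} -> {new}")
        old_cid, new_cid = base.get("dhcp_class_id"), attrs.get("dhcp_class_id")
        if old_cid and new_cid and old_cid != new_cid:
            findings.append(f"{mac}: DHCP class identifier changed {old_cid!r} -> {new_cid!r}")
        if (base.get("endpoint_policy") in INFRASTRUCTURE_POLICIES
                and attrs.get("endpoint_policy") == "Workstation"):
            findings.append(f"{mac}: profile changed {base['endpoint_policy']} -> Workstation")
        if findings:
            self.flagged.add(mac)
        return findings

    def action_for(self, mac):
        """What the policy engine would do with the MAC's next session."""
        if mac.lower() not in self.flagged:
            return "allow"
        # Enforcement would issue a CoA to the NAD; detection only records the event.
        return "coa-quarantine" if self.enforce else "log-only"


def run(events, enforce=False):
    detector = AnomalyDetector(enforce)
    findings = []
    for event in events:
        findings.extend(detector.observe(event))
    return detector, findings


if __name__ == "__main__":
    detector, findings = run(SAMPLE_EVENTS)
    for line in findings:
        print(line)
    for mac in sorted(detector.baseline):
        print(mac, "->", detector.action_for(mac))
```

Note that the baseline is deliberately never updated after a finding, so a MAC keeps being flagged until an operator clears it. That is also where checks of this kind get noisy: docking stations, dual-boot machines and USB NICs legitimately change a MAC's DHCP class identifier or access method, which is why enabling detection without enforcement is the safer first step.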
Navigate to Administration>Feed Service>Profiler
Ensure that the box Enable Online Subscription Update is checked.
It should be enabled by default. This downloads profile and MAC OUI updates from Cisco.