How to Configure Profiling and Posturing in Cisco ISE.
What is Profiling in Cisco ISE?
Profiling is the ISE function that discovers, locates and determines the capabilities of the endpoints attached to the network, whether they connect over wired or wireless. ISE first identifies the device type and only then authorizes the endpoint according to the policy you configured. To gather this information ISE uses several sources, called probes, such as DHCP, SNMP (query and trap), RADIUS, HTTP, DNS and NetFlow, together with the endpoint's MAC address (its OUI identifies the vendor).
Profiling works together with CoA (Change of Authorization). For example, an IP phone is connected to your network and has already been authorized by ISE as a phone. If ISE later sees the same MAC address using a Skype port for video conferencing (traffic an IP phone would not generate, visible for instance through the NetFlow probe), ISE concludes that this is not an IP phone but someone spoofing its MAC, re-authenticates the endpoint and assigns it a different profile and authorization policy.
Profiling can be done via two methods:
- Manual/Static (defined by the administrator)
The manual method does not scale, and an endpoint never transitions to another identity group automatically. You have to add the MAC address of every endpoint to the ISE endpoint store yourself, which is an overhead for the administrator.
- Dynamic/Automatic (through ISE profiling rules)
In the dynamic method ISE profiles a device as soon as it connects to the network and stores its MAC address in the endpoint store itself, so you do not need to add the MAC address of every endpoint by hand.
NOTE: Before configuring profiling and posture on ISE, make sure the profiler feed and the posture updates are current; both are downloaded from Cisco (in ISE 2.x under Administration > FeedService > Profiler and Administration > System > Settings > Posture > Updates).
How to Configure Profiling on ISE?
The topology below uses an IP phone, so the IP phone is the endpoint that will be profiled.
Configuration on Switch:
The DHCP probe is the most commonly used probe, so it is used here too. It needs configuration on the switch: the switch must relay the endpoint's DHCP packets to ISE so that ISE can read the DHCP options (class identifier, host name, parameter request list) and learn about the endpoint. This is done with an additional DHCP helper address on the client-facing SVI. The helper pointing at the real DHCP server stays in place; ISE only inspects the relayed copy and never answers it.
Sw1(config)# interface vlan47
Sw1(config-if)# ip helper-address <ip of ISE>
That is all for the DHCP probe. ISE ships with several other probes, and each needs the corresponding configuration on the switch or IOS device (for example a read-only SNMP community for the SNMP query probe, or NetFlow export for the NetFlow probe). Before configuring any probe on the switch, make sure the switch already has ISE configured as its RADIUS server, because the RADIUS probe and CoA depend on it.
Also configure SNMP traps with ISE as the destination, so that any MAC change on a switch port sends a trap to ISE (the SNMP trap probe). The interface command below only takes effect when MAC notification and the trap destination are enabled globally (mac address-table notification change, snmp-server enable traps mac-notification, and an snmp-server host entry pointing at ISE).
On all access interfaces of the switch:
Sw(config-if)# snmp trap mac-notification change added
Configuration on ISE:
Go to Administration > System > Deployment, select the ISE node, open the Profiling Configuration tab, enable the DHCP probe (it listens on UDP 67 on the selected interface) and click Save.
Now enable CoA for profiling, because it is disabled by default.
Go to Administration > System > Settings > Profiling and change CoA Type from No CoA to Reauth. CoA only takes effect if the switch accepts dynamic authorization from ISE (aaa server radius dynamic-author with ISE as a client); otherwise a profile change is recorded but the session is not re-authenticated.
Now enable SNMP for the network device.
Click Administration > Network Resources > Network Devices, edit your switch, scroll down to SNMP Settings and enter the SNMP version, community string (read-only is enough) and polling interval that match the switch configuration. Without this the SNMP query probe cannot poll the switch.
Create a new profiler policy:
Go to Policy > Profiling.
Many profiler policies already exist by default (for Samsung devices, Apple devices, Cisco devices and many more) and are kept current by the profiler feed. Each policy is a set of conditions with certainty factors: an endpoint matches a policy when the sum of the certainty factors of its matching conditions reaches the policy's minimum certainty factor, and the most specific matching policy in the hierarchy wins (for the IP phone used here, Cisco-IP-Phone under Cisco-Device). If you want to add your own policy, click the Add symbol.
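To make the certainty-factor matching concrete, here is an added Python model of the profiler's decision (example code, not Cisco's or ISE's implementation). The OUI table, the three policies, the DHCP class identifiers and the MAC addresses are constructed for the example; only the attribute names (MACAddress, OUI, dhcp-class-identifier, host-name) and the parent/child policy layout are borrowed from ISE. It also shows the CoA decision from the spoofing scenario described earlier: the same MAC first looks like a phone and later like a Windows host, so its profile changes and a Reauth is triggered.

```python
"""Toy model of how the ISE profiler scores an endpoint against profiler
policies.  Added example, not Cisco code: the OUI table, the policies and the
endpoint attributes are constructed for illustration and only borrow ISE's
attribute names (MACAddress, OUI, dhcp-class-identifier, host-name)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed OUI-to-vendor subset; ISE keeps the full IEEE OUI table.
OUI_VENDORS = {"00:1B:D4": "Cisco Systems, Inc", "00:0C:29": "VMware, Inc."}


@dataclass(frozen=True)
class Condition:
    """One profiler condition and the certainty factor it contributes."""
    attribute: str
    operator: str      # "equals", "contains" or "startswith"
    value: str
    certainty: int

    def matches(self, endpoint: Dict[str, str]) -> bool:
        actual = endpoint.get(self.attribute)
        if actual is None:
            return False
        a, v = actual.lower(), self.value.lower()
        if self.operator == "equals":
            return a == v
        if self.operator == "contains":
            return v in a
        if self.operator == "startswith":
            return a.startswith(v)
        raise ValueError(f"unknown operator {self.operator}")


@dataclass(frozen=True)
class ProfilerPolicy:
    name: str
    min_certainty: int            # "minimum certainty factor" in the ISE UI
    conditions: Tuple[Condition, ...]
    parent: Optional[str] = None  # child policies hang under a parent


# Constructed policy tree, shaped like the built-in Cisco-Device > Cisco-IP-Phone pair.
POLICIES = [
    ProfilerPolicy("Cisco-Device", 10,
                   (Condition("OUI", "contains", "cisco", 10),)),
    ProfilerPolicy("Cisco-IP-Phone", 20,
                   (Condition("dhcp-class-identifier", "contains",
                              "Cisco Systems, Inc. IP Phone", 20),),
                   parent="Cisco-Device"),
    ProfilerPolicy("VMware-Device", 10,
                   (Condition("OUI", "contains", "vmware", 10),)),
]


def build_endpoint(mac: str, dhcp_class_id: Optional[str] = None,
                   host_name: Optional[str] = None) -> Dict[str, str]:
    """Assemble the attributes the probes would have collected: the MAC and
    its OUI vendor (RADIUS/SNMP probes) plus DHCP options (DHCP probe)."""
    mac = mac.upper()
    attrs = {"MACAddress": mac, "OUI": OUI_VENDORS.get(mac[:8], "")}
    if dhcp_class_id:
        attrs["dhcp-class-identifier"] = dhcp_class_id
    if host_name:
        attrs["host-name"] = host_name
    return attrs


def score(policy: ProfilerPolicy, endpoint: Dict[str, str]) -> int:
    return sum(c.certainty for c in policy.conditions if c.matches(endpoint))


def profile(endpoint: Dict[str, str], policies: List[ProfilerPolicy],
            parent: Optional[str] = None) -> str:
    """Walk the policy tree: a child is only evaluated once its parent matched,
    a policy matches when its summed certainty reaches min_certainty, and the
    deepest (most specific) match names the endpoint's profile."""
    best = None
    for p in policies:
        if p.parent != parent:
            continue
        s = score(p, endpoint)
        if s >= p.min_certainty and (best is None or s > best[1]):
            best = (p, s)
    if best is None:
        return parent or "Unknown"
    return profile(endpoint, policies, best[0].name)


def decide_coa(old_profile: str, new_profile: str,
               coa_type: str = "Reauth") -> Optional[str]:
    """Profiling CoA fires only when the endpoint's profile changes; coa_type
    mirrors the setting under Administration > System > Settings > Profiling."""
    return coa_type if old_profile != new_profile else None


if __name__ == "__main__":
    mac = "00:1b:d4:aa:bb:cc"
    # First sighting: the DHCP probe sees a phone's class identifier.
    first = profile(build_endpoint(mac, "Cisco Systems, Inc. IP Phone CP-8841"), POLICIES)
    # Later sighting from the same MAC: DHCP now looks like a Windows host.
    later = profile(build_endpoint(mac, "MSFT 5.0", "LAPTOP-01"), POLICIES)
    print(first, "->", later, "CoA:", decide_coa(first, later))
```

The spoofed endpoint still lands on Cisco-Device because its OUI is genuine; it is the loss of the more specific Cisco-IP-Phone match that changes the profile and, with CoA Type set to Reauth, forces the session through authorization again.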
What is Posturing in Cisco ISE?
Posture (called posturing on this page) is the ISE function that looks inside a host and checks for antivirus, a firewall, registry keys, running programs, and so on. For that an agent on the host is needed (the legacy NAC agent or the AnyConnect ISE Posture module).
The agent uses the SWISS protocol on UDP port 8905 to communicate with the ISE Policy Service node, and TCP port 8905 for posture discovery and client provisioning, so make sure these ports are allowed between the clients and ISE in your network.
NOTE: Make sure your ISE has the latest posture updates installed (Administration > System > Settings > Posture > Updates).
How to Configure Posturing on ISE?
To configure posture on ISE, these are the policies that have to be defined:
- Client Provisioning Policy (To Push an agent)
- Posture Policy
- Authorization Profiles
Configuring Client Provisioning Policy:
To configure a client provisioning policy, first add the resources it will reference.
Go to Policy > Policy Elements > Results > Client Provisioning > Resources.
Click Add and add the agent you need (from Cisco's site or from a local file), together with the agent's posture profile and compliance module. Then go to Policy > Client Provisioning and create the policy rule that decides which agent is pushed to which operating system and identity group.
Configure Posture Policy:
In the posture policy you define which services, applications and registry keys the agent will check.
Go to Policy > Posture and add a new row/policy.
Each row binds an operating system and identity group to one or more requirements, so configure the requirements first. A requirement pairs a condition with a remediation action and an enforcement type (mandatory, optional or audit); only a failed mandatory requirement makes the endpoint NonCompliant. Before configuring a requirement, configure its condition: go to Policy > Policy Elements > Conditions > Posture.
ISE ships with a set of built-in condition types (file, registry, application, service, antivirus, anti-spyware and compound conditions, among others).
So the order in which to configure posture is:
Configure Conditions > Configure Requirements > Configure Posture Policy
Configure Authorization Profile:
Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. You typically need three: one for endpoints whose posture is still Unknown (a web redirect to the client provisioning portal with a redirect ACL, so the agent gets installed and runs its checks), one for Compliant endpoints (full access) and one for NonCompliant endpoints (restricted access through a DACL or remediation VLAN). The authorization policy then matches on Session:PostureStatus to choose between them.
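The whole flow, conditions feeding requirements, requirements attached to posture policy rows, and the resulting posture status feeding the authorization policy, as an added Python model (example code, not Cisco's or ISE's implementation). The host report, the registry path, the condition and requirement names and the authorization profile names are constructed for the example; the enforcement types (Mandatory, Optional, Audit), the status values and the Session:PostureStatus attribute are ISE's.

```python
"""Toy model of the ISE posture flow: conditions -> requirements -> posture
policy rows -> posture status -> authorization profile.  Added example, not
Cisco code; the host report, condition names, registry path and authorization
profile names are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class HostReport:
    """What the posture agent reports about the host (constructed fields)."""
    os: str
    services: Set[str]
    processes: Set[str]
    registry: Dict[str, str]
    av_definition_age_days: Optional[int]   # None when no antivirus is installed


@dataclass(frozen=True)
class Condition:
    name: str
    check: Callable[[HostReport], bool]


@dataclass(frozen=True)
class Requirement:
    name: str
    os: str                          # "Windows All", "Mac OSX", ... or "All"
    condition: Condition
    remediation: str                 # remediation action shown to the user
    enforcement: str = "Mandatory"   # Mandatory | Optional | Audit


@dataclass(frozen=True)
class PostureRow:
    name: str
    os: str
    identity_group: str              # "Any" or a specific identity group
    requirements: Tuple[Requirement, ...]


def os_matches(pattern: str, host_os: str) -> bool:
    """'Windows All' matches any Windows version; 'All' matches everything."""
    return pattern == "All" or host_os.startswith(pattern.split()[0])


# Step 1: conditions (Policy > Policy Elements > Conditions > Posture).
firewall_running = Condition("pr_Firewall_Service",
                             lambda h: "MpsSvc" in h.services)  # Windows Firewall service
av_defs_current = Condition("pc_AV_Definitions_7d",
                            lambda h: h.av_definition_age_days is not None
                            and h.av_definition_age_days <= 7)
managed_key = Condition("pr_Corp_Managed_Key",   # constructed registry marker
                        lambda h: h.registry.get(r"HKLM\SOFTWARE\Corp\Managed") == "1")
no_remote_tool = Condition("pr_No_RemoteTool",
                           lambda h: "rat.exe" not in h.processes)

# Step 2: requirements pair a condition with a remediation and an enforcement type.
REQUIREMENTS = (
    Requirement("Windows_Firewall_On", "Windows All", firewall_running,
                "Start the Windows Firewall service (MpsSvc)"),
    Requirement("AV_Definitions_Current", "Windows All", av_defs_current,
                "Update antivirus definitions"),
    Requirement("Corp_Managed_Marker", "Windows All", managed_key,
                "Enroll the device with corporate management"),
    Requirement("No_Remote_Tool", "Windows All", no_remote_tool,
                "Close the remote-access tool", enforcement="Optional"),
)

# Step 3: posture policy rows (Policy > Posture).
POSTURE_POLICY = (
    PostureRow("Windows_Employees", "Windows All", "Employee", REQUIREMENTS),
)


def evaluate(report: Optional[HostReport], identity_group: str,
             policy: Tuple[PostureRow, ...]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (posture status, failed requirements with their remediation).
    Only a failed Mandatory requirement makes the host NonCompliant; Optional
    failures are reported, Audit failures only logged.  No agent report means
    Unknown, and a host no row applies to has nothing to fail and is Compliant."""
    if report is None:
        return "Unknown", []
    status, failures = "Compliant", []
    for row in policy:
        if not os_matches(row.os, report.os):
            continue
        if row.identity_group not in ("Any", identity_group):
            continue
        for req in row.requirements:
            if not os_matches(req.os, report.os) or req.condition.check(report):
                continue
            if req.enforcement == "Mandatory":
                status = "NonCompliant"
            if req.enforcement != "Audit":
                failures.append((req.name, req.remediation))
    return status, failures


def authorization_profile(posture_status: str) -> str:
    """The authorization policy matches Session:PostureStatus; the three
    profile names are constructed stand-ins for the ones you create."""
    return {"Compliant": "PermitAccess",
            "NonCompliant": "Quarantine_Access"}.get(posture_status, "Posture_Redirect")


if __name__ == "__main__":
    host = HostReport("Windows 10", {"MpsSvc"}, {"explorer.exe", "rat.exe"},
                      {r"HKLM\SOFTWARE\Corp\Managed": "1"}, 2)
    status, failed = evaluate(host, "Employee", POSTURE_POLICY)
    print(status, failed, "->", authorization_profile(status))
```

The Unknown branch is why the redirect profile exists: before the agent has reported anything, the only sensible authorization is one that sends the client to the provisioning portal, and a redirect ACL that blocks TCP/UDP 8905 to ISE would leave the endpoint stuck there.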