--> ISE Profiler is responsible for endpoint detection and classification.
--> ISE profiles endpoints by enabling one or more probes that collect information about them. Most probes listen passively (DHCP, RADIUS, SNMP, DNS, HTTP, NetFlow, Active Directory lookups); only the NMAP probe actively scans the endpoint.
--> The profiler compares the collected endpoint attributes against the profiling policies in order to classify the device.
--> Later on, we can use this classification (the endpoint's profile) as a condition in the authorization policy.
--> For example, a user PC that belongs to the organization's domain can be given different permissions from a user PC that does not belong to the domain.
--> Keep in mind that most profiling attributes (DHCP options, hostname, HTTP User-Agent, CDP/LLDP) are self-reported by the endpoint and can be spoofed; profiling is a classification aid for authorization, not an authentication of the device. Attributes confirmed by a server you control (such as the AD probe's AD-Host-Exists) carry more weight.
DHCP Probes:
--> To get the device MAC address (from the client hardware address, chaddr, in the DHCP request).
--> To get the DHCP attributes that help identify the operating system, in particular the hostname (option 12), the parameter request list (option 55) and the vendor class identifier (option 60). DHCP carries no User-Agent string; that comes from the HTTP probe.
--> ip helper-address needs to be configured with the ISE PSN IP address on the Layer 3 interface (SVI) of the client VLAN, in addition to the real DHCP server, so that ISE receives a copy of the relayed DHCP requests. ISE only listens; it never answers the request.
--> DHCP proxy must be disabled on the WLC (DHCP bridging mode) in order for the client's DHCP request to reach the upstream Layer 3 interface, where the ip helper-address relays it to ISE.
--> Enabled by default on the GigabitEthernet 0 interface.
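As an added example (not from the original post and not Cisco's code), the following Python does what the DHCP probe has to do before any policy can be evaluated: it decodes a DHCPDISCOVER, pulls the MAC from chaddr, and maps options 12, 55 and 60 to the attribute names ISE exposes (host-name, dhcp-parameter-request-list, dhcp-class-identifier). The packet is constructed inline, not a capture, and the fingerprint table is an illustrative assumption for this example, not ISE's built-in policies.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_HEADER_LEN = 236  # fixed BOOTP header that precedes the magic cookie


def build_dhcp_discover() -> bytes:
    """Constructed sample DHCPDISCOVER (not a real capture) from a
    Windows-style client that sends hostname, option 55 and option 60."""
    chaddr = bytes.fromhex("001122334455")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    prl = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])
    options = (
        bytes([53, 1, 1])                                   # message type: DISCOVER
        + bytes([12, len(b"CORP-PC01")]) + b"CORP-PC01"     # option 12: host-name
        + bytes([55, len(prl)]) + prl                       # option 55: parameter request list
        + bytes([60, len(b"MSFT 5.0")]) + b"MSFT 5.0"       # option 60: vendor class identifier
        + bytes([255])                                      # end option
    )
    return header + DHCP_MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed header and the option TLVs. Malformed or truncated
    packets raise ValueError rather than yielding partial attributes."""
    cookie_end = DHCP_HEADER_LEN + 4
    if len(packet) < cookie_end or packet[DHCP_HEADER_LEN:cookie_end] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    op, htype, hlen = packet[0], packet[1], packet[2]
    if htype != 1 or hlen != 6:
        raise ValueError("unsupported hardware address type/length")
    chaddr = packet[28:28 + hlen]                 # client hardware address
    parsed = {
        "op": op,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        # giaddr is non-zero when an ip helper-address relayed the request to us
        "giaddr": ".".join(str(b) for b in packet[24:28]),
        "options": {},
    }
    i = cookie_end
    while i < len(packet):
        code = packet[i]
        if code == 0:           # pad
            i += 1
            continue
        if code == 255:         # end
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        parsed["options"][code] = value
        i += 2 + length
    return parsed


def profiling_attributes(parsed: dict) -> dict:
    """Map the options to the attribute names ISE's DHCP probe exposes."""
    opts = parsed["options"]
    attrs = {"MACAddress": parsed["mac"]}
    if 12 in opts:
        attrs["host-name"] = opts[12].decode("ascii", "replace")
    if 55 in opts:
        attrs["dhcp-parameter-request-list"] = ",".join(str(b) for b in opts[55])
    if 60 in opts:
        attrs["dhcp-class-identifier"] = opts[60].decode("ascii", "replace")
    return attrs


# Illustrative fingerprint table (an assumption for this example, not ISE's
# built-in policies). The option-55 list, including its order, is the OS signal;
# the class identifier is a weaker hint because any client can set it freely.
PRL_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows-Workstation",
}


def guess_os(attrs: dict) -> str:
    prl = attrs.get("dhcp-parameter-request-list", "")
    if prl in PRL_FINGERPRINTS:
        return PRL_FINGERPRINTS[prl]
    if attrs.get("dhcp-class-identifier", "").startswith("MSFT"):
        return "Windows-Workstation"   # class identifier only: lower confidence
    return "Unknown"


if __name__ == "__main__":
    attrs = profiling_attributes(parse_dhcp(build_dhcp_discover()))
    print(attrs, guess_os(attrs))
```

Note the truncation checks: a helper-address copy that arrives clipped, or an endpoint deliberately sending an option with a bad length, must be rejected rather than contributing half-parsed attributes to the endpoint record.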
DHCP SPAN Probe
--> DHCP messages are forwarded to ISE using a SPAN (port mirror) session instead of the helper address.
--> You need to configure SPAN on the core switch to mirror the DHCP traffic seen by the core switch to a dedicated ISE interface.
--> It sees both directions of the exchange (client request and server reply), but it is less efficient than the ip helper-address method: all mirrored traffic lands on the PSN and a dedicated interface is required. Use it only where the helper address cannot be configured.
--> Enabled by default on the GigabitEthernet 0 interface.
Radius Probe
--> To get the MAC address and IP address of the endpoint.
--> Without the IP-to-MAC binding, the HTTP and NMAP probes will not work properly (HTTP attributes cannot be tied to an endpoint, and NMAP has no address to scan).
--> The Calling-Station-ID attribute in the RADIUS request provides the endpoint's MAC address, and the Framed-IP-Address attribute in the RADIUS accounting packet provides its IP address.
--> If the network device (switch/wireless LAN controller) has Device Sensor capability, then the network device proactively collects the endpoint information it sees (such as CDP, LLDP and DHCP attributes) and sends it to ISE inside the RADIUS accounting packets as cisco-av-pair values, so no separate DHCP or SNMP probe is needed for those attributes.
--> The ip device tracking command needs to be enabled on the switch in order to learn the endpoint's IP address and place it in Framed-IP-Address.
--> Enabled by default on the GigabitEthernet 0 interface.
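As an added example (not from the original post and not Cisco's code), this Python shows what the RADIUS probe extracts from an Accounting-Request and why the IP/MAC binding matters: it builds a constructed Accounting-Start (not a capture), verifies the RFC 2866 Request Authenticator before trusting anything, decodes Calling-Station-Id, Framed-IP-Address and Cisco av-pairs, and flags an endpoint with no Framed-IP-Address (ip device tracking off) as unusable for the NMAP and HTTP probes. The shared secret and the av-pair texts are assumptions; the device-sensor av-pair is shown in a simplified text form, not the exact on-the-wire encoding.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
VENDOR_CISCO = 9
CISCO_AV_PAIR = 1


def _attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: type, length (includes the 2 header bytes), value
    return bytes([attr_type, 2 + len(value)]) + value


def _cisco_av_pair(text: str) -> bytes:
    vsa = struct.pack("!I", VENDOR_CISCO) + _attr(CISCO_AV_PAIR, text.encode())
    return _attr(ATTR_VENDOR_SPECIFIC, vsa)


def build_acct_start(secret: bytes, calling_station_id: str, framed_ip, av_pairs=()) -> bytes:
    """Constructed Accounting-Request (Start), not a capture. Per RFC 2866 the
    Request Authenticator is MD5(code+id+length+16 zero bytes+attributes+secret)."""
    body = _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))   # 1 = Start
    body += _attr(ATTR_CALLING_STATION_ID, calling_station_id.encode())
    if framed_ip is not None:                                    # absent when device tracking is off
        body += _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    for pair in av_pairs:
        body += _cisco_av_pair(pair)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 7, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(packet: bytes):
    """Return (code, {type: [values]}); vendor attributes are keyed ("vsa", vendor, subtype)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {}
    i = 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        value = packet[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j + 2 <= len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed VSA")
                attrs.setdefault(("vsa", vendor, vtype), []).append(value[j + 2:j + vlen])
                j += vlen
        else:
            attrs.setdefault(atype, []).append(value)
        i += alen
    return code, attrs


def normalize_mac(text: str) -> str:
    """Calling-Station-Id arrives as 00-11-22-33-44-55, 0011.2233.4455 or
    00:11:22:33:44:55 depending on the NAD; the endpoint database needs one form."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[k:k + 2] for k in range(0, 12, 2))


def endpoint_from_accounting(packet: bytes, secret: bytes) -> dict:
    """What the RADIUS probe learns: MAC, IP (if the NAD tracked one) and
    device-sensor av-pairs. A packet failing the authenticator check is dropped,
    so a spoofed Accounting-Request cannot poison the IP/MAC binding."""
    if not verify_request_authenticator(packet, secret):
        raise ValueError("Request Authenticator mismatch: discard packet")
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    mac = normalize_mac(attrs[ATTR_CALLING_STATION_ID][0].decode())
    ip = None
    if ATTR_FRAMED_IP_ADDRESS in attrs:
        ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS][0]))
    pairs = [v.decode() for v in attrs.get(("vsa", VENDOR_CISCO, CISCO_AV_PAIR), [])]
    # No Framed-IP-Address means ip device tracking is off on the NAD: the
    # NMAP and HTTP probes cannot work for this endpoint until that is fixed.
    return {"MACAddress": mac, "ip": ip, "cisco-av-pair": pairs, "ip_mac_binding": ip is not None}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # assumption for the example
    # av-pair texts are assumed/simplified forms, not an exact device-sensor capture
    pkt = build_acct_start(secret, "00-11-22-33-44-55", "10.1.20.57",
                           ["audit-session-id=0A0101010000000A01234567",
                            "cdp-tlv=cdpCachePlatform=Cisco IP Phone 7962"])
    print(endpoint_from_accounting(pkt, secret))
    print(endpoint_from_accounting(build_acct_start(secret, "0011.2233.4455", None), secret))
```

The authenticator check is the practitioner's caveat here: RADIUS accounting is not encrypted, and anything that can reach UDP/1813 on the PSN with the right shared secret can assert an IP/MAC pair, so the secret per network device should be strong and unique, and accounting from unknown sources must be dropped.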
NMAP Probe
--> NMAP is a tool that uses port scans, SNMP queries and OS fingerprinting to identify a device's operating system or other attributes of the device; it is the only probe that actively contacts the endpoint rather than listening.
--> The NMAP scan may be run manually against a single IP address or a subnet, or automatically as a network scan action triggered by a matching profiling policy.
--> Needs to be enabled manually under the profiling section.
DNS Probe
--> Used to get the FQDN of the endpoint by a reverse (PTR) lookup once the endpoint's IP address is known.
--> The reverse DNS lookup is only performed after the endpoint has been detected by one of the DHCP, RADIUS, HTTP or SNMP probes, because those are the probes that supply the IP address.
--> Needs to be enabled manually under the profiling section.
SNMP Query and SNMP Trap Probes
--> SNMP is used to query network access devices that do not yet support Device Sensor.
--> The SNMP Trap probe receives linkUp/linkDown and MAC notification traps from the network device, telling ISE that an endpoint-facing interface changed state; the trap itself carries no endpoint attributes but triggers an SNMP query of that interface.
--> The network device needs to be configured to send SNMP traps to ISE, and ISE needs the device's SNMP settings (community string or SNMPv3 credentials) in its network device entry.
--> SNMP Query lets ISE read the device's CDP/LLDP neighbour, ARP and MAC address tables to learn what is connected to the interface.
--> Needs to be enabled manually under the profiling section.
Active Directory Probe
--> Used to identify whether the machine belongs to the organization's domain or not.
--> Once a computer hostname is learned from the DHCP (option 12) or DNS probe, the AD probe searches AD for that computer object and makes the following attributes available for use in profiling policy conditions:
AD-Host-Exists: If the endpoint exists in AD, it helps identify that it is likely a corporate system.
AD-Join-Point: The AD domain (ISE join point) where the host is located.
AD-Operating-System: The OS type of the endpoint as recorded in AD.
AD-OS-Version: The version of that endpoint's OS.
AD-Service-Pack: The service pack level of the endpoint.
--> Needs to be enabled manually under the profiling section, and ISE itself must be joined to the domain through a join point.
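As an added example (not from the original post and not Cisco's code), this Python models the two steps the post describes: matching collected attributes against a hierarchy of profiling policies, then using the resulting profile as an authorization condition so that a domain-joined PC and a non-domain PC get different results. It is a simplified model of ISE's certainty-factor matching (each matched condition adds its certainty; a policy matches when the total reaches its minimum; children are only tried under a matched parent). The policy set, the join point corp.example.com and the authorization profile names are assumptions for the example; the attribute names are the ones listed on this page for the DHCP, HTTP, Device Sensor and AD probes.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Operators modelled on the ones ISE offers in profiling conditions.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "EQUALS": lambda actual, expected: actual.lower() == expected.lower(),
    "CONTAINS": lambda actual, expected: expected.lower() in actual.lower(),
    "STARTSWITH": lambda actual, expected: actual.lower().startswith(expected.lower()),
}


@dataclass
class Condition:
    attribute: str
    operator: str
    value: str
    certainty: int   # certainty factor added when this condition matches

    def matches(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute)
        return actual is not None and OPERATORS[self.operator](str(actual), self.value)


@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int
    conditions: list
    parent: Optional[str] = None   # child policies are only tried once the parent matched

    def score(self, attrs: dict) -> int:
        return sum(c.certainty for c in self.conditions if c.matches(attrs))


# Hypothetical policy set (illustrative, not ISE's shipped policies). Note that
# the corporate profile rests on AD attributes, which the endpoint cannot forge,
# while the parent profile rests on self-reported DHCP/HTTP values.
POLICIES = [
    ProfilingPolicy("Windows-Workstation", 10, [
        Condition("dhcp-class-identifier", "STARTSWITH", "MSFT", 10),
        Condition("User-Agent", "CONTAINS", "Windows NT", 10),
    ]),
    ProfilingPolicy("Corporate-Windows-Workstation", 20, [
        Condition("AD-Host-Exists", "EQUALS", "true", 10),
        Condition("AD-Join-Point", "EQUALS", "corp.example.com", 10),  # assumed domain
    ], parent="Windows-Workstation"),
    ProfilingPolicy("Cisco-IP-Phone", 20, [
        Condition("cdpCachePlatform", "CONTAINS", "IP Phone", 20),
    ]),
]


def classify(attrs: dict, policies=POLICIES):
    """Walk the policy tree: at each level pick the matching policy with the
    highest score (ties go to the first defined), then descend into its
    children. Returns (most specific profile, its score) or ("Unknown", 0)."""
    profile, score, parent = "Unknown", 0, None
    while True:
        candidates = [(p.score(attrs), p) for p in policies if p.parent == parent]
        matched = [(s, p) for s, p in candidates if s >= p.min_certainty]
        if not matched:
            return profile, score
        best_score, best = max(matched, key=lambda sp: sp[0])
        profile, score, parent = best.name, best_score, best.name


# Authorization rules in the spirit of the post's example: the endpoint profile
# is the condition, and domain and non-domain PCs get different results.
# Authorization profile names are assumptions.
AUTHZ_RULES = [
    ("Corporate-Windows-Workstation", "PermitAccess_Corp"),
    ("Windows-Workstation", "Internet_Only_ACL"),
    ("Cisco-IP-Phone", "Voice_VLAN"),
]


def authorize(profile: str) -> str:
    for endpoint_policy, result in AUTHZ_RULES:
        if profile == endpoint_policy:
            return result
    return "DenyAccess"


if __name__ == "__main__":
    # Constructed endpoint attribute sets, as the probes above would have collected them.
    domain_pc = {"dhcp-class-identifier": "MSFT 5.0",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                 "AD-Host-Exists": "true", "AD-Join-Point": "corp.example.com"}
    byod_pc = {"dhcp-class-identifier": "MSFT 5.0", "AD-Host-Exists": "false"}
    phone = {"cdpCachePlatform": "Cisco IP Phone 7962"}
    for attrs in (domain_pc, byod_pc, phone):
        profile, score = classify(attrs)
        print(profile, score, authorize(profile))
```

The design point is where the trust lives: the non-domain PC can claim "MSFT 5.0" and a Windows User-Agent and still only reach Windows-Workstation, because the child profile needs evidence from AD that the endpoint does not control.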
NetFlow:
--> Cisco routers and switches support NetFlow, exporting a "record" for each flow they forward (source and destination addresses, ports, protocol and packet/byte counts), which lets ISE profile an endpoint on the traffic it generates rather than on what it announces about itself.
--> Enabling NetFlow consumes a large share of the PSN's resources, so it is not recommended to enable this probe unless the export is tightly filtered to the flows you actually need.
--> Needs to be enabled manually under the profiling section.
HTTP:
--> Needs HTTP traffic to be SPANned from the core switch to ISE (or obtained through the portal path described below).
--> Checks the User-Agent header in the HTTP request to identify which profiling policy the endpoint belongs to.
--> It is not recommended to enable the HTTP probe in SPAN mode, as a large amount of HTTP traffic will be sent to ISE.
--> When a user connects to an ISE portal such as the guest portal or hotspot portal, the portal collects the User-Agent and passes it automatically to the profiling engine within ISE, without requiring the HTTP probe to be enabled.
--> This is a simple and efficient way to get the extremely valuable User-Agent string without having to rely on the computationally expensive SPAN method.
Reference: Cisco.com
Md.Kareemoddin
CCIE #54759