Device Profiling

Overview

ISE Profiling provides visibility into endpoints connecting to the network and enables policy decisions based on device type.

Key Capabilities

  • Device Discovery - Identify devices via DHCP, RADIUS, SNMP, NetFlow

  • Classification - Categorize devices by type, vendor, OS

  • Policy Enforcement - Apply authorization based on profile

  • Anomaly Detection - Detect profile changes

Use Cases

BMS Controller Segmentation

Isolate Building Management Systems from IT networks:

  • HVAC controllers

  • Lighting systems

  • Access control panels

  • Energy management

IoT Device Management

Classify and control IoT devices:

  • Cameras and sensors

  • Printers and peripherals

  • Medical devices

  • Industrial controllers

Custom Profiles

Create organization-specific device profiles:

  • Vendor-specific equipment

  • Custom applications

  • Legacy systems

Architecture

                    ┌─────────────────┐
                    │   ISE Profiler  │
                    └────────┬────────┘
                             │
       ┌─────────────────────┼─────────────────────┐
       │                     │                     │
       ▼                     ▼                     ▼
┌──────────────┐      ┌──────────────┐      ┌──────────────┐
│    DHCP      │      │   RADIUS     │      │    SNMP      │
│   Probes     │      │   Probes     │      │   Probes     │
└──────────────┘      └──────────────┘      └──────────────┘
       │                     │                     │
       └─────────────────────┴─────────────────────┘
                             │
                             ▼
                    ┌─────────────────┐
                    │   Endpoint DB   │
                    │   + Profile     │
                    └─────────────────┘

Quick Reference

# List profiled endpoints via ERS
netapi ise ers endpoints

# Query endpoint by MAC
netapi ise ers endpoint --mac AA:BB:CC:DD:EE:FF

# DataConnect query for profiles
netapi ise dc query "SELECT MAC_ADDRESS, ENDPOINT_PROFILE
  FROM ENDPOINTS
  FETCH FIRST 20 ROWS ONLY"
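
Added example (not part of the original page or of the netapi tool): the "Anomaly Detection" capability above, sketched as a comparison of two snapshots of the DataConnect query result. It assumes the result has been exported as CSV with the MAC_ADDRESS and ENDPOINT_PROFILE columns; the function names and the profile names in the sample data are hypothetical.

```python
import csv
import io
import re

def norm_mac(mac):
    """Normalize colon, dash or dotted MAC notation to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_snapshot(csv_text):
    """Map MAC -> profile from CSV with MAC_ADDRESS and ENDPOINT_PROFILE columns."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return {norm_mac(r["MAC_ADDRESS"]): r["ENDPOINT_PROFILE"].strip() for r in rows}

def profile_changes(old, new, watched=frozenset()):
    """List (mac, before, after, severity) for new or re-profiled endpoints.

    A change into or out of a profile in `watched` (for example one tied to a
    segmented BMS authorization rule) is rated "high"; other changes "changed".
    """
    findings = []
    for mac, after in sorted(new.items()):
        before = old.get(mac)
        if before is None:
            findings.append((mac, None, after, "new"))
        elif before != after:
            severity = "high" if {before, after} & set(watched) else "changed"
            findings.append((mac, before, after, severity))
    return findings

# Constructed sample snapshots; the profile names are made up for illustration.
OLD = """MAC_ADDRESS,ENDPOINT_PROFILE
AA:BB:CC:DD:EE:01,BMS-HVAC-Controller
aabb.ccdd.ee02,Printer
"""
NEW = """MAC_ADDRESS,ENDPOINT_PROFILE
aa-bb-cc-dd-ee-01,Workstation
AA:BB:CC:DD:EE:02,Printer
AA:BB:CC:DD:EE:03,IP-Camera
"""

if __name__ == "__main__":
    for finding in profile_changes(load_snapshot(OLD), load_snapshot(NEW),
                                   watched={"BMS-HVAC-Controller"}):
        print(finding)
```

A "high" finding means an endpoint moved into or out of a watched profile between snapshots, which changes the authorization it receives and is worth reviewing before trusting the new classification.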