Cisco ISE Profiling Service
The profiling service in Cisco Identity Services Engine (ISE) identifies the devices that connect to your network and their location. The endpoints are profiled based on the endpoint profiling policies configured in Cisco ISE. Cisco ISE then grants permission to the endpoints to access the resources in your network based on the result of the policy evaluation.
The profiling service:
- Facilitates an efficient and effective deployment and ongoing management of authentication by using IEEE standard 802.1X port-based authentication access control, MAC Authentication Bypass (MAB) authentication, and Network Admission Control (NAC) for any enterprise network of varying scale and complexity.
- Identifies, locates, and determines the capabilities of all of the attached network endpoints regardless of endpoint types.
- Protects against inadvertently denying access to some endpoints.
Profiler Work Center
The Profiler Work Center menu (Work Centers > Profiler) contains all the profiler pages, which acts as a single start point for ISE administrators. The Profiler Work Center menu contains the following options: Overview, Ext ID Stores, Network Devices, Endpoint Classification, Node Config, Feeds, Manual Scans, Policy Elements, Profiling Policies, Authorization Policy, Troubleshoot, Reports, Settings, and Dictionaries.
Profiler Dashboard
The Profiler dashboard (Work Centers > Profiler > Endpoint Classification) is a centralized monitoring tool for the profiles, endpoints, and assets in your network. The dashboard represents data in both graphical and table formats. The Profiles dashlet displays the logical and endpoint profiles that are currently active in the network. The Endpoints dashlet displays the identity group, PSNs, OS types of the endpoints that connect to your network. The Assets dashlet displays flows such as Guest, BYOD, and Corporate. The table displays the various endpoints that are connected and you can also add new endpoints.
Endpoint Inventory Using Profiling Service
You can use the profiling service to discover, locate, and determine the capabilities of all the endpoints connected to your network. You can ensure and maintain appropriate access of endpoints to the enterprise network, regardless of their device types.
The profiling service collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database. All the attributes that are handled by the profiling service need to be defined in the profiler dictionaries.
The profiling service identifies each endpoint on your network, and groups those endpoints according to their profiles to an existing endpoint identity group in the system, or to a new group that you can create in the system. By grouping endpoints, and applying endpoint profiling policies to the endpoint identity group, you can determine the mapping of endpoints to the corresponding endpoint profiling policies.
Cisco ISE Profiler Queue Limit Configuration
The Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. This drives up Java Virtual Machine (JVM) memory utilization, because a backlog accumulates while some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
To ensure that the profiler does not increase JVM memory utilization, and to prevent the JVM from running out of memory and restarting, limits are applied to the following internal components of the profiler:
- Endpoint Cache: An internal cache of limited size that is purged periodically (based on a least recently used strategy) when its size exceeds the limit.
- Forwarder: The main ingress queue of endpoint information collected by the profiler.
- Event Handler: An internal queue that decouples a fast component from the slower processing component it feeds (typically one that performs database queries).
Endpoint Cache
- maxEndPointsInLocalDb = 100000 (endpoint objects in cache)
- endPointsPurgeIntervalSec = 300 (endpoint cache purge thread interval in seconds)
- numberOfProfilingThreads = 8 (number of threads)
The limit is applicable to all profiler internal event handlers. A monitoring alarm is triggered when the queue size limit is reached.
Cisco ISE Profiler Queue Size Limits
- forwarderQueueSize = 5000 (endpoint collection events)
- eventHandlerQueueSize = 10000 (events)
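The following is an added illustration, not Cisco's code, of why these limits exist: a bounded ingress queue plus an LRU-purged endpoint cache keep memory flat even when the producer (the profiler's collectors) outruns the consumer (the slower database-bound handlers). The parameter names mirror the documented ones; the demo scales the values down so the effect is visible in a few ticks. One assumption is made explicit in the code: the page only says an alarm is raised when the limit is reached, so the behaviour of refusing new events while the queue is full is this example's choice, not documented ISE behaviour.

```python
"""Bounded profiler queue and LRU endpoint cache (added illustration, not Cisco code)."""
from collections import OrderedDict, deque

# Documented defaults, kept here for reference; simulate() uses scaled-down values.
MAX_ENDPOINTS_IN_LOCAL_DB = 100000
FORWARDER_QUEUE_SIZE = 5000
EVENT_HANDLER_QUEUE_SIZE = 10000


class EndpointCache:
    """Endpoint cache purged on a least-recently-used basis once it exceeds its limit."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self._entries = OrderedDict()  # mac -> attributes, least recently used first

    def update(self, mac, attributes):
        if mac in self._entries:
            self._entries.move_to_end(mac)  # touched, so it becomes most recently used
            self._entries[mac].update(attributes)
        else:
            self._entries[mac] = dict(attributes)

    def purge(self):
        """Purge thread: evict least-recently-used endpoints until within the limit."""
        evicted = 0
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)
            evicted += 1
        return evicted

    def __len__(self):
        return len(self._entries)


class BoundedQueue:
    """Ingress queue with a hard size limit; raises a monitoring alarm on reaching it."""

    def __init__(self, name, limit):
        self.name, self.limit = name, limit
        self._items = deque()
        self.alarms = 0        # times the depth reached the limit
        self.rejected = 0      # events refused while full (assumption, see lead-in)
        self.peak_depth = 0

    def offer(self, event):
        if len(self._items) >= self.limit:
            self.rejected += 1
            return False
        self._items.append(event)
        self.peak_depth = max(self.peak_depth, len(self._items))
        if len(self._items) == self.limit:
            self.alarms += 1   # this is where a monitoring alarm would be raised
        return True

    def poll(self):
        return self._items.popleft() if self._items else None

    def __len__(self):
        return len(self._items)


def simulate(event_count, queue_limit, cache_limit,
             produce_per_tick, consume_per_tick, purge_interval):
    """Push event_count constructed collection events through a bounded forwarder
    queue into an LRU cache, with a producer faster than the consumer."""
    queue = BoundedQueue("forwarder", queue_limit)
    cache = EndpointCache(cache_limit)
    produced = processed = evicted = tick = 0
    while produced < event_count or len(queue) > 0:
        tick += 1
        for _ in range(produce_per_tick):          # fast collector side
            if produced >= event_count:
                break
            mac = f"00:11:22:33:{produced % 256:02x}:{produced // 256:02x}"  # constructed
            queue.offer({"mac": mac, "source": "radius"})
            produced += 1
        for _ in range(consume_per_tick):          # slow, database-bound side
            event = queue.poll()
            if event is None:
                break
            cache.update(event["mac"], {"last_seen_tick": tick})
            processed += 1
        if tick % purge_interval == 0:             # periodic purge thread
            evicted += cache.purge()
    evicted += cache.purge()
    return {"peak_depth": queue.peak_depth, "alarms": queue.alarms,
            "rejected": queue.rejected, "processed": processed,
            "cache_size": len(cache), "evicted": evicted}


if __name__ == "__main__":
    print(simulate(60, 10, 20, 8, 5, 3))
```

Memory stays bounded by queue_limit plus cache_limit regardless of how many events arrive; the cost is visible in the "rejected" and "alarms" counters, which is exactly the signal an operator should be watching for when the profiler alarm fires.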
Event Handlers
- NetworkDeviceEventHandler: For network device events; in addition, it filters duplicate Network Access Device (NAD) IP addresses that are already cached.
- ARPCacheEventHandler: For ARP Cache events.
Martian IP Addresses
Martian IP addresses are not displayed in the ... and ... windows, because the RADIUS parser removes such addresses before they reach the profiling service. Martian IP addresses are a security concern as they are vulnerable to attacks. However, martian IP addresses are displayed in MnT logs for auditing purposes. This behaviour also applies to multicast IP addresses. For more information on Martian IP addresses, see https://www.cisco.com/assets/sol/sb/Switches_Emulators_v2_3_5_xx/help/250/index.html#page/tesla_250_olh/martian_addresses.html
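The following is an added example, not Cisco's code, of the split described above: a RADIUS record parser that strips a martian or multicast Framed-IP-Address before the record reaches profiling, while the audit copy keeps the original value. The martian set is this example's assumption (the page does not enumerate it): unspecified, loopback, link-local, multicast and reserved ranges for IPv4 and IPv6. RFC 1918 private space is deliberately not treated as martian, because enterprise endpoints legitimately use it. Record field names and sample values are constructed.

```python
"""Martian/multicast IP filtering for RADIUS records (added example, not Cisco code)."""
import ipaddress

# Assumed martian set for this example: addresses that cannot identify a real endpoint.
MARTIAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # IPv4 link-local
    "224.0.0.0/4",      # IPv4 multicast
    "240.0.0.0/4",      # reserved, includes limited broadcast 255.255.255.255
    "::/128",           # IPv6 unspecified
    "::1/128",          # IPv6 loopback
    "fe80::/10",        # IPv6 link-local
    "ff00::/8",         # IPv6 multicast
)]


def is_martian(ip_text):
    """True if the address is unparsable or falls in an assumed martian range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # garbage in the attribute is never a usable endpoint address
    # ip in net is False when the versions differ, so mixing v4/v6 here is safe.
    return any(ip in net for net in MARTIAN_NETWORKS)


def parse_radius_records(records):
    """Return (records_for_profiler, audit_records).

    The profiler copy has a martian Framed-IP-Address removed but keeps the rest of
    the record, so MAC-based profiling still proceeds; the audit copy is untouched
    and flagged, mirroring the page's statement that MnT logs retain such addresses.
    """
    for_profiler, audit = [], []
    for rec in records:
        audit_copy = dict(rec)
        ip = rec.get("Framed-IP-Address")
        if ip is not None and is_martian(ip):
            audit_copy["profiler-action"] = "framed-ip-stripped"
            rec = {k: v for k, v in rec.items() if k != "Framed-IP-Address"}
        audit.append(audit_copy)
        for_profiler.append(rec)
    return for_profiler, audit


# Constructed sample records; MACs and addresses are made up for the example.
SAMPLE_RECORDS = [
    {"Calling-Station-ID": "00-11-22-33-44-55", "Framed-IP-Address": "10.20.30.40"},
    {"Calling-Station-ID": "00-11-22-33-44-66", "Framed-IP-Address": "0.0.0.0"},
    {"Calling-Station-ID": "00-11-22-33-44-77", "Framed-IP-Address": "239.1.2.3"},
    {"Calling-Station-ID": "00-11-22-33-44-88", "Framed-IP-Address": "169.254.10.5"},
    {"Calling-Station-ID": "00-11-22-33-44-99"},  # no IP attribute at all
]


if __name__ == "__main__":
    profiler, audit = parse_radius_records(SAMPLE_RECORDS)
    for p, a in zip(profiler, audit):
        print(p.get("Framed-IP-Address", "<stripped or absent>"), "| audit:", a)
```

Keeping the audit copy intact is the important design point: a burst of martian source addresses in accounting records is itself worth alerting on, and that signal would be lost if the parser silently discarded whole records instead of just the address attribute.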