Endpoint Profile Configuration: Part 1
Topics in this chapter include:
• Understanding Endpoint Profile Certainty
• Configuration of Endpoint Profiles and Endpoint Profile Groups
• Adding Profile Rules to an Endpoint Profile
• Configuration of MAC Address/Vendor Profile Rules
• Configuration of IP Address Profile Rules
• Configuration of Traffic Profile Rules
• Configuration of Static MAC/IP Host Address Rules
The Cisco NAC Profiler system uses the endpoint information gathered by the Collectors to classify endpoints into Profiles. By matching the endpoint attributes collected by the Collectors for endpoints on the network against the rules specified in the enabled endpoint profiles, Cisco NAC Profiler determines the identity of each endpoint it has discovered and collected endpoint data (attributes) for.
The endpoint attributes used for Endpoint Profiling and Identity Monitoring were introduced earlier in the guide. For each of the attributes, there is a corresponding profile rule type that can be added to one or more profiles, enabling the Modeler running on the NAC Profiler Server to make a profiling decision. The profile rules and their relative certainty are used to make a "best match" decision. Essentially, the collected data for each endpoint is evaluated against the profile rules in each enabled profile to determine which profile results in the highest certainty rule match. The following section outlines the Certainty concept in detail. The chapter then moves on to describe several of the available rule types, and how profiles are enabled/disabled, created and edited. This provides the basis for all endpoint profile administrative processes for the NAC Profiler system.
The remaining profile rule types along with the configuration and use of Advanced XML rules are covered in detail in the following chapters.
Understanding Endpoint Profile Certainty
The Certainty Factor (CF) plays a dual role in the NAC Profiler system. First, it is used to reflect the relative Certainty that the identity of an endpoint has been determined accurately, given that the endpoint is observed displaying the matching attribute specified in one or more rules defined for an Endpoint Profile.
That is, the higher the certainty, the greater the probability that the endpoint identity attributes observed by the system and considered in the profiling decision are a certain indicator of its identity. Secondly, the total certainty value of each Profile, referred to henceforth as the "Profile Certainty" is used by the system to make decisions about whether a transition from one Profile to another Profile is warranted when new information about an endpoint is observed by the system, potentially indicating a change in endpoint identity.
The NAC Profiler system will place each endpoint discovered in exactly one Profile at any point in time. When an endpoint is first discovered, it is likely to be placed in the "Not Profiled" container, which is a special-purpose Profile indicative of the fact that the endpoint has not displayed any attributes collected by the system matching any of the rules in the currently enabled Profiles. As more information is gained about an endpoint via the Collectors, or new Profiles are enabled that contain rules that match collected identity attributes for a given endpoint, it will transition to the Profile containing the rule(s) it matches at a level of certainty specified for each rule.
When a given endpoint matches the rule (or rules) specified for more than one Profile at a given time, the system will always place the endpoint in the Profile with the highest Profile Certainty. Endpoints will always graduate from lower certainty Profiles (Not Profiled having the lowest possible certainty, conceptually a certainty of zero) to the Profile with the highest certainty rule match or matches.
Once in a Profile, an endpoint will transition to another Profile only if the attributes collected for the endpoint satisfy the rules in another Profile at a higher certainty, or if the data used to make the current Profiling decision ages out through one of the aging timers or is cleared by the system in response to changes in the endpoint's attributes. Just as endpoints new to the network that have not yet had profiling attributes gathered about them by Profiler are in the Not Profiled state, endpoints that have all their profiling attributes aged out of the database (likely due to inactivity, or the inability of Profiler to observe identity attributes for endpoints due to a network change, for instance) will transition back to the Not Profiled state.
Each endpoint profile has a Profile Certainty assigned to it, which is a value from 1-100%. The Profile Certainty value is calculated one of two ways, depending upon the rule(s) bound to the Profile. For Profiles with a single rule, the Profile Certainty is equal to the Certainty of the single rule defined in the Profile. Endpoints discovered by Profiler and observed matching a single-rule Profile are assigned to the Profile with a Certainty equal to that specified for the rule.
For example, if a Profile was created to containerize APC UPSs and the Profile utilized a single MAC Vendor rule that matched endpoints that had a MAC address with an OUI registered to American Power Conversion, and the Certainty value assigned to that rule was 15%, all endpoints discovered by Profiler that matched this rule would be assigned to the APC UPS Profile with a 15% Certainty.
When multiple rules are specified in a Profile, each rule in the Profile is evaluated independently by the Profiler modeler. Any given endpoint could match anywhere from one rule to all n rules specified in a given Profile. In this case, the Profile Certainty will be a range: the minimum Profile certainty is that of the lowest certainty rule in the Profile, and the maximum is a calculated value that will be between the minimum and a combined profile certainty less than 100%.
In the case of endpoints that are determined by Profiler to match multiple rules within the same Profile, a combined certainty value is calculated. This reflects the fact that these endpoints have been observed by the Collectors displaying multiple attributes of identity consistent with the endpoint type contained by the Profile.
Carrying the above example one step further, consider adding a DHCP Vendor Class rule to the APC UPS profile that matched endpoints that sent DHCP requests containing the string 'APC.' The Profile now would contain the MAC Address/Vendor rule with a certainty of 15% and the DHCP Vendor Class rule with a somewhat greater certainty value of 25%. The modeling engine uses the following algorithm to calculate combined Certainty values for endpoints matching the multiple rules (MAC Vendor and DHCP Vendor Class in the example) within the same Profile:
currentCF += (newCF * (1 - currentCF))
Where currentCF starts at 0, and accumulates with every newCF calculated upon determination of additional rule matches.
In our example above, when an endpoint is discovered by Profiler and its MAC address has an OUI that resolves to American Power Conversion, a newCF is calculated for the endpoint based on that match as follows:
currentCF + (.15 * (1 - 0)) = newCF
0 + (.15 * 1) = newCF
.15 = newCF
The example endpoint would be placed in the APC UPS Profile with a Certainty of 15% upon discovery of the endpoint as its primary identifier (its MAC address) provides the data that matches the rule.
Some time later, the endpoint requests a renewal of its DHCP address, and the DHCP request containing the 'APC' string is observed by a NetWatch module in the system. Upon this attribute being added to the Profiler database a dynamic re-model of the endpoint occurs, the endpoint is determined to match the DHCP Vendor Class rule in the Profile, and a new Certainty value is calculated as follows:
currentCF + (.25 * (1 - .15)) = newCF
.15 + (.25 * (1 - .15)) = newCF
.15 + (.25 * .85) = newCF
.3625 = newCF
Endpoints matching both rules of the APC UPS Profile would have a Profile Certainty of 36.25%.
From the above example it should be clear that, in practice, endpoints can be in the same multi-rule Profile at varying levels of profile certainty, indicative of which of the rules bound to the Profile each particular endpoint has satisfied. In our example, it would be possible for endpoints in the APC UPS Profile to have a Profile Certainty of either 15% or 36.25%. (Note that 25% is not a possible value, as the MAC must be known for the endpoint; it is not possible for Profiler to have observed a DHCP request from an endpoint whose MAC it has not discovered, since Profiler discovers endpoints via DHCP requests.)
An essential Profiling concept is that every endpoint MAC discovered by the system is in exactly one Profile at any given time, although it may in fact satisfy rules in multiple profiles. It is entirely possible for endpoints to match rule(s) in more than one Profile simultaneously, but the system will always determine a "best match" using the Profile Certainty value. Endpoints will always be placed in the Profile with the highest Certainty value when matches to two or more Profiles occur.
In the case of a tie in Profile Certainty values (which is considered to be an invalid configuration), a race condition will result which will lead to inconsistent Profiling results for endpoints in such a condition. An endpoint in the condition of matching the rules in two or more profiles with the same profile certainty value may be placed in any of the Profiles with identical certainty values non-deterministically.
Beginning in Cisco NAC Profiler version 3.1, a "Certainty Calculator" was added to the UI, on the Save Profile form. This tool, described in detail later in this chapter, allows the administrator to quickly and easily determine the Profile Certainty values for endpoint profiles containing more than one rule. More discussion of the Certainty Calculator and its use is provided in the following discussions on Profile creation/editing.
Two rules emerge that must be considered when defining Certainty values for a Cisco NAC Profiler implementation. First, avoid Profile Certainty collisions: ensure that every enabled Endpoint Profile, whether it contains a single rule or multiple rules, has a discrete profile certainty value, so that no two Profiles could potentially have the same certainty value when considering the likely rule matches.
This is particularly important in deployments where there may be cases of endpoints matching rules in more than one profile simultaneously. When Profiles in the system configuration have multiple rules specified, it is important to understand the calculation outlined above (with visualization provided in the UI) to ensure that the combined profile certainty value for endpoints matching two or more rules doesn't result in a potential overlap between Profiles leading to the aforementioned race condition. The Certainty Calculator is an essential tool for this process.
Secondly, as a rule, the Profile Certainty values for Profiles of non-user endpoints (in most cases, endpoints such as printers, IP phones, wireless access points, etc.) must be set to values lower than those chosen for user devices such as Windows PCs, workstations, etc. The underlying mechanism providing the Identity Monitoring functionality requires that the endpoint types that are enabled for MAC authentication have lower profile certainty than the endpoint types that may attempt to access the network masquerading as a MAC-authenticating device.
This ensures that endpoints observed exhibiting PC identity attributes transition profiles immediately upon collection/consideration of the attribute(s) triggering the removal of MAC-authentication privileges for the endpoint.
A rule of thumb is to ensure that the Profiles containing MAC-authenticating endpoints have a certainty value below 60%. Whether the Profiles for these endpoints use a single rule or multiple rules, the maximum possible Profile Certainty for these Profiles should be below 60%. Profiles for devices such as PCs that should be able to interact with the NAC or authentication system should have Profile certainty values greater than 60%, so that endpoints observed displaying attributes matching these profiles will transition to the higher certainty Profile as they satisfy its rules. Figure 9-1 illustrates this concept of relative Profile certainty values.
Figure 9-1 Cisco NAC Profiler Profile Hierarchy Concepts
It is important not to view the endpoint profiles for a given system in isolation; they need to be viewed as a system or hierarchy of profiles. This enables the implications of the discovery of additional attributes of an endpoint by the NAC Profiler system to be understood and predictable, and most importantly, it is clear what happens in terms of the Profiling decision for endpoints displaying inconsistent identity-related attributes at different points in time.
Are the profiles for special purpose devices such as printers and IP Phones, and those for general purpose devices (PCs) set up such that devices originally profiled as a printer, transition to the PC profile so that the identity monitoring functionality of Cisco NAC Profiler is enabled? This question can only be answered when viewing the enabled endpoint profiles and their certainty values relative to one another.
Several key points discussed in this section are highlighted in the previous and following figures. When relative Profile Certainty hierarchies are used as described earlier in this section and illustrated here, Endpoint Identity Monitoring for the system is fully enabled. If the MAC address of a non-user endpoint such as a printer is used by a user endpoint, this "MAC spoofing" event is detected in near real time by Cisco NAC Profiler through the transition of the endpoint from the printer profile to the Windows profile, as one example.
Assuming that the Windows profile is not enabled for MAC authentication (through the integration of Cisco NAC Profiler with NAC or RADIUS authentication), the transition of the endpoint from the printer profile to the Windows profile revokes the endpoint's ability to authenticate by MAC, as a result of Cisco NAC Profiler observing inconsistent identity attributes exhibited by the endpoint.
When the Endpoint Profiles that will be used for a given Cisco NAC Profiler implementation are determined, it is good practice to create a chart like the one in the next figure to visualize the profile hierarchy that will be implemented specific to the deployment. Simply plot the Profiles that will be used on the horizontal axis along with their planned Profile Certainty values based on the rules that will be used to define the profile, and calculated using the Certainty Calculator.
This guides the installer in the next phases as the Profiles and the rules within them are defined and tuned over time. The diagram serves as a system-level conceptualization of the profile hierarchy when choosing the rule and Profile Certainty values, ensuring that the desired hierarchy is maintained when implemented via the enablement of Profiling in the next phases of Profiler system implementation.
Figure 9-2 is an example of a simple profile hierarchy diagram for a hypothetical simplified network that supports the following endpoint types: UPS, Printers, IP Phones and Windows PCs. The UPS, Printers and IP Phones are expected to be authenticated via their MAC addresses and the Windows PCs are expected to authenticate via interaction with the NAC or port-based authentication system. At this juncture it is sufficient to understand that Profiles for each of these endpoint types are required, and that their respective Profile certainty values are in the ranges shown in the following figure.
The rules that will be used in these Profiles have not necessarily been determined as yet. However, as they are constructed to have the relative profile certainty values shown in the diagram, it is the case that if an endpoint originally profiled into the MAC authentication-enabled Profiles (e.g. UPS, Printer, IP Phone) began exhibiting attributes captured in the rule set for the Windows PC profile, the endpoint would transition accordingly due to the higher profile certainty value. The transition in Profile would result in the inability of the endpoint to MAC authenticate subsequent to the change in profile.
Figure 9-2 Example Simplified Profile Hierarchy
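The certainty arithmetic from this section (the currentCF accumulation, the APC UPS walk-through, the Profile Certainty collision rule and the 60% hierarchy rule of thumb) can be modelled in a few lines so a hierarchy like the one in Figure 9-2 can be checked before it is enabled. The following is an added example written for this page, not code from Cisco NAC Profiler or its documentation. The 15% MAC Vendor and 25% DHCP Vendor Class values for APC UPS come from the text; the other profile names, rule names and certainty values are constructed, and the tie handling and Not Profiled placement follow the chapter's description rather than the product's implementation.

```python
"""Model of the NAC Profiler certainty arithmetic described in this chapter.

Added example, not Cisco code. Profile/rule names and the certainty values
other than the APC UPS ones (15% MAC Vendor, 25% DHCP Vendor Class) are
constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Rule:
    name: str
    certainty: float  # rule Certainty as a fraction, e.g. 0.15 for 15%


@dataclass
class Profile:
    name: str
    rules: list
    mac_auth: bool = False  # endpoints in this Profile authenticate by MAC


def combine(certainties):
    """Apply currentCF += newCF * (1 - currentCF), starting from 0."""
    cf = 0.0
    for new_cf in certainties:
        cf += new_cf * (1 - cf)
    return cf


def certainty_range(profile):
    """(minimum, maximum) Profile Certainty: lowest single rule, all rules combined."""
    cfs = [r.certainty for r in profile.rules]
    return min(cfs), combine(cfs)


def possible_certainties(profile):
    """Every Profile Certainty an endpoint in this Profile could carry.

    Conservative: any non-empty subset of rules is treated as reachable, even
    though some (such as DHCP Vendor Class without MAC Vendor) may never occur.
    Order of matching does not matter: the result is always 1 - prod(1 - cf).
    """
    cfs = [r.certainty for r in profile.rules]
    return {round(combine(subset), 6)
            for k in range(1, len(cfs) + 1)
            for subset in combinations(cfs, k)}


def certainty_collisions(profiles):
    """Profile pairs that could present the same Profile Certainty (the race condition)."""
    hits = []
    for a, b in combinations(profiles, 2):
        shared = possible_certainties(a) & possible_certainties(b)
        if shared:
            hits.append((a.name, b.name, sorted(shared)))
    return hits


def hierarchy_violations(profiles, threshold=0.60):
    """Rule of thumb: MAC-authenticating Profiles stay below the threshold and
    user-device Profiles above it, so a spoofed MAC graduates to the user Profile."""
    bad = []
    for p in profiles:
        _, max_cf = certainty_range(p)
        if p.mac_auth and max_cf >= threshold:
            bad.append(p.name)
        elif not p.mac_auth and max_cf <= threshold:
            bad.append(p.name)
    return bad


def place_endpoint(profiles, matched):
    """Best-match placement for one endpoint.

    matched maps Profile name -> names of that Profile's rules the endpoint
    satisfied. Returns (profile_name, certainty); ('Not Profiled', 0.0) when
    nothing matched. A tie is the invalid configuration the chapter warns
    about (non-deterministic placement in the product), so it is raised here.
    """
    candidates = []
    for p in profiles:
        hit = [r.certainty for r in p.rules if r.name in matched.get(p.name, ())]
        if hit:
            candidates.append((combine(hit), p.name))
    if not candidates:
        return "Not Profiled", 0.0
    candidates.sort(reverse=True)
    if len(candidates) > 1 and abs(candidates[0][0] - candidates[1][0]) < 1e-9:
        raise ValueError(f"Profile Certainty tie: {candidates[0][1]} vs {candidates[1][1]}")
    cf, name = candidates[0]
    return name, cf


# Constructed hierarchy in the spirit of Figure 9-2 (values are illustrative).
APC_UPS = Profile("APC UPS", [Rule("MAC Vendor APC", 0.15),
                              Rule("DHCP Vendor Class APC", 0.25)], mac_auth=True)
PRINTER = Profile("Printer", [Rule("MAC Vendor printer OUI", 0.30),
                              Rule("SNMP sysDescr printer", 0.40)], mac_auth=True)
IP_PHONE = Profile("IP Phone", [Rule("CDP platform phone", 0.55)], mac_auth=True)
WINDOWS_PC = Profile("Windows PC", [Rule("Web User Agent Windows", 0.70),
                                    Rule("DHCP Vendor Class MSFT", 0.50)])
PROFILES = [APC_UPS, PRINTER, IP_PHONE, WINDOWS_PC]


if __name__ == "__main__":
    for p in PROFILES:
        lo, hi = certainty_range(p)
        print(f"{p.name:12s} min {lo:.2%}  max {hi:.2%}")
    print("collisions:", certainty_collisions(PROFILES))
    print("hierarchy violations:", hierarchy_violations(PROFILES))
    # The chapter's APC UPS walk-through: MAC Vendor first, then the DHCP request.
    print(place_endpoint(PROFILES, {"APC UPS": ["MAC Vendor APC"]}))
    print(place_endpoint(PROFILES, {"APC UPS": ["MAC Vendor APC", "DHCP Vendor Class APC"]}))
    # A "printer" MAC that starts showing a Windows user agent graduates to Windows PC.
    print(place_endpoint(PROFILES, {"Printer": ["MAC Vendor printer OUI"],
                                    "Windows PC": ["Web User Agent Windows"]}))
```

The `possible_certainties` check is deliberately stricter than the chapter's "likely rule matches" wording: it treats every rule subset as reachable, which flags a collision that the Certainty Calculator's max value alone would not reveal (two profiles whose maxima differ but whose single-rule values coincide).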
Configuration of Endpoint Profiles and Endpoint Profile Groups
The Cisco NAC Profiler Endpoint Profiler ships with a number of pre-configured and enabled ("factory") Endpoint Profiles that have been created and tested in field deployments. These Profiles can be re-used as-is if desired, or may be modified as the situation dictates.
In addition, they serve as templates for creating new profiles outlined later in this chapter and the one that follows, illustrating how different rule types and varying levels of certainty can be used to accurately Profile endpoints and create a system of profiles enabling Identity Monitoring as outlined in the previous section.
To view and manage the Endpoint Profile configuration of the system, navigate to the Configuration tab, and select the Profiles link from the secondary menu of the Configuration tab. The Endpoint Profiles option page is presented, allowing selection amongst the following Endpoint Profile configuration tasks:
• View/Edit Profiles List: displays the Endpoint Profiles currently saved in the system configuration.
• View/Edit Profile Groups
• Create Profile Groups
View/Edit Profile Group
Endpoint Profile Groups provide a way to group Endpoint Profiles configured to profile endpoints of a common type, to facilitate their management in the UI. For example, if there were IP phones or printers from different vendors and it was desirable to profile these endpoints into a profile based on vendor, the individual vendor-specific Profiles could be grouped into IP Phone and Printer Profile groups.
Similarly, all endpoint profiles for user devices such as PCs, laptops and workstations might be grouped into a Profile Group or category named "Users." As will be outlined in the next section, grouping enables viewing/editing of related endpoint profiles.
By default, the factory Endpoint Profiles and user-created profiles are placed in a group named "Uncategorized." On a newly-installed system, or a system upgraded from an earlier version, selecting View/Edit Profile Groups would display the page illustrated in Figure 9-3, showing only the Default Group, which is not editable.
Tip Systems upgraded to version 3.1 will have all existing Endpoint Profiles placed automatically into the Uncategorized Profile Group upon upgrading. The administrator can then create Profile Groups and assign existing profiles to the groups as desired.
Figure 9-3 View/Edit Profile Groups: New Install or Upgrade to version 3.1
Note that in addition to the description of each Profile Group, the total number of Profiles assigned to the group, and those that are assigned and enabled is also displayed.
For administrator-created Profile Groups, the Group Name is a link. Clicking the Group Name allows the group to be edited.
Add a Profile Group
Creation of new Profile Groups can be initiated by selecting the Create Group link in the upper right hand corner when viewing the Profile Groups configured on the system, or from the main Endpoint Profiles page. Creation of Profile Groups is accomplished via the Add Profile Category (Group) form illustrated in Figure 9-4.
Figure 9-4 Add Profile Category (Group)
Complete the following steps to add a new Profile Group:
Step 1 Enter a name for the new Profile Group which describes the endpoints in the Endpoint Profiles in the group.
Tip Profile Group names must be unique. Entering an existing group name and attempting to add the group will result in a warning.
Step 2 Enter a description for the Profile Group.
Step 3 Select Add Group.
The newly added Profile Group is now active on the system; existing Endpoint Profiles and new Endpoint Profiles can be assigned to the Profile Group as described in the following sections.
Edit/Delete Profile Group
Profile Group names and descriptions can be edited by selecting View/Edit Profile Groups, and then selecting the name of the Group to be edited. This displays the Save Profile Category (Group) form illustrated in Figure 9-5. Complete the desired edits and then select the Save Group button to save the changes.
To view all the Endpoint Profiles currently in a Group, select the View Profiles button. This displays the View/Edit Profiles view with the status filter set to "enabled" and the group filter set to the Profile Group name shown in the Save Profile Category form.
Figure 9-5 Save Profile Category (Group)
To delete a Profile Group, select the Delete Group button on the Save Profile Category form (Figure 9-5). Endpoint Profiles assigned to a group that is subsequently deleted are set back to Uncategorized.
Tip If Profile Groups are to be used on a system, they should be configured before adding Endpoint Profiles so that added profiles can be associated to a group when they are created.
The View/Edit Profiles page provides the primary interface for the configuration/management of the Endpoint Profiles on a system, as well as providing a visualization of the Profile Hierarchy as it is currently configured.
When View/Edit Profiles is selected on a system, the default view presented is the Table of Profiles, illustrated in Figure 9-6.
Note This screen shot is from a newly-installed system showing only the factory profiles that are enabled by default on new systems.
Figure 9-6 Default Table of Profiles View
The controls immediately above the Table of Profiles are used to filter/control this view. The two controls are labeled Display by Status, and Display by Group.
Display by Status controls which profiles are displayed in the Table of Profiles. This control can be set to the following values:
• Enabled (default): only the Endpoint Profiles that are currently enabled are displayed.
• Disabled: only the Endpoint Profiles that are currently disabled are displayed.
• Automatic: displays the system-generated (inference-based) Endpoint Profiles resulting from the addition of Print Servers and Voice Gateways to the MyNetwork Configuration.
• All: displays all Endpoint Profiles on the system.
Display by Group is used to filter the Endpoint Profiles by Group. By default, All is selected and the Profiles in all Profile Groups with a status matching that of the Display by Status control are shown. The columns of the Table of Profiles are consistent across these views, and are described in the following paragraphs.
The Profile name in the Table of Profiles is a link that, if selected, brings up the Save/Edit Profile form for the selected profile, which is described in detail later in this chapter and in the following one. This is the form that is used for editing/disabling/deleting a profile in the Cisco NAC Profiler configuration.
The same procedures are used to change the current settings of an existing profile, to add, change or delete an individual profile rule for example. These procedures are outlined in detail in this and the following chapter, which provide reference for Profile configuration and tuning.
The Category (Group) column shows the Profile Group that each Endpoint Profile is a member of. Uncategorized (ungrouped) in this column indicates an Endpoint Profile that has not been assigned to a group.
The Description column reflects the text description provided by the creator of the profile when it was added to the system. For the factory profiles, it is indicative of the rule types contained in the profile.
The Active Rule column is used to quickly ascertain which Endpoint Profiles on a system (if any) contain an Active Rule that will result in the Profiler system doing active collection if one or more NetInquiry Collector component modules are enabled. Active profiling rules and active profiling are described in detail in the "Configuration of Active Directory Data Rules" section on page 10-27.
If LDAP integration is enabled for the system, a column entitled LDAP is added to the table of profiles. This indicates for each profile in the view whether or not LDAP has been enabled for the profile. See Chapter 17, "Enabling LDAP Integration," for complete instructions for enabling LDAP integration.
The Max CF column displays the maximum Profile Certainty Factor for the Endpoint Profile as currently configured. As described earlier in this chapter, Endpoint Profiles with a single Profile Rule will have a Max CF equal to the certainty specified for that rule. Multiple rule profiles will show a Max CF equal to that calculated for endpoints for which all rules in the profile test true.
Tip Sorting on this column in ascending order provides a visualization of the current Profile Hierarchy on a Cisco NAC Profiler system as described earlier in the chapter. This provides a quick check on the Identity Monitoring configuration. Ensure that the Profiles designed to contain the special purpose devices such as printers, badge readers, etc. have profiles with Max CF that allow endpoints exhibiting attributes of general purpose, user-centric devices (for example, PCs) to graduate into the higher Max CF profiles designed to contain user devices.
Automatic or "inference-based" profiles are created by the system automatically when Print Server and/or Voice Gateway IP addresses are present in one or more Organization Names saved to the My Network configuration, as described in Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment". These system-generated endpoint profiles can be viewed on the system by changing the Display by Status control to "Automatic".
The default certainty for the Generic Printer and Generic IP Phone profiles is 65% and cannot be changed via the UI. The example Table of Automatic Profiles shown in Figure 9-7 was taken from a system that had two Print Server and two Voice Gateway IP addresses specified in the MyNetwork configuration.
Figure 9-7 Table of Automatic (inference-based) Profiles
Note Automatic profiles cannot be edited or grouped. To delete Automatic Profiles, remove the Print Server and/or Voice Gateway addresses specified in the MyNetwork configuration.
Creating New Endpoint Profiles
Creating new Endpoint Profiles is a two step process:
1. Create and save the Profile, defining its basic attributes as described in this section.
2. Add one or more Profile Rules to the Profile which define the endpoint attributes collected by the system that constitute a profile match for an endpoint of the type to be contained by the Endpoint Profile.
New Profiles are created/added to the system configuration by navigating to the Configuration tab, selecting the Profiles link from the secondary menu, and then selecting Create Profiles from the table. This will display the Add Profile form shown in Figure 9-8 and described in the following paragraphs.
Alternatively, selecting the Create Profiles link that appears in the upper right hand corner of the View/Edit Profile List page, immediately above the Table of Profiles, will also bring up the Add Profile form.
Figure 9-8 Add Profile Form
To add a new Profile to the configuration, complete the following steps, which set and save the basic parameters of the new Endpoint Profile.
Step 1 Enter the Profile Name for the new endpoint profile.
Enter a unique name for the Profile to be added to help identify what endpoints this Profile will contain, such as Windows Web Users or HP Printers, etc.
Tip The Profile Name is used as the unique key for each Profile in the database. If a new Profile is added with the same name as an existing Profile, an error will be shown in the UI above the Add Profile form. Edit the name to make it unique, then re-add it.
Step 2 Enter a Description of the Profile.
Enter a brief description of the profile and its design. A common use of this field is to document the rules that the profile contains. This information will be displayed in the Table of Profiles and Table of Disabled Profiles in the column labeled Description.
Step 3 Optional: specify the desired Profile Group for the profile being added. By default, the group for a new profile will be set to uncategorized (ungrouped).
Step 4 Enable/Disable the new Profile as desired.
Select the appropriate radio button to specify whether this profile is to be enabled or disabled as it is added to the configuration. The default is enabled which will activate the Profile immediately upon the next Apply Changes -> Update Modules or Re-model.
Tip Enabled Profiles are added to the Cisco NAC Profiler modeling engine, resulting in evaluation of collected endpoints against the rules in all enabled profiles during each Update Modules or Re-model subsequent to setting the profile to enabled.
Step 5 Set the Allow Timeout setting for this Profile.
This Profile attribute determines whether the Profile being created will be subject to the timeouts specified in the Server configuration as described in Chapter 6, "Configuring the Cisco NAC Profiler Server". Specifically, this is used to enable the following timeouts on a profile-by-profile basis:
The default setting of this parameter when a new profile is added is "no", meaning that endpoints in this profile will not be subjected to any timeouts. Timeouts are enabled on a profile-by-profile basis by setting this parameter to "yes".
Tip Endpoints in the ''Not Profiled'' state will always be subjected to timeouts enabled in the Server configuration. This is not configurable.
Tip If an Aging Interval and Penalty are specified in the Server configuration as described in Chapter 6, "Configuring the Cisco NAC Profiler Server", the interval and penalty are applied to all Profiles globally. This cannot be specified on a profile-by-profile basis.
Step 6 Enable Profile for LDAP as required
This radio button enables/disables the Profile for LDAP authentication. If 'yes' is selected, the Cisco NAC Profiler system will successfully authenticate the endpoints in the Profile if queried by an authentication server by endpoint MAC. Endpoints currently in Profiles not enabled for LDAP via this parameter will not be successfully authenticated by the NAC Profiler system when queried by the authentication server.
Refer to Chapter 17, "Enabling LDAP Integration" of this document for full documentation of the LDAP integration capabilities of the system.
Step 7 Select the Add Profile button to save the new Endpoint Profile to the NAC Profiler system configuration.
At this point the new Profile is added to the configuration but there are no Profile rules specifying the attribute match(es) used by the Cisco NAC Profiler modeler to profile endpoints into the newly added endpoint profile. One or more profile rules must be added to the Profile to make it operational.
The remainder of this chapter and the following chapters detail instructions for the configuration of the available rule types, as well as instructions for editing the rule configuration of existing profiles.
Review of the Cisco NAC Profiler Endpoint Profile Rule Types
The Cisco NAC Profiler Profile rules provide the underlying mechanism by which endpoints that are known to exhibit one or more specified attributes of identity are placed in a Profile at a given level of certainty. Selecting the proper rule or rules configured for each Profile and the Certainty Level for each match is the overarching goal of Profile creation and tuning.
The table of endpoint attributes used by Cisco NAC Profiler in the current version is presented once again in Table 9-1 below. For each of the attributes listed in the table, there is a corresponding endpoint profile rule type. Most of the rule types can be accessed from the Save Profile form according to the UI profile rule addition process outlined below; some of the rule types are accessible only from the Advanced Rule editor and are annotated accordingly in the table.
Advanced XML rules are not a rule type in and of themselves, but an alternative (advanced) way to create/edit endpoint profile rules. Using the Advanced Rule editor, complex rules can be created by combining all available rule types using the logical operators OR, AND and NOT.
Table 9-1 Endpoint Profile Rule Types (rule type, followed by the endpoint attribute it matches; entries marked * are available as an Advanced rule option only)
MAC Address/MAC Vendor: The entire MAC address of an endpoint, or the manufacturer that registered the OUI.
IP Address: Full host address (or subnet) being used by the endpoint.
Open TCP port: Indication that an endpoint is accepting TCP connections on a specified TCP port, determined through traffic analysis.
Traffic: Communicated with other host(s) on a specified UDP/TCP port number.
Web User Agent: Displayed a specific web user agent.
Web URL: Visited a specified URL via HTTP.
Displayed a specified Web or SMTP server banner.
*Displayed specified network stack parameters: TTL, window size, TCP options list.
DHCP Vendor Class: Displayed a specific DHCP Vendor Class Identifier in DHCP request.
DHCP Host Name: Displayed a specific host name in DHCP request.
*DHCP Requested Options: Requested specified options in DHCP request (option 55).
*Full list of DHCP options supported by the DHCP client as specified in the DHCP request.
RADIUS Accounting Information: The RADIUS username of an endpoint that has successfully completed RADIUS authentication.
Active Directory Attributes: Information about the endpoint maintained in Active Directory:
•Active Directory Computer (Common) Name
•Active Directory Computer Information
–OS Service Pack
•Active Directory Domain (Distinguished) name
Information in the CDP message (Platform type) that identifies the device to its upstream neighbor.
SNMP System Description: Text string contained within the SNMP system description of devices added to the Cisco NAC Profiler system configuration and polled by NetMap.
The following sections of this chapter outline the process for creation of rules within Profiles. Rule creation is an extremely important aspect of Cisco NAC Profiler configuration for Endpoint Profiling and Identity Monitoring. To conceptualize the relationship between Profiles and Rules, the reader should think of Cisco NAC Profiler Profiles as logical containers which endpoints with similar characteristics and capabilities are sorted into via the Endpoint Profiling process.
Rules are specified for each Profile and they are utilized by the NAC Profiler system to determine the criteria or logic by which the endpoints on a network should be classified (assigned) into a Profile that best reflects its identity based upon collected attributes.
The rule(s) contained in, or bound to, each endpoint profile provide the logic that the NAC Profiler system uses in making the Endpoint Profiling decision, that is, the decision to place an endpoint in a Profile or, in some cases, to move an endpoint from one Profile to another based on the latest available endpoint identity attribute data gathered by the system.
Tip The Cisco NAC Profiler system provides the administrator with information that guides the selection of rules that can or should be used in the Profiles on the system. Through the UI, Cisco NAC Profiler makes available views of the endpoint data that the Collector modules have gathered in the environment for the endpoint attributes that do not require specific collection (Traffic Rule and Web URL data, which do require specific collection, are the exceptions).
For example, all of the MAC Vendor Names observed by the Collectors of a NAC Profiler system are recorded in the system and can be viewed in the course of construction of new MAC Vendor rules based on the observation that devices using that MAC Vendor string are active on the network.
Accessing the endpoint data Collected by the NAC Profiler system and viewing that data by category, (for example, MAC Vendors, DHCP Vendor Class Identifiers, TCP open ports, etc.) is done via the Profile Data reports available from the Utilities Tab (see Chapter 16, "Profile Data" section on page 16-14), or the Show Data button that appears on the new profile creation forms as described later in this chapter and the following chapter.
Adding Profile Rules to an Endpoint Profile
Upon selecting the Add Profile button, a new page displays the Save Profile form, illustrated in Figure 9-9. This form, which is very similar to the Add Profile form, shows the data captured in the first step of the Profile creation process outlined above.
This variant of the form allows rules to be added to the Profile via the Add Rule control that is specific to the 'Save' variant of the Profile form. Rules added to a profile may be edited or removed using the Save Profile form, and it also provides the mechanism for completely deleting a Profile. Editing/removing profile rules from the configuration, and deleting profiles from the configuration is described in detail later in this chapter.
Adding rules to the Profile enables the system to begin classifying endpoints to the Profile assuming it is enabled, and an Apply Changes -> Update Modules is performed after saving the Profile with the rules. A button is provided for each available rule type that is used in the construction of endpoint Profiles, including Advanced XML rules which are documented in Chapter 10, "Endpoint Profile Configuration: Part 2".
Figure 9-9 Save Profile Form showing Add Rule Control
To add a rule or rules to a Profile, select the desired rule type from the Rule Type drop-down, then select the Add Rule button to display the UI rule creation page(s) for the selected rule type. Each of the Profile Rule types available through the UI profile rule addition process is described in the remaining sections of this chapter, or in the following two chapters.
Configuration of MAC Address/Vendor Profile Rules
A MAC Vendor rule enables Endpoint Profiling decisions to be made by the Modeler based on the MAC address of the endpoint's network interface. Cisco NAC Profiler discovers the MAC addresses of endpoints on the network via a number of mechanisms.
The most commonly used mechanism for gathering MAC information is the regular and trap-triggered SNMP poll of edge network devices performed by the NetMap module. Endpoint MAC information is also gathered through the analysis of endpoint DHCP packets if they are being analyzed by NetWatch.
MAC Address/Vendor rules can be used to match endpoints based on the actual hexadecimal address (or portion of it), or a string matching the registrant of the OUI in the IEEE database. The system includes a data dictionary that matches the OUI (first three bytes of the MAC address) to the registrant name, for example, Linksys, Intel, etc.
Cisco NAC Profiler examines the first three bytes (24 bits) of each MAC address discovered by the system (known as the Organizational Unique Identifier, or OUI) to determine the registrant of that OUI--the registered manufacturer of the network interface hardware. If a match is found, the registrant name is recorded as the MAC Vendor of the endpoint. OUIs that do not match a MAC Vendor in the Cisco NAC Profiler data dictionary are displayed as ''Unregistered MAC'' in the Profile Data tables.
When the Cisco NAC Profiler system is configured with a Profile containing a MAC Address/Vendor Rule, endpoints observed with a network interface MAC Address with the specified MAC Vendor String will be placed in the Profile based on the MAC Vendor Rule, at the level of Certainty specified by the rule.
Tip When writing MAC rules, be aware that many vendors manufacture network interfaces used in a variety of endpoints; therefore, it may not be possible to identify the exact type of device using the MAC address alone.
From the Save Profile form, ensure MAC Address is shown in the Add Rule drop-down, then click the Add Rule button on the form. The Add MAC Address rule form shown in Figure 9-10 will display on the page for entry of the rule parameters.
Figure 9-10 Add MAC Address Rule Form
Enter the following information in the form to create a MAC Address/Vendor rule for an Endpoint Profile:
Step 1 Enter the matching MAC Address String.
The vendor name entered for this Rule should correspond to the classification of the Profile to which the Rule is being added.
Tip To determine the MAC Vendor Strings (OUI registrants) Cisco NAC Profiler has observed on the network, click the Show Data button. A pop-up showing the MAC Vendor strings of all endpoints discovered by the system is displayed on the interface, as shown in Figure 9-11. Selecting the Show MAC/IP link following each MAC Vendor string in the table will display a list of the endpoints with a MAC address resolving to that string, by full MAC address (hexadecimal format) and IP address.
Figure 9-11 Show Data: Table of MAC Vendors
Tip The MAC Vendor string field will accept a regular expression to allow matching multiple forms of a MAC Vendor string. For example, Linksys devices have multiple OUIs registered with the IEEE that resolve to several different MAC Vendor strings, including:
-> The Linksys Group, Inc.
-> Cisco-Linksys, LLC
-> Cisco-Linksys LLC
A regular expression of /linksys/i could be entered in the MAC address String field which would match all MAC Vendor strings including the string 'linksys' regardless of case. See the section later in this chapter on application rules for more information about the use of Regular Expressions when specifying matching data in Profile rules.
Step 2 Enter a 'Certainty' value to apply to this rule. This is the relative measure of Certainty that an Endpoint profiled by this rule has been profiled accurately as outlined earlier in this chapter.
Step 3 Select the Add MAC Vendor Rule button at the bottom of the Add MAC Vendor Rule form to save the changes, adding the newly created MAC Vendor Rule to the selected endpoint Profile.
Upon successfully saving a new Rule to a Profile, the rule creation form will close and the Save Profile page for the Profile being configured will display again in the browser. The rule just added to the profile will show in the Save Profile form immediately below the LDAP selector.
Note The rule added in the previous steps will now be displayed in the Save Profile form along with all other Profile attributes including controls for individual rule edit, removal and 'Calculate' as illustrated in Figure 9-12.
Figure 9-12 Save Profile Form After Addition of a MAC Address Rule
The Endpoint Profile Certainty Calculator
The Certainty Calculator helps the administrator determine the certainty values that endpoints may attain in a multi-rule endpoint profile, depending on which of its rules they match, so that the system can be configured to implement the Profile Hierarchy concept.
Figure 9-12 corresponds to the APC UPS Profile example introduced earlier in the chapter at the time the single MAC address/Vendor rule was added to the profile.
Note the ''Maximum profile value 15%'' shown on the form immediately below the Rules section. This is part of the Certainty Calculator. It maintains a running total of the maximum profile certainty, that is, the certainty when all rules in the profile test true for an endpoint. As expected, for single-rule profiles the maximum profile certainty value is equal to the certainty of the single rule. If additional rules are added to the profile, this value changes to the combined certainty value, automating that calculation for the Cisco NAC Profiler administrator.
As expected, when the DHCP Vendor Class rule was added to the Profile with a certainty value of 25%, the maximum profile certainty increases to 36.25%. See the next figure.
Figure 9-13 Profile Certainty Calculator: Multiple-rule Profiles
The calculator can also be used to calculate the certainty when a specified rule or rules are satisfied, not all rules. To include a rule match in the certainty calculation, select the check box in the Calculate column of the Rules section for the rules to include, then select the Calculate button on the form. The certainty factor for endpoints in the Profile that satisfy the selected rules will be presented immediately underneath the Calculate button on the form.
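The arithmetic behind the running total, as an added worked example that is not code from this guide or from the Cisco NAC Profiler product: the chapter states that a 15% rule and a 25% rule combine to a maximum profile certainty of 36.25%, which is exactly what the combination a + b - (a x b)/100 produces (each further rule removes a share of the remaining uncertainty, so the total can never exceed 100%). The function below assumes that combination rule; the profile and rule names come from the chapter's APC UPS example, while the function names are the example's own.

```python
from typing import Dict, Iterable, List

# Constructed rule set for the chapter's APC UPS profile example:
# a MAC Address/Vendor rule at 15% and a DHCP Vendor Class rule at 25%.
APC_UPS_RULES: Dict[str, float] = {
    "MAC Vendor": 15.0,
    "DHCP Vendor Class": 25.0,
}


def combine_certainty(certainties: Iterable[float]) -> float:
    """Combine rule certainties (percent) into a profile certainty.

    Assumption: the calculator combines certainties as a + b - (a * b) / 100,
    i.e. 100 * (1 - prod(1 - c_i / 100)); this reproduces the chapter's
    15% + 25% -> 36.25% figure and keeps the result within 0..100.
    """
    remaining_uncertainty = 1.0
    for c in certainties:
        if not 0.0 <= c <= 100.0:
            raise ValueError(f"certainty out of range: {c}")
        remaining_uncertainty *= 1.0 - c / 100.0
    # Round away floating-point noise so 36.25 is reported as 36.25.
    return round(100.0 * (1.0 - remaining_uncertainty), 4)


def maximum_profile_certainty(rules: Dict[str, float]) -> float:
    """The 'Maximum profile value': every rule in the profile tests true."""
    return combine_certainty(rules.values())


def calculate_selected(rules: Dict[str, float], selected: List[str]) -> float:
    """Mimic the Calculate column: certainty for endpoints that satisfy only
    the selected rules, not necessarily all rules in the profile."""
    unknown = set(selected) - rules.keys()
    if unknown:
        raise KeyError(f"rule(s) not in profile: {sorted(unknown)}")
    return combine_certainty(rules[name] for name in selected)


if __name__ == "__main__":
    print("single rule:", calculate_selected(APC_UPS_RULES, ["MAC Vendor"]))
    print("all rules:  ", maximum_profile_certainty(APC_UPS_RULES))
```

Because the combination is not a plain sum, adding low-certainty rules to a profile raises its maximum only modestly, which is what makes a Profile Hierarchy workable: a profile whose rules are individually weak cannot outrank a profile with one strong rule unless several of the weak rules match together.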
Configuration of IP Address Profile Rules
An IP Address rule enables Endpoint Profiling decisions based on the IP host address of discovered endpoints. Cisco NAC Profiler utilizes several techniques for maintaining a mapping of IP host address to each endpoint MAC in the database as outlined earlier in the guide. Endpoints known to be using a host address specified within an IP Address Rule will be placed in the Profile containing the IP Address Rule, at the level of Certainty specified for the rule.
Tip This rule type is useful when all endpoints of a device-type of interest on a given network are assigned host addresses on a specific IP subnet. For example, if all 10.10.10.x/24 addresses are assigned to printers, an IP Address Rule can be a very effective Rule to add to a Profile that is created to contain all the printers on the network.
To add an IP Address Rule to a selected Profile, from the Save Profile page for the selected Profile, follow the procedure below:
Step 1 Select IP Address from the Add Rule drop-down menu and click on Add Rule button on the Save Profile form for the selected Endpoint Profile. The Add Address Rule page containing the form illustrated in Figure 9-14 will display in the browser.
Figure 9-14 Add Address Rule Form (IP Address Rule)
Enter the following information in the form to create an IP Address rule for inclusion in a Profile:
Step 2 Specify the matching IP Address information
Enter the IP address hosts should be using in order to match the rule and be moved into the Profile containing the IP Address rule. From the earlier example if the devices desired to be placed in this Profile were all assigned a host address on the 10.10 subnet of the 10.0.0.0 Class A network, 10.10.0.0 would be entered in this field.
Step 3 Enter the Mask to be applied to the specified IP
Enter the subnet mask in dotted decimal format that should be applied to the specified IP Address provided in the field above. For example, to match all hosts on the 10.10 subnet of the 10.0.0.0 Class A network, a mask of 255.255.0.0 would be entered so that all hosts discovered by Cisco NAC Profiler and known to be using a host address on this subnet would match the rule.
Step 4 Enter a 'Certainty' value to apply to this rule.
This is the relative measure of Certainty that an Endpoint profiled by this rule has been profiled accurately as outlined earlier in this chapter.
Step 5 Select the Add (IP) Address Rule button at the bottom of the Add IP Address Rule form to save the changes, adding the IP Address Rule to the endpoint Profile.
Upon successfully saving the IP Address Rule to the Profile, the Save Profile page for the Profile being configured will be displayed showing the IP Address rule added to the profile as shown in Figure 9-15.
Figure 9-15 IP Address Rule Added to Profile
Note that the IP Address Rule added is displayed in the Save Profile form with all other Profile attributes. At this point further edits/adds may be made to the Endpoint Profile, or the Profile changes may be saved.
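How the two rule types described so far evaluate against collected endpoint data, as an added example that is not code from this guide or from the Cisco NAC Profiler product. It covers both the MAC Vendor regular expression from the Linksys tip above (the /linksys/i form) and the IP Address rule with a dotted-decimal mask from the steps just completed (10.10.0.0 with mask 255.255.0.0). The endpoint records are constructed; the vendor strings are the ones the chapter itself lists, and the function names are the example's own.

```python
import ipaddress
import re
from typing import Callable, Dict, List

Endpoint = Dict[str, str]
Rule = Callable[[Endpoint], bool]

# Constructed endpoint records of the kind the Collectors supply: MAC address,
# the MAC Vendor string resolved from the OUI, and the current IP host address.
ENDPOINTS: List[Endpoint] = [
    {"mac": "00:00:00:aa:bb:01", "mac_vendor": "Cisco-Linksys, LLC", "ip": "10.10.5.7"},
    {"mac": "00:00:00:aa:bb:02", "mac_vendor": "The Linksys Group, Inc.", "ip": "10.11.1.1"},
    {"mac": "00:00:00:aa:bb:03", "mac_vendor": "Intel", "ip": "10.10.9.9"},
    {"mac": "00:00:00:aa:bb:04", "mac_vendor": "Unregistered MAC", "ip": "192.168.1.20"},
]


def mac_vendor_rule(pattern: str) -> Rule:
    """Build a MAC Address/Vendor rule matcher.

    Accepts either a literal vendor string or the /regex/flags form shown in the
    chapter (for example /linksys/i, where 'i' means case-insensitive).
    """
    slashed = re.fullmatch(r"/(.*)/([a-z]*)", pattern)
    if slashed:
        flags = re.IGNORECASE if "i" in slashed.group(2) else 0
        regex = re.compile(slashed.group(1), flags)
    else:
        regex = re.compile(re.escape(pattern))
    return lambda endpoint: regex.search(endpoint["mac_vendor"]) is not None


def ip_address_rule(address: str, mask: str) -> Rule:
    """Build an IP Address rule matcher from a network address and a
    dotted-decimal subnet mask, e.g. ("10.10.0.0", "255.255.0.0")."""
    # strict=False tolerates host bits set in the address, as a UI would.
    network = ipaddress.IPv4Network((address, mask), strict=False)
    return lambda endpoint: ipaddress.IPv4Address(endpoint["ip"]) in network


def match_endpoints(rule: Rule, endpoints: List[Endpoint]) -> List[str]:
    """Return the MAC addresses of the endpoints that satisfy the rule."""
    return [e["mac"] for e in endpoints if rule(e)]


if __name__ == "__main__":
    print("linksys:", match_endpoints(mac_vendor_rule("/linksys/i"), ENDPOINTS))
    print("10.10/16:", match_endpoints(ip_address_rule("10.10.0.0", "255.255.0.0"), ENDPOINTS))
```

Note that the regular expression is applied with a search, not an anchored match, so /linksys/i catches all three Linksys vendor strings listed in the tip; a literal string, by contrast, matches only endpoints whose vendor string contains exactly that text.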
Configuration of Traffic Profile Rules
A Traffic rule enables Endpoint Profiling decisions based on the observation by Cisco NAC Profiler of traffic flows having the characteristics specified in the rule:
•On a specific source or destination TCP or UDP port number
•From a specific source or to a specific destination IP, or to/from any IP.
Endpoint data that is used to match Traffic Rules is collected by either NetWatch module(s) observing live network traffic, or through the NetRelay analysis of NetFlow XDRs.
Note In the current version, the Traffic Rule type is the only rule type that can be used with NetFlow data. If no Traffic Rules are present in enabled endpoint profiles on the system, NetRelay will not collect/analyze data contained in NetFlow XDRs forwarded by NetFlow-enabled systems.
Traffic rules contained within Profiles can greatly increase the certainty with which Endpoints are classified into that Profile, as this data is an easily distinguishable indicator of the services an endpoint is providing or consuming on the network. Accordingly, they are often a highly reliable indicator of device type.
For example, to construct a Traffic Rule for Profiling printers, proceed as follows. The Rule is constructed such that it examines network traffic for communication from the Print Server (the IP Address of the rule is that of the Print Server, with Source IP selected) to endpoints using the well-known destination port number of 9100. Traffic observed that matches this rule is indicative of the print server communicating directly with a device for the purpose of printing. The device that the traffic is destined for is very likely to be a printer.
To add a Traffic Rule to a selected Profile, from the Save Profile form for the selected Endpoint Profile, follow the procedures outlined below:
Step 1 Select Traffic from the Add Rule drop-down, then select the Add Rule button. The Add Traffic Rule form illustrated in Figure 9-16 will display in the browser.
Figure 9-16 Add Traffic Rule Form
Enter the following information in the form to create a Traffic rule for inclusion in a Profile:
Step 2 Enter the host IP Address of either source or destination endpoint in matching flows.
Enter the IP Address to match and select Source IP or Destination IP to specify the direction of the communication. Note, other than 0.0.0.0, which is used to specify ''any'' host address, this value must be a host address and not a subnet.
Tip The 0.0.0.0 address should only be used in Traffic Rules that match relatively low-volume flows. Top-talker protocols such as HTTP (for example, a rule designed to match any endpoint communicating with the web proxy) can put a high load on the NetWatch (or NetRelay) collector and on the Server, as the system will collect and analyze flow data for all hosts communicating with the Internet via the proxy.
Step 3 Specify the Source UDP/TCP Port Number for the traffic rule
Enter the Source Port that is expected in the communication. If this rule is looking at the Destination port, then enter 0 here to designate any source port.
Step 4 Specify the Destination UDP/TCP Port Number for the traffic rule
Enter the Destination Port that is expected in the communication. If this rule is looking at the Source port, then enter 0 here to designate any destination port.
Step 5 Enter a 'Certainty' value to apply to this rule.
This is the relative measure of Certainty that an Endpoint profiled by this rule has been profiled accurately as outlined earlier in this chapter.
Step 6 Select Add Traffic Rule button to save the Traffic Rule to the endpoint profile
When constructing Traffic Rules, the direction of the rule logic is important to consider. Use the following rule of thumb for determining the direction of traffic rules:
•If the Source IP address is specified in the Traffic Rule (as in the printer example above), information about the destination IP address in the network traffic specified is gathered.
•If a Destination IP address is specified in the traffic rule (example to follow), information about the source IP address in the network traffic specified is gathered.
For example, print servers are known to communicate with a network printer on port 9100. A traffic rule could be utilized in the profile for printers, specifying the Source IP in the rule to be the print server's IP, with a destination port of 9100. This rule would be used for making a characterization about endpoints observed receiving packets meeting this criterion—that endpoints observed receiving packets satisfying this rule are highly likely to be network printers.
The following example (Figure 9-17) shows an endpoint profile with a traffic rule added. In this case, a profile designed to profile printers using a traffic rule that matches when NetWatch or NetRelay determines through the analysis of traffic (NetWatch) or NetFlow XDRs (NetRelay) that an endpoint has been receiving traffic from a known print server (10.1.1.1) on port 9100.
Figure 9-17 Endpoint Profile with Traffic Rule
The definition of the Traffic Rule is summarized in the Rules section of the Save Profile form. The ''plain English'' interpretation of the rule in the example would be: ''match endpoints that are known to accept traffic from 10.1.1.1 with any (dynamic) source port to the destination port of 9100.'' This rule was created to match printers receiving print jobs on port 9100 from host 10.1.1.1, known to be a print server. The source port of this traffic is dynamic and assigned for each session, but the destination port will consistently be 9100.
Tip Whenever changes are made to a Profile containing a Traffic Rule (enabled/disabled/deleted), or to a Traffic Rule within a profile (added/edited/removed), an Apply Changes -> Update Modules must be executed to reconfigure the NetWatch and NetRelay modules across the system as required. Traffic Rules require these modules to perform ''specific collection'' as described previously. Adding or changing traffic rules may require modifications to the module configurations, which are only performed during execution of an Update Modules, and not during a Re-model.
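The direction rule of thumb above, applied to flow records, as an added example that is not code from this guide or from the Cisco NAC Profiler product. The flows are constructed in the shape a NetWatch or NetRelay observation would take (source and destination address and port); the print server 10.1.1.1 and port 9100 are the chapter's own example, while the proxy address 10.1.1.5 and port 3128 are assumptions chosen to illustrate the Destination IP case, and the class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    """One observed flow (constructed; a NetFlow record carries the same fields)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class TrafficRule:
    """A Traffic Rule as entered on the Add Traffic Rule form."""
    ip: str             # host address, or 0.0.0.0 for any host
    side: str           # "source" or "destination": which end the address applies to
    src_port: int = 0   # 0 designates any source port
    dst_port: int = 0   # 0 designates any destination port

    def matches(self, flow: Flow) -> bool:
        if self.ip != "0.0.0.0":
            anchored = flow.src_ip if self.side == "source" else flow.dst_ip
            if anchored != self.ip:
                return False
        if self.src_port and flow.src_port != self.src_port:
            return False
        if self.dst_port and flow.dst_port != self.dst_port:
            return False
        return True

    def profiled_endpoint(self, flow: Flow) -> str:
        """The endpoint the rule characterizes is the *other* end of the flow:
        a Source IP rule gathers destinations, a Destination IP rule gathers sources."""
        return flow.dst_ip if self.side == "source" else flow.src_ip


def endpoints_matching(rule: TrafficRule, flows: List[Flow]) -> List[str]:
    """Addresses of endpoints that would be profiled by the rule, deduplicated."""
    return sorted({rule.profiled_endpoint(f) for f in flows if rule.matches(f)})


# Constructed sample flows: two print jobs from the print server, one unrelated
# connection from it, a print job from a workstation, and a proxy request.
FLOWS = [
    Flow("10.1.1.1", 49152, "10.1.1.50", 9100),
    Flow("10.1.1.1", 49153, "10.1.1.51", 9100),
    Flow("10.1.1.1", 49154, "10.1.1.60", 445),
    Flow("10.1.1.77", 52000, "10.1.1.50", 9100),
    Flow("10.1.1.20", 40000, "10.1.1.5", 3128),
]

# The chapter's printer rule: Source IP = print server, destination port 9100.
PRINTER_RULE = TrafficRule("10.1.1.1", "source", dst_port=9100)
# Destination IP variant: endpoints talking to the proxy (an assumed address).
PROXY_CLIENT_RULE = TrafficRule("10.1.1.5", "destination", dst_port=3128)

if __name__ == "__main__":
    print("printers:     ", endpoints_matching(PRINTER_RULE, FLOWS))
    print("proxy clients:", endpoints_matching(PROXY_CLIENT_RULE, FLOWS))
```

The workstation flow to port 9100 is deliberately excluded by the printer rule because its source is not the print server, while a rule using 0.0.0.0 as the destination address with port 9100 would gather every host sending to that port, which is the volume concern raised in the tip on 0.0.0.0.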
Configuration of Static MAC/IP Host Address Rules
One additional means of classifying endpoints into an Endpoint Profile through the UI profile creation process is the Static Rule type. The Set Static button at the bottom of the Save Profile form provides a way of designating specific endpoints by MAC or IP Address into an Endpoint Profile, at a specified level of certainty.
Tip Static Rules do not result in matches for endpoints that have not been discovered by the Cisco NAC Profiler system. It is not a means for "manual" endpoint discovery. Static rules function only for endpoints that are discovered by the Cisco NAC Profiler system using the automatic processes outlined earlier.
Selecting the Set Static button for a Profile brings up the form in Figure 9-18, which allows for listing IP host addresses and/or MAC addresses of endpoints to be placed in the Profile statically.
Use the following procedure to configure static rules for an endpoint profile.
Figure 9-18 Set Static Profile Rule
Step 1 Enter one or more matching MAC and/or IP host addresses
To enter MAC addresses in the form, use the standard format 01:02:03:04:05:06, one MAC address per line. Enter IP host addresses in dotted decimal notation (for example, 192.168.1.1), one per line.
Step 2 Specify a Certainty value for devices added to the Profile via the Static Rule.
Note The Certainty mechanism continues to operate as previously described. If Cisco NAC Profiler collects attributes of identity from an endpoint currently in a Profile via a static assignment, and those attributes match a rule or rules in another enabled Profile with a higher Certainty value than the static assignment, the endpoint will transition to that Profile. To ensure that endpoints assigned statically to a Profile never transition out of it, assign a high certainty value to the static rule, such as 100%.
Step 3 Select the Save Static button to save the static rule to the Profile
The interface will return to the Save Profile form for that Profile, showing the addition of the Static Rule to the Profile as shown in Figure 9-19.
Figure 9-19 Static Rule Added to a Profile
Note the absence of the Edit/Remove controls for the Static Rule. These controls are not applicable to this rule type; the edit/removal of a static rule is done through the Set Static button as described later in the chapter.
Editing Rules and Other Attributes of Saved Endpoint Profiles
Whenever the Save Profile form is displayed for an endpoint profile, the parameters of the profile can be edited. Selecting the Edit radio button to the immediate right of a profile rule of any type other than Static, and then clicking on the Edit button beneath the radio button(s) will bring up the Save <rule_type> Rule form for the selected rule. Only one rule can be selected for editing at a given time. Use the directions outlined earlier in this chapter for changing the parameters of the selected rule. Select the Save button at the bottom of the Save form to save the changes to the rule.
The profile certainty calculator is always available when the Save Profile form for an endpoint profile is displayed. To determine the certainty value for different rule combinations, select the rules to include in the calculation by selecting the check boxes above the 'Calculate' button. Then select the Calculate button to determine the certainty value that will result for endpoints that satisfy the selected rules.
To remove a rule from a selected endpoint profile, display the Save Profile form for the profile then select the check box (or boxes, as multiple rule removal is allowed) above the Remove button on the Save Profile form for the rule(s) selected for removal, then select the Remove button. The rule(s) will be removed from the Profile permanently.
Static rules require the use of the Set Static button for editing/removing Static Rules in profiles. Selecting the Set Static button when a static rule has been saved to a profile will open the Static Addresses Form, showing any MAC/IP addresses saved to the static rule set previously. Add to/Edit the addresses as required, or delete all MAC/IP addresses on the form to remove the static rule from the Profile.
Saving Changes to Endpoint Profiles and Applying Changes
When all desired rules have been added to the configuration of a newly created endpoint profile, or when necessary edits have been made to an endpoint profile saved to the configuration previously, selecting the Save Profile button at the bottom of the form saves all changes to the Profile and its associated rules to the Cisco NAC Profiler system configuration. In order for the new Profile to become part of the running configuration, however, the Profile must indicate 'enabled' in the Table of Profiles, and an Apply Changes -> Re-model must be performed to evaluate all existing endpoint data against the most recent version of the Modeler, reflecting any changes to enabled profiles.
Tip Note that in the case of the addition, deletion or editing of any Traffic Rules or URL rules, an Apply Changes -> Update Modules must be performed. These rules require ''specific collection'' which may require configuration changes to the NetWatch and NetRelay (Traffic Rules) or NetWatch (URL rules) module(s) across the system to initiate/stop/change collection.
Upon the system restart the Profile will become active, and any endpoints in the Cisco NAC Profiler Endpoint database that match the rules specified in the new Profile will move from the Not Profiled state into the new Profile, or from other enabled Profiles subject to the Certainty rules outlined earlier in the chapter. In order for endpoints to transition from an existing Profile other than Not Profiled into the new Profile, the Certainty value of the matching rule or rules in the new Profile must be higher than that of the current Profile.
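The transition decision described here and in the Static Rule note above, as an added example that is not code from this guide or from the Cisco NAC Profiler product: an endpoint changes Profile only when a candidate profile's certainty is strictly higher than the certainty it currently holds, so a static assignment at 100% is never displaced while a static assignment at a lower value can be. The rule-certainty combination is the same a + b - (a x b)/100 assumption that reproduces the chapter's 36.25% calculator figure; the profile names other than APC UPS and Not Profiled are constructed, and the function names are the example's own.

```python
from typing import Dict, List, Tuple

NOT_PROFILED = "Not Profiled"
Placement = Tuple[str, float]  # (profile name, certainty held there, in percent)


def profile_certainty(rule_certainties: List[float]) -> float:
    """Combine the certainties of the rules an endpoint matched within one profile.
    Assumption: a + b - (a * b) / 100, which yields 36.25 for rules of 15 and 25."""
    remaining_uncertainty = 1.0
    for c in rule_certainties:
        remaining_uncertainty *= 1.0 - c / 100.0
    return round(100.0 * (1.0 - remaining_uncertainty), 4)


def decide_profile(matches: Dict[str, List[float]],
                   current: Placement = (NOT_PROFILED, 0.0)) -> Placement:
    """Return the endpoint's placement after a re-model.

    matches: enabled profiles whose rules the endpoint's collected attributes
             satisfied -> certainties of the matched rules in that profile.
    current: the profile the endpoint is in now (static or rule-based) and the
             certainty it holds there; Not Profiled counts as 0%.
    The endpoint leaves `current` only for a profile with strictly higher certainty.
    """
    best_name, best_cf = current
    for name in sorted(matches):          # deterministic order for ties between candidates
        if name == best_name:
            continue                      # already there; its held certainty is authoritative
        cf = profile_certainty(matches[name])
        if cf > best_cf:
            best_name, best_cf = name, cf
    return best_name, best_cf


if __name__ == "__main__":
    # A newly discovered endpoint matching both APC UPS rules.
    print(decide_profile({"APC UPS": [15.0, 25.0]}))
    # A static assignment at 100% is never displaced by a 60% rule match.
    print(decide_profile({"Printers": [60.0]}, current=("Lab Devices", 100.0)))
    # A static assignment at 40% is displaced by a 61.5% combined match.
    print(decide_profile({"Printers": [45.0, 30.0]}, current=("Lab Devices", 40.0)))
```

Equal certainties do not cause a move, so two profiles whose rules yield the same value for an endpoint leave it where it already is; setting distinct certainty levels across profiles is what makes the hierarchy resolve predictably.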