An engineer wants to automatically assign endpoints that have a specific OUI into a new endpoint group. Which probe must be enabled for this type of profiling to work?
To automatically assign endpoints with a specific OUI into a new endpoint group, the DHCP probe must be enabled. The OUI is part of the MAC address, which is commonly included in DHCP requests through the dhcp-client-identifier or dhcp-class-identifier fields. This allows the DHCP probe to capture the MAC address and, consequently, the OUI, facilitating the identification and profiling of devices.
The answer is C, through DHCP Profiling. The OUI is part of the MAC address, which can be learned from the dhcp-client-identifier option 61.
I agree. NMAP scan is based on IP; any information collected during the scan will be discarded if the MAC-IP binding doesn't exist. According to the ISE profiling design guide, "The dhcp-client-identifier typically provides the MAC address, which in turn provides the vendor OUI information through correlation from the MAC Address-OUI mapping table." under Procedure 25 Verify DHCP Probe Data https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-2096149162
In addition to Jeeves69, it is option 60, not 61. https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-2725.pdf Vendor/OS information can be gathered from dhcp-class-identifier (60). DHCP parameter request list and DHCP class ID can be used for platform and model.
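As an added example (not code from the thread or from Cisco ISE), the parser below walks the options field of a constructed DHCP DISCOVER and shows what each option contributes to profiling: option 61 (dhcp-client-identifier) carries the hardware address, from which the OUI is derived and matched against a constructed OUI table, while option 60 (dhcp-class-identifier) carries only a vendor/OS string and never yields a MAC. The OUI table, the endpoint group name and the sample packets are all constructed for illustration.

```python
# Added example (not the thread's or Cisco's code): which DHCP option carries the MAC/OUI.
# Constructed OUI-to-vendor table (placeholder entries, not the IEEE registry).
OUI_TABLE = {"00:50:56": "VendorA (constructed)", "00:1b:54": "VendorB (constructed)"}

def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV-encoded DHCP options field (RFC 2132) into {code: value}."""
    opts, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 0:            # pad option, single byte, no length field
            i += 1
            continue
        if code == 255:          # end option
            break
        length = options[i + 1]
        opts[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def mac_from_client_id(client_id: bytes):
    """Option 61: a hardware-type byte followed by the address. Type 1 (Ethernet)
    is followed by the 6-byte MAC; string/other client-ids carry no MAC at all."""
    if len(client_id) == 7 and client_id[0] == 1:
        return ":".join(f"{b:02x}" for b in client_id[1:])
    return None

def profile_endpoint(options: bytes, target_oui: str, group: str) -> dict:
    """Derive MAC/OUI/vendor from option 61 and assign the (hypothetical) group on an OUI match."""
    opts = parse_dhcp_options(options)
    mac = mac_from_client_id(opts.get(61, b""))
    oui = mac[:8] if mac else None          # OUI = first three octets of the MAC
    class_id = opts.get(60, b"").decode("ascii", "replace") or None
    return {
        "mac": mac,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui),
        "class_id": class_id,               # option 60: OS/vendor string only, no MAC
        "group": group if oui == target_oui else None,
    }

# Constructed DISCOVER options: msg type (53), client-id (61) with an Ethernet MAC,
# class-id (60) "MSFT 5.0", end (255).
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])
    + bytes([61, 7, 1, 0x00, 0x1B, 0x54, 0xAA, 0xBB, 0xCC])
    + bytes([60, 8]) + b"MSFT 5.0"
    + bytes([255])
)
# Same request with a string client-id: option 60 alone gives a class string but no OUI.
STRING_ID_OPTIONS = bytes([53, 1, 1, 61, 5]) + b"host1" + bytes([60, 8]) + b"MSFT 5.0" + bytes([255])
```

Static-IP hosts that never send DHCP produce no such packet, which is the gap the SNMP/ARP-table arguments later in the thread point at.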
And check the Nmap probe to access MAC... it is done on manual scan.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/Workflow/b_endpoint_profiling_2_4.html#reference_FD15BD65A25A4390B2A865450F938ADF
The answer is SNMP. It will work and can pull ARP tables from the network devices. In fact, page 28 in the ISE Profiling guide recommends it if RADIUS or DHCP probes can't be effective. An NMAP scan cannot get a MAC address. If it is on the same subnet, then it would pull the MAC from the ARP table, which would then be effective. That's a big IF. DHCP would miss static devices as mentioned. A NetFlow probe with additional attributes of SRC_MAC and DST_MAC should also be able to work for this situation if placed properly within the networks, but I'm going with SNMP as that is what is recommended in the guide.
A and C will work, C for dynamic only. I just like it more. NMAP looks to me like absolute nonsense; it would work only scanning on the same subnet.
Probe SNMP: Key profiling attributes: MAC Address/OUI, CDP/LLDP, ARP tables. Common Endpoint Profiling Use Cases: See RADIUS probe for MAC info. Valuable for any vendor that uses CDP/LLDP. For example, Cisco IP phones, cameras, access points, appliances. Polling of device ARP tables populates ISE MAC-to-IP bindings. https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456 CTRL + F to the section: "Probe Selection Best Practices"
NMAP scans for open ports and OS detection; how do you get a MAC address in NMAP scans over L3? You can configure SNMP probes to start profiling and populating endpoints before enforcing MAB/802.1X in ISE. I have done this a few times.
Most correct answer is SNMP probe. DHCP probe can also pull unique vendor IDs for hardware, but not for endpoints with static IPs. When determining which probes to enable in the network, it is helpful to understand which attributes can be collected by each probe: RADIUS - MAC Address (OUI), IP Address, NDG values; RADIUS w/Device Sensor - CDP/LLDP, DHCP, User-Agent, mDNS, H323/SIP; RADIUS w/ACIDex - MAC Address, UDID, Operating System, Platform/Device Type; SNMP - MAC Address/OUI, CDP/LLDP, ARP tables; DHCP - DHCP [also OUI]; DNS - FQDN; HTTP - User-Agent; NetFlow - Protocol, Source/Dest IP, Source/Dest Ports; NMAP - Operating System, Common and custom ports, Service Version Info, SMB data, Endpoint SNMP data; AD - Exists in AD, Operating System and Version, AD Domain; pxGrid - IoT Asset, Custom Attributes. https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId--2031470585 --> Table 13. Probe Attributes
SNMP is A, of course
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-2725.pdf Interesting debate. I would go for DHCP based on the above. DHCP can certainly gather OUI and it is dynamic as well. Nmap would have to be manually initiated or scheduled.
Answer is C
DHCP. This is the most used function for ISE to learn about endpoints, since it can learn about them even if the endpoints are not on an 802.1X-enabled port. NMAP is manual/triggered. It's theoretical that some clients use static IP. Most devices use DHCP.
More relevant about OUI is still "probe DHCP". Answer C.
SNMP https://community.cisco.com/t5/tkb/articleprintpage/tkb-id/4561-docs-security/article-id/6096 Procedure 11
Why not D? Check profiling probe using NetFlow v9... Also, DHCP from a security perspective uses IP-to-MAC binding; that doesn't mean it is used as a probe to get MAC details.
OUI is part of the MAC address.
I vote for C as well. NMAP is layer 3.
C. DHCP DHCP stands for Dynamic Host Configuration Protocol, and it's a network protocol used on IP networks to dynamically assign IP addresses and other network configuration parameters to devices on a network. The DHCP probe can capture the DHCP request packets, which contain the MAC address of the device. The first half of a MAC address is the Organizationally Unique Identifier (OUI), which is specific to a manufacturer.
http://www.network-node.com/blog/2016/1/2/ise-20-profiling#:~:text=ISE%20can%20check%20the%20vendor,troubleshooting%20if%20the%20session%20terminates.&text=SNMP%20Trap%3A,or%20disconnecting%20from%20the%20network. NMAP Scan Probe: After a scan is run, there are new attributes you can see about this host: EndPointPolicy LastNmapScanCount NmapScanCount OUI operating-system
The question asks how to automatically assign endpoints in a specific OUI into an endpoint group via profiling. NMAP allows a manual or triggered scan for a specific OUI and assigns it to an endpoint group https://i.imgur.com/EjzRK7r.png https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId-1651437215