Lesson 3 of 5

Profiling Probes and Endpoint Classification

Introduction

Every device that connects to your network carries a fingerprint — a combination of attributes drawn from protocols like DHCP, CDP, LLDP, HTTP, and more. Cisco ISE uses profiling to collect those attributes, match them against known patterns, and classify each endpoint into an identity group. That classification then drives authorization policy, determining which VLAN, ACL, or Security Group Tag an endpoint receives.

In this lesson you will learn how ISE gathers endpoint data through profiling probes, how profile conditions combine multiple attributes to reach a classification decision, and how endpoint ownership and caching work across a distributed ISE deployment. You will also explore the resiliency features introduced in ISE 3.4 and 3.5 that protect the profiler from performance degradation, and understand the static versus dynamic group assignment model that controls whether profiling results can override an administrator's manual classification.

By the end of this lesson you will be able to:

  • Describe the data sources ISE uses for profiling and how probe data flows through the system.
  • Explain the endpoint cache, Context Visibility database, and the Lightweight Distribution Data (LDD) framework.
  • Configure and verify static group assignment behavior.
  • Apply best practices for profiler scalability and resiliency.

Key Concepts

Profiling Probes and Data Sources

ISE collects endpoint attributes from several protocol-level probes. Each probe contributes a different piece of the classification puzzle.

Probe / Source      | Attributes Collected
MAC OUI             | Vendor organizationally unique identifier from the MAC address
CDP / LLDP          | Device type, platform, capabilities advertised by the endpoint or neighboring switch
DHCP                | DHCP class identifier, hostname, requested options
HTTP                | User-Agent string, OS fingerprint
mDNS                | Service advertisements (printers, Apple devices, IoT)
H323                | IP telephony device attributes
MSI-Proxy           | Machine Service Information proxy attributes
RADIUS Accounting   | Session attributes forwarded from the network access device
Device Sensor       | CDP, LLDP, and DHCP data collected directly on the Catalyst switch and sent to ISE

Important: RADIUS and HTTP probes continuously supply the profiler with all incoming updates even if the profiling service is disabled on that ISE node. Keep this in mind when troubleshooting unexpected attribute collection.

Profile Conditions

A single probe rarely provides enough information to identify an endpoint with confidence. ISE uses profile conditions that combine multiple attributes into a weighted score. For example, a printer might be identified through a two-step match:

  1. The MAC OUI indicates a Lexmark device.
  2. The DHCP Class ID contains the string E260dn.

When both conditions are satisfied, ISE classifies the endpoint as a Lexmark E260dn printer. This layered approach — combining the OUI with protocol-specific fields — is the foundation of accurate endpoint classification.

Endpoint Ownership and the LDD Framework

In a distributed ISE deployment with multiple Policy Service Nodes (PSNs), each endpoint is assigned an owner — the ISE node responsible for maintaining the complete set of that endpoint's attributes. The Lightweight Distribution Data (LDD) framework ties the deployment together:

  • Session cache — stores abbreviated session information and identifies which ISE node owns each endpoint.
  • Owner cache — maps endpoints to their owning PSN.
  • Message broker — coordinates updates between nodes.
  • Endpoint cache — separate on each PSN, stores the full endpoint record used for local policy decisions.

Best Practice: Keep endpoint replication disabled unless explicitly advised. It is automatically enabled when LDD is disabled. If endpoint replication has not been previously enabled and must be activated, manually synchronize ISE nodes with the PAN first.


How It Works

Probe Data Flow and Classification

When an endpoint connects to the network, the access switch collects protocol attributes through Device Sensor (CDP, LLDP, DHCP) and forwards them to ISE via RADIUS accounting. ISE also gathers data directly through its own probes — HTTP, mDNS, H323, and others configured on the PSN.

The profiler engine on the receiving PSN evaluates incoming attributes against the library of profiling policies. Each policy contains one or more conditions with certainty-factor weights. When the cumulative score exceeds the minimum threshold defined in the policy, ISE assigns the endpoint to the matching Endpoint Identity Group.
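The two-step Lexmark match from the Key Concepts section and the certainty-factor scoring described above, as an added simplified model (not ISE code). The OUI table, certainty values, minimum thresholds and policy names are constructed for illustration; the third case in the test shows why a DHCP Class ID alone does not reach the threshold without a matching OUI.

```python
# Added example (not ISE code): simplified model of profiling-policy evaluation.
# Every condition carries a certainty factor (CF). A policy matches when the CF
# of its satisfied conditions sums to at least the policy's minimum CF; the
# highest-scoring matching policy wins. OUI table, CF values and policy names
# are constructed for illustration and do not reflect the shipped ISE library.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed OUI table: first three octets of the MAC -> vendor string
OUI_TABLE = {"00:20:00": "Lexmark International", "00:50:56": "VMware"}

@dataclass
class Condition:
    name: str
    check: Callable[[Dict[str, str]], bool]
    certainty: int  # CF contributed when the condition holds

@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int
    conditions: List[Condition]

def oui_vendor(attrs: Dict[str, str]) -> str:
    """Resolve the endpoint MAC's OUI against the table ('Unknown' if absent)."""
    return OUI_TABLE.get(attrs.get("mac", "").lower()[:8], "Unknown")

def evaluate(policy: ProfilingPolicy, attrs: Dict[str, str]) -> int:
    """Sum the certainty factors of all conditions satisfied by the attributes."""
    return sum(c.certainty for c in policy.conditions if c.check(attrs))

def classify(policies: List[ProfilingPolicy], attrs: Dict[str, str]) -> str:
    """Return the best-scoring policy that reaches its minimum CF, else 'Unknown'."""
    best_score, best_name = -1, "Unknown"
    for policy in policies:
        score = evaluate(policy, attrs)
        if score >= policy.min_certainty and score > best_score:
            best_score, best_name = score, policy.name
    return best_name

# Two-step match from the lesson: OUI says Lexmark, DHCP Class ID names the model.
IS_LEXMARK = Condition("OUI-Lexmark", lambda a: "Lexmark" in oui_vendor(a), 10)
IS_E260DN = Condition("DHCP-Class-E260dn",
                      lambda a: "E260dn" in a.get("dhcp-class-identifier", ""), 20)
POLICIES = [
    ProfilingPolicy("Lexmark-Device", 10, [IS_LEXMARK]),                     # generic parent
    ProfilingPolicy("Lexmark-Printer-E260dn", 30, [IS_LEXMARK, IS_E260DN]),  # specific child
]

if __name__ == "__main__":
    attrs = {"mac": "00:20:00:aa:bb:cc", "dhcp-class-identifier": "Lexmark E260dn"}
    print(classify(POLICIES, attrs))  # Lexmark-Printer-E260dn
```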

Once classified, the endpoint's attributes are persisted to the Context Visibility (CV) database and, if the classification triggers a group change with an active session, a Change of Authorization (CoA) is issued to the network access device to re-evaluate the endpoint's authorization policy.

Context Visibility Database

Context Visibility is the centralized store of endpoint attributes consumed by the ISE GUI. It runs on the Primary PAN (PPAN) and Secondary PAN (SPAN) and provides the ability to aggregate, store, and search high volumes of endpoint data. Profiling updates are persisted to the Context Visibility database, which maintains its own set of significant attributes for persistence.

Before ISE 3.4, Context Visibility was backed by an Elasticsearch cluster with the PPAN as the master and the SPAN as the replica. Starting with ISE 3.4, the Elasticsearch instances are independent on the PPAN and SPAN. This architectural change is important to understand when performing a Context Visibility reset — always follow the latest reset procedure for your ISE version.

Profiler as a Service

The profiler operates as a service layer that merges and retrieves information from the endpoint cache and performs persistence operations when needed. Several ISE subsystems feed data into the profiler:

  • MDM integration — the profiler queries the MDM server, grabs endpoint MDM attributes, updates MDM data in the endpoint cache, and performs a remote save to the PPAN where the data is merged with the existing endpoint record.
  • Posture — posture assessment results are reported back to the profiler, which updates the posture data in the endpoint cache.
  • Guest services — after guest authentication, the guest portal updates the profiler with Identity Group information for the endpoint.

Profiler Resiliency (ISE 3.5 and Later)

ISE 3.5 introduced Profiler Resiliency, a set of safeguards that prevent the profiling engine from being overwhelmed by high-volume attribute updates. The system monitors three areas and takes graduated action:

Monitoring Area             | Thresholds and Actions
Endpoint Attribute Updates  | Context Visibility updates capped at 30 updates/min; DB updates capped at 5 updates/min. Chatty endpoints are suppressed for a 5-minute cool-off period.
Profiler Queue              | At 80% full: suppress interim updates and reclassification. At 90% and 100% full: process only new endpoints. Cool-off period of 5 minutes.
PSN Resource Monitoring     | Degrades the profiler service by suppressing interim updates and reclassification. Cool-off period of 5 minutes (depends on alarm timers).

In every case, ISE generates an audit log whenever the profiler service is degraded, giving administrators visibility into capacity events.

Resiliency configuration is managed through Open APIs:

  • GET /api/v1/profiler/resiliency/config — retrieve the current configuration.
  • PUT /api/v1/profiler/resiliency/config — update thresholds, durations, and cool-off periods.

The configurable parameters include the threshold (maximum cutoff for endpoint updates, queue counters in percent), the duration (time period in seconds during which the counter is monitored), and the cool-off period (time to suppress endpoint updates after a threshold is hit).
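The endpoint-attribute-update safeguard from the table above, expressed with the three resiliency parameters (threshold, duration, cool-off), as an added model that is not ISE's implementation. Defaults mirror the lesson's Context Visibility figures (30 updates per minute, 5-minute cool-off); the audit record format is constructed.

```python
# Added example (not ISE code): a model of the per-endpoint update cap described
# above. An endpoint may send at most `threshold` attribute updates within any
# `duration`-second window; exceeding it suppresses the endpoint for `cooloff`
# seconds and writes an audit record. Time is injected so the behaviour can be
# exercised without waiting for real minutes to pass.
from collections import deque, defaultdict
from typing import Deque, Dict, List

class UpdateThrottle:
    def __init__(self, threshold: int = 30, duration: int = 60, cooloff: int = 300):
        self.threshold, self.duration, self.cooloff = threshold, duration, cooloff
        self._window: Dict[str, Deque[float]] = defaultdict(deque)  # timestamps per MAC
        self._suppressed_until: Dict[str, float] = {}
        self.audit_log: List[str] = []  # constructed audit record format

    def _prune(self, mac: str, now: float) -> None:
        """Drop timestamps that have aged out of the monitoring window."""
        q = self._window[mac]
        while q and now - q[0] >= self.duration:
            q.popleft()

    def admit(self, mac: str, now: float) -> bool:
        """Return True if this update should be processed, False if suppressed."""
        if now < self._suppressed_until.get(mac, 0.0):
            return False  # endpoint is still in its cool-off period
        self._prune(mac, now)
        q = self._window[mac]
        if len(q) >= self.threshold:
            # Threshold hit: enter cool-off, clear the window, record an audit event
            self._suppressed_until[mac] = now + self.cooloff
            q.clear()
            self.audit_log.append(
                f"t={now:.0f} profiler degraded: {mac} exceeded {self.threshold} "
                f"updates/{self.duration}s; suppressed for {self.cooloff}s")
            return False
        q.append(now)
        return True

def run_burst(throttle: UpdateThrottle, mac: str, count: int,
              start: float, spacing: float) -> int:
    """Feed `count` evenly spaced updates and return how many were admitted."""
    return sum(throttle.admit(mac, start + i * spacing) for i in range(count))

if __name__ == "__main__":
    t = UpdateThrottle()
    # Constructed chatty endpoint: one update per second for 45 seconds
    print(run_burst(t, "00:20:00:aa:bb:cc", 45, 0.0, 1.0))  # 30 admitted, 15 suppressed
    print(t.audit_log[0])
```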


Configuration Example

Static Group Assignment

Static Group Assignment (SGA) allows administrators to lock an endpoint's Identity Group so that profiling results do not override the manual classification. SGA is a significant attribute that resides in the ISE database and triggers global replication when changed.

There are two ways to assign a static group:

  • Manual assignment — through the ISE GUI or via the ERS API.
  • Dynamic assignment — according to profiling policies, where the profiling engine assigns the group automatically.

The SGA checkbox on the endpoint record controls behavior:

When the "Static Group Assignment" checkbox is CHECKED:
  • The Identity Group attribute is assigned statically.
  • Profiling classification results will NOT change the group.

When the "Static Group Assignment" checkbox is UNCHECKED:
  • Assignment status is set to dynamic.
  • The endpoint is open to dynamic profiling and reclassification.

Key Point: ISE relies on the database — not the endpoint cache — to retrieve information about static group assignments. This ensures consistency across all PSNs in the deployment.

CoA Triggered by Group Change

When an endpoint's group changes — whether by manual assignment, API update, or dynamic profiling — ISE triggers a CoA if two conditions are met:

  1. An active session for the endpoint exists on ISE.
  2. The Identity Group is referenced in an authorization policy rule.

This ensures that the network access device re-evaluates the endpoint's session and applies the correct segmentation policy (VLAN, dACL, or SGT) without requiring the endpoint to re-authenticate.
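The Static Group Assignment lock and the two CoA conditions above, as an added decision model that is not ISE code. Endpoint, session and authorization-rule data are constructed; checking both the previous and the new group against the authorization rules is an assumption beyond the lesson text.

```python
# Added example (not ISE code): a model of how a group change is applied to an
# endpoint record under Static Group Assignment (SGA), and when a CoA follows.
# A static assignment is never overridden by the profiler. A change triggers CoA
# only when the endpoint has an active session and the group (old or new, an
# assumption here) is referenced by an authorization rule. Data is constructed.
from dataclasses import dataclass
from typing import Set, Tuple

@dataclass
class Endpoint:
    mac: str
    identity_group: str
    static_group_assignment: bool = False  # the SGA checkbox on the endpoint record

def apply_group_change(ep: Endpoint, new_group: str, source: str,
                       active_sessions: Set[str], authz_groups: Set[str]) -> Tuple[bool, bool]:
    """Apply a group change from `source` ('profiler', 'gui' or 'api').

    Returns (group_changed, coa_issued). `active_sessions` holds the MACs with a
    live session on ISE; `authz_groups` holds the Identity Groups referenced by
    authorization policy rules.
    """
    if source == "profiler" and ep.static_group_assignment:
        return (False, False)  # SGA locks the group against dynamic reclassification
    if new_group == ep.identity_group:
        return (False, False)  # nothing changed, so nothing to re-evaluate
    old_group, ep.identity_group = ep.identity_group, new_group
    has_session = ep.mac in active_sessions
    referenced = bool({old_group, new_group} & authz_groups)
    return (True, has_session and referenced)

if __name__ == "__main__":
    sessions = {"00:20:00:aa:bb:cc"}              # constructed active session
    authz = {"Printers", "Medical-Devices"}       # constructed authorization rule groups
    ep = Endpoint("00:20:00:aa:bb:cc", "Unknown")
    print(apply_group_change(ep, "Printers", "profiler", sessions, authz))  # (True, True)
    locked = Endpoint("00:20:00:aa:bb:cc", "Medical-Devices", static_group_assignment=True)
    print(apply_group_change(locked, "Printers", "profiler", sessions, authz))  # (False, False)
```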

Segmentation Options in Authorization Policy

Once an endpoint is classified, ISE can enforce access through several segmentation mechanisms:

Segmentation Method        | Description
Dynamic VLAN Assignment    | Assigns a VLAN per port, per domain, or per MAC in the RADIUS Access-Accept
Downloadable ACL (dACL)    | Pushes a named or downloadable ACL to the switch for wired or wireless enforcement
Security Group Tags (SGT)  | Assigns a 16-bit SGT for group-based policy enforcement across the fabric

Real-World Application

Common Deployment Scenarios

Profiling is essential in any environment where unknown or unmanaged devices connect to the network. Typical use cases include:

  • Healthcare — medical devices such as CT scanners, infusion pumps, and patient monitors must be identified and segmented into dedicated VLANs with restrictive ACLs.
  • Manufacturing and OT — industrial controllers and IoT sensors need automatic classification to enforce micro-segmentation without manual intervention.
  • Enterprise campus — BYOD phones, laptops, and printers are profiled and assigned appropriate SGTs for group-based policy.

AI Endpoint Analytics

For environments that require deeper classification, AI Endpoint Analytics on Cisco Catalyst Center uses Deep Packet Inspection powered by NBAR on Catalyst 9000 series switches. This provides multifactor classification — identifying not just the endpoint type but also the operating system, manufacturer, and model. Machine-learning-based crowdsourcing offers profile label suggestions to administrators, and additional context is shared with ISE for SGT assignment.

Design Considerations and Best Practices

  • Endpoint stickiness — avoid load-balancer persistency issues. Endpoints must remain sticky to a single PSN to maintain consistent attribute ownership.
  • Prevent profiling floods — more endpoints and more frequent attribute updates increase profiler operations, which can bottleneck ISE scalability. Use the resiliency API to tune thresholds for your environment.
  • Avoid aggressive profiling policies — do not overcomplicate policies with excessive rules, conditions, or custom attributes that are not used for asset classification. Prevent duplicate probe information from reaching the profiler.
  • Infrastructure health — network latency between ISE nodes should not exceed 300 ms. Ensure proper DNS resolution and verify required port availability if firewalls sit between ISE nodes.
  • Endpoint purging — monitor the total number of endpoints on ISE and set custom purging rules based on your requirements. Preserve common high-volume endpoint categories to avoid unnecessary re-profiling.
  • Stay current — always use the latest recommended ISE versions and patches to ensure up-to-date fixes for profiler behavior and performance.

Summary

  • Profiling probes (DHCP, CDP, LLDP, HTTP, mDNS, RADIUS, Device Sensor) collect endpoint attributes that ISE combines through weighted profile conditions to classify devices into Identity Groups.
  • Context Visibility stores endpoint data on the PPAN and SPAN; starting with ISE 3.4, Elasticsearch instances run independently on each node rather than in a master-replica cluster.
  • Profiler Resiliency in ISE 3.5 and later protects the system with graduated suppression actions at 80%, 90%, and 100% queue thresholds, configurable via REST API.
  • Static Group Assignment locks an endpoint's Identity Group in the database, preventing dynamic profiling from overriding the classification, while dynamic assignment allows the profiler to reclassify freely.
  • CoA is triggered whenever an endpoint's group changes and the group is referenced in an active authorization policy, ensuring segmentation enforcement updates in real time.

In the next lesson, we will build on these profiling foundations and examine how ISE authorization policies leverage endpoint classification to enforce segmentation at scale across wired, wireless, and VPN access.