Any device, unless you know what it is, that connects to your network can pose a risk. Cisco ISE profiling is the mechanism that answers the question: "What kind of device just joined my network?" It automatically detects and classifies endpoints based on attributes collected from the network. Using MAC addresses as unique identifiers, the system builds a continuously updated internal endpoint database and matches each device against a library of hundreds of built-in profiles. The result is a precise, dynamic classification—whether the device is a corporate laptop, an IP phone, a medical sensor, or an unauthorized smartphone.
This blog is a practical guide to Cisco ISE profiling for decision-makers and security teams. It covers how the profiling engine works, which probes collect the right data, how Cisco ISE profiling attributes drive policy decisions, and what best practices protect against misclassification.
Networks no longer connect a predictable set of company-owned desktops. They support smartphones, tablets, printers, IP cameras, IoT sensors, building automation systems, and healthcare devices, many of which cannot use 802.1X certificate-based authentication. Without endpoint profiling, these devices appear as anonymous MAC addresses, and applying meaningful access control turns into guesswork.
The business consequences of misidentification are real. An IoT sensor misclassified as a workstation may receive unrestricted corporate access. A personal smartphone may land in a VLAN reserved for managed devices. A networked medical device may connect to segments it should never reach. Accurate endpoint profiling closes these gaps by enabling the network to enforce policy based on device type, not just credentials.
Cisco ISE builds context about endpoints, including device type, access time, access location, and access method, which can be wired, wireless, or VPN. This context feeds into the authorization engine so that a corporate workstation and a personal iPhone belonging to the same employee automatically receive different network permissions. The profiling capability also extends to IoT, classifying building automation devices used to control heating, ventilation, and air conditioning systems, as well as vertical-specific endpoints such as healthcare patient monitors, imaging devices, manufacturing controllers, and sensors.
For C-suite leaders, Cisco ISE profiling and posturing together form the operational backbone of a zero-trust access model. Profiling establishes identity; posturing verifies compliance. Neither can substitute for the other, and both are essential to a mature network access control program.
The profiling engine runs on the Policy Service Node (PSN) in an ISE deployment. When a device connects to the network, probes begin collecting attributes. Those attributes are matched against conditions. Conditions are organized into profiling policies. Each matching condition increases a score called the Certainty Factor (CF). The profile with the highest cumulative CF at or above the minimum threshold wins, and the endpoint is classified accordingly.
This architecture has four essential layers:
· Probes collect raw network data about the endpoint.
· Attributes are the specific data fields extracted by each probe—MAC address, DHCP options, HTTP User-Agent strings, and dozens of others.
· Conditions are logical tests applied to those attributes.
· Profiling policies group conditions into rules and assign CF scores to determine the final classification.
Cisco ISE profiling probes are the data collection engines of the profiling system. Each probe uses a different method and produces different Cisco ISE profiling attributes. The table below summarizes the key probes and their primary use cases:
The RADIUS probe is the foundational probe for most deployments. The Calling-Station-ID populates the MAC address attribute and provides information on the vendor network adapter based on the Organizationally Unique Identifier (OUI) taken from the first three bytes of the MAC address. This OUI value alone can classify certain devices, such as game consoles from specific manufacturers, specialty IP phones, or industrial controllers, without needing any additional attributes.
The DHCP probe is equally critical because it provides unique vendor identifiers and DHCP option fingerprints that reveal the operating system. It also supplies the IP-to-MAC binding that allows the DNS, HTTP, NetFlow, and NMAP probes to correlate data to specific endpoints.
The device sensor is one of the most operationally efficient features in a Cisco ISE profiling deployment. Rather than relying on centralized SPAN-based traffic mirroring, the device sensor moves data collection to the access layer—the switches and wireless controllers physically closest to the endpoints.
The device sensor collects endpoint information using CDP, LLDP, and DHCP. It then forwards this data in RADIUS accounting packets to the ISE Policy Service Node. The key benefit is that the ISE RADIUS probe can process this data without requiring separate DHCP SPAN infrastructure. With Device Sensor, data collection is highly distributed across the access layer: the points closest to the endpoint and source of data. Information is selectively filtered at the point of origin and transmitted in RADIUS accounting packets to centralized Policy Service nodes for analysis and classification.
This approach reduces network complexity, lowers SPAN port requirements, and scales more effectively across large campus environments. Device sensor also supports wireless controller deployments, where it forwards DHCP profiling data for all clients joining sensing-enabled WLANs—making it a practical tool for wifi analytics and wireless endpoint profiling.
Cisco ISE profiling attributes are the raw data points that conditions evaluate. Each attribute comes from a specific probe. For example, dhcp-class-identifier from the DHCP probe or lldpSystemDescription from the SNMP probe.
The Certainty Factor (CF) model determines which profile an endpoint receives when it matches conditions across multiple profiles. Every matching condition adds its assigned CF value to the cumulative score for a given profile. The endpoint is assigned to the profile where it meets the minimum CF threshold and has the highest cumulative CF among all matching profiles.
For instance, if an Android device matches an OUI condition, its CF for the Android profile increases by 30. If it also matches a DHCP hostname condition containing the string "android," the CF increases by another 30, for a total of 60. If no other profile has a higher cumulative CF, the endpoint is classified as Android.
This design means that profiling decisions are probabilistic and hierarchical; a device can progress from a generic parent profile (Apple-Device) to a more specific child profile (Apple-iPad) as additional attributes are collected.
H2: Cisco ISE Profiling and Posturing: The Policy Enforcement Connection
Cisco ISE profiling and posturing are closely related but serve distinct functions. Profiling identifies what a device is. Posturing verifies that the device meets compliance requirements, such as having current antivirus software or a managed OS configuration. Together, they enable two-dimensional authorization: a device must be both correctly identified and compliant before receiving full network access.
Once an endpoint is profiled, it is assigned to an Endpoint Identity Group. Authorization policies reference these groups to assign network permissions. A Cisco IP phone receives voice VLAN access through MAC Authentication Bypass because it matches the Cisco-IP-Phone profile. An employee connecting from a personal iPad receives guest-level internet access rather than full corporate access because the device matches the Apple-iPad profile rather than the corporate workstation profile.
The Change of Authorization (CoA) mechanism connects profiling to live policy enforcement. When an endpoint transitions from one profile to another, for example, from Unknown to Apple-iPad, ISE can send a CoA request to the access switch or wireless controller, forcing the endpoint to reauthenticate and receive updated network permissions. This happens automatically when the profile transition results in a change to the authorization policy.
A CoA based on profiling can be consequential in environments with PoE VoIP desk phones. If ISE reclassifies a phone model, a broad CoA action can cause multiple phones across the organization to reboot simultaneously. This underscores the importance of testing CoA behavior carefully before enabling it in production, particularly for critical voice infrastructure.
The most practical starting point for any Cisco ISE profiling guide implementation is a full inventory of the device types that require classification. Before configuring a single probe, identify which devices will require authorization based on their profile, such as IP phones, printers, cameras, IoT sensors, or BYOD mobile devices. Review the built-in ISE profile library under Policy > Profiling to determine which profiles already exist and which attributes they use. This review directly informs probe selection.
A phased deployment beginning in Monitor Mode allows profiling to run without enforcing policy, giving administrators time to observe how devices are classified before activating CoA and authorization rules.
H3: Select the Right Cisco ISE Profiling Probes for Each Environment
Not every probe should be active in every deployment. Over-enabling probes increases processing load, network traffic, and operational complexity without adding proportional profiling value.
For most environments, the RADIUS probe should always be enabled first because it provides the IP-to-MAC binding that other probes depend on. The DHCP probe (using IP helper address relay, not SPAN) should be enabled wherever DHCP relay is available—it is low in network impact and high in classification value. The SNMP Query probe is valuable in environments with Cisco IP phones, cameras, and access points that support CDP and LLDP. The HTTP probe with URL redirection is recommended for environments using Central WebAuth for guest or BYOD access, where User-Agent strings provide strong OS classification signals.
Only enable the correct profiling probes for your ISE deployment, and disable probes you do not need. Each active probe adds to the data that PSN nodes must process. For large deployments, selectively enabling probes based on actual endpoint types is a direct lever on system performance.
Where the network supports device sensor capability on access switches, this should be preferred over SPAN-based DHCP collection. Device sensor scales more gracefully, avoids SPAN port bottlenecks, and does not require additional network taps.
The default CF values in built-in profiles are carefully calibrated. For custom profiles, initial CF values should be set conservatively. For example, start at 10 or 20, monitor classification results, and adjust as needed. Setting CF values too high in custom profiles can prevent more accurate built-in profiles from winning the classification decision.
When building custom profiles for IoT devices or specialty equipment, use multiple conditions that together provide high confidence rather than relying on a single high-CF rule. For example, combining an OUI check with a DHCP class identifier check provides much stronger classification confidence than either attribute alone.
The ISE Profiler Feed Service regularly delivers updates containing new device fingerprints and OUI database entries. If you want control over when updates are installed rather than automatic updates from Cisco, you can visit the Feed Service Management website to manually download separate packages for new profiling policies and OUI lists and then install them manually. This is especially relevant in regulated environments where change management processes govern system updates.
Staying current with feed updates is particularly important as new device types enter the market. BYOD trends, IoT expansion, and the proliferation of medical and industrial devices all bring device types that may lack built-in profiles in older ISE deployments.
The following are the common pitfalls in Cisco ISE profiling deployment:
No single probe provides complete endpoint visibility. Organizations that enable only the RADIUS probe may classify devices to vendor OUI alone, which is insufficient for differentiating between device types from the same manufacturer. Relying exclusively on DHCP without RADIUS leaves gaps in IP-to-MAC binding. A well-designed endpoint profiling strategy uses multiple probes in combination, with each probe filling the classification gaps left by others.
The DHCP SPAN and HTTP SPAN probes require a switch port analyzer to copy traffic to the ISE PSN interface. In high-traffic environments, this can generate significant load on both the infrastructure and the PSN. Best practices from TAC escalation teams consistently highlight performance impact as one of the most commonly seen pitfalls in ISE profiling deployments. Where a device sensor is available, it should replace SPAN-based collection for DHCP and CDP/LLDP data.
The 802.1X deployment mode directly affects which profiling attributes can be collected. In Closed Mode, DHCP packets cannot reach the network until the port is authorized. This means the DHCP probe may collect no data for initial classification, leaving the endpoint in an Unknown state at the time of its first authorization decision. Open Authentication mode or Low-Impact mode allows DHCP traffic to flow before authorization, giving the profiling engine more data to work with before the policy decision is made.
The order of authentication methods, whether MAB runs before or after 802.1X, also affects the timing of profile assignment. Teams that configure profiling without considering these interactions often encounter Unknown endpoint classifications on first connection.
Enabling Change of Authorization without fully understanding its scope is a common source of unexpected outages. CoA sends reauthentication or port bounce signals to access devices when a profile changes. In voice environments, this can cause IP phones to reset. In critical OT or healthcare environments, it can interrupt sessions for process control endpoints or medical devices.
For critical devices, exception actions can be used to assign a static profile once specific conditions are met, preventing further reclassification. This is recommended for medical devices, manufacturing controllers, or any endpoint where profile transitions during active sessions are unacceptable.
Wireless profiling has specific requirements that differ from wired deployments. Profiling of wireless endpoints authenticated via MAC Filtering requires CoA support from the wireless controller. The Call Station ID Type must be set to System MAC Address on the wireless controller to ensure that ISE can associate profiling data with non-802.1X clients. Missing this configuration setting is one of the most common reasons wireless endpoint profiling fails to classify devices accurately.
Use this checklist before and after configuring endpoint profiling in your environment:
Before Deployment
During Configuration
After Deployment
Once Cisco ISE profiling is operational and endpoints are being classified accurately, the logical next step is to integrate profiling data into the authorization policy. This means creating Endpoint Identity Groups for your primary device categories, such as phones, printers, managed workstations, personal mobile devices, IoT sensors, and building authorization rules that assign the correct VLAN, downloadable ACL, or SGACL to each.
For organizations with BYOD programs, combining endpoint profiling with posture assessment creates a layered access model. Profiling identifies the device type; posturing confirms compliance. Together, they grant access to sensitive resources based on both device identity and health status.
Organizations with large IoT deployments should evaluate AI-based endpoint analytics as a complement to traditional rule-based profiling. AI endpoint analytics provides multifactor classification using traffic telemetry embedded in Catalyst 9000 Series switches, giving administrators an endpoint inventory and contextual labels that extend well beyond what standard probe-based profiling can determine.
Finally, for any organization in a regulated industry, such as healthcare, finance, or critical infrastructure, the profiling configuration should be documented formally and reviewed as part of the access control policy lifecycle. Profile changes, CoA settings, and exception actions all directly affect what devices can access what segments of the network.
Cisco ISE profiling is the prerequisite for any access control decision that depends on device identity. Without it, the authorization policy applies uniformly across device types that deserve very different levels of trust. With accurate endpoint profiling, the network can automatically enforce differentiated access, placing a personal iPhone in a restricted VLAN while a managed workstation receives full corporate access, or quarantining an unknown IoT device while authorizing a known IP phone to the voice VLAN.
The technology works because it is multi-layered. Cisco ISE profiling probes collect different attributes. Cisco ISE profiling attributes feed conditions. Conditions drive policy rules with weighted CF scores. The output is a dynamic, continuously updated classification that responds as devices are discovered, updated, and reclassified. The challenge is deploying the right probes, calibrating CF values, and configuring CoA safely. Done correctly, the result is a network that knows what every device is and enforces access accordingly.
Explore our latest insights on AI, cybersecurity, and data center innovation. Discover how SecurView delivers scalable, Cisco-integrated solutions for complex enterprise needs.
![[background image] image of an innovation lab (for an ai developer tools).](https://cdn.prod.website-files.com/69835fe30bf38b9637e73850/6a31400e44613cb23af3a32a_hiiii.png)
![[background image] image of an innovation lab (for an ai developer tools).](https://cdn.prod.website-files.com/69835fe30bf38b9637e73850/6a2f99a53f9feeabc241db0d_hi.png)
![[background image] image of an innovation lab (for an ai developer tools).](https://cdn.prod.website-files.com/69835fe30bf38b9637e73850/6a0e11fe9ba1572a628c2b5d_Split%20Screen%20Tech%20Illustration.png)