Cisco Ise 13 User Guide
Have a look at the manual Cisco Ise 13 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
UDP PortsTCP Ports ServicePortsServicePorts ntp123/udpsmtp25/tcp msrpc135/udpdomain53/tcp netbios-ns137/udphttp80/tcp netbios-dgm138/udppop3110/tcp netbios-ssn139/udpmsrpc135/tcp snmp161/udpnetbios-ssn139/tcp microsoft-ds445/udpimap143/tcp isakmp500/udphttps443/tcp route520/udpmicrosoft-ds445/tcp ms-sql-m1434/udpms-term-serv3389/tcp upnp1900/udphttp-proxy8080/tcp Create Endpoints with Static Assignments of Policies and Identity Groups YoucancreateanewendpointstaticallybyusingtheMACaddressofanendpointintheEndpointspage. YoucanalsochooseanendpointprofilingpolicyandanidentitygroupintheEndpointspageforstatic assignment. Theregularandmobiledevice(MDM)endpointsaredisplayedintheEndpointsIdentitieslist.Inthelisting page,columnsforattributeslikeHostname,DeviceType,DeviceIdentifierforMDMendpointsaredisplayed. OthercolumnslikeStaticAssignmentandStaticGroupAssignmentarenotdisplayedbydefault. Youcannotadd,edit,delete,import,orexportMDMEndpointsusingthispage.Note Cisco Identity Services Engine Administrator Guide, Release 1.3 495 Create Endpoints with Static Assignments of Policies and Identity Groups
Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Endpoints. Step 2ClickAdd. Step 3EntertheMACaddressofanendpointinhexadecimalformatandseparatedbyacolon. Step 4ChooseamatchingendpointpolicyfromthePolicyAssignmentdrop-downlisttochangethestaticassignment statusfromdynamictostatic. Step 5ChecktheStaticAssignmentcheckboxtochangethestatusofstaticassignmentthatisassignedtothe endpointfromdynamictostatic. Step 6ChooseanendpointidentitygrouptowhichyouwanttoassignthenewlycreatedendpointfromtheIdentity GroupAssignmentdrop-downlist. Step 7ChecktheStaticGroupAssignmentcheckboxtochangethedynamicassignmentofanendpointidentity grouptostatic. Step 8ClickSubmit. Import Endpoints from CSV Files YoucanimportendpointsfromaCSVfileforwhichyouhavealreadyexportedendpointsfromaCiscoISE server,oraCSVfilethatyouhavecreatedfromCiscoISEandupdatedwithendpointdetails. Thefileformathastobeintheformatasspecifiedinthedefaultimporttemplatesothatthelistofendpoints appearsasfollows:MAC,EndpointPolicy,EndpointIdentityGroup. BothendpointpolicyandendpointidentitygroupareoptionalforimportingendpointsinaCSVfile.Ifyou wanttoimporttheendpointidentitygroupwithouttheendpointpolicyforendpoints,thevaluesarestill separatedbythecomma. Forexample, •MAC1,EndpointPolicy1,EndpointIdentityGroup1 •MAC2 •MAC3,EndpointPolicy3 •MAC4,,EndpointIdentityGroup4 Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Endpoints>Import. Step 2ClickImportFromFile. Step 3ClickBrowsetolocatetheCSVfilethatyouhavealreadyexportedfromtheCiscoISEserverortheCSV filethatyouhavecreatedandupdatedwithendpointsinthefileformatasspecified. Step 4ClickSubmit. Cisco Identity Services Engine Administrator Guide, Release 1.3 496 Create Endpoints with Static Assignments of Policies and Identity Groups
Default Import Template Available for Endpoints Youcangenerateatemplateinwhichyoucanupdateendpointsthatcanbeusedtoimportendpoints.By default,youcanusetheGenerateaTemplatelinktocreateaCSVfileintheMicrosoftOfficeExcelapplication andsavethefilelocallyonyoursystem.ThefilecanbefoundinAdministration>IdentityManagement >Identities>Endpoints>Import>ImportFromFile.YoucanusetheGenerateaTemplatelinktocreate atemplate,andtheCiscoISEserverwilldisplaytheOpeningtemplate.csvdialog.Thisdialogallowsyouto openthedefaulttemplate.csvfile,orsavethetemplate.csvfilelocallyonyoursystem.Ifyouchoosetoopen thetemplate.csvfilefromthedialog,thefileopensintheMicrosoftOfficeExcelapplication.Thedefault template.csvfilecontainsaheaderrowthatdisplaystheMACaddress,EndpointPolicy,andEndpointIdentity Group,columns. YoumustupdatetheMACaddressesofendpoints,endpointprofilingpolicies,andendpointidentitygroups andsavethefilewithadifferentfilenamethatyoucanusetoimportendpoints.Seetheheaderrowinthe template.csvfilethatiscreatedwhenyouusetheGenerateaTemplatelink. Table 39: CSV Template File Endpoint Identity GroupEndpoint PolicyMAC RegisteredDevicesCisco-Device00:1f:f3:4e:c1:8e Unknown Endpoints Reprofiled During Import IfthefileusedforimportcontainsendpointsthathavetheirMACaddresses,andtheirassignedendpoint profilingpoliciesistheUnknownprofile,thenthoseendpointsareimmediatelyreprofiledinCiscoISEtothe matchingendpointprofilingpoliciesduringimport.However,theyarenotstaticallyassignedtotheUnknown profile.IfendpointsdonothaveendpointprofilingpoliciesassignedtothemintheCSVfile,thentheyare assignedtotheUnknownprofile,andthenreprofiledtothematchingendpointprofilingpolicies.Seebelow howCiscoISEreprofilesUnknownprofilesthatmatchtheXerox_Deviceprofileduringimportandalsohow CiscoISEreprofilesanendpointthatisunassigned. Table 40: Unknown Profiles: Import from a File Endpoint Profiling Policy Assigned After Import in Cisco ISE Endpoint Profiling Policy Assigned Before Import in Cisco ISE MAC Address Xerox-DeviceUnknown.00:00:00:00:01:02 Xerox-DeviceUnknown.00:00:00:00:01:03 Xerox-DeviceUnknown.00:00:00:00:01:04 Xerox-DeviceIfnoprofileisassignedtoanendpoint,then itisassignedtotheUnknownprofile,andalso reprofiledtothematchingprofile. 00:00:00:00:01:05 Cisco Identity Services Engine Administrator Guide, Release 1.3 497 Create Endpoints with Static Assignments of Policies and Identity Groups
Static Assignments of Policies and Identity Groups for Endpoints Retained During Import IfthefileusedforimportcontainsendpointsthathavetheirMACaddresses,andtheirassignedendpoint profilingpolicyisthestaticassignment,thentheyarenotreprofiledduringimport.SeebelowhowCiscoISE retainstheCisco-Deviceprofile,thestaticassignmentofanendpointduringimport. Table 41: Static Assignment: Import From a File Endpoint Profiling Policy Assigned After Import in Cisco ISE Endpoint Profiling Policy Assigned Before Import in Cisco ISE MAC Address Cisco-DeviceCisco-Device(staticassignment)00:00:00:00:01:02 Endpoints with Invalid Attributes Not Imported IfanyoftheendpointspresentintheCSVfilehaveinvalidattributes,thentheendpointsarenotimported andanerrormessageisdisplayed. Forexample,ifendpointsareassignedtoinvalidprofilesinthefileusedforimport,thentheyarenotimported becausetherearenomatchingprofilesinCiscoISE.Seebelowhowendpointsarenotimportedwhenthey areassignedtoinvalidprofilesintheCSVfile. Table 42: Invalid Profiles: Import from a File Endpoint Profiling Policy Assigned After Import in Cisco ISE Endpoint Profiling Policy Assigned Before Import in Cisco ISE MAC Address Xerox-DeviceUnknown.00:00:00:00:01:02 Theendpointisnotimportedbecause thereisnomatchingprofileinCiscoISE. Ifanendpointsuchas00:00:00:00:01:05 isassignedtoaninvalidprofileotherthan theprofilesthatareavailableinCiscoISE, thenCiscoISEdisplaysawarningmessage thatthepolicynameisinvalidandthe endpointwillnotbeimported. 00:00:00:00:01:05 Import Endpoints from LDAP Server YoucanimporttheMACaddresses,theassociatedprofiles,andtheendpointidentitygroupsofendpoints securelyfromanLDAPserver. Before You Begin Beforeyoubegintoimportendpoints,ensurethatyouhaveinstalledtheLDAPserver. YouhavetoconfiguretheconnectionsettingsandquerysettingsbeforeyoucanimportfromanLDAPserver. IftheconnectionsettingsorquerysettingsareconfiguredincorrectlyinCiscoISE,thenthe“LDAPimport failed:”errormessageappears. Cisco Identity Services Engine Administrator Guide, Release 1.3 498 Create Endpoints with Static Assignments of Policies and Identity Groups
Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Endpoints>Import>ImportFrom LDAP. Step 2Enterthevaluesfortheconnectionsettings. Step 3Enterthevaluesforthequerysettings. Step 4ClickSubmit. Export Endpoints with Comma-Separated Values File YoucanexportselectedorallendpointsfromaCiscoISEservertodifferentCiscoISEserversina comma-separatedvalues(CSV)fileinwhichendpointsarelistedwiththeirMACaddresses,endpointprofiling policies,andendpointidentitygroupstowhichtheyareassigned. ExportAllisthedefaultoption.IfendpointsarefilteredintheEndpointspage,onlythosefilteredendpoints areexportedwhenyouareusingtheExportAlloption.Bydefault,theprofiler_endpoints.csvistheCSVfile andtheMicrosoftOfficeExcelisthedefaultapplicationtoopentheCSVfilefromtheOpening profiler_endpoints.csvdialogboxortosavetheCSVfile.Forexample,youcanexportselectedendpointsor allendpointsintheprofiler_endpoints.csvfile,whichyoucanusetoimportthoseendpoints. Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Endpoints. Step 2ClickExport,andchooseoneofthefollowing: •ExportSelected—YoucanexportonlytheselectedendpointsintheEndpointspage. •ExportAll—Bydefault,youcanexportalltheendpointsintheEndpointspage. Step 3ClickOKtosavetheprofiler_endpoints.csvfile. Identified Endpoints CiscoISEdisplaysidentifiedendpointsthatconnecttoyournetworkanduseresourcesonyournetworkin theEndpointspage.Anendpointistypicallyanetwork-capabledevicethatconnecttoyournetworkthrough wiredandwirelessnetworkaccessdevicesandVPN.Endpointscanbepersonalcomputers,laptops,IPphones, smartphones,gamingconsoles,printers,faxmachines,andsoon. TheMACaddressofanendpoint,expressedinhexadecimalform,isalwaystheuniquerepresentationofan endpoint,butyoucanalsoidentifyanendpointwithavaryingsetofattributesandthevaluesassociatedto them,calledanattribute-valuepair.Youcancollectavaryingsetofattributesforendpointsbasedonthe endpointcapability,thecapabilityandconfigurationofthenetworkaccessdevicesandthemethods(probes) thatyouusetocollecttheseattributes. Cisco Identity Services Engine Administrator Guide, Release 1.3 499 Identified Endpoints
Dynamically Profiled Endpoints Whenendpointsarediscoveredonyournetwork,theycanbeprofileddynamicallybasedontheconfigured profilingendpointprofilingpolicies,andassignedtothematchingendpointidentitygroupsdependingon theirprofiles. Statically Profiled Endpoints AnendpointcanbeprofiledstaticallywhenyoucreateanendpointwithitsMACaddressandassociatea profiletoitalongwithanendpointidentitygroupinCiscoISE.CiscoISEdoesnotreassigntheprofiling policyandtheidentitygroupforstaticallyassignedendpoints. Unknown Endpoints Ifyoudonothaveamatchingprofilingpolicyforanendpoint,youcanassignanunknownprofilingpolicy (Unknown)andtheendpointthereforewillbeprofiledasUnknown.TheendpointprofiledtotheUnknown endpointpolicyrequiresthatyoucreateaprofilewithanattributeorasetofattributescollectedforthat endpoint.TheendpointthatdoesnotmatchanyprofileisgroupedwithintheUnknownendpointidentity group. Identified Endpoints Locally Stored in Policy Service Nodes Database CiscoISEwritesidentifiedendpointslocallyinthePolicyServicenodedatabase.Afterstoringendpoints locallyinthedatabase,theseendpointsarethenmadeavailable(remotewrite)intheAdministrationnode databaseonlywhensignificantattributeschangeintheendpoints,andreplicatedtotheotherPolicyService nodesdatabase. Thefollowingarethesignificantattributes: •ip •EndPointPolicy •MatchedValue •StaticAssignment •StaticGroupAssignment •MatchedPolicyID •NmapSubnetScanID •PortalUser •DeviceRegistrationStatus •BYODRegistration WhenyouchangeendpointprofiledefinitionsinCiscoISE,allendpointshavetobereprofiled.APolicy Servicenodethatcollectstheattributesofendpointsisresponsibleforreprofilingofthoseendpoints. WhenaPolicyServicenodestartscollectingattributesaboutanendpointforwhichattributeswereinitially collectedbyadifferentPolicyServicenode,thentheendpointownershipchangestothecurrentPolicyService node.ThenewPolicyServicenodewillretrievethelatestattributesfromthepreviousPolicyServicenode andreconcilethecollectedattributeswiththoseattributesthatwerealreadycollected. Cisco Identity Services Engine Administrator Guide, Release 1.3 500 Identified Endpoints
Whenasignificantattributechangesintheendpoint,attributesoftheendpointareautomaticallysavedinthe Administrationnodedatabasesothatyouhavethelatestsignificantchangeintheendpoint.IfthePolicy Servicenodethatownsanendpointisnotavailableforsomereasons,thentheAdministratorISEnodewill reprofileanendpointthatlosttheownerandyouhavetoconfigureanewPolicyServicenodeforsuch endpoints. Policy Service Nodes in Cluster CiscoISEusesPolicyServicenodegroupasaclusterthatallowstoexchangeendpointattributeswhentwo ormorenodesintheclustercollectattributesforthesameendpoint.Werecommendtocreateclustersforall PolicyServicenodesthatresidebehindaloadbalancer. Ifadifferentnodeotherthanthecurrentownerreceivesattributesforthesameendpoint,itsendsamessage acrosstheclusterrequestingthelatestattributesfromthecurrentownertomergeattributesanddetermineif achangeofownershipisneeded.IfyouhavenotdefinedanodegroupinCiscoISE,itisassumedthatall nodesarewithinonecluster. TherearenochangesmadetoendpointcreationandreplicationinCiscoISE.Onlythechangeofownership forendpointsisdecidedbasedonalistofattributes(whitelist)usedforprofilingthatarebuiltfromstatic attributesanddynamicattributes. Uponsubsequentattributescollection,theendpointisupdatedontheAdministrationnode,ifanyoneofthe followingattributeschanges: •ip •EndPointPolicy •MatchedValue •StaticAssignment •StaticGroupAssignment •MatchedPolicyID •NmapSubnetScanID •PortalUser •DeviceRegistrationStatus •BYODRegistration WhenanendpointiseditedandsavedintheAdministrationnode,theattributesareretrievedfromthecurrent owneroftheendpoint. Create Endpoint Identity Groups CiscoISEgroupsendpointsthatitdiscoversintothecorrespondingendpointidentitygroups.CiscoISE comeswithseveralsystem-definedendpointidentitygroups.Youcanalsocreateadditionalendpointidentity groupsfromtheEndpointIdentityGroupspage.Youcaneditordeletetheendpointidentitygroupsthatyou havecreated.Youcanonlyeditthedescriptionofthesystem-definedendpointidentitygroups;youcannot editthenameofthesegroupsordeletethem. Cisco Identity Services Engine Administrator Guide, Release 1.3 501 Create Endpoint Identity Groups
Procedure Step 1ChooseAdministration>IdentityManagement>Groups>EndpointIdentityGroups. Step 2ClickAdd. Step 3Enterthenamefortheendpointidentitygroupthatyouwanttocreate(donotincludespacesinthenameof theendpointidentitygroup). Step 4Enterthedescriptionfortheendpointidentitygroupthatyouwanttocreate. Step 5ClicktheParentGroupdrop-downlisttochooseanendpointidentitygrouptowhichyouwanttoassociate thenewlycreatedendpointidentitygroup. Step 6ClickSubmit. Identified Endpoints Grouped in Endpoint Identity Groups CiscoISEgroupsdiscoveredendpointsintotheircorrespondingendpointidentitygroupsbasedontheendpoint profilingpolicies.Profilingpoliciesarehierarchical,andtheyareappliedattheendpointidentifygroupslevel inCiscoISE.Bygroupingendpointstoendpointidentitygroups,andapplyingprofilingpoliciestoendpoint identitygroups,CiscoISEenablesyoutodeterminethemappingofendpointstotheendpointprofilesby checkingcorrespondingendpointprofilingpolicies. CiscoISEcreatesasetofendpointidentitygroupsbydefault,andallowsyoutocreateyourownidentity groupstowhichendpointscanbeassigneddynamicallyorstatically.Youcancreateanendpointidentity groupandassociatetheidentitygrouptooneofthesystem-createdidentitygroups.Youcanalsoassignan endpointthatyoucreatestaticallytoanyoneoftheidentitygroupsthatexistsinthesystem,andtheprofiling servicecannotreassigntheidentitygroup. Default Endpoint Identity Groups Created for Endpoints CiscoISEcreatesthefollowingfiveendpointidentitygroupsbydefault:Blacklist,GuestEndpoints,Profiled, RegisteredDevices,andUnknown.Inaddition,itcreatestwomoreidentitygroups,suchasCisco-IP-Phone andWorkstation,whichareassociatedtotheProfiled(parent)identitygroup.Aparentgroupisthedefault identitygroupthatexistsinthesystem. CiscoISEcreatesthefollowingendpointidentitygroups: •Blacklist—Thisendpointidentitygroupincludesendpointsthatarestaticallyassignedtothisgroupin CiscoISEandendpointsthatareblacklistedinthedeviceregistrationportal.Anauthorizationprofile canbedefinedinCiscoISEtopermit,ordenynetworkaccesstoendpointsinthisgroup. •GuestEndpoints—Thisendpointidentitygroupincludesendpointsthatareusedbyguestusers. •Profiled—Thisendpointidentitygroupincludesendpointsthatmatchendpointprofilingpoliciesexcept CiscoIPphonesandworkstationsinCiscoISE. •RegisteredDevices—Thisendpointidentitygroupincludesendpoints,whichareregistereddevicesthat areaddedbyanemployeethroughthedevicesregistrationportal.Theprofilingservicecontinuesto profilethesedevicesnormallywhentheyareassignedtothisgroup.Endpointsarestaticallyassigned tothisgroupinCiscoISE,andtheprofilingservicecannotreassignthemtoanyotheridentitygroup. Thesedeviceswillappearlikeanyotherendpointintheendpointslist.Youcanedit,delete,andblacklist Cisco Identity Services Engine Administrator Guide, Release 1.3 502 Create Endpoint Identity Groups
thesedevicesthatyouaddedthroughthedeviceregistrationportalfromtheendpointslistintheEndpoints pageinCiscoISE.Devicesthatyouhaveblacklistedinthedeviceregistrationportalareassignedtothe Blacklistendpointidentitygroup,andanauthorizationprofilethatexistsinCiscoISEredirectsblacklisted devicestoanURL,whichdisplays“UnauthorisedNetworkAccess”,adefaultportalpagetotheblacklisted devices. •Unknown—ThisendpointidentitygroupincludesendpointsthatdonotmatchanyprofileinCiscoISE. Inadditiontotheabovesystemcreatedendpointidentitygroups,CiscoISEcreatesthefollowingendpoint identitygroups,whichareassociatedtotheProfiledidentitygroup: •Cisco-IP-Phone—AnidentitygroupthatcontainsalltheprofiledCiscoIPphonesonyournetwork. •Workstation—Anidentitygroupthatcontainsalltheprofiledworkstationsonyournetwork. Endpoint Identity Groups Created for Matched Endpoint Profiling Policies Ifyouhaveanendpointpolicythatmatchesanexistingpolicy,thentheprofilingservicecancreateamatching endpointidentitygroup.ThisidentitygroupbecomesthechildoftheProfiledendpointidentitygroup.When youcreateanendpointpolicy,youcanchecktheCreateMatchingIdentityGroupcheckboxintheProfiling Policiespagetocreateamatchingendpointidentitygroup.Youcannotdeletethematchingidentitygroup unlessthemappingoftheprofileisremoved. Add Static Endpoints in Endpoint Identity Groups Youcanaddorremovestaticallyaddedendpointsinanyendpointidentitygroup. YoucanaddendpointsfromtheEndpointswidgetonlytoaspecificidentitygroup.Ifyouaddanendpoint tothespecificendpointidentitygroup,thentheendpointismovedfromtheendpointidentitygroupwhereit wasdynamicallygroupedearlier. Uponremovalfromtheendpointidentitygroupwhereyourecentlyaddedanendpoint,theendpointisreprofiled backtotheappropriateidentitygroup.Youdonotdeleteendpointsfromthesystembutonlyremovethem fromtheendpointidentitygroup. Procedure Step 1ChooseAdministration>IdentityManagement>Groups>EndpointIdentityGroups. Step 2Chooseanendpointidentitygroup,andclickEdit. Step 3ClickAdd. Step 4ChooseanendpointintheEndpointswidgettoaddtheselectedendpointintheendpointidentitygroup. Step 5ClicktheEndpointGroupListlinktoreturntotheEndpointIdentityGroupspage. Dynamic Endpoints Reprofiled After Adding or Removing in Identity Groups Ifanendpointidentitygroupassignmentisnotstatic,thenendpointsarereprofiledafteryouaddorremove themfromanendpointidentitygroup.EndpointsthatareidentifieddynamicallybytheISEprofilerappear inappropriateendpointidentitygroups.Ifyouremovedynamicallyaddedendpointsfromanendpointidentity Cisco Identity Services Engine Administrator Guide, Release 1.3 503 Create Endpoint Identity Groups
group,CiscoISEdisplaysamessagethatyouhavesuccessfullyremovedendpointsfromtheidentitygroup butreprofilesthembackintheendpointidentitygroup. Endpoint Identity Groups Used in Authorization Rules Youcaneffectivelyuseendpointidentitygroupsintheauthorizationpoliciestoprovideappropriatenetwork accessprivilegestothediscoveredendpoints.Forexample,anauthorizationruleforalltypesofCiscoIP PhonesisavailablebydefaultinCiscoISEinthefollowinglocation:Policy>Authorization>Standard. Youmustensurethattheendpointprofilingpoliciesareeitherstandalonepolicies(notaparenttoother endpointprofilingpolicies),ortheirparentpoliciesoftheendpointprofilingpoliciesarenotdisabled. Profiler Feed Service Profilerconditions,exceptionactions,andNMAPscanactionsareclassifiedasCisco-providedor administrator-created(seetheSystemTypeattribute).Also,theendpointprofilingpoliciesareclassifiedas Ciscoprovided,administratorcreated,oradministratormodified(seetheSystemTypeattribute). Youcanperformdifferentoperationsontheprofilerconditions,exceptionactions,NMAPscanactions,and endpointprofilingpoliciesdependingontheSystemTypeattribute.YoucannoteditordeleteCisco-provided conditions,exceptionactions,andnmapscanactions.EndpointpoliciesthatareprovidedbyCiscocannotbe deleted.Whenpoliciesareedited,theyareconsideredasadministrator-modified.whenadministrator-modified policiesaredeleted,theyarereplacedbytheup-to-dateversionoftheCisco-providedpolicythatitwasbased on. YoucanretrievenewandupdatedendpointprofilingpoliciesandtheupdatedOUIdatabaseasafeedfrom adesignatedCiscofeedserverthroughasubscriptionintoCiscoISE.Youcanalsoreceivee-mailnotifications tothee-mailaddressasanadministratorofCiscoISEthatyouhaveconfiguredforapplied,success,and failuremessages.Youcanalsoprovideadditionalsubscriberinformationtoreceivenotifications.Youcan sendthesubscriberinformationbacktoCiscoformaintainingtherecordsandtheyaretreatedasprivileged andconfidential. Bydefault,theprofilerfeedserviceisdisabled,anditrequiresaPluslicensetoenabletheservice.Whenyou enabletheprofilerfeedservice,CiscoISEdownloadsthefeedservicepoliciesandOUIdatabaseupdates everydayat1:00A.MofthelocalCiscoISEservertimezone.CiscoISEautomaticallyappliesthese downloadedfeedserverpolicies,whichalsostoresthesetofchangessothatyoucanrevertthesechanges backtothepreviousstate.Whenyourevertfromthesetofchangesthatyoulastapplied,endpointprofiling policiesthatarenewlyaddedareremovedandendpointprofilingpoliciesthatareupdatedarerevertedtothe previousstate.Inaddition,theprofilerfeedserviceisautomaticallydisabled. Whentheupdatesoccur,onlytheCiscoprovidedprofilingpoliciesandtheendpointprofilingpolicieswhich weremodifiedbythepreviousupdate,areupdated.Ciscoprovideddisabledprofilingpoliciesarealsoupdated buttheyremaindisabled.AdministratorCreatedorAdministratorModifiedprofilingpoliciesarenot overwritten.IfyouwanttorevertanyAdministratorModifiedendpointprofilingpolicytoanyCiscoProvided endpointprofilingpolicy,thenyoumustdeleteorreverttheAdministratorModifiedendpointprofilingpolicy tothepreviousCiscoProvidedendpointprofilingpolicy. OUI Feed Service ThedesignatedCiscofeedserverdownloadstheupdatedOUIdatabasefrom http://standards.ieee.org/develop/regauth/oui/oui.txt,whichisthelistofvendorsassociatedtotheMACOUI. Cisco Identity Services Engine Administrator Guide, Release 1.3 504 Profiler Feed Service