Cisco Ise 13 User Guide
Have a look at the manual Cisco Ise 13 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
TheupdatedOUIdatabaseisavailableforanyISEdeploymentasafeedthatCiscoISEdownloadstoitsown database.CiscoISEupdatesendpointsandthenstartsreprofilingendpoints. ThedesignatedCiscofeedserverislocatedathttps://ise.cisco.com:8443/feedserver/.Ifyouhaveanyissues accessingtheservice,ensurethatyournetworksecuritycomponents(likeafirewallorproxyserver,for example)allowdirectaccesstothisURL. Configure Profiler Feed Service TheProfilerFeedServiceretrievesnewandupdatedendpointprofilingpoliciesandMACOUIdatabase updatesfromtheCiscoFeedserver.IftheFeedServiceisunavailableorothererrorshaveoccurred,itis reportedintheOperationsAuditreport. YoucanconfigureCiscoISEtosendthefeedserviceusagereportbacktoCisco,whichsendsthefollowing informationtoCisco: •Hostname-CiscoISEhostname •MaxCount-Totalnumberofendpoints •ProfiledCount-Profiledendpointscount •UnknownCount-Unknownendpointscount •MatchSystemProfilesCount-CiscoProvidedprofilescount •UserCreatedProfiles-Usercreatedprofilescount YoucanchangetheCoAtypeinaCisco-providedprofilingpolicy.Whenthefeedserviceupdatesthatpolicy, theCoAtypewillnotbechanged,buttherestofthatpolicy'sattributeswillbestillbeupdated. Before You Begin TheProfilerfeedservicecanonlybeconfiguredfromtheCiscoISEAdminportalinadistributeddeployment orinastandaloneISEnode. SetupaSimpleMailTransferProtocol(SMTP)serverifyouplantosende-mailnotificationsfromtheAdmin portalaboutfeedupdates(Administration>System>Settings). Cisco Identity Services Engine Administrator Guide, Release 1.3 505 Profiler Feed Service
Procedure Step 1ChooseAdministration>Certificates>TrustedCertificates,andcheckifVerisignClass3PublicPrimary CertificationAuthorityandVerisignClass3ServerCA-G3areenabled. Step 2ChooseAdministration>FeedService>Profiler. Step 3ChecktheEnableProfilerFeedServicecheckbox. Step 4EntertimeinHH:MMformat(localtimezoneoftheCiscoISEserver)intheFeedServiceSchedulersection. Bydefault,CiscoISEfeedserviceisscheduledat1.00AMeveryday. Step 5ChecktheNotifyadministratorwhendownloadoccurscheckboxintheAdministratorNotificationOptions sectionandenteryoure-mailaddressasanadministratorofCiscoISEintheAdministratoremailaddress textbox. Step 6ChecktheProvidesubscriberinformationtoCiscocheckboxintheFeedServiceSubscriberInformation sectionandenteryourdetailsasanadministratorofCiscoISEandanalternateCiscoISEadministratordetails. Step 7ClickAccept. Step 8ClickSave. Step 9ClickUpdateNow. InstructsCiscoISEtocontactCiscofeedserverfornewandupdatedprofilescreatedsincethelastfeedservice update.Thisre-profilesallendpointsinthesystem,whichmaycauseanincreasetheloadonthesystem.Due toupdatedendpointprofilingpolicies,theremaybechangesintheauthorizationpolicyforsomeendpoints thatarecurrentlyconnectedtoCiscoISE. TheUpdateNowbuttonisdisabledwhenyouupdatenewandupdatedprofilescreatedsincethelastfeed serviceandenabledonlyafterthedownloadiscompleted.Youmustnavigateawayfromtheprofilerfeed serviceConfigurationpageandreturntothispage. Step 10ClickYes. Related Topics ConfigureProfilerFeedServicesOffline Remove Updates to Endpoint Profiling Policies Youcanrevertendpointprofilingpoliciesthatwereupdatedinthepreviousupdateandremoveendpoint profilingpoliciesthatarenewlyaddedthroughthepreviousupdateoftheprofilerfeedservicebutOUIupdates arenotchanged. Anendpointprofilingpolicy,ifmodifiedafteranupdatefromthefeedserverisnotchangedinthesystem. Cisco Identity Services Engine Administrator Guide, Release 1.3 506 Profiler Feed Service
Procedure Step 1ChooseAdministration>FeedService>Profiler. Step 2ChecktheEnableProfilerFeedServicecheckbox. Step 3ClickGotoUpdateReportPageifyouwanttoviewtheconfigurationchangesmadeintheChange ConfigurationAuditreport. Step 4ClickUndoLatest. Profiler Reports CiscoISEprovidesyouwithvariousreportsonendpointprofiling,andtroubleshootingtoolsthatyoucanuse tomanageyournetwork.Youcangeneratereportsforhistoricalaswellascurrentdata.Youmaybeableto drilldownonapartofthereporttoviewmoredetails.Forlargereports,youcanalsoschedulereportsand downloadtheminvariousformats. YoucanrunthefollowingreportsforendpointsfromOperations>Reports>EndpointsandUsers: •EndpointSessionHistory •ProfiledEndpointSummary •EndpointProfileChanges •TopAuthorizationsbyEndpoint •RegisteredEndpoints Cisco ISE Integration with Cisco NAC Appliance CiscoISEsupportsintegrationonlywiththeCiscoNetworkAdmissionControl(NAC)ApplianceRelease 4.9andisavailablewhenyouhaveinstalledanAdvancedorWirelesslicenseinCiscoISE. TheCiscoISEprofilerissimilartotheCiscoNetworkAdmissionControl(NAC)Profilerthatmanages endpointsinaCiscoNACdeployment.ThisintegrationallowsyoutoreplacetheexistingCiscoNACProfiler thatisinstalledinaCiscoNACdeployment.ItallowsyoutosynchronizeprofilenamesfromtheCiscoISE profilerandtheresultofendpointclassificationintotheCiscoCleanAccessManager(CAM). Cisco Clean Access Manager Configuration in Administration Nodes CiscoISEallowsyoutoregistermultipleCleanAccessManagers(CAMs)onthePrimaryPANinadistributed deploymentforRESTAPIscommunicationsettings.ThelistofCAMsthatisregisteredinCiscoISEisthe listtowhichalltheprofilerconfigurationchangesarenotified.ThePrimaryPANisresponsibleforallthe communicationbetweenCiscoISEandtheCiscoNACAppliance.YoucanconfigureCAMsonlyinthe PrimaryPANinCiscoISE.ThecredentialsthatareusedatthetimeofregisteringoneormoreCAMsinthe PrimaryPANareusedtoauthenticateconnectivitywithCAMs. ThecommunicationbetweenCiscoISEandtheCiscoNACApplianceissecureoverSecureSocketsLayer (SSL).Itisalsobidirectionalinnature,becauseCiscoISEpushestheprofilerconfigurationchangestoCAMs, Cisco Identity Services Engine Administrator Guide, Release 1.3 507 Profiler Reports
andCAMsperiodicallypullthelistofMACaddressesofendpointsandtheircorrespondingprofilesandthe listofalltheprofilenames,fromCiscoISE. YoumustexportthecontentsoftheX509CertificatefromtheCleanAccessManagerinAdministration> CleanAccessManager>SSL,andimportitintothePrimaryPANunderAdministration>System>Certificates >TrustedCertificatesStoreinCiscoISEforapropersecurecommunicationbetweenCiscoISEandCAM. FormoreinformationonhowtosetupapairofCAMsforhighavailability,seethelinkbelow. Cisco ISE Profiler and Cisco Clean Access Manager Communication TheCiscoISEprofilernotifiestheprofilerconfigurationchangestoalltheregisteredCleanAccessManagers (CAMs)fromthePrimaryPAN.ItavoidsduplicatingnotificationinaCiscoISEdistributeddeployment.It usestheRESTAPIstonotifytheprofilerconfigurationchangeswhenendpointsareaddedorremoved,and endpointprofilingpolicieschanged,intheCiscoISEdatabase.Duringanimportofendpoints,theCiscoISE profilernotifiesCAMsonlyaftertheimportiscomplete. ThefollowingRESTAPIflowisimplementedtopushtheprofilerconfigurationchangestoCAMs: CiscoISEprofilerendpointchangepush—Whenendpointsareprofiledandtherearechangesintheprofiles ofendpointsinCiscoISE,thentheCiscoISEprofilernotifiesalltheregisteredCAMsaboutthechangesin theendpointprofiles. YoucanconfigureCiscoISEinCAMs,whichallowsyoutosynchronizeCAMswithCiscoISE,depending onyourSyncSettingsinCAMs.Youmustcreaterules,whereyoucanselectoneormorematchingprofiles fromthelistofCiscoISEprofilesandmapendpointstoanyoneoftheAccessTypesinCAMs.CAMs periodicallyretrieveendpointsandtheircorrespondingprofilesandthelistofalltheprofilenames,fromthe CiscoISEprofiler. ThefollowingRESTAPIflowsareimplementedtopulltheprofilerconfigurationchangesfromtheCisco ISEprofiler: •NACManagerendpointpull—PullsthelistofMACaddressesofendpointsandtheircorresponding profilesofknownendpoints. •NACManagerprofilepull—PullstheprofilenamesfromtheCiscoISEprofiler. TheCiscoISEprofilernotifiestheCiscoISEMonitoringpersonaofalltheeventsthatcanbeusedtomonitor andtroubleshootCiscoISEandCiscoNACApplianceRelease4.9integration. TheCiscoISEprofilerlogcapturesthefollowingeventsformonitoringandtroubleshootingintegration: •ConfigurationchangesforNACSettings(Information) •NACnotificationeventfailure(Error) Add Cisco Clean Access Managers IntegratingCiscoISEwiththeCiscoNACAppliance,Release4.9allowsyoutoutilizetheCiscoISEprofiling serviceinaCiscoNACdeployment.toutilizetheCiscoISEprofilingserviceinaCiscoNACdeployment. TheNACManagerspageallowsyoutoconfiguremultipleCiscoAccessManagers(CAMs),whichprovides anoptiontofiltertheCAMsthatyouhaveregistered.ThispageliststheCAMsalongwiththeirnames, descriptions,IPaddresses,andthestatusthatdisplayswhetherendpointnotificationisenabledornotforthose CAMs. Cisco Identity Services Engine Administrator Guide, Release 1.3 508 Cisco ISE Integration with Cisco NAC Appliance
Procedure Step 1ChooseAdministration>NetworkResources>NACManagers. Step 2ClickAdd. Step 3EnterthenamefortheCiscoAccessManager. Step 4ClicktheStatuscheckboxtoenableRESTAPIcommunicationfromtheCiscoISEprofilerthatauthenticates connectivitytotheCAM. Step 5EntertheIPaddressfortheCAMexceptthefollowingIPaddresses:0.0.0.0and255.255.255.255. Step 6EntertheusernameandpasswordoftheCAMadministratorthatyouusetologintotheuserinterfaceofthe CAM. Step 7ClickSubmit. Create Endpoints with Static Assignments of Policies and Identity Groups YoucancreateanewendpointstaticallybyusingtheMACaddressofanendpointintheEndpointspage. YoucanalsochooseanendpointprofilingpolicyandanidentitygroupintheEndpointspageforstatic assignment. Theregularandmobiledevice(MDM)endpointsaredisplayedintheEndpointsIdentitieslist.Inthelisting page,columnsforattributeslikeHostname,DeviceType,DeviceIdentifierforMDMendpointsaredisplayed. OthercolumnslikeStaticAssignmentandStaticGroupAssignmentarenotdisplayedbydefault. Youcannotadd,edit,delete,import,orexportMDMEndpointsusingthispage.Note Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Endpoints. Step 2ClickAdd. Step 3EntertheMACaddressofanendpointinhexadecimalformatandseparatedbyacolon. Step 4ChooseamatchingendpointpolicyfromthePolicyAssignmentdrop-downlisttochangethestaticassignment statusfromdynamictostatic. Step 5ChecktheStaticAssignmentcheckboxtochangethestatusofstaticassignmentthatisassignedtothe endpointfromdynamictostatic. Step 6ChooseanendpointidentitygrouptowhichyouwanttoassignthenewlycreatedendpointfromtheIdentity GroupAssignmentdrop-downlist. Step 7ChecktheStaticGroupAssignmentcheckboxtochangethedynamicassignmentofanendpointidentity grouptostatic. Step 8ClickSubmit. Cisco Identity Services Engine Administrator Guide, Release 1.3 509 Create Endpoints with Static Assignments of Policies and Identity Groups
Import Endpoints from CSV Files YoucanimportendpointsfromaCSVfileforwhichyouhavealreadyexportedendpointsfromaCiscoISE server,oraCSVfilethatyouhavecreatedfromCiscoISEandupdatedwithendpointdetails. Thefileformathastobeintheformatasspecifiedinthedefaultimporttemplatesothatthelistofendpoints appearsasfollows:MAC,EndpointPolicy,EndpointIdentityGroup. BothendpointpolicyandendpointidentitygroupareoptionalforimportingendpointsinaCSVfile.Ifyou wanttoimporttheendpointidentitygroupwithouttheendpointpolicyforendpoints,thevaluesarestill separatedbythecomma. Forexample, •MAC1,EndpointPolicy1,EndpointIdentityGroup1 •MAC2 •MAC3,EndpointPolicy3 •MAC4,,EndpointIdentityGroup4 Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Endpoints>Import. Step 2ClickImportFromFile. Step 3ClickBrowsetolocatetheCSVfilethatyouhavealreadyexportedfromtheCiscoISEserverortheCSV filethatyouhavecreatedandupdatedwithendpointsinthefileformatasspecified. Step 4ClickSubmit. Default Import Template Available for Endpoints Youcangenerateatemplateinwhichyoucanupdateendpointsthatcanbeusedtoimportendpoints.By default,youcanusetheGenerateaTemplatelinktocreateaCSVfileintheMicrosoftOfficeExcelapplication andsavethefilelocallyonyoursystem.ThefilecanbefoundinAdministration>IdentityManagement >Identities>Endpoints>Import>ImportFromFile.YoucanusetheGenerateaTemplatelinktocreate atemplate,andtheCiscoISEserverwilldisplaytheOpeningtemplate.csvdialog.Thisdialogallowsyouto openthedefaulttemplate.csvfile,orsavethetemplate.csvfilelocallyonyoursystem.Ifyouchoosetoopen thetemplate.csvfilefromthedialog,thefileopensintheMicrosoftOfficeExcelapplication.Thedefault template.csvfilecontainsaheaderrowthatdisplaystheMACaddress,EndpointPolicy,andEndpointIdentity Group,columns. YoumustupdatetheMACaddressesofendpoints,endpointprofilingpolicies,andendpointidentitygroups andsavethefilewithadifferentfilenamethatyoucanusetoimportendpoints.Seetheheaderrowinthe template.csvfilethatiscreatedwhenyouusetheGenerateaTemplatelink. Table 43: CSV Template File Endpoint Identity GroupEndpoint PolicyMAC RegisteredDevicesCisco-Device00:1f:f3:4e:c1:8e Cisco Identity Services Engine Administrator Guide, Release 1.3 510 Create Endpoints with Static Assignments of Policies and Identity Groups
Unknown Endpoints Reprofiled During Import IfthefileusedforimportcontainsendpointsthathavetheirMACaddresses,andtheirassignedendpoint profilingpoliciesistheUnknownprofile,thenthoseendpointsareimmediatelyreprofiledinCiscoISEtothe matchingendpointprofilingpoliciesduringimport.However,theyarenotstaticallyassignedtotheUnknown profile.IfendpointsdonothaveendpointprofilingpoliciesassignedtothemintheCSVfile,thentheyare assignedtotheUnknownprofile,andthenreprofiledtothematchingendpointprofilingpolicies.Seebelow howCiscoISEreprofilesUnknownprofilesthatmatchtheXerox_Deviceprofileduringimportandalsohow CiscoISEreprofilesanendpointthatisunassigned. Table 44: Unknown Profiles: Import from a File Endpoint Profiling Policy Assigned After Import in Cisco ISE Endpoint Profiling Policy Assigned Before Import in Cisco ISE MAC Address Xerox-DeviceUnknown.00:00:00:00:01:02 Xerox-DeviceUnknown.00:00:00:00:01:03 Xerox-DeviceUnknown.00:00:00:00:01:04 Xerox-DeviceIfnoprofileisassignedtoanendpoint,then itisassignedtotheUnknownprofile,andalso reprofiledtothematchingprofile. 00:00:00:00:01:05 Static Assignments of Policies and Identity Groups for Endpoints Retained During Import IfthefileusedforimportcontainsendpointsthathavetheirMACaddresses,andtheirassignedendpoint profilingpolicyisthestaticassignment,thentheyarenotreprofiledduringimport.SeebelowhowCiscoISE retainstheCisco-Deviceprofile,thestaticassignmentofanendpointduringimport. Table 45: Static Assignment: Import From a File Endpoint Profiling Policy Assigned After Import in Cisco ISE Endpoint Profiling Policy Assigned Before Import in Cisco ISE MAC Address Cisco-DeviceCisco-Device(staticassignment)00:00:00:00:01:02 Endpoints with Invalid Attributes Not Imported IfanyoftheendpointspresentintheCSVfilehaveinvalidattributes,thentheendpointsarenotimported andanerrormessageisdisplayed. Forexample,ifendpointsareassignedtoinvalidprofilesinthefileusedforimport,thentheyarenotimported becausetherearenomatchingprofilesinCiscoISE.Seebelowhowendpointsarenotimportedwhenthey areassignedtoinvalidprofilesintheCSVfile. Cisco Identity Services Engine Administrator Guide, Release 1.3 511 Create Endpoints with Static Assignments of Policies and Identity Groups
Table 46: Invalid Profiles: Import from a File Endpoint Profiling Policy Assigned After Import in Cisco ISE Endpoint Profiling Policy Assigned Before Import in Cisco ISE MAC Address Xerox-DeviceUnknown.00:00:00:00:01:02 Theendpointisnotimportedbecause thereisnomatchingprofileinCiscoISE. Ifanendpointsuchas00:00:00:00:01:05 isassignedtoaninvalidprofileotherthan theprofilesthatareavailableinCiscoISE, thenCiscoISEdisplaysawarningmessage thatthepolicynameisinvalidandthe endpointwillnotbeimported. 00:00:00:00:01:05 Import Endpoints from LDAP Server YoucanimporttheMACaddresses,theassociatedprofiles,andtheendpointidentitygroupsofendpoints securelyfromanLDAPserver. Before You Begin Beforeyoubegintoimportendpoints,ensurethatyouhaveinstalledtheLDAPserver. YouhavetoconfiguretheconnectionsettingsandquerysettingsbeforeyoucanimportfromanLDAPserver. IftheconnectionsettingsorquerysettingsareconfiguredincorrectlyinCiscoISE,thenthe“LDAPimport failed:”errormessageappears. Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Endpoints>Import>ImportFrom LDAP. Step 2Enterthevaluesfortheconnectionsettings. Step 3Enterthevaluesforthequerysettings. Step 4ClickSubmit. Export Endpoints with Comma-Separated Values File YoucanexportselectedorallendpointsfromaCiscoISEservertodifferentCiscoISEserversina comma-separatedvalues(CSV)fileinwhichendpointsarelistedwiththeirMACaddresses,endpointprofiling policies,andendpointidentitygroupstowhichtheyareassigned. ExportAllisthedefaultoption.IfendpointsarefilteredintheEndpointspage,onlythosefilteredendpoints areexportedwhenyouareusingtheExportAlloption.Bydefault,theprofiler_endpoints.csvistheCSVfile andtheMicrosoftOfficeExcelisthedefaultapplicationtoopentheCSVfilefromtheOpening profiler_endpoints.csvdialogboxortosavetheCSVfile.Forexample,youcanexportselectedendpointsor allendpointsintheprofiler_endpoints.csvfile,whichyoucanusetoimportthoseendpoints. Cisco Identity Services Engine Administrator Guide, Release 1.3 512 Create Endpoints with Static Assignments of Policies and Identity Groups
Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Endpoints. Step 2ClickExport,andchooseoneofthefollowing: •ExportSelected—YoucanexportonlytheselectedendpointsintheEndpointspage. •ExportAll—Bydefault,youcanexportalltheendpointsintheEndpointspage. Step 3ClickOKtosavetheprofiler_endpoints.csvfile. Identified Endpoints CiscoISEdisplaysidentifiedendpointsthatconnecttoyournetworkanduseresourcesonyournetworkin theEndpointspage.Anendpointistypicallyanetwork-capabledevicethatconnecttoyournetworkthrough wiredandwirelessnetworkaccessdevicesandVPN.Endpointscanbepersonalcomputers,laptops,IPphones, smartphones,gamingconsoles,printers,faxmachines,andsoon. TheMACaddressofanendpoint,expressedinhexadecimalform,isalwaystheuniquerepresentationofan endpoint,butyoucanalsoidentifyanendpointwithavaryingsetofattributesandthevaluesassociatedto them,calledanattribute-valuepair.Youcancollectavaryingsetofattributesforendpointsbasedonthe endpointcapability,thecapabilityandconfigurationofthenetworkaccessdevicesandthemethods(probes) thatyouusetocollecttheseattributes. Dynamically Profiled Endpoints Whenendpointsarediscoveredonyournetwork,theycanbeprofileddynamicallybasedontheconfigured profilingendpointprofilingpolicies,andassignedtothematchingendpointidentitygroupsdependingon theirprofiles. Statically Profiled Endpoints AnendpointcanbeprofiledstaticallywhenyoucreateanendpointwithitsMACaddressandassociatea profiletoitalongwithanendpointidentitygroupinCiscoISE.CiscoISEdoesnotreassigntheprofiling policyandtheidentitygroupforstaticallyassignedendpoints. Unknown Endpoints Ifyoudonothaveamatchingprofilingpolicyforanendpoint,youcanassignanunknownprofilingpolicy (Unknown)andtheendpointthereforewillbeprofiledasUnknown.TheendpointprofiledtotheUnknown endpointpolicyrequiresthatyoucreateaprofilewithanattributeorasetofattributescollectedforthat endpoint.TheendpointthatdoesnotmatchanyprofileisgroupedwithintheUnknownendpointidentity group. Identified Endpoints Locally Stored in Policy Service Nodes Database CiscoISEwritesidentifiedendpointslocallyinthePolicyServicenodedatabase.Afterstoringendpoints locallyinthedatabase,theseendpointsarethenmadeavailable(remotewrite)intheAdministrationnode Cisco Identity Services Engine Administrator Guide, Release 1.3 513 Identified Endpoints
databaseonlywhensignificantattributeschangeintheendpoints,andreplicatedtotheotherPolicyService nodesdatabase. Thefollowingarethesignificantattributes: •ip •EndPointPolicy •MatchedValue •StaticAssignment •StaticGroupAssignment •MatchedPolicyID •NmapSubnetScanID •PortalUser •DeviceRegistrationStatus •BYODRegistration WhenyouchangeendpointprofiledefinitionsinCiscoISE,allendpointshavetobereprofiled.APolicy Servicenodethatcollectstheattributesofendpointsisresponsibleforreprofilingofthoseendpoints. WhenaPolicyServicenodestartscollectingattributesaboutanendpointforwhichattributeswereinitially collectedbyadifferentPolicyServicenode,thentheendpointownershipchangestothecurrentPolicyService node.ThenewPolicyServicenodewillretrievethelatestattributesfromthepreviousPolicyServicenode andreconcilethecollectedattributeswiththoseattributesthatwerealreadycollected. Whenasignificantattributechangesintheendpoint,attributesoftheendpointareautomaticallysavedinthe Administrationnodedatabasesothatyouhavethelatestsignificantchangeintheendpoint.IfthePolicy Servicenodethatownsanendpointisnotavailableforsomereasons,thentheAdministratorISEnodewill reprofileanendpointthatlosttheownerandyouhavetoconfigureanewPolicyServicenodeforsuch endpoints. Policy Service Nodes in Cluster CiscoISEusesPolicyServicenodegroupasaclusterthatallowstoexchangeendpointattributeswhentwo ormorenodesintheclustercollectattributesforthesameendpoint.Werecommendtocreateclustersforall PolicyServicenodesthatresidebehindaloadbalancer. Ifadifferentnodeotherthanthecurrentownerreceivesattributesforthesameendpoint,itsendsamessage acrosstheclusterrequestingthelatestattributesfromthecurrentownertomergeattributesanddetermineif achangeofownershipisneeded.IfyouhavenotdefinedanodegroupinCiscoISE,itisassumedthatall nodesarewithinonecluster. TherearenochangesmadetoendpointcreationandreplicationinCiscoISE.Onlythechangeofownership forendpointsisdecidedbasedonalistofattributes(whitelist)usedforprofilingthatarebuiltfromstatic attributesanddynamicattributes. Uponsubsequentattributescollection,theendpointisupdatedontheAdministrationnode,ifanyoneofthe followingattributeschanges: •ip •EndPointPolicy Cisco Identity Services Engine Administrator Guide, Release 1.3 514 Identified Endpoints