ISE Profiling Filters - Blacklist and Whitelist

Introduction

Cisco Identity Services Engine (ISE) uses multiple probes to profile endpoints. When these probes are enabled on a Policy Service Node (PSN), they collect profiling data which is then forwarded to the Primary Admin Node (PAN) for storage. The PAN then replicates this data to the other nodes in the deployment. In large networks this process can be very resource intensive.

To reduce the impact of the profiling service, ISE uses blacklist and whitelist features. These lists determine which attributes collected by a profiling probe are saved and which are dropped.

Blacklist

ISE has a default static list of attributes that the profiling probes ignore. This list is not visible in the ISE GUI and cannot be modified. As of ISE version 1.1.1 Patch 4, the blacklist consists of the attributes in Table 1.

Table 1 - Profiling Attribute Blacklist in ISE 1.1.1 Patch 4

Attribute Name / Profiling Probe
cdpCacheAddressType / SNMP
cdpCacheApplianceID / SNMP
cdpCacheDeviceIndex / SNMP
cdpCacheDevicePort / SNMP
cdpCacheDuplex / SNMP
cdpCacheEntry / SNMP
cdpCacheIfIndex / SNMP
cdpCacheLastChange / SNMP
cdpCacheMTU / SNMP
cdpCacheNativeVLAN / SNMP
cdpCachePhysLocation / SNMP
cdpCachePowerConsumption / SNMP
cdpCachePrimaryMgmtAddr / SNMP
cdpCachePrimaryMgmtAddrType / SNMP
cdpCacheSecondaryMgmtAddr / SNMP
cdpCacheSecondaryMgmtAddrType / SNMP
cdpCacheSysName / SNMP
cdpCacheSysObjectID / SNMP
cdpCacheVlanID / SNMP
cdpCacheVTPMgmtDomain / SNMP
cLApAMSDUEnable / SNMP
cLApDomainName / SNMP
cLApEncryptionEnable / SNMP
cLApEncryptionSupported / SNMP
cLApEntPhysicalIndex / SNMP
cLApEntry / SNMP
cLApFailoverPriority / SNMP
cLApLastRebootReason / SNMP
cLApMaxNumberOfDot11Slots / SNMP
cLApMaxNumberOfEthernetSlots / SNMP
cLApMonitorModeOptimization / SNMP
cLApPowerStatus / SNMP
cLApPreStdStateEnabled / SNMP
cLApPrimaryControllerAddress / SNMP
cLApPrimaryControllerAddressType / SNMP
cLApPwrInjectorSelection / SNMP
cLApPwrInjectorStateEnabled / SNMP
cLApPwrInjectorSwMacAddr / SNMP
cLApRogueDetectionEnabled / SNMP
cLApSecondaryControllerAddress / SNMP
cLApSecondaryControllerAddressType / SNMP
cldcApMacAddress / SNMP
cldcClientCurrentTxRateSet / SNMP
cldcClientDataRateSet / SNMP
cldcClientEntry / SNMP
cldcClientLoginTime / SNMP
cldcClientMacAddress / SNMP
cldcClientNacState / SNMP
cldcClientPowerSaveMode / SNMP
cldcClientProtocol / SNMP
cldcClientQuarantineVLAN / SNMP
cldcClientUpTime / SNMP
cldcClientWgbMacAddress / SNMP
cldcClientWgbStatus / SNMP
cldcClientWlanProfileName / SNMP
cldcIfType / SNMP
cLLwappJoinTakenTime / SNMP
cLLwappUpTime / SNMP
dot1dBasePort / SNMP
dot1dBasePortIfIndex / SNMP
dot1dTpFdbPort / SNMP
ifAdminStatus / SNMP
ifPhysAddress / SNMP
ifSpeed / SNMP
ifType / SNMP
ipAdEntIfIndex / SNMP
ipAdEntNetMask / SNMP
lldpEntry / SNMP
lldpTimeMark / SNMP
lldpLocalPortNum / SNMP
lldpIndex / SNMP
lldpChassisIdSubtype / SNMP
lldpPortIdSubtype / SNMP
locIfReason / SNMP
MacStatus / SNMP
MoveFromPort / SNMP
MoveToPort / SNMP
sysORLastChange / SNMP
sysORTable / SNMP
sysServices / SNMP
system / SNMP
Timestamp / SNMP
sysUpTime / SNMP
all-subnets-local / DHCP
ap-backoff-retry / DHCP
arp-cache-timeout / DHCP
as-backoff-retry / DHCP
auth / DHCP
authentication / DHCP
auto-configure / DHCP
bcmcs-server-a / DHCP
bcmcs-server-d / DHCP
bcmcs-servers-a / DHCP
bcmcs-servers-d / DHCP
boot-size / DHCP
broadcast-address / DHCP
cablelabs-client-configuration / DHCP
circuit-id / DHCP
cisco-auto-configure / DHCP
cisco-client-last-transaction-time / DHCP
cisco-client-requested-host-name / DHCP
cisco-leased-ip / DHCP
cisco-server-id-override / DHCP
cisco-subnet-selection / DHCP
cisco-vpn-id / DHCP
classless-static-route / DHCP
client-data / DHCP
clt-time / DHCP
cookie-servers / DHCP
default-ip-ttl / DHCP
default-tcp-ttl / DHCP
dhcp-lease-time / DHCP
dhcp-max-message-size / DHCP
dhcp-message / DHCP
dhcp-option-overload / DHCP
dhcp-rebinding-time / DHCP
dhcp-renewal-time / DHCP
dhcp-server-identifier / DHCP
dns-servers / DHCP
domain-list / DHCP
domain-name-servers / DHCP
domain-search / DHCP
elapsed-time / DHCP
extensions-path / DHCP
finger-servers / DHCP
font-servers / DHCP
geo-conf / DHCP
geoconf-civic / DHCP
ia-na / DHCP
ia-pd / DHCP
ia-ta / DHCP
iaaddr / DHCP
iaprefix / DHCP
ieee802-3-encapsulation / DHCP
impress-servers / DHCP
info-refresh-time / DHCP
initial-url / DHCP
interface-id / DHCP
interface-mtu / DHCP
ip-forwarding / DHCP
irc-servers / DHCP
iSNS / DHCP
kdc-addresses / DHCP
kerberos-realm / DHCP
ldap-url / DHCP
log-servers / DHCP
lpr-servers / DHCP
lq-associated-ip / DHCP
lq-client-last-transaction-time / DHCP
lq-client-links / DHCP
lq-query / DHCP
lq-relay-data / DHCP
mask-supplier / DHCP
max-dgram-reassembly / DHCP
mcns-security-server / DHCP
merit-dump / DHCP
mobile-ip-home-agents / DHCP
name-service-search / DHCP
nds-context / DHCP
nds-servers / DHCP
nds-tree / DHCP
netbios-dd-servers / DHCP
netbios-name-servers / DHCP
netbios-node-type / DHCP
netbios-scope / DHCP
netinfo-parent-server-addr / DHCP
netinfo-parent-server-tag / DHCP
netwareip-domain / DHCP
netwareip-information / DHCP
nis-domain / DHCP
nis-domain-name / DHCP
nis-servers / DHCP
nis+-domain / DHCP
nis+-servers / DHCP
nisp-domain-name / DHCP
nisp-servers / DHCP
nntp-servers / DHCP
non-local-source-routing / DHCP
ntp-servers / DHCP
oro / DHCP
path-mtu-aging-timeout / DHCP
path-mtu-plateau-tables / DHCP
perform-mask-discovery / DHCP
policy-filters / DHCP
pop3-servers / DHCP
preference / DHCP
primary-dhcp-server / DHCP
provisioning-server / DHCP
provisioning-timer / DHCP
radius-attributes / DHCP
rapid-commit / DHCP
reconfigure-accept / DHCP
reconfigure-message / DHCP
relay-agent-info / DHCP
relay-agent-subscriber-id / DHCP
relay-message / DHCP
remote-id / DHCP
resource-location-servers / DHCP
root-path / DHCP
router-discovery / DHCP
router-solicitation-address / DHCP
routers / DHCP
secondary-dhcp-server / DHCP
server-id-override / DHCP
server-unicast / DHCP
sip-servers / DHCP
sip-servers-address / DHCP
sip-servers-name / DHCP
slp-directory-agent / DHCP
slp-service-scope / DHCP
smtp-servers / DHCP
sntp-servers / DHCP
static-routes / DHCP
status-code / DHCP
streettalk-directory-assistance-servers / DHCP
streettalk-servers / DHCP
subnet-alloc / DHCP
subnet-info / DHCP
subnet-mask / DHCP
subnet-name / DHCP
subnet-request / DHCP
subnet-selection / DHCP
subnet-suggested-lease-time / DHCP
subscriber-id / DHCP
swap-server / DHCP
tcp-keepalive-garbage / DHCP
tcp-keepalive-interval / DHCP
tftp-server / DHCP
ticket-control-mask / DHCP
time-offset / DHCP
time-servers / DHCP
trailer-encapsulation / DHCP
tranID / DHCP
use-tgt / DHCP
user-auth / DHCP
user-class / DHCP
v-i-vendor-class / DHCP
v-i-vendor-opts / DHCP
vendor-encapsulated-options / DHCP
vendor-opts / DHCP
vpn-id / DHCP
www-servers / DHCP
Accept / HTTP
Accept-Charset / HTTP
Accept-Encoding / HTTP
Accept-Language / HTTP
Cache-Control / HTTP
Connection / HTTP
If-Modified-Since / HTTP
If-None-Match / HTTP
Keep-Alive / HTTP
Referer / HTTP
Acct-Authentic / RADIUS
Acct-Delay-Time / RADIUS
Acct-Input-Octets / RADIUS
Acct-Input-Packets / RADIUS
Acct-Interim-Interval / RADIUS
Acct-Link-Count / RADIUS
Acct-Multi-Session-Id / RADIUS
Acct-Output-Octets / RADIUS
Acct-Output-Packets / RADIUS
Acct-Session-Id / RADIUS
Acct-Session-Time / RADIUS
Acct-Status-Type / RADIUS
Acct-Terminate-Cause / RADIUS
Acct-Tunnel-Connection / RADIUS
Acct-Tunnel-Packets-Lost / RADIUS
Callback-ID / RADIUS
Callback-Number / RADIUS
CHAP-Challenge / RADIUS
CHAP-Password / RADIUS
Class / RADIUS
Configuration-Token / RADIUS
Digest-Attributes / RADIUS
Digest-Response / RADIUS
EndPointMatchedProfile / RADIUS
EAP-Key-Name / RADIUS
EAP-Message / RADIUS
Error-Cause / RADIUS
Event-Timestamp / RADIUS
Filter-ID / RADIUS
Framed-AppleTalk-Link / RADIUS
Framed-AppleTalk-Network / RADIUS
Framed-AppleTalk-Zone / RADIUS
Framed-Compression / RADIUS
Framed-IPX-Network / RADIUS
Framed-MTU / RADIUS
Framed-Protocol / RADIUS
Framed-Route / RADIUS
Framed-Routing / RADIUS
Idle-Timeout / RADIUS
Ingress-Filters / RADIUS
Login-IP-Host / RADIUS
Login-LAT-Group / RADIUS
Login-LAT-Node / RADIUS
Login-LAT-Port / RADIUS
Login-LAT-Service / RADIUS
Login-Service / RADIUS
Login-TCP-Port / RADIUS
Message-Authenticator / RADIUS
MS-CHAPv2-Auth-Challenge / RADIUS
MS-CHAPv2-NT-Response / RADIUS
MS-CHAPv2-Peer-Challenge / RADIUS
NT-Password-Hash / RADIUS
Password-Retry / RADIUS
Port-Limit / RADIUS
PostureStatus / RADIUS
Proxy-State / RADIUS
Reply-Message / RADIUS
Session-Timeout / RADIUS
State / RADIUS
Termination-Action / RADIUS
Tunnel-Assignment-ID / RADIUS
Tunnel-Client-Auth-ID / RADIUS
Tunnel-Client-Endpoint / RADIUS
Tunnel-Medium-Type / RADIUS
Tunnel-Password / RADIUS
Tunnel-Preference / RADIUS
Tunnel-Private-Group-ID / RADIUS
Tunnel-Server-Auth-ID / RADIUS
Tunnel-Server-Endpoint / RADIUS
Tunnel-Type / RADIUS
User-Password / RADIUS
User-Priority-Table / RADIUS
RequestLatency / RADIUS
ExternalGroups / RADIUS

Whitelist

ISE 1.1.2 introduced the profiling whitelist feature. When enabled, this feature disables the blacklist and enforces collection of only the attributes that exist in the whitelist. The whitelist starts with the default set of attributes shown in Table 2, but ISE adjusts the whitelist based on the profiling policy configuration. The purpose of the whitelist is to keep the number of collected attributes as small as possible without interfering with profiling policies.

Table 2 - Default Whitelist - ISE 1.1.2

Attribute Name
AcsSessionID
AuthState
Call Check
Calling-Station-ID
Certificate Expiration Date
Certificate Issue Date
Certificate Issuer Name
Certificate Serial Number
Description
DestinationIPAddress
Device Identifier
Device Name
DeviceRegistrationStatus
EapAuthentication
EapTunnel
EndPointPolicy
EndPointPolicyID
EndPointProfilerServer
EndPointSource
FQDN
FirstCollection
Framed-IP-Address
IdentityGroup
IdentityGroupID
IdentityStoreGUID
IdentityStoreName
L4_DST_PORT
LastNmapScanTime
MACAddress
MatchedPolicy
MatchedPolicyID
MessageCode
NADAddress
NAS-IP-Address
NAS-Port-Id
NAS-Port-Type
NmapScanCount
NmapSubnetScanID
OS Version
OUI
PolicyVersion
PortalUser
PostureApplicable
Product
RegistrationTimeStamp
Service-Type
StaticAssignment
StaticGroupAssignment
TimeToProfile
Total Certainty Factor
User-Agent
cdpCacheAddress
cdpCacheCapabilities
cdpCacheDeviceId
cdpCachePlatform
cdpCacheVersion
ciaddr
dhcp-class-identifier
dhcp-requested-address
host-name
hrDeviceDescr
ifIndex
ip
lldpCacheCapabilities
lldpCapabilitiesMapSupported
lldpSystemDescription
operating-system
sysDescr

The default configuration disables the whitelist and enables the blacklist. You can enable the whitelist feature by selecting the "Endpoint Attribute Filter" option on the Administration > System Settings > Profiling page in ISE.

Note: If you add a custom rule in ISE that uses a new attribute after enabling the whitelist, you need to disable the whitelist and re-enable it once so that the new attribute is added to the whitelist.
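To make the interaction between the two lists concrete, here is an added Python model of the filter (not Cisco's code and not an ISE API): blacklist mode drops the listed attributes, whitelist mode bypasses the blacklist and keeps only whitelisted attributes, and the whitelist is rebuilt from the profiling policies only when the filter is toggled. Attribute names are subsets of Tables 1 and 2; the endpoint record, the policy name and Custom-Vendor-Attr are constructed.

```python
# Added example (not Cisco's code): models the ISE attribute filter described
# above. Attribute names are subsets of Tables 1 and 2; the endpoint record,
# the custom policy and "Custom-Vendor-Attr" are constructed.

# Subset of the static blacklist (Table 1); note it includes credential-
# bearing RADIUS attributes such as User-Password.
BLACKLIST = {"sysUpTime", "dhcp-lease-time", "Referer",
             "User-Password", "CHAP-Password", "NT-Password-Hash"}

# Subset of the default whitelist (Table 2).
DEFAULT_WHITELIST = {"MACAddress", "OUI", "host-name", "User-Agent",
                     "dhcp-class-identifier", "sysDescr", "Calling-Station-ID"}

def build_whitelist(default, policy_conditions):
    """Default whitelist plus every attribute referenced by a profiling
    policy condition (policy_name, attribute). ISE rebuilds this only when
    the filter is disabled and re-enabled (see the note above)."""
    return set(default) | {attr for _, attr in policy_conditions}

def filter_attributes(collected, whitelist_enabled, whitelist=DEFAULT_WHITELIST):
    """Attributes ISE stores for one endpoint. Filter off: blacklist applies.
    Filter on: blacklist is bypassed, only whitelisted attributes survive."""
    if whitelist_enabled:
        return {k: v for k, v in collected.items() if k in whitelist}
    return {k: v for k, v in collected.items() if k not in BLACKLIST}

# Constructed attributes collected for one endpoint by several probes.
ENDPOINT = {
    "MACAddress": "00:11:22:33:44:55",
    "host-name": "printer-lobby",
    "dhcp-lease-time": "86400",
    "sysUpTime": "12345",
    "User-Password": "<secret>",
    "Custom-Vendor-Attr": "acme-v2",   # neither blacklisted nor whitelisted
}

def demo():
    """The four states the page discusses, as sorted stored attribute names."""
    default_wl = build_whitelist(DEFAULT_WHITELIST, [])
    policies = [("Acme-Printer", "Custom-Vendor-Attr")]  # custom rule added
    return {
        "blacklist_mode": sorted(filter_attributes(ENDPOINT, False)),
        "whitelist_default": sorted(filter_attributes(ENDPOINT, True, default_wl)),
        # rule added but filter not toggled: the old whitelist is still enforced
        "whitelist_stale": sorted(filter_attributes(ENDPOINT, True, default_wl)),
        # filter disabled and re-enabled: whitelist rebuilt from the policies
        "whitelist_rebuilt": sorted(filter_attributes(
            ENDPOINT, True, build_whitelist(DEFAULT_WHITELIST, policies))),
    }
```

In both modes the credential-bearing RADIUS attributes never reach storage: the blacklist drops them explicitly, and the whitelist drops them because they are not listed.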