An engineer wants to automatically assign endpoints that have a specific OUI into a new endpoint group. Which probe must be enabled for this type of profiling to work?
I agree. The NMAP scan is based on IP; any information collected during the scan will be discarded if a MAC-IP binding doesn't exist.
According to the ISE Profiling Design Guide, "The dhcp-client-identifier typically provides the MAC address, which in turn provides the vendor OUI information through correlation from the MAC Address-OUI mapping table." (under Procedure 25, Verify DHCP Probe Data)
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-2096149162
In addition to Jeeves69: it is option 60, not 61.
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-2725.pdf
Vendor / OS information can be gathered from the dhcp-class-identifier (60).
DHCP parameter request list and DHCP class ID can be used for platform and model.
The dhcp-client-identifier typically provides the MAC address, which in turn provides the vendor OUI information through correlation from the MAC Address-OUI mapping table.
The dhcp-class-identifier often provides a unique platform-specific attribute and in some cases provides a detailed description of the connected endpoint - in this example, MSFT 5.0, which is the value assigned to Microsoft Windows workstations.
https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456
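Several replies above refer to option 61 (client-identifier) and option 60 (class-identifier) without showing how the MAC and OUI come out of them. The following is an added Python example, not part of the thread or of Cisco's guide: it parses a constructed DHCP option block, extracts both options and correlates the OUI with a small hypothetical vendor table (a stand-in for the IEEE OUI list).

```python
# Added example: parse a DHCP option block, pull option 61 (client-identifier)
# and option 60 (class-identifier), and correlate the MAC's OUI with a vendor
# table the way a DHCP probe would. The OUI table is a constructed sample.
from typing import Dict, Optional, Tuple

# Constructed sample OUI table (hypothetical values, not real IEEE data).
SAMPLE_OUI_TABLE: Dict[str, str] = {
    "00:1A:2B": "ExampleCam Corp",
    "AA:BB:CC": "ExamplePhone Inc",
}

def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Walk a DHCP option block (code, length, value) until option 255 (end)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:            # end marker
            break
        if code == 0:              # pad byte, has no length field
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def mac_from_client_id(client_id: bytes) -> Optional[str]:
    """Option 61: hardware type 1 (Ethernet) followed by a 6-byte MAC.
    Other client-identifier forms (e.g. hostname strings) carry no MAC."""
    if len(client_id) == 7 and client_id[0] == 1:
        return ":".join(f"{b:02X}" for b in client_id[1:])
    return None

def profile(data: bytes) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (mac, vendor-from-OUI, class-identifier) for one option block."""
    opts = parse_dhcp_options(data)
    mac = mac_from_client_id(opts.get(61, b""))
    vendor = SAMPLE_OUI_TABLE.get(mac[:8]) if mac else None   # OUI = first 3 octets
    class_id = opts.get(60, b"").decode("ascii", "replace") or None
    return mac, vendor, class_id

# Constructed option block: msg type (53), option 61 with an Ethernet MAC,
# option 60 "MSFT 5.0", end marker.
SAMPLE_OPTIONS = (b"\x35\x01\x03"
                  + b"\x3d\x07\x01\x00\x1a\x2b\x10\x20\x30"
                  + b"\x3c\x08MSFT 5.0"
                  + b"\xff")

if __name__ == "__main__":
    print(profile(SAMPLE_OPTIONS))  # ('00:1A:2B:10:20:30', 'ExampleCam Corp', 'MSFT 5.0')
```

A client-identifier that is not an Ethernet hardware address (for example a hostname string) yields no MAC and therefore no OUI, which is the case the probe cannot resolve on its own.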
The answer is SNMP. It will work and can pull ARP tables from the network devices. In fact, page 28 in the ISE Profiling guide recommends it if RADIUS or DHCP probes can't be effective.
An NMAP scan cannot get a MAC address. If it is on the same subnet, then it would pull the MAC from the ARP table, which would then be effective. That's a big IF.
DHCP would miss static devices, as mentioned.
A NetFlow probe with the additional attributes SRC_MAC and DST_MAC should also work for this situation if placed properly within the network, but I'm going with SNMP as that is what is recommended in the guide.
Explanation:
To automatically assign endpoints with a specific Organizationally Unique Identifier (OUI) into a new endpoint group, Cisco ISE needs to identify the MAC addresses of those endpoints.
The DHCP probe extracts MAC addresses from DHCP request packets, allowing Cisco ISE to determine the OUI (first 24 bits of the MAC address) and categorize devices accordingly.
Why not the other options?
A. SNMP – Used for network device discovery, but not effective for identifying endpoint MAC addresses dynamically.
B. NMAP – Performs active scanning but does not focus on OUI-based profiling.
D. NetFlow – Provides traffic flow analysis, but does not extract MAC addresses from endpoint traffic.
Correcting myself from my answer below. According to "Probe Selection Best Practices" in the ISE Profiling Design Guide, from the official Cisco documentation, it's SNMP.
I vote for C.
As many before have said, the DHCP probe in Cisco ISE can capture information from DHCP requests, including the MAC address of the endpoint. The OUI is part of the MAC address and can be used to profile and categorize endpoints into specific groups based on this information.
DHCP. This is the most used function for ISE to learn about endpoints, since it can learn about them even if the endpoints are not on an 802.1X-enabled port. NMAP is manually triggered. It's theoretical that some clients use static IP; most devices use DHCP.
Why not D? Check the profiling probe using NetFlow v9... Also, DHCP from a security perspective uses IP-to-MAC binding; that doesn't mean it is used as a probe to get MAC details.
Probe SNMP:
Key profiling attributes:
- MAC Address/OUI
- CDP/LLDP
- ARP tables
Common Endpoint Profiling Use Cases:
- See RADIUS probe for MAC info.
- Valuable for any vendor that uses CDP/LLDP. For example, Cisco IP phones, cameras, access points, appliances.
- Polling of device ARP tables populates ISE MAC-to-IP bindings.
https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456
CTRL + F to the section: "Probe Selection Best Practices"
NMAP scans for open ports and OS detection; how do you get a MAC address from NMAP scans over L3? You can configure SNMP probes to start profiling and populating endpoints before enforcing MAB/802.1X in ISE. I have done this a few times.