topic Re: profiling pcs in Network Access Control

profiling pcs

edondurguti — Mon, 11 Mar 2019 02:25:10 GMT

I use ISE only for profiling ( no posturing ) and it's L3 adjent with other devices (wlc).

for iphones and stuff I only need OUI=Apple and i'm good ( no need to go deeper), but I'm having problems identifiying Laptops, they show up as unknown, eventhough I use the DHCP option.

Is there any quick rule to identify them, DHCP or Radius or whatever?, or maybe a redirect to ISE http somehow but I don't want them to posture and all that(including NAC Agents), I just want to identify them and then assign appropriate access.

Re: profiling pcs

Tarik Admani — Mon, 13 Aug 2012 20:24:28 GMT

Are they not being profiled as a workstation? When you check the endpoint what does policy match does it show? Do you see any of the dhcp attributes in the endpoint attribute list?

Also, you can build a posture redirect policy but do not create any client provisioning rules, what this does it will redirect the client, gather the http user agent string, then it will profile the user and issue coa.

The user will see a message that lets them know a profile doesn't match but the can retry their request n 60 seconds.

thanks,

Sent from Cisco Technical Support iPad App

Re: profiling pcs

edondurguti — Mon, 13 Aug 2012 20:35:12 GMT

EndPointSource RADIUS Probe

profiling pcs

edondurguti — Mon, 13 Aug 2012 20:40:11 GMT

this is for iphones:

Total Certainty Factor 40

EndPointSource RADIUS Probe

dhcp-client-identifier	01:ec:85:2f:be:56:dd
dhcp-message-type	DHCPREQUEST
dhcp-parameter-request-list	1, 3, 6, 15, 119, 252

FOR PCS

Total Certainty Factor 0 and no DHCP eventhough i have set DHCP = class-identifier CONTAINS MSFT

Re: profiling pcs

Tarik Admani — Mon, 13 Aug 2012 20:43:54 GMT

Are you seeing this with all your workstations? Do you have a static ip configured on the client? Also is the windows client wireless just like the apple device?

Sent from Cisco Technical Support iPad App

Re: profiling pcs

edondurguti — Mon, 13 Aug 2012 20:48:35 GMT

Well I've tried two IBM laptops so far with different OUIs and they show up as unknown, no static ip on the client pc.

not sure what you mean by:

Also is the windows client wireless just like the apple device?

Re: profiling pcs

Tarik Admani — Mon, 13 Aug 2012 20:50:32 GMT

How are they joining the network....wireless or wired?

Sent from Cisco Technical Support iPad App

Re: profiling pcs

edondurguti — Mon, 13 Aug 2012 20:52:31 GMT

Everything is wireless same ssid, NO DHCP PROXY, added ISE_IP_ADDRESS in the ip-helper config.

Re: profiling pcs

Tarik Admani — Mon, 13 Aug 2012 20:55:58 GMT

Is the dhcp probe enabled under the deployment settings?

Sent from Cisco Technical Support iPad App

profiling pcs

edondurguti — Mon, 13 Aug 2012 20:57:02 GMT

Yes on both, primary/secondary, i've got secondary as a primary monitor node.

profiling pcs

Tarik Admani — Mon, 13 Aug 2012 21:11:45 GMT

One way to troubleshoot this is to use the tcdump utiltity to see if the dhcp packet is hitting the ISE node. See if you can set the filter for 'ip host sviofvlan' and then run the capture after reassociating to the network. Then see if the mac address of you client and dhcp requests comes to ISE.

Thanks,

Tarik Admani
*Please rate helpful posts*