topic I actually enabled all probes in Network Access Control

MacBook profiles as Cisco-Switch in 2.1

Dustin Anderson — Mon, 11 Mar 2019 06:51:00 GMT

I'm experimenting with trying to get Mac's to profile on ISE. 2.1. I've tried installing AnyConnect and for some reason it sees it as a Nexus 7000 switch.

Here's info from the debug

Attribute:AAA-Server value:ise-2
Attribute:Airespace-Wlan-Id value:5
Attribute:AllowedProtocolMatchedRule value:EAP_Chaining_Wireless
Attribute:AuthenticationMethod value:MSCHAPV2
Attribute:AuthorizationPolicyMatchedRule value:Default
Attribute:BYODRegistration value:Unknown
Attribute:CacheUpdateTime value:1465417705907
Attribute:Called-Station-ID value:20-3a-07-66-96-20
Attribute:Calling-Station-ID value:a4-5e-60-cf-81-83
Attribute:CreateTime value:1464896196500
Attribute:DestinationIPAddress value:10.10.207.156
Attribute:DestinationPort value:1812
Attribute:DetailedInfo value:Authentication succeed
Attribute:Device IP Address value:10.10.204.114
Attribute:Device Identifier value:
Attribute:Device Port value:32772
Attribute:Device Type value:Device Type#All Device Types
Attribute:DeviceCompliance value:Unknown
Attribute:DeviceRegistrationStatus value:NotRegistered
Attribute:EndPointMACAddress value:A4-5E-60-CF-81-83
Attribute:EndPointPolicy value:Cisco-Switch
Attribute:EndPointPolicyID value:4afc4ae0-6d8e-11e5-978e-005056bf2f0a
Attribute:EndPointProfilerServer value:ise-2
Attribute:EndPointSource value:RADIUS Probe
Attribute:FailureReason value:5440 Endpoint abandoned EAP session and started new
Attribute:FirstCollection value:1464896196418
Attribute:Framed-IP-Address value:
Attribute:Framed-IPv6-Address value:
Attribute:IdentityAccessRestricted value:false
Attribute:IdentityGroup value:Profiled
Attribute:IdentityGroupID value:b132c920-6d8d-11e5-978e-005056bf2f0a
Attribute:IsThirdPartyDeviceFlow value:false
Attribute:LastActivity value:1465417705904
Attribute:LastNmapScanTime value:1465245395228
Attribute:Location value:Location#All Locations
Attribute:LogicalProfile value:Infrastructure Network Devices
Attribute:MACAddress value:A4:5E:60:CF:81:83
Attribute:MDMServerID value:
Attribute:MatchedPolicy value:Cisco-Switch
Attribute:MatchedPolicyID value:4afc4ae0-6d8e-11e5-978e-005056bf2f0a
Attribute:MessageCode value:5440
Attribute:NAS-IP-Address value:10.10.204.114
Attribute:NAS-Identifier value:WLC-3
Attribute:NAS-Port value:1
Attribute:NAS-Port-Type value:Wireless - IEEE 802.11
Attribute:Network Device Profile value:Cisco
Attribute:NetworkDeviceGroups value:Location#All Locations, Device Type#All Device Types
Attribute:NetworkDeviceName value:WLC-3
Attribute:NetworkDeviceProfileId value:8ade1f15-aef1-4a9a-8158-d02e835179db
Attribute:NetworkDeviceProfileName value:Cisco
Attribute:NmapScanCount value:1
Attribute:NmapSubnetScanID value:0
Attribute:OUI value:Apple, Inc.
Attribute:PhoneID value:
Attribute:PolicyVersion value:32
Attribute:PortalUser value:
Attribute:PostureApplicable value:Yes
Attribute:PostureAssessmentStatus value:NotApplicable
Attribute:PostureExpiry value:
Attribute:PostureStatus value:Unknown
Attribute:RadiusFlowType value:Wireless802_1x
Attribute:RadiusPacketType value:AccessRequest
Attribute:RegistrationTimeStamp value:0
Attribute:Response value:{RadiusPacketType=Drop; }
Attribute:SSID value:20-3a-07-66-96-20
Attribute:SelectedAccessService value:Default Network Access
Attribute:SelectedAuthenticationIdentityStores value:Internal Users, ise-2, All_AD_Join_Points
Attribute:SelectedAuthorizationProfiles value:DenyAccess
Attribute:Service-Type value:Framed
Attribute:StaticAssignment value:false
Attribute:StaticGroupAssignment value:false
Attribute:StepData value:4= Normalised Radius.RadiusFlowType, 5=EAP_Chaining_Wireless
Attribute:TLSCipher value:ECDHE-RSA-AES256-SHA
Attribute:TLSVersion value:TLSv1
Attribute:TimeToProfile value:44
Attribute:Total Certainty Factor value:30
Attribute:UniqueSubjectID value:
Attribute:UpdateTime value:1465245396597
Attribute:allowEasyWiredSession value:false
Attribute:host-name value:
Attribute:ip value:
Attribute:operating-system value:Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)
Attribute:operating-system-result value:Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)
Attribute:SkipProfiling value:false

Hi

Francesco Molino — Wed, 08 Jun 2016 22:45:58 GMT

as per number of years I'm installing ISE, I experienced that issue only 1 time. To solve this issue for me it was to update Administration>Feed Service>Profiler.

I don't know why the 1st time it was saying successful but not working. I had stopped and restarted all services, do again update and then it was profiled correctly.

You may try this. If not working, I hope someone else could give you some helps otherwise you need to open a TAC case.

Thanks

I increased the weights on

Dustin Anderson — Thu, 09 Jun 2016 14:31:45 GMT

I increased the weights on the apple profile, but still hate that mac's don't profile at all. Most I get is the MAC oui. Anyconnect doesn't seem to pass any more info along. Wish it would be like windows and at least give me the OS version.

Did you tried feed update?

Francesco Molino — Thu, 09 Jun 2016 20:25:50 GMT

Did you tried feed update?

When I got this issue i had played with all profiles but nothing was working except feed updates as I mentioned before.

Maybe you need to raise a Tac case?

I'm sorry to not helping more but I had this issue only 1 time on several deployment and no time to troubleshoot more as I solved it after updates in a specific order.

Yeah, I tried feed update. I

Dustin Anderson — Thu, 09 Jun 2016 22:54:10 GMT

Yeah, I tried feed update. I can't do a TAC since it's only a demo atm. It looks like we will be going to it, so may just have to wait for purchase and then open a TAC.

Have you patched ISE with

Francesco Molino — Thu, 09 Jun 2016 23:00:40 GMT

Have you patched ISE with latest patches?

I've not tested yet version 2.1 in production. As it is a test, have you done the same work with version 2.0?

Yeah, had the same issue with

Dustin Anderson — Fri, 10 Jun 2016 00:29:42 GMT

Yeah, had the same issue with 2.0.1. all Apple came in as Apple-Device. Could be an issue because of doing EAP-Chaining for windows PC's

Apple-Device is quite good

Francesco Molino — Fri, 10 Jun 2016 00:34:08 GMT

Apple-Device is quite good compare to cisco-switch has you said. What kind of probes are you using? I don't see any related issue with EAP-CHAINING

I actually enabled all probes

Dustin Anderson — Fri, 10 Jun 2016 14:35:38 GMT

I actually enabled all probes to see if it would help. One thing my cisco rep said is to check the prob log, do you know where to access that?

You will find all things on

Francesco Molino — Fri, 10 Jun 2016 14:58:17 GMT

You will find all things on Monitor tab, Troubleshooting.

If you want to set the level of logs, you need to go on Administration/System/Logging

HA! Got it, We set up the ISE

Dustin Anderson — Fri, 10 Jun 2016 16:04:05 GMT

HA! Got it, We set up the ISE server on the firewall as a DHCP server so all the traffic is also forwarded to it. This and the DHCP probe finally gave me the hostname and we start all them with the prefix MB, so I was able to make a new profile rule looking for hostname starting with MB and added it to Apple-MacBook.

Can you explain this a little

michaellperrin — Fri, 10 Jun 2016 18:42:06 GMT

Can you explain this a little bit?

I have read adding the ISE node to the DHCP helper command will help with profiling.

On the WLC I point the interface to our DHCP servers, how can I also forward that traffic to ISE to use for profiling?

Ok you've done it manually,

Francesco Molino — Fri, 10 Jun 2016 18:45:38 GMT

Ok you've done it manually, but normally you don't need question. I asked which probe you were using. Could you confirm me that you set ip dhcp helper on all SVI pointing to your ISE server?

Ok, wish I was still at work

Dustin Anderson — Fri, 10 Jun 2016 20:43:35 GMT

Ok, wish I was still at work to verify and get some screenshots. Our main networker set it up, but I think I caught what he did. Basically, for 2 of our wireless networks, we have DHCP relay set up to forward requests to our 2 servers. We just added the ISE server as a third DHCP server for our onboarding network. This way, when a wireless device connects, the firewall sends the DHCP request to the servers and the ISE.

This at least gets me the hostname to use in profiling.

As for a WLC, I would guess if you are doing DHCP relay on that, you could just add your ISE in as a DHCP server so it also gets the traffic.

Yes you need to add ISE

Francesco Molino — Fri, 10 Jun 2016 21:54:07 GMT

Yes you need to add ISE server in your dhcp helper (dhcp relay) in order to get some information on DHCP request to profile correctly devices.

Even after setting correctly ISE in your DHCP relay, you aren't able to profile?

Better than it was. It just

Dustin Anderson — Sat, 11 Jun 2016 02:58:38 GMT

Better than it was. It just gives me hostname, so if the name contains iPhone iPad etc it works.

I was more concerned on MacBooks, but we use a specific naming scheme, so can profile those by the name prefix.

This is just for company managed devices, so not a BYOD setup. I know you can get more if you do a web redirect to a login page, but we don't want to do that for company systems.