Solved: Re: Cisco AP 2700 profiling

Wesoley · ‎06-07-2020

Dear community,

I am having a nightmare profiling a Cisco AP 2700. I have used sensors and created a profile matching the details but no success. Even the built in one does not work. If I use the Cisco-Device endpoint profile it matches. However, we desire to have something a little bit more granular. Does anyone have a profile for an AP-2700 that works and is willing to share? Any other recommendations to assist with profiling is also welcomed.

Btw, I'm using ISE 2.60.156 Patch 6.

poongarg · ‎06-07-2020

DHCP and CDP attributes are mainly used to profile the Cisco-AP-Aironet-2700. Check the endpoint attributes in Context-visibility and match if any of the attribute listed is matching with the rule under Profiler Policy List > Cisco-AP-Aironet-2700. This Profile have Parent Profile of Cisco-Access-Point, so also make sure that the AP attribute should match one of the rule under Profiler Policy List > Cisco-Access-Point.

Enabling the device-sensor on switch should do the job.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html
On switch verify device-sensor cache on the AP connected port and make sure that accounting is configured correctly on the switch as per the above document.
switch#show device-sensor cache interface <>

View solution in original post

saxenanitesh8522 · ‎06-08-2020

As a good rule with cisco ise profiling using DHCP server is best method.

Do rate if helpful

Thanks

View solution in original post

poongarg · ‎06-07-2020

DHCP and CDP attributes are mainly used to profile the Cisco-AP-Aironet-2700. Check the endpoint attributes in Context-visibility and match if any of the attribute listed is matching with the rule under Profiler Policy List > Cisco-AP-Aironet-2700. This Profile have Parent Profile of Cisco-Access-Point, so also make sure that the AP attribute should match one of the rule under Profiler Policy List > Cisco-Access-Point.

Enabling the device-sensor on switch should do the job.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html
On switch verify device-sensor cache on the AP connected port and make sure that accounting is configured correctly on the switch as per the above document.
switch#show device-sensor cache interface <>

Wesoley · ‎06-08-2020

Thanks for your feedback. I previously followed this article and did just that. In this case, it's CDP. I have checked the attribute listed, for example, NetworkDeviceProfileName Cisco, OUI Cisco Systems, Inc on the Context-visibility and made an AP attribute for those and still no match. I even assigned the Policy Cisco-Access-Point and I still don't get a match on that. I will try it again though. For example, the attached photo is exactly what I see in the device-sensor cache.

poongarg · ‎06-08-2020

Just a quick check, same you are seeing in the Context visibility as well, still the AP is not profiled? Can you attach the detailed attributes of the AP (Context Visibility>Endpoint>Select the AP mac address> Attributes)

Wesoley · ‎06-08-2020

Here are the detail requested.

saxenanitesh8522 · ‎06-08-2020

Hi,

Which profiling methods are using? as the profiling is using only Radius profiled.

It is preferred using dhcp profiling.

Wesoley · ‎06-08-2020

I have both Radius and DHCP enabled for profiling. The AP-2700 profile also has dhcp conditions.

saxenanitesh8522 · ‎06-08-2020

what is your DHCP server ? is a windows DHCP server or Core Switch as a dhcp server?

Wesoley · ‎06-08-2020

It's a windows DHCP server.

poongarg · ‎06-08-2020

As per the conditions in the Cisco-Access-Point Profile: If any of the below attribute matches then the AP will be profiled as Cisco-Access-Point:

cdpCachePlatform CONTAINS CISCO AIR
dhcp-parameter-request-list EQUALS 1, 6, 15, 44, 3, 7, 33, 150, 43
dhcp-class-identifier CONTAINS Cisco AP

As per the screenshot, you are getting only CDP attributes not the DHCP attributes from the switch and cdpCachePlatform is equal to cisco AIR-CAP2702l-E-k9, which doesn't match CISCO AIR (being not all characters are in CAP).
I would suggest you to duplicate the Profiling condition-Cisco-Access-PointRule1Check1_copy and in attribute Value define it as "cisco AIR" and add it as one of the rule in the Cisco-Access-Point profiling policy with certainty factor 10 and make sure that Minimum Certainty Factor should also be 10 in this policy.

Check, if post this change AP is profiled correctly or not.

Wesoley · ‎06-08-2020

The modification of the cdpCachePlatform did not work :( However, under the SVI for the AP's, I added the ip helper address to the ISE node and boom, it got profiled. Very strange that the cdp is not working. Thank you for you time and expert knowledge.

saxenanitesh8522 · ‎06-08-2020

As a good rule with cisco ise profiling using DHCP server is best method.

Do rate if helpful

Thanks

saxenanitesh8522 · ‎06-08-2020

Hi

Under the context visibility search for the MAC address of the AP and check the source for the profiling which it is using to profile the device.