Re: Cisco ISE Endpoint Profile is wrong

SharveenNair51956 · ‎04-18-2021

Hi

When Cisco ISE is doing the profiling it captures wrong endpoints such as it captured as Windows 7 but actually the PC is Windows 10 and they upgraded the PC from win7 to win10 last year but in Cisco ISE it's still showing as Window 7 - workstation.

Anyone can help me with this?

poongarg · ‎04-18-2021

Kindly check, which profiling probes are enabled. Also check on which profiler probe basis the endpoint is profiled as Windows 7 (check endpoint detailed attributes). It is all about matching the minimum certainty factor for that Profiler Policy. In the Windows 10 Profiler policy, check if the conditions are matching to profile the device correctly.

SharveenNair51956 · ‎04-19-2021

Actually, we are using Radius probe, SNMP, HTTP, and also device-tracking in our environment but it still captures the wrong Win7 endpoint profile. The current endpoint is Windows 10.

Kindly advise.

poongarg · ‎04-19-2021

Kindly attach the endpoint attribute details from the context visibility page.

Arne Bier · ‎04-20-2021

Are you using a Cisco Device Sensor to provide the profiling data to ISE? If so, and if it's on a Cisco IOS-XE device then have a look at the device sensor cache to see if there is a DHCP class identifier that represents Windows 10. That DHCP class-identifier is what helps ISE distinguish between Windows 7 and Windows 10.

If you have AD joined machines then you could also try using the AD probe which will pull more data from AD for AD authenticated endpoints. But DHCP alone should do the trick.

And put a screenshot of the Context Visibility output of that endpoint - search for the keyword "probe" and see what was used as the source of the profiling.

Romzy · ‎04-27-2021

Arne,

Can you elaborate more about the DHCP option? do we know what DHCP class id specifically for Windows 10? I have seen both versions send "dhcp-class-identifier = MSFT 5.0" and by default ISE uses this attribute (dhcp-class-identifier CONTAINS MSFT) to profile clients as 'Microsoft-Workstation'.

Couldn't find details on https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dhcpe/819e0181-af14-42c6-b454-9f37b133031b

In most use cases, main probe to differentiate Win7 and 10 is AD-Operating-System as you stated above.

Arne Bier · ‎04-27-2021

Oh dear. You're right. I have to be honest, I have never compared the old and new.

Information can come from so many directions - I just checked my own ISE. In my case all our machines are shown correctly as Windows 10 because we use AnyConnect. And the AnyConnect application passes that info to ISE. So I wasn't getting that level of granularity from DHCP at all!

Examples of Vendor Class Identifiers (if only using DHCP profiling)

“MSFT 5.0” for all Windows 2000 clients (and up)
“MSFT 98” for all Windows 98 and Me clients
“MSFT” for all Windows 98, Me and 2000 clients

It might be slightly trickier to sniff out a Windows 10 machine based purely on DHCP Discovery packets. I found a link that describes the "signature" of a Windows 10 device, since it uses the following DHCP Parameter List (the parameters that are requested by Win 10 clients) - if you wanted to, see if that differs from Windows 7, and if so, then you could create a Policy to match on that to increase Profiling certainty.