Cisco ISE profiling

anson-bates
Level 1

I am trying to implement profiling within Cisco ISE to profile iPads that log in to the network so they get immediate internet access.

Every time an iPad authenticates on the network it is placed in the Apple-Device profile, but not specifically in the iPad profile.

I have turned on the profiling configuration under Admin > System > Deployment (click on a PSN node, then click Profiling Configuration).

I have attached a picture of the Profiling Configuration.

 

Accepted Solution

anthonylofreso
Level 4

Definitely take a look at the documentation that Nidhi referenced. Also, you do not want to check every box under Profiling Configuration. NetFlow especially could degrade performance depending on your policy node hardware.

To your question:

  • You should see in your attribute list (found at: Context Visibility > Endpoints > filter on MAC, click the MAC, click the Attributes tab) a Profile Policy match of 'Apple-iPad'.
  • This gets matched because there is a built-in profiler policy, which you can view here: Work Centers > Profiler > Profiling Policies > Apple-Device > Apple-iPad (may vary depending on your version).
  • With this data, you can create an authZ condition here: Policy > Policy Elements > Conditions > Authorization > Simple Conditions > Add.
  • Once you create an authZ condition, you can create your rule in your policy set, which will match on the condition.

There's a lot to profiling. Hopefully some of this will help you get started!

5 Replies

Nidhi
Cisco Employee

The Apple-Device profile checks for the OUI, and since it matches, this is the profile matched.

ISE has a built-in profile for Apple-iPad which checks for the User-Agent value.

Can you share the attribute list for the endpoint?

I would also suggest you look at this document to learn how profiling works.

https://community.cisco.com/t5/security-documents/how-to-ise-profiling-design-guide/ta-p/3630914

 

 

Thanks,

Nidhi

All you need to do is look at the Apple-iPad profile and look at the rules to understand why it is not working like you expect. The Apple-iPad rule relies on DHCP or User-Agent data. Unless you bring the iPad into a portal controlled by ISE you will probably not get User-Agent data. If you turn on HTTP/DHCP profiling on the WLC (under the WLAN Advanced tab), you may get the data. If you don't turn on profiling on the WLAN, then you will need to forward DHCP requests to ISE.
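The hierarchy that the accepted solution and the reply above describe (Apple-Device matched on OUI, Apple-iPad matched only once DHCP host-name or HTTP User-Agent data arrives, then an authorization rule keyed on the resulting profile) modeled as a small Python simulation. This is an added example written for this thread, not ISE code and not anything posted by the participants; the policy names mirror ISE's built-in Apple-Device and Apple-iPad policies, but the attribute keys, certainty factors, minimum thresholds, the parent-before-child evaluation order, the sample endpoints and the authorization result names are illustrative assumptions.

```python
"""Toy model of how hierarchical ISE profiler policies resolve an endpoint.

Added example, not ISE code. Policy names mirror the built-in Apple-Device and
Apple-iPad policies the thread mentions; attribute keys, certainty values,
thresholds and authorization result names are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A flat attribute list, like the Attributes tab under Context Visibility > Endpoints.
Endpoint = Dict[str, str]


@dataclass
class Rule:
    description: str
    check: Callable[[Endpoint], bool]
    certainty: int


@dataclass
class ProfilerPolicy:
    name: str
    min_certainty: int
    rules: List[Rule]
    children: List["ProfilerPolicy"] = field(default_factory=list)

    def certainty(self, ep: Endpoint) -> int:
        # Every rule that fires contributes its certainty factor.
        return sum(r.certainty for r in self.rules if r.check(ep))


def attr_contains(attr: str, needle: str) -> Callable[[Endpoint], bool]:
    """Build a check equivalent to '<attr> CONTAINS <needle>' (case-insensitive)."""
    return lambda ep: needle.lower() in ep.get(attr, "").lower()


# Constructed policy tree (assumed values). The parent matches on OUI alone; the
# child only matches on data that arrives via DHCP or an HTTP User-Agent, which is
# exactly why a RADIUS-only authentication stops at Apple-Device.
APPLE_IPAD = ProfilerPolicy(
    name="Apple-iPad", min_certainty=20,
    rules=[
        Rule("User-Agent CONTAINS iPad", attr_contains("User-Agent", "iPad"), 20),
        Rule("DHCP host-name CONTAINS iPad", attr_contains("host-name", "iPad"), 20),
    ],
)
APPLE_DEVICE = ProfilerPolicy(
    name="Apple-Device", min_certainty=10,
    rules=[Rule("OUI CONTAINS Apple", attr_contains("OUI", "Apple"), 10)],
    children=[APPLE_IPAD],
)


def resolve_profile(ep: Endpoint, policies: List[ProfilerPolicy]) -> Optional[str]:
    """Walk the tree: a child is considered only after its parent matched, and the
    deepest matching policy becomes the endpoint's profile (assumed behaviour)."""
    best = None
    for pol in policies:
        if pol.certainty(ep) >= pol.min_certainty:
            best = pol.name
            deeper = resolve_profile(ep, pol.children)
            if deeper:
                best = deeper
    return best


def authorize(ep: Endpoint) -> str:
    """Policy-set rule keyed on the resolved profile, as in the accepted solution's
    last two steps. The result names are illustrative, not ISE authorization profiles."""
    profile = resolve_profile(ep, [APPLE_DEVICE])
    if profile == "Apple-iPad":
        return "PermitAccess-InternetOnly"
    return "DenyAccess"  # catch-all; a real policy set would have more rules


# Constructed endpoints. RADIUS_ONLY is what a plain authentication yields:
# a MAC/OUI but no DHCP or HTTP attributes.
RADIUS_ONLY = {"MACAddress": "f0:18:98:00:00:01", "OUI": "Apple, Inc."}
WITH_DHCP = dict(RADIUS_ONLY, **{"host-name": "constructed-iPad"})
WITH_UA = dict(RADIUS_ONLY, **{"User-Agent": "Mozilla/5.0 (iPad; CPU OS 15_0 like Mac OS X)"})
# Non-Apple OUI with an iPad-looking hostname: the child is never evaluated.
NON_APPLE = {"MACAddress": "00:50:56:00:00:02", "OUI": "VMware, Inc.", "host-name": "iPad-spoof"}

if __name__ == "__main__":
    for label, ep in [("radius only", RADIUS_ONLY), ("with DHCP", WITH_DHCP),
                      ("with User-Agent", WITH_UA), ("non-Apple OUI", NON_APPLE)]:
        print(f"{label:16s} -> {str(resolve_profile(ep, [APPLE_DEVICE])):13s} {authorize(ep)}")
```

Running the script shows the RADIUS-only endpoint stopping at Apple-Device, the same endpoint resolving to Apple-iPad once either a DHCP host-name or a User-Agent is present, and a non-Apple OUI never reaching the iPad rules at all. That last case is also why the profile, rather than a hostname alone, is the safer thing to key an authorization rule on.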

Would it be under the RADIUS client profiling option to turn on DHCP profiling and HTTP profiling?
Or is it under local client profiling that DHCP profiling and HTTP profiling are turned on?


DHCP is not being handled by the WLC.


What would break if I change the RADIUS authentication option for the called station ID type from IP address to system MAC address?


Under RADIUS client profiling. Note that you can only have one type configured. So if you turn on RADIUS client profiling you will lose client type information on the WLC dashboards. Not sure if you care about that or not. It doesn't matter if DHCP is handled by the WLC or not. It can still intercept DHCP attributes and feed them to ISE if you turn on RADIUS DHCP profiling.



On the called station ID, it all depends what systems if any are using it. I usually setup my called station ID to be AP name:SSID name. That way I can use the called station ID to know what SSID the client is connecting to and I can write location specific policies by knowing what AP name the client is connecting to. Not sure why you would want System MAC in there.