DHCP class id to find as corporate Asset

Hello,

Can someone explain to me how to identify a machine as a corporate asset based on the DHCP user class ID?

I understand that we have to set the class ID like ipconfig /setclassid "Ethernet" Myclassid .

I would like to understand what changes need to be made on the DHCP server, for example whether we have to enable any option for this. Also, I would like to know: will these attributes be sent only by the DHCP probe to ISE?

-Aravind

Accepted Solutions

paul
Level 10

You shouldn't need to set anything on the DHCP server as this is an attribute sent by the client.  You intercept this attribute with the DHCP profiler if you are doing ip helper forwarding of DHCP packets or the RADIUS profiler if you are doing IOS device sensor to capture DHCP information.  When ISE captures this field it will be in hex so make sure you are doing the correct string matching.

 

I am not sure if this is still useful anymore because the system has so many different names for the Ethernet adapter.  Used to be "Ethernet" or "Local LAN Adapter" would work, but it doesn't in all cases now.  I haven't checked this option out in years though.
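To illustrate the hex matching mentioned in the answer above, here is an added example (not part of the original thread and not Cisco code) that pulls the user class (DHCP option 77) out of a client's options and compares it with an expected class ID, both as bytes and as a captured hex string. The function names and sample bytes are constructed; the thread does not show how ISE renders the hex, so the comparison ignores case and separators, and an unframed raw class string is accepted alongside the length-prefixed items of RFC 3004 as an assumption about client behaviour.

```python
# Added example: names and sample packets below are constructed for illustration.
USER_CLASS, PAD, END = 77, 0, 255  # DHCP option codes (77 = User Class, RFC 3004)

def find_option(options: bytes, code: int):
    """Walk the DHCP options field (bytes after the magic cookie)."""
    i = 0
    while i < len(options) and options[i] != END:
        if options[i] == PAD:          # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            return None                # truncated option header
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) < length:
            return None                # truncated option value
        if options[i] == code:
            return value
        i += 2 + length
    return None

def user_classes(value: bytes):
    """Split option 77 into class items; fall back to one raw item if the
    RFC 3004 length framing does not fit (assumed non-compliant client)."""
    items, i = [], 0
    while i < len(value):
        n = value[i]
        if n == 0 or i + 1 + n > len(value):
            return [value]
        items.append(value[i + 1:i + 1 + n])
        i += 1 + n
    return items

def user_class_matches(options: bytes, expected: str) -> bool:
    value = find_option(options, USER_CLASS)
    return value is not None and expected.encode("ascii") in user_classes(value)

def hex_matches(captured_hex: str, expected: str) -> bool:
    """Compare a hex rendering of the attribute with the expected class ID."""
    s = captured_hex.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = s.translate(str.maketrans("", "", ":- "))
    return s == expected.encode("ascii").hex()

# Constructed options: message type (53) = REQUEST, then option 77, then END.
RAW_OPTS = bytes([53, 1, 3, 77, 9]) + b"Myclassid" + bytes([END])
RFC_OPTS = bytes([53, 1, 3, 77, 10, 9]) + b"Myclassid" + bytes([END])
```
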

Hi Paul,

Thanks for your valuable help!

Is there any other way to find out whether an endpoint (MacBook and Linux) belongs to the company as an asset? + user auth for dynamic authentication.

 

-Aravind

The way I approach this is two ways:



1) If the number of Mac/Linux devices is small then put the AD user accounts into a specific AD group, Allowed_Mac_Users as an example, and let those users connect with PEAP user credentials. You can use a whitelist to hold the MAC address of these devices to further lock the rule down.

2) The best way is to manage these devices with an MDM like JAMF or AirWatch for Macs (not sure on Linux) and push out a certificate from the customer's CA and enable EAP-TLS authentication using that certificate.