cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1074
Views
15
Helpful
5
Replies

how to override the client attibutes from ISE

lupingyao
Level 1
Level 1

we have the ISE 2.6 with Profiling license, after we update one client system from win7 to win10, in ISE we can just see the old information(win7), how can I override the old attibutes? I tried with nmap mauel scan, but after scan the ISE show me win7... But the system is already updated to win10...

 

anyone have a good idea?

 

regards

 

Robin

2 Accepted Solutions

Accepted Solutions

Damien Miller
VIP Alumni
VIP Alumni
You can't manually update this attribute on an endpoint. You could delete it from the context visibility database, and on the next authentication it would refresh itself.

If AD has stale information, then ISE will have stale information. If you do nothing, ISE should update this endpoint the next time the AD profiling probe runs against it.

View solution in original post

Hi Robin,

To answer your question, there is no way to schedule a weekly manual NMAP scan. Triggered NMAP scans only take place if the Exception Action is configured in the Profiling Policies.

Keep in mind that discovering the Windows OS version via NMAP requires the use of the SMB Discovery scan. This is typically not very useful because SMB ports would normally be blocked somewhere in the path between the PSN and the end PC or limited by the host firewall.

There is no difference between the DHCP Class Identifier for Windows 7 and 10 (both are 'MSFT 5.0'), so the AD Probe provides the best method for profiling the OS on AD-joined computers. If you're not using the AD Probe, you should consider enabling it. If you're using the AD Probe, but ISE is receiving incorrect OS info from AD, you might need to investigate AD.

 

Cheers,

Greg

View solution in original post

5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

Moved the discussion to ISE Forum for better visibility.

Depending on your profiler probes that are active, you would normally get new information and overwrite any previous values when the probe receives it.

You could also remove the endpoint from context visibility to "force" a new profile to be discerned the next time the device connects.

Hi Marvin,

thanks for quickly answer. yes i can do this, but we don't know which one client is updated to win 10, I would like to do a scan-override action for one network every week. is it possible?

Hi Robin,

To answer your question, there is no way to schedule a weekly manual NMAP scan. Triggered NMAP scans only take place if the Exception Action is configured in the Profiling Policies.

Keep in mind that discovering the Windows OS version via NMAP requires the use of the SMB Discovery scan. This is typically not very useful because SMB ports would normally be blocked somewhere in the path between the PSN and the end PC or limited by the host firewall.

There is no difference between the DHCP Class Identifier for Windows 7 and 10 (both are 'MSFT 5.0'), so the AD Probe provides the best method for profiling the OS on AD-joined computers. If you're not using the AD Probe, you should consider enabling it. If you're using the AD Probe, but ISE is receiving incorrect OS info from AD, you might need to investigate AD.

 

Cheers,

Greg

Hi Greg,

 

thanks for your answer. we have already actived the AD Probe. we will check the AD.

 

Regards

 

Robin 

Damien Miller
VIP Alumni
VIP Alumni
You can't manually update this attribute on an endpoint. You could delete it from the context visibility database, and on the next authentication it would refresh itself.

If AD has stale information, then ISE will have stale information. If you do nothing, ISE should update this endpoint the next time the AD profiling probe runs against it.