Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1015
Views
15
Helpful
5
Replies

how to override the client attibutes from ISE

Go to solution
lupingyao
Level 1
Level 1

‎01-07-2020 05:45 AM - edited ‎01-07-2020 06:20 AM

we have the ISE 2.6 with Profiling license, after we update one client system from win7 to win10, in ISE we can just see the old information(win7), how can I override the old attibutes? I tried with nmap mauel scan, but after scan the ISE show me win7... But the system is already updated to win10...

 

anyone have a good idea?

 

regards

 

Robin

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-07-2020 01:15 PM

You can't manually update this attribute on an endpoint. You could delete it from the context visibility database, and on the next authentication it would refresh itself.

If AD has stale information, then ISE will have stale information. If you do nothing, ISE should update this endpoint the next time the AD profiling probe runs against it.

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to lupingyao

‎01-07-2020 02:12 PM

Hi Robin,

To answer your question, there is no way to schedule a weekly manual NMAP scan. Triggered NMAP scans only take place if the Exception Action is configured in the Profiling Policies.

Keep in mind that discovering the Windows OS version via NMAP requires the use of the SMB Discovery scan. This is typically not very useful because SMB ports would normally be blocked somewhere in the path between the PSN and the end PC or limited by the host firewall.

There is no difference between the DHCP Class Identifier for Windows 7 and 10 (both are 'MSFT 5.0'), so the AD Probe provides the best method for profiling the OS on AD-joined computers. If you're not using the AD Probe, you should consider enabling it. If you're using the AD Probe, but ISE is receiving incorrect OS info from AD, you might need to investigate AD.

 

Cheers,

Greg

View solution in original post

5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-07-2020 05:59 AM

Moved the discussion to ISE Forum for better visibility.

Depending on your profiler probes that are active, you would normally get new information and overwrite any previous values when the probe receives it.

You could also remove the endpoint from context visibility to "force" a new profile to be discerned the next time the device connects.

Go to solution
lupingyao
Level 1
Level 1
In response to Marvin Rhoads

‎01-07-2020 06:08 AM

Hi Marvin,

thanks for quickly answer. yes i can do this, but we don't know which one client is updated to win 10, I would like to do a scan-override action for one network every week. is it possible?
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to lupingyao

‎01-07-2020 02:12 PM

Hi Robin,

To answer your question, there is no way to schedule a weekly manual NMAP scan. Triggered NMAP scans only take place if the Exception Action is configured in the Profiling Policies.

Keep in mind that discovering the Windows OS version via NMAP requires the use of the SMB Discovery scan. This is typically not very useful because SMB ports would normally be blocked somewhere in the path between the PSN and the end PC or limited by the host firewall.

There is no difference between the DHCP Class Identifier for Windows 7 and 10 (both are 'MSFT 5.0'), so the AD Probe provides the best method for profiling the OS on AD-joined computers. If you're not using the AD Probe, you should consider enabling it. If you're using the AD Probe, but ISE is receiving incorrect OS info from AD, you might need to investigate AD.

 

Cheers,

Greg

Go to solution
lupingyao
Level 1
Level 1
In response to Greg Gibbs

‎01-14-2020 07:23 AM

Hi Greg,

 

thanks for your answer. we have already actived the AD Probe. we will check the AD.

 

Regards

 

Robin 

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-07-2020 01:15 PM

You can't manually update this attribute on an endpoint. You could delete it from the context visibility database, and on the next authentication it would refresh itself.

If AD has stale information, then ISE will have stale information. If you do nothing, ISE should update this endpoint the next time the AD profiling probe runs against it.
Customers Also Viewed These Support Documents