cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2142
Views
5
Helpful
11
Replies

http profiling

edondurguti
Level 4
Level 4

Hi,

Did anyone try WLC 7.3 Http profiling -

• Support for detection and forwarding of the first HTTP packet with a user-agent attribute from a

client per session to profile the client, where the controller acts as a collector, is added in this release.

It works great, it sends http probe to ISE (it works for me cuz i am not using posture, so there was no way to hit ISE with HTTP except for span which would suck accross the wan and requires configuration)

Just to let everyone know it works pretty good.

11 Replies 11

Tarik Admani
VIP Alumni
VIP Alumni

That is awesome, i just had a customer upgrade and didnt even think this was a feature already!

Tarik Admani
*Please rate helpful posts*

Yeah it's awesome, but here is the deal for iPhones

The user agent attribute wlc sends to ISE is:


iPhone\;

ISE default user agent check is iPhone;

so it wouldn't recognize it as an iPhone because it doesn't match ( see the backslash "\") so I had to change that and increase certanity, before that it was recognizing my iPhone as Workstation - I didn't have hostname "ed's iphone" or anything so dhcp probe wasn't used.

I haven't tested anything else, besides iphones and windows7 pcs - windows7 pc worked with no change, i just had to change that Iphone thing.

Hope to help

By the way, isn't that considered like a bug?

Yes that is a bug on the WLC side, it looks like there may have been something missed. Also can you post a screenshot of the setting (is it where the dhcp profiling checkbox is)? I havent had a chance to upgrade my environment yet.

thanks,

Tarik Admani
*Please rate helpful posts*

          As you can see  

       As you can see there is iPhone; thingy, i had to create another one with just iphone or I could've added iPhone\;

  Thanks

Message was edited by: Edon Durguti

Thanks for the info.

Tarik Admani
*Please rate helpful posts*

You are more than welcome :]

sfm
Level 1
Level 1

Does something have to be configured on the ISE for this to work? I have ISE configured for RADIUS, DHCP, and HTTP profiling. I also have HTTP Profiling enabled on the WLAN on our test WLC running 7.3. The ISE is successfully learning the endpoint via DHCP and RADIUS probe, but I am not seeing the http information. I am testing using both an iPad and Nexus tablet. Both successfully do the PEAP authentication with the ISE and can browse without issue. The Nexus 7 is profiled as Android from the host name and the iPad is profiled as an Apple device because of the OUI.

Any pointers as to what I could be missing?

Thanks

Shawn

I don't know about Nexus, on the ipad under Administration - Identities - Endpoints, find that iPad and see if there is a User-Agent attribute.

I have tried with iphones and windows7 machine, but anyways i see this iPad on my ISE it has been profiles cuz of the hostname but I also see a weird user agents info:

User-Agent$%7BPRODUCT_NAME%7D/1 CFNetwork/548.1.4 Darwin/11.0.0

I will have to do a research and see whats goin on, but anyway try connecting and browsing for a second and then see if you get that user agent attribute.

Seems like WLC sends interesting stuff

here is one for one of the iPhones

User-AgentFidelity/1.8.3851 CFNetwork/548.1.4 Darwin/11.0.0

LoL

I think I must have something mis-configured. I don't see the User-Agent information on ISE under Endpoints. I do see a lot of information, but nothing looking like http profiling. Both test tablets have no issue with authentication to the ISE and browsing to the Internet. I am looking now for some way to debug on the WLC. "debug profiling" does not seem to provide any information at this point.

I still need to test with an iPhone and a Windows device to see if I am just unlucky in trying to test with an iPad and an Android tablet.

Hi,

Can you check the radius probe, and see if the attribute is sent in the cisco-av-pair? This intent of this feature is act as a device sensor where it will obtain the user agent string and encapsulate that in a radius packet.

Thanks,

Tarik Admani
*Please rate helpful posts*