ISE profiling - "User-agent" - device-sensor

YC2 (Level 1)

I'm trying to get additional profiling data into ISE so that things like MacBooks don't show up as "Free-BSD". It looks like ISE depends heavily on the "User-Agent" HTTP attribute for the Apple-related profiles.

 

Access switches are 3650s. ISE 3.1. Dot1x / MAB overall works.

 

I see the profiling guide suggests doing it through device-sensor. I must be missing something, because that only supports CDP, LLDP, and DHCP. How do I use device-sensor to get HTTP info, more specifically the "User-Agent" attribute? Is it buried in one of the DHCP options? I already have my ISE nodes listed on the SVI as DHCP helpers along with my DHCP server.

8 Replies

Rodrigo Diaz (Cisco Employee)

Hello @YC2. The User-Agent information that you mention is obtained when ISE is used in a redirection flow, normally with portals, so you can get some feed from HTTP. The device-sensor that you configured should be enough to list your Apple devices; with that feature, the information concerning the Apple devices is sent from the NAD to ISE in RADIUS accounting packets, so I would start from there, or in any case use some kind of flow with ISE portals to get information through HTTP.

For your reference https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId-1396030984 

Let me know if that helped you . 

Rodrigo - in that very same document, this paragraph below exists:

 

RADIUS Probe with Device Sensor

As explained later in the Device Sensor section of this guide, Cisco offers the capability to collect HTTP User-Agent and other information using a local classification technology referred to as Device Sensor. This feature makes it possible to collect the User-Agent attribute even when it is not possible through URL Redirection, direct ISE web portal access, or SPAN techniques. This solution offers a much more efficient and scalable approach to endpoint attribute collection and classification and is generally recommended over other methods when the network access devices support this feature for HTTP profiling.

 

I don't know how it's done, or how to set it up, but apparently it's possible, unless I'm somehow misinterpreting the document.

The document is correct; how the HTTP probe info is retrieved, however, depends on the platform from which you are profiling. Kindly review whether the one you're using is applicable as per the table https://community.cisco.com/t5/security-knowledge-base/device-sensor-catalyst-supported-platforms/ta-p/3618782, or review the feature itself within the platform NAD documents to verify.

We are using 3650 access switches running 16.12 code. The chart shows "wireless with Cisco AP From 3.6.1; no filter on switch".

 

No filter on switch... does that mean it's on by default? I'll try to look through the 16.12/3650 docs to see if I can find anything, but I didn't have luck the first time around. The link below is for the 3850, which has the same result on the chart. It doesn't mention HTTP or User-Agent.

 

Security Configuration Guide, Cisco IOS XE Gibraltar 16.12.x (Catalyst 3850 Switches) - Configuring Device Sensor [Support] - Cisco

Arne Bier (VIP)

I have not looked into the macOS DHCP Discover packet, but if it's anything like Microsoft's, then you might get a hint. I assume that is where the FreeBSD comes from (since IIRC macOS has some relation to FreeBSD). Have a look at the device-sensor cache for a macOS device when the device is using DHCP.

To refine that profiling a bit, have you tried running NMAP against the endpoint? Perhaps that will fingerprint the endpoint OS a bit better.

For Remote Access VPN using ISE as the RADIUS server, a macOS endpoint using AnyConnect will provide very detailed information about the OS.

As the others have already mentioned, the User-Agent only comes if you involve ISE and the endpoint in an HTTP conversation. That happens only for ISE guest portals.

In the case of AD-joined devices, the ISE AD Probe can glean a lot of information. But if the Mac is not AD-joined (not sure if that is even possible), then that doesn't help.

Ha - if the macOS ran an SNMP agent (unlikely), then you might glean some information there too, but it might only return the SNMP vendor and not the macOS version.

I think NMAP is worth a shot.

I'll try fussing with nmap. Haven't touched it yet in this implementation. In a past one I vaguely recall having bad experiences with it completely misidentifying things, so I'm a bit hesitant.

 

Quoting the doc: "This feature makes it possible to collect the User-Agent attribute even when it is not possible through URL Redirection, direct ISE web portal access, or SPAN techniques." Someone put that there for a reason... There must be a way to do it.

hslai (Cisco Employee)

@YC2 That is mainly for Cisco wireless network devices. Most Cisco wired switches do not support HTTP attributes in device-sensor, AFAIK.

Then why are the 3850 and 3650 on the compatibility chart?

 

Just dawned on me... didn't those switches have a built-in WLC at one point? Perhaps it's referring to when that feature is turned on, not to the wired clients.

 

I noticed ISE uses the option 55 string from the clients to profile some Macs. My test Mac is on Ventura. I added that string to the MacBook conditions and it's OK now.
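A worked example of what that option 55 fingerprint is, added here as an illustration and not code from the thread or from Cisco: it builds a constructed DHCPDISCOVER the way a client sends it, walks the option TLVs the way device-sensor's DHCP cache does, renders the Parameter Request List (option 55) as the comma-separated `dhcp-parameter-request-list` string ISE stores in the endpoint attributes (the ", " separator is an assumption about ISE's display format), and evaluates it the way a profiler condition of the form "DHCP dhcp-parameter-request-list EQUALS ..." would. MAC addresses, hostnames and the two option-55 lists are constructed sample values; the macOS-style list is a typical one, not taken from the poster's capture. It also handles the malformed cases a parser fed raw packets has to cope with: PAD/END options, a truncated option, and a repeated option code (concatenated per RFC 3396).

```python
"""Decode DHCP option 55 (Parameter Request List) as ISE profiling sees it.

Added example, not from the thread. The packets below are constructed
sample data; the option-55 lists are typical but not from a real capture.
"""
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: options start after this
HEADER_LEN = 236                     # fixed BOOTP header (RFC 2131)

# Constructed: the PRL string the poster would have pasted into the MacBook
# profiling condition. ISE attribute name is dhcp-parameter-request-list;
# the ", " separator is an assumption about ISE's display format.
MACBOOK_PRL = "1, 121, 3, 6, 15, 119, 252, 95, 44, 46"


def build_discover(mac: bytes, options: Dict[int, bytes]) -> bytes:
    """Build a minimal DHCPDISCOVER: BOOTP header + cookie + TLV options + END."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,   # chaddr sname file
    )
    body = bytearray(MAGIC_COOKIE)
    for code, value in options.items():
        body += bytes([code, len(value)]) + value
    body.append(255)  # END
    return header + bytes(body)


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs: skips PAD, stops at END, rejects a truncated
    option, and concatenates repeated codes (RFC 3396 long options)."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: short or missing magic cookie")
    opts: Dict[int, bytes] = {}
    i = HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(packet):
            raise ValueError(f"option {code}: missing length byte")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated ({len(value)}/{length} bytes)")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parameter_request_list(opts: Dict[int, bytes]) -> Optional[str]:
    """Render option 55 as the dhcp-parameter-request-list string (None if absent/empty)."""
    raw = opts.get(55)
    if not raw:
        return None
    return ", ".join(str(b) for b in raw)


def matches_macbook_condition(packet: bytes) -> bool:
    """Equivalent of the profiler condition: dhcp-parameter-request-list EQUALS MACBOOK_PRL."""
    return parameter_request_list(parse_options(packet)) == MACBOOK_PRL


def is_well_formed(packet: bytes) -> bool:
    """True if the option section parses cleanly (what a sensor would accept)."""
    try:
        parse_options(packet)
        return True
    except ValueError:
        return False


# Constructed sample clients (MACs, hostnames and option lists are made up).
MAC_DISCOVER = build_discover(bytes.fromhex("3c22fb010203"), {
    53: b"\x01",                                    # DHCPDISCOVER
    55: bytes([1, 121, 3, 6, 15, 119, 252, 95, 44, 46]),
    57: b"\x05\xdc",                                # max message size 1500
    61: b"\x01" + bytes.fromhex("3c22fb010203"),    # client-id
    12: b"yc2-macbook",                             # host-name
})
WIN_DISCOVER = build_discover(bytes.fromhex("001122334455"), {
    53: b"\x01",
    55: bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
    60: b"MSFT 5.0",                                # class-identifier
    12: b"win-laptop",
})

if __name__ == "__main__":
    for name, pkt in (("mac", MAC_DISCOVER), ("win", WIN_DISCOVER)):
        o = parse_options(pkt)
        print(name, o[12].decode(), parameter_request_list(o), matches_macbook_condition(pkt))
```

The same list is what the switch holds in its device-sensor cache (`show device-sensor cache all`, under the DHCP parameter-request-list entry) and forwards to ISE in RADIUS accounting; comparing that value against the string in the condition is all the MacBook match described above does. Note that the list is a fingerprint of the DHCP client implementation, not of the hardware, so an OS upgrade that changes the requested options (as between macOS releases) changes the string and the condition has to follow it.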