ISE, WLC Device Profiling

Kenny Godfrey
Level 1

Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on a VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use the ISE as an AAA server. I have set up this configuration so VLAN IDs can be pushed to clients based on their login credentials (from AD); this all works fine. I'd like to take this a step further and differentiate users and their devices based on their device type, iPhone, iPad etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on its DHCP hostname, should it contain iPhone etc. Is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as, given the nature of the users connecting, the VLAN push based on credentials is key to my possible deployment.

My second query is relating to VLAN pushing on a Flex Auth AP. I've got a remote site with some APs; it is over a L3 connection. I have my WAP at this site registered to the WLC. Over my sites I have standard VLAN numbers and IP address ranges: site 1 is x.1.a.x, x.1.b.x etc, site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLANs to the Flex Auth WAPs so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.

Thanks for any advice/assistance.

Kenny.

7 Replies

Tarik Admani
VIP Alumni

Kenny,

For the first part of your question there is no more information you can get outside of the DHCP hostname (which will get you the info you are looking for) and the MAC address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a SPAN to span all the traffic over to the ISE node in order to span the HTTP traffic in order to profile the devices using the HTTP user agent string.

As far as your 2nd question, the Flex Auth APs do not support CoA and aren't a "supported network access device" from Cisco's webpage.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038

However, the APs do support dynamic VLAN assignment. So once an endpoint connects to these APs you can set them on the VLAN once; however, if you are performing posturing and need CoA to place them in another rule once a decision has been made, then this is where the deployment will break.

http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik for the great reply. I have set up a SPAN session to span the relevant traffic to a second NIC on the ISE server. I am seeing an improvement in the profiling of some devices. Some devices it is still not fully recognising. I've configured both HTTP and DHCP SPAN and it appears it is recognising and profiling devices based on DHCP SPAN (when the device properties are checked under Identities); I'm not seeing devices being profiled in any way via HTTP. Is this a behaviour you would expect, and would HTTP information be learned/confirmed as the device remains connected? I've spent some time browsing etc so hopefully more info would be passed on to ISE about my device, but it still doesn't fully profile it. Any hints would be greatly appreciated.

Thanks,

Kenny.

Kenny,

On the virtual machine, issue the command "show interface" and verify the status is "UP RUNNING MULTICAST". After turning on the SPAN, you will have to issue the no shut command for this interface.

Just to confirm you were able to turn on the http and dhcp probes under the deployment configuration?

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

I was able to turn on both HTTP and DHCP SPAN under Deployment>Profiling. Both of these are set to my second spare NIC. I've verified that my interface is up and it is showing UP RUNNING MULTICAST. I can see plenty of traffic on the RX count. I've checked again looking at clients and it appears that information is being learned via DHCP SPAN; nothing appears to be getting learned via HTTP SPAN. Anything else I can check?

thanks,

Kenny.

Kenny,

Are you still running the IP helper statements on the WLC or the switch? I am wondering if the SPAN is even since the DHCP information can be sent through this method also.

Can you do me a favor and go to the Monitoring section in ISE, and make your way to the Tools and run the tcpdump utility. Set up a trace on the ISE node's interface that has the span terminated and see if you can let that run for a few seconds after running through a test with your endpoint, then download the capture and attach it.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_mnt.html#wp1240485

Thanks,

Tarik Admani
*Please rate helpful posts*

Just updating here what I've faced:

I had the DHCP option enabled for dhcp-class-identifier=contains=MSFT and it didn't work.

I've set the IP helper to the ISE IP address and the DHCP server IP address.

The problem was the DHCP server was in the same VLAN as ISE was connected to, so the IP helpers didn't help because clients were offered DHCP in the same VLAN and they wouldn't even ask ISE. As soon as I moved the DHCP server to be L3 adjacent with ISE it worked and is still working.
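As an added illustration (not code from this thread or from Cisco ISE), the following Python parses the two DHCP options the profiler probe discussed above relies on, host-name (option 12) and dhcp-class-identifier (option 60), and applies match rules of the kind mentioned in the thread (hostname containing iPhone/iPad, class identifier containing MSFT). The packet builder, the sample packets and the profile names are constructed assumptions for the example.

```python
import struct

# A DHCP message is a 236-byte BOOTP fixed header, the 4-byte magic cookie,
# then TLV options. Option 12 = host-name, option 60 = dhcp-class-identifier,
# option 53 = DHCP message type.
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(payload: bytes) -> dict:
    """Return DHCP options as {code: value_bytes}; reject malformed packets."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if code == 255:          # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:  # length claims more bytes than are present
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


# Profiling conditions like the ones in the thread (assumed profile names).
RULES = [
    (12, b"iphone", "Apple-iPhone"),
    (12, b"ipad", "Apple-iPad"),
    (60, b"msft", "Windows-Workstation"),
]


def profile_endpoint(payload: bytes) -> str:
    """Apply the first matching rule (case-insensitive 'contains')."""
    opts = parse_dhcp_options(payload)
    for code, needle, profile in RULES:
        if needle in opts.get(code, b"").lower():
            return profile
    return "Unknown"


def build_discover(hostname: bytes, class_id: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER for testing (not a real capture)."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(232)  # op,htype,hlen,hops + rest
    opts = b"\x35\x01\x01" + b"\x0c" + bytes([len(hostname)]) + hostname
    if class_id:
        opts += b"\x3c" + bytes([len(class_id)]) + class_id
    return header + MAGIC_COOKIE + opts + b"\xff"
```

If the probe sees no DHCP at all (the same-VLAN DHCP server case above), there is simply no packet to parse, which is why moving the server or relaying via ip helper to ISE matters more than the rule itself.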
