Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1239
Views
0
Helpful
10
Replies

profiling pcs

edondurguti
Level 4
Level 4

‎08-13-2012 01:10 PM - edited ‎03-10-2019 07:25 PM

I use ISE only for profiling ( no posturing ) and it's L3 adjent with other devices (wlc).

for iphones and stuff I only need OUI=Apple and i'm good ( no need to go deeper), but I'm having problems identifiying Laptops, they show up as unknown, eventhough I use the DHCP option.

Is there any quick rule to identify them, DHCP or Radius or whatever?, or maybe a redirect to ISE http somehow but I don't want them to posture and all that(including NAC Agents), I just want to identify them and then assign appropriate access.

Labels:
0 Helpful
10 Replies 10

Tarik Admani
VIP Alumni
VIP Alumni

‎08-13-2012 01:24 PM

Are they not being profiled as a workstation? When you check the endpoint what does policy match does it show? Do you see any of the dhcp attributes in the endpoint attribute list?

Also, you can build a posture redirect policy but do not create any client provisioning rules, what this does it will redirect the client, gather the http user agent string, then it will profile the user and issue coa.

The user will see a message that lets them know a profile doesn't match but the can retry their request n 60 seconds.

thanks,

Sent from Cisco Technical Support iPad App

0 Helpful

edondurguti
Level 4
Level 4
In response to Tarik Admani

‎08-13-2012 01:35 PM

EndPointSource                                 RADIUS Probe

0 Helpful

edondurguti
Level 4
Level 4
In response to edondurguti

‎08-13-2012 01:40 PM

this is for iphones:

Total Certainty Factor                                 40

EndPointSource                                 RADIUS Probe

dhcp-client-identifier01:ec:85:2f:be:56:dd
dhcp-message-typeDHCPREQUEST
dhcp-parameter-request-list1, 3, 6, 15, 119, 252

FOR PCS    

Total Certainty Factor                                 0 and no DHCP eventhough i have set DHCP = class-identifier CONTAINS MSFT

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-13-2012 01:43 PM

Are you seeing this with all your workstations? Do you have a static ip configured on the client? Also is the windows client wireless just like the apple device?

Sent from Cisco Technical Support iPad App

0 Helpful

edondurguti
Level 4
Level 4
In response to Tarik Admani

‎08-13-2012 01:48 PM

Well I've tried two IBM laptops so far with different OUIs and they show up as unknown, no static ip on the client pc.

not sure what you mean by:

Also is the windows client wireless just like the apple device?

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-13-2012 01:50 PM

How are they joining the network....wireless or wired?

Sent from Cisco Technical Support iPad App

0 Helpful

edondurguti
Level 4
Level 4
In response to Tarik Admani

‎08-13-2012 01:52 PM

Everything is wireless same ssid, NO DHCP PROXY, added ISE_IP_ADDRESS in the ip-helper config.

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-13-2012 01:55 PM

Is the dhcp probe enabled under the deployment settings?

Sent from Cisco Technical Support iPad App

0 Helpful

edondurguti
Level 4
Level 4
In response to Tarik Admani

‎08-13-2012 01:57 PM

Yes on both, primary/secondary, i've got secondary as a primary monitor node.

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-13-2012 02:11 PM

One way to troubleshoot this is to use the tcdump utiltity to see if the dhcp packet is hitting the ISE node. See if you can set the filter for 'ip host sviofvlan' and then run the capture after reassociating to the network. Then see if the mac address of you client and dhcp requests comes to ISE.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Customers Also Viewed These Support Documents