3024 Views | 0 Helpful | 2 Replies

RADIUS Probe on WLC for ISE

JHILL2 (Level 1)

I am doing a Proof-of-Concept for wireless, and I'm getting the infamous "Unknown" endpoint for a device that should be getting profiled as a Windows-Workstation based on the info that I received from the Identity-Endpoints section. My question is whether it is possible to pull out the information from the attribute list of the endpoint (such as tcp port 135) to use as a profile?

Here are the attributes:

Endpoint
* MAC Address
* Policy Assignment / Static Assignment
* Identity Group Assignment / Static Group Assignment

Attribute List
135-tcp                                 msrpc
139-tcp                                 netbios-ssn
3389-tcp                                ms-term-serv
445-tcp                                 microsoft-ds
ADDomain                                truncated
AcsSessionID                            ise-poc/133205055/184
Airespace-Wlan-Id                       10
AuthState                               Authenticated
AuthenticationIdentityStore             AD1
AuthenticationMethod                    MSCHAPV2
AuthorizationPolicyMatchedRule          truncated
CPMSessionID                            0a64001d00000005502568b6
Called-Station-ID                       64-d9-89-43-09-70:NACTEST1
Calling-Station-ID                      18-3d-a2-92-0a-ec
DestinationIPAddress
DestinationPort                         1812
Device IP Address
Device Type                             Device Type#All Device Types#WLCs
DeviceRegistrationStatus                notRegistered
EapAuthentication                       EAP-MSCHAPv2
EapTunnel                               PEAP
EndPointMACAddress                      18-3D-A2-92-0A-EC
EndPointMatchedProfile                  Unknown
EndPointPolicy                          Unknown
EndPointProfilerServer                  ise-poc
EndPointSource                          RADIUS Probe
ExternalGroups                          ad.tdfadfa.org/departments/is/groups/sms-remote\,truncated
FQDN                                    lc20-isnetwrk03.ad.xxxxxx.orgg.
Framed-IP-Address
IdentityAccessRestricted                false
IdentityGroup                           Unknown
IdentityPolicyMatchedRule               Default
LastNmapScanTime                        2012-Aug-10 16:30:41 CDT
Location                                Location#All Locations#
MACAddress                              18:3D:A2:92:0A:EC
MatchedPolicy                           Unknown
MessageCode                             5200
Model Name                              Unknown
NAS-IP-Address                          truncated
NAS-Identifier                          truncated
NAS-Port                                13
NAS-Port-Type                           Wireless - IEEE 802.11
NetworkDeviceGroups                     Device Type#All Device Types#WLCs, Location#All Locations#truncated
NetworkDeviceName                       WLC09
NmapScanCount                           2
OUI                                     Intel Corporate
PolicyVersion                           4
PostureAssessmentStatus                 NotApplicable
RequestLatency                          54
Response                                {User-Name=foo\\webb; State=ReauthSession:0a64001d00000005502568b6; Class=CACS:0a64001d00000005502568b6:-poc/133205055/184; Termination-Action=RADIUS-Request; MS-MPPE-Send-Key=9c:b0:32:f4:ec:35:91:8a:6a:fc:87:05:ba:6a:4a:3c:fd:7e:3a:bb:ff:dc:c6:cd:36:ed:14:63:3b:88:34:18; MS-MPPE-Recv-Key=16:62:80:7d:6f:1e:09:5f:24:ed:f5:5e:c5:af:7d:fb:ef:95:c4:12:f8:55:f8:52:da:dd:b0:7b:9f:69:04:ce; }
SelectedAccessService                   Default Network Access
SelectedAuthenticationIdentityStores    AD1, Internal Users, Internal Endpoints
SelectedAuthorizationProfiles           PermitAccess
Service-Type                            Framed
Software Version                        Unknown
StaticAssignment                        false
StaticGroupAssignment                   false
Total Certainty Factor                  0
attribute-52                            00:00:00:00
attribute-53                            00:00:00:00
cisco-av-pair                           audit-session-id=0a64001d00000005502568b6
ip                                      truncated
operating-system                        Microsoft Windows XP SP2 or SP3

1 Accepted Solution

Tarik Admani (VIP Alumni)

James,

That is possible, but do you have the DHCP probe enabled, and have you thought about setting up an ip helper statement or assigning the ISE node as one of the DHCP servers on the WLC?

There is a built-in check such that if the DHCP class identifier contains MSFT, it will profile the endpoint as a Windows workstation.

However, if this is not the case, then you can create the following condition under Policy Elements > Conditions > Profiling > New Profiler Condition: use Create (Advanced...), then select NMAP > 135-tcp, then set the operator EQUALS to msrpc.

Then go under Microsoft-Workstation and select the option to create a matching identity group (it's much easier than using the hierarchy option) and set the certainty factor to 30. Then add this new condition and set its certainty to 30 also.

Hope that helps,

Thanks,

Tarik Admani
*Please rate helpful posts*
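To make the certainty-factor arithmetic in the answer concrete, here is an added Python model (illustrative code, not ISE's own implementation) that evaluates a profiling policy against the endpoint attributes quoted in the question. The rule shape (attribute, operator, value, certainty factor), the policy minimum of 30, the built-in "DHCP class identifier contains MSFT" check and the custom "NMAP 135-tcp EQUALS msrpc" condition come from the post; the attribute name `dhcp-class-identifier` and the sample value `MSFT 5.0` are assumptions for the example.

```python
"""Toy model of how ISE profiling policies accumulate certainty factor (CF).

Added example built from the attributes in the question; not ISE code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from the attribute list in the question (subset of values).
ENDPOINT_FROM_POST: Dict[str, str] = {
    "135-tcp": "msrpc",
    "139-tcp": "netbios-ssn",
    "445-tcp": "microsoft-ds",
    "3389-tcp": "ms-term-serv",
    "OUI": "Intel Corporate",
    "operating-system": "Microsoft Windows XP SP2 or SP3",
    "EndPointSource": "RADIUS Probe",
}


@dataclass(frozen=True)
class Rule:
    """One profiler condition and the CF it contributes when it matches."""
    name: str
    attribute: str
    operator: str  # "EQUALS" or "CONTAINS"
    value: str
    certainty: int

    def matches(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:  # attribute never collected, e.g. probe not enabled
            return False
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "CONTAINS":
            return self.value in actual
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass(frozen=True)
class ProfilingPolicy:
    name: str
    min_certainty: int
    rules: Tuple[Rule, ...]

    def evaluate(self, attrs: Dict[str, str]) -> Tuple[int, List[str]]:
        """Return (total CF, names of matched rules) for this endpoint."""
        matched = [r for r in self.rules if r.matches(attrs)]
        return sum(r.certainty for r in matched), [r.name for r in matched]


def classify(attrs: Dict[str, str], policies: List[ProfilingPolicy]) -> str:
    """Pick the policy with the highest total CF that reaches its minimum,
    otherwise 'Unknown' (what the original poster saw)."""
    best_name, best_total = "Unknown", -1
    for policy in policies:
        total, _ = policy.evaluate(attrs)
        if total >= policy.min_certainty and total > best_total:
            best_name, best_total = policy.name, total
    return best_name


# Built-in style check from the answer. The attribute name is an assumption.
DHCP_MSFT_RULE = Rule("dhcp-class-id-MSFT", "dhcp-class-identifier", "CONTAINS", "MSFT", 30)
# The custom condition from the answer: NMAP 135-tcp EQUALS msrpc, CF 30.
NMAP_MSRPC_RULE = Rule("nmap-135-tcp-msrpc", "135-tcp", "EQUALS", "msrpc", 30)

# Policy as it stood: only the DHCP check, and no DHCP probe feeding it data.
POLICY_BEFORE = ProfilingPolicy("Microsoft-Workstation", 30, (DHCP_MSFT_RULE,))
# Policy after adding the NMAP condition as the answer suggests.
POLICY_AFTER = ProfilingPolicy("Microsoft-Workstation", 30, (DHCP_MSFT_RULE, NMAP_MSRPC_RULE))


def profile_before() -> str:
    return classify(ENDPOINT_FROM_POST, [POLICY_BEFORE])  # "Unknown"


def profile_after() -> str:
    return classify(ENDPOINT_FROM_POST, [POLICY_AFTER])  # "Microsoft-Workstation"


def profile_with_dhcp_probe() -> Tuple[int, List[str]]:
    """With the DHCP probe enabled too, both rules match and the CF adds up."""
    attrs = dict(ENDPOINT_FROM_POST, **{"dhcp-class-identifier": "MSFT 5.0"})  # constructed
    return POLICY_AFTER.evaluate(attrs)  # (60, both rule names)


if __name__ == "__main__":
    print(profile_before(), profile_after(), profile_with_dhcp_probe())
```

The model shows why the endpoint sat at Total Certainty Factor 0: the only rule that could fire needed DHCP data that the RADIUS probe never supplies. A port-based NMAP condition gets the endpoint over the minimum on its own, but it is weaker evidence than the DHCP class identifier (any host answering on 135/tcp would match), which is why keeping it at the policy's minimum of 30 and adding the DHCP probe via an ip helper is the more robust combination.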


2 Replies

JHILL2 (Level 1)

Thanks Tarik,

I'm going to try this on Monday. FYI, I did test it with DHCP and did see the MSFT class identifier, but I don't have the option to use DHCP as one of the DHCP servers, nor is the helper statement currently used in the current config. I tried a subset of this, but didn't set the certainty factor to 30.

I'll let you know how it goes.