cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

381
Views
0
Helpful
3
Replies
NetWright
Beginner

Unexpected Results in Endpoint Profiling

We're not seeing as many wireless endpoints with AD attributes as we'd expect.
Also after spot checking a small number of workstations, we're not seeing any wired workstations with AD attributes.
Some wireless endpoints have these AD attributes in Context Visibility --> Endpoints --> MAC hot link --> Attributes :
AD-Hosts-Exists
AD-Join-Point
AD-Last-Fetch-Time
AD-OS-Version
AD-Operating-System
AD-Service-Pack

Many wireless endpoints only have this AD attribute:
AD-Last-Fetch-Time

We're currently on ISE v2.4, patch 4 in a two node deployment.
We implemented rules with Administrator Created Profiler Conditions that are looking for AD-Operating-System and noticed AD attributes were missing for many Endpoints despite having a working Active Directory probe in place.

Feed service is working (TAC had us check):
Administration --> Feed Service --> Test Feed connection --> Works

Unfortunately haven't been getting much traction on a TAC case where we've uploaded an ISE support bundle along with screen shots and the details above.

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Surendra
Cisco Employee

AD probe relies on the hostname sent in the DHCP packets. If you do not see a “hostname” attributes on the ISE for that endpoint, you may want to collect a packet capture on the ISE when you connect the endpoint and then check for DHCP packets and see if they have this attribute.

View solution in original post

3 REPLIES 3
Surendra
Cisco Employee

AD probe relies on the hostname sent in the DHCP packets. If you do not see a “hostname” attributes on the ISE for that endpoint, you may want to collect a packet capture on the ISE when you connect the endpoint and then check for DHCP packets and see if they have this attribute.

View solution in original post

Ok, I see what you're saying.  I'm seeing most impacted endpoints don't have a 'Hostname' and 'Username' is MAC in this format ( 0000ccccbbbb ) with no hyphens.  Most other 'Usernames' are in this format ( 00-00-cc-cc-bb-bb ).  I'll see if I can get a packet capture.

In the meantime, is there a way to make sure the client provides a 'Hostname', presuming it's the client that's not providing the 'Hostname'?

Configure IP Helper Address as ISE IP on the Network devices.
Content for Community-Ad