
Unexpected Results in Endpoint Profiling

NetWright
Level 1

We're not seeing as many wireless endpoints with AD attributes as we'd expect.
Also, after spot-checking a small number of workstations, we're not seeing any wired workstations with AD attributes.
Some wireless endpoints have these AD attributes in Context Visibility --> Endpoints --> MAC hot link --> Attributes:
AD-Hosts-Exists
AD-Join-Point
AD-Last-Fetch-Time
AD-OS-Version
AD-Operating-System
AD-Service-Pack

Many wireless endpoints only have this AD attribute:
AD-Last-Fetch-Time

We're currently on ISE v2.4, patch 4 in a two-node deployment.
We implemented rules with Administrator Created Profiler Conditions that are looking for AD-Operating-System and noticed AD attributes were missing for many Endpoints despite having a working Active Directory probe in place.

Feed service is working (TAC had us check):
Administration --> Feed Service --> Test Feed connection --> Works

Unfortunately, we haven't been getting much traction on a TAC case where we've uploaded an ISE support bundle along with screenshots and the details above.

 

 

Accepted Solution

Surendra
Cisco Employee
AD probe relies on the hostname sent in the DHCP packets. If you do not see a “hostname” attribute on the ISE for that endpoint, you may want to collect a packet capture on the ISE when you connect the endpoint and then check for DHCP packets and see if they have this attribute.
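
The check described in the reply above, as an added example that is not part of the original post or any Cisco tooling: it parses raw DHCP payloads taken from a capture and lists the client MACs that sent no Host Name (DHCP option 12). The function names, the `build_sample` helper and the sample MACs and hostname are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the DHCP options field (RFC 2131)
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255

def parse_dhcp(payload):
    """Return the client MAC and option 12 (Host Name) of a raw DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    mac = payload[28:28 + hlen].hex("-")  # chaddr field, hyphenated like 00-00-cc-cc-bb-bb
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:  # pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    raw = options.get(OPT_HOSTNAME)
    name = raw.rstrip(b"\x00").decode("ascii", "replace") if raw else None
    return {"mac": mac, "hostname": name or None}

def missing_hostname(payloads):
    """MACs of clients whose DHCP messages carried no usable Host Name option."""
    return [p["mac"] for p in map(parse_dhcp, payloads) if p["hostname"] is None]

def build_sample(mac, hostname=None):
    """Constructed DHCPDISCOVER payload for this demo (not captured traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                         b"", b"", b"", b"", mac, b"", b"")
    opts = MAGIC_COOKIE + b"\x35\x01\x01"  # option 53 = DHCPDISCOVER
    if hostname:
        opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    return header + opts + bytes([OPT_END])

if __name__ == "__main__":
    samples = [build_sample(bytes.fromhex("0000ccccbbbb"), b"WKSTN-01"),
               build_sample(bytes.fromhex("0000ccccbbaa"))]
    print(missing_hostname(samples))
```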


OK, I see what you're saying. I'm seeing most impacted endpoints don't have a 'Hostname', and 'Username' is the MAC in this format ( 0000ccccbbbb ) with no hyphens. Most other 'Usernames' are in this format ( 00-00-cc-cc-bb-bb ). I'll see if I can get a packet capture.

In the meantime, is there a way to make sure the client provides a 'Hostname', presuming it's the client that's not providing the 'Hostname'?

Configure IP Helper Address as ISE IP on the Network devices.