Viewing and troubleshooting profiler data

bberry
Level 1

Hello all,

I am now starting to wade into using profiling policies on our ISE system. I am looking to see if there is a way to see the data returned from a device as part of the profile process. I have been working to create an authentication policy for our new Cisco 7965 phones. There is a specific profiling policy for this model that uses the CiscoIPPhone7965Check profiler condition. This condition looks at the cdpCachePlatform attribute to see if it contains Cisco IP Phone 7965. Apparently my phones do not say this or something, as the system is not matching this but is matching the attributes under the more generic Cisco-Device profiling policy. I am looking to see if there is a way to see what exactly is happening. Is something different being returned? Is there something missing in the configuration of these phones? I figure there is some way to look at the profiler data and try to figure this out. So far, though, I have not seen a way to troubleshoot this. I have created the authentication policy using just the Cisco-Device but would like to possibly tailor this down a bit. If nothing else, a good exercise for other odd devices that are connected to the network.

 

Any thoughts or ideas?

 

Thanks...

Brent  

1 Accepted Solution


Surendra
Cisco Employee
If your question is how you can view the data profiler collected, it will be present as part of endpoint attributes under Context Visibility > Endpoints > <Mac Address> > Attributes. You will see all the attributes that were added to the endpoint collected using various probes. Then you can check the profiling conditions to see if the attributes present in the condition are actually received for this endpoint or not.


7 Replies

pan
Cisco Employee

You might need to send enough data to ISE for further classifying the device. Try to configure a DHCP helper on the switch; point the helper to the actual server and also to ISE. ISE will use DHCP data to classify the device.

In general, you can check what data ISE needs to classify the device.

In the following screenshot you can see ISE needs CDP data to classify the device.

[Screenshot: profilling.png]

Now, in the following screenshot, we can see ISE needs DHCP data as well.

[Screenshot: Profilling2.png]

Now, after adding the DHCP helper, if ISE is not able to classify the phone as a 7965, try to add a DHCP condition in the 7965 policy. Make sure dhcp-class-identifier data is present in the DHCP packet from the phone.

Hope this helps!

I do not use helper addresses as the local core switch provides the DHCP support. This is my standard DHCP definition for the VoIP phones...

ip dhcp pool Cisco_VoIP_2nd
 network 10.16.5.0 255.255.255.0
 default-router 10.16.5.1
 dns-server 172.16.4.243 172.16.4.247
 domain-name spd.mli.corp
 netbios-node-type h-node
 option 150 ip 10.16.1.5
 lease 30

 

That is why I am wondering if there is something missing from the configuration on the phone. Is there a phone template that the system uses when the phone registers? I work with the phone guy but we have never discussed any type of template for feature or function on the phone. That was the whole reason to see what ISE is getting when trying to profile the phone and determine if anything is missing and why.

Context visibility ??? I do not have anything in the GUI labeled as that. The endpoint identity > endpoint profile for the specific device does list attributes but nothing like what is in the policy profiler process. 

pan
Cisco Employee

What is your ISE version? Check the screenshot provided by me; there is a tab named Context Visibility. Context Visibility will not be present in older versions of ISE.

I am running

 

Version: 1.3.0.876

Patch: 1,2,7,8

ISE 1.3 is EOL/EOS. I would recommend evaluating ISE 2.4 moving forward.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-737392.html