VIP Advisor

Wireless Device profiling recommendations

Hello Profiling experts,
I am busy reading through the profiling design guide and it's very detailed and useful. I would probably have to re-read it a few times for it all to sink in. The thing that I cannot understand is how one even gets to a point of being able to profile a device, before one is then able to send a CoA and have that device land in the correct VLAN. My use case is like this: imagine I had 5 types of biomedical devices and I wanted them all to land in different VLANs for whatever reason. The very first time this device connects to the SSID (let's say it's a PSK SSID) then I have to place the device somewhere, right? Is it common practice to put an un-profiled device into VLAN X and then leave it there to be profiled? How long can one expect it to hang around there before it's profiled? And does this VLAN allow the client any access? Or is it really just a quarantine VLAN for the purpose of profiling? I don't want my customer connecting their hospital equipment to the Wi-Fi and then having to wait 30 minutes before they can actually use it - what's the real-world experience?
Let's say ISE managed to profile the device as a Philips Pump XYZ, and then sends CoA Reauth; will that cause the session to terminate? I know in wired switches you'd send a port bounce (doesn't exist in Wi-Fi though). I want the device to join the WLC again and then ISE will match a more specific AuthZ rule that causes the Philips Pump to land in VLAN Y. Is that roughly how the game plan goes? In other words: the most specific AuthZ rules at the top, and then the un-profiled (default case) is at the end of the Policy Set?
One more question: does it matter whether the SSID is 802.1X or PSK? I guess it doesn't, but the point is that an un-profiled device must always land in the quarantine VLAN - is that right so far?
Last question: ISE 2.4 has some new fancy biomed profiles, but I noticed that one needs to send NetFlow to ISE in order to increase the certainty factor (NetFlow is amazing of course and it can tell us a lot about our end devices). Has anyone had good or bad experience sending NetFlow from a Cisco WLC to ISE? I can't send NetFlow from my virtual Cisco WLC because it only works on the hardware appliances :-(

Cisco Employee

No expert on profiling, but I found this Cisco Live session useful -- Cisco Medical Device Segmentation - BRKSEC-2039 -- which may address some of your questions.

NB: http://cs.co/medical-nac links to the main portal on Cisco Medical NAC.