02-12-2013 05:28 PM - edited 03-10-2019 08:05 PM
I have a high amount of failed profiling attempts on the machine side of things. Some machines get profiled with no problems and then others fail. I have to manually change their type to Workstation.
The rule I have in place shows:
(Workstation OR Cisco-IP-Phone) AND (Wireless_802.1X AND AD1:ExternalGroups EQUALS ADDOMAIN/User Accounts/All Employees )
The workstation portion of the rule includes getting the information from from the user agent string. For example it includes the built-in workstation rule for Windows 7 based machines. That rule scans the User-Agent string for Windows NT 6.1. If I take a machine that has failed profiling, and connect it to a wired connection (not profiled through ise) and then go to whatsmyuseragent.com it will show me Windows NT 6.1. If I put that machine back on the wireless network it should join, ISE fails to profile it.
I'm trying to figure out why ISE won't properly profile the machines. Any thoughts?
02-14-2013 07:32 PM
What profiling sensors do you have enabled?
04-10-2013 06:53 PM
Verify switch configuration for those network segments where endpoints are not
being appropriately profiled to ensure that:
• The required information to profile the endpoint is being sent to Cisco ISE for it
to profile.
• Probes are configured on the network Policy Service ISE node entities.
• Verify that packets are received at the Cisco ISE profiler module by running the
tcpdump function at Operations > Troubleshoot > Diagnostic Tools > General
Tools > Tcpdump.
Note If you are observing this issue with endpoints on a WAN collected by HTTP,
Netflow, and NMAP, ensure that the endpoint IP address has been updated
with a RADIUS/DHCP Probe before other attributes are updated using the
above probes.
There could be an SNMP configuration issue on Cisco ISE, the switch, or both.
• The profile is likely not configured correctly, or contains the MAC address of
the endpoint already.
Resolution • Verify the SNMP version configuration on both Cisco ISE and the switch for
SNMP trap and SNMP server settings.
• The Profiler profile needs to be updated. Navigate to Administration > Identity
Management > Identities > Endpoints, select the endpoint by MAC address
and click Edit.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide