cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

193
Views
0
Helpful
2
Replies
Contributor

WLAN Controller Radius and Local Profiling

I was looking into Radius profiling on the WLAN controller. I would like to make the recommendation that DHCP should not have to be required in order to do profiling. I understand that DHCP is required to actually profile. However, it would not be necessary to profile a device with a static IP address.

Here is some additional logic:

If a device that is allowed on the network has a static IP address, that would be ok.

If a device that should not be allowed on the network is trying to get on the network with a static IP address, it should still be blocked by ISE.

 

Is there any reason for this requirement that is not obvious which would make it 100% necessary?

 

Thank you,

 

Alex

 

Everyone's tags (6)
2 REPLIES 2
Rising star

Re: WLAN Controller Radius and Local Profiling

profiling is done with multiple sources.

one of htem is dhcp-packets other are accounting packets and/or proliling agents on the switch.

a dhcp-packet is one of the first packets sent by a client and as such an interesting source for profiling (but not required)

 

but!

if a device with a static address is connected to your network, this is NOT a guarantee that this is an authorized device!

profiling can help in the authentication phase to determine what type of device this is and if this is a known device.

(if you only use windows-workstations in your company, than you may reject a Linux worktstation?)

 

so what do you want to achieve by not using profiling? some privacy requirement?

 

Highlighted
VIP Mentor

Re: WLAN Controller Radius and Local Profiling

RADIUS & DHCP probes are very useful for device profiling. Refer below document for more details

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-826550277

 

DHCP Attributes

Both the DHCP and DHCP SPAN probes deliver the same key profiling attributes to ISE. These include some of the following:

 

  • DHCPv4 Options
    • client-fqdn (Option 81)
    • dhcp-class-identifier (Option 60)
    • dhcp-client-identifier (Option 61)
    • dhcp-message-type (Option 53)
    • dhcp-parameter-request-list (Option 55)
    • dhcp-requested-address (Option 50)
    • dhcp-user-class-id (Option 77)
    • host-name (Option 12)
    • mud-url (Option 161)
  • DHCPv6 Options
    • dhcpv6-user-class (Option 15)
    • dhcpv6-vendor-class (Option 16)
    • dhcpv6-vendor-opts (Option 17)
    • dhcpv6-mud-url (Option 112)

Since DHCP provides both a MAC address (dhcp-client-identifier) and an IP address (dhcp-requested-address), it is also capable of establishing IP-to-MAC address bindings for the ISE ARP cache table. This is useful in supporting other probes that rely on IP address rather than MAC address. To apply and save the attributes they provide about a specific endpoint into the ISE database, the IP address needs to be correlated to a specific endpoint based on its MAC address.

In addition to dhcp-client-identifier and dhcp-requested-address, other key attributes include dhcp-class-identifier, dhcp-user-class-id, and dhcp-parameters-request-list. The class identifier is often used to convey platform or OS information. Class identifier as well as User Class ID may be customized on some client operating systems like Mac OS and Microsoft Windows, respectively, to be used as unique corporate identifiers for profiling or to return unique scope values by the DHCP server.

The dhcp-parameters-request-list offers a potentially unique indicator of the device type since the values and sequence of parameters requested are often unique to a limited set of device types or operating systems. For example, a dhcp-parameters-request-list value of 1, 3, 6, 15, 119, 252 is indicative of an Apple iOS device such as an iPad, iPod, or iPhone.

 

HTH

Rasika

*** Pls rate all useful responses ***

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards
This widget could not be displayed.