cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Community Live- Understanding How Multicast Works with Cisco
151
Views
0
Helpful
3
Replies
Beginner

WLC Device profiling through ISE

We want to enable Profiling feature in Cisco WLC. Currently all devices in WLC are showing unknown.  As a consequence, devices in ISE coming from WLC also showing unknown.

 

we are using Flexconnect groups.

 

what changes required in WLC for Device profiling through ISE?

 

3 REPLIES 3
VIP Advisor

Re: WLC Device profiling through ISE

here is the good document for reference :

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/NativeProfiling75.html

BB
*** Rate All Helpful Responses ***
Beginner

Re: WLC Device profiling through ISE

Actually im already read the provided document.

 

my query is  we want to device profiling through ISE whats option and configuration required can you please summarize also in our environment Flexconnect is configure so how it is possible to create Dynamic interface for each profile ?

 

Highlighted
VIP Advocate

Re: WLC Device profiling through ISE

Hi @Abdullah2u 

 

In order for ISE to perform profiling, there are a few answers. Since you have a Cisco WLC, you should be using the Device Sensor option on your SSID Advanced Settings (called RADIUS Profiling) which will provide HTTP and DHCP profiling to ISE via RADIUS Accounting Interim-Update requests.  If you do not have ISE Plus Licenses installed, then you won't be able to benefit from this, since Profiling requires active Plus Licenses.

Assuming you have Plus Licenses installed, then ISE will decode (profile) the WLC's Device Sensor data and display this in the Live Logs etc. You get better visibility of the end devices.

To create Policy Sets using profiled information, you need to spend some time researching how that works. I recommend the www.labminutes.com series - explains it really well.  

The trick with profiling in ISE POlicy Sets in general, is that it can be a chicken and egg problem. e.g. with 802.1X you don't know if the device is an Android device until you Authorize the device with 802.1X - so there is no way to make that a condition of the primary authorization Policy. ISE can however collect information about endpoints via things like SNMP polling. In the wired profiling scenario, you can ask ISE to SNMP poll a switch and it can learn a lot about attached devices before you even start thinking about profiling policies. But with wireless I have not found that to be the case. Wireless clients come and go and with 802.1X you have to succeed 802.1X in order to get onto the network. Perhaps there is a way to re-authorize a user once you have profiled them as an Android device (to use the same example as before) and then place that Policy Set Rule higher up to ensure that it gets matched. The more specific Policy Set Rules need to be placed higher up than less specific Rules, or else the more specific ones will never get matched.

 

See how you go.

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards
This widget could not be displayed.