I was looking into Radius profiling on the WLAN controller. I would like to make the recommendation that DHCP should not have to be required in order to do profiling. I understand that DHCP is required to actually profile. However, it would not be necessary to profile a device with a static IP address.
Here is some additional logic:
If a device that is allowed on the network has a static IP address, that would be ok.
If a device that should not be allowed on the network is trying to get on the network with a static IP address, it should still be blocked by ISE.
Is there any reason for this requirement that is not obvious which would make it 100% necessary?
Both the DHCP and DHCP SPAN probes deliver the same key profiling attributes to ISE. These include some of the following:
dhcp-message-type (Option 53)
mud-url (Option 161)
dhcpv6-user-class (Option 15)
dhcpv6-vendor-class (Option 16)
dhcpv6-vendor-opts (Option 17)
dhcpv6-mud-url (Option 112)
Since DHCP provides both a MAC address (dhcp-client-identifier) and an IP address (dhcp-requested-address), it is also capable of establishing IP-to-MAC address bindings for the ISE ARP cache table. This is useful in supporting other probes that rely on IP address rather than MAC address. To apply and save the attributes they provide about a specific endpoint into the ISE database, the IP address needs to be correlated to a specific endpoint based on its MAC address.
In addition to dhcp-client-identifier and dhcp-requested-address, other key attributes include dhcp-class-identifier, dhcp-user-class-id, and dhcp-parameters-request-list. The class identifier is often used to convey platform or OS information. Class identifier as well as User Class ID may be customized on some client operating systems like Mac OS and Microsoft Windows, respectively, to be used as unique corporate identifiers for profiling or to return unique scope values by the DHCP server.
The dhcp-parameters-request-list offers a potentially unique indicator of the device type since the values and sequence of parameters requested are often unique to a limited set of device types or operating systems. For example, a dhcp-parameters-request-list value of 1, 3, 6, 15, 119, 252 is indicative of an Apple iOS device such as an iPad, iPod, or iPhone.
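To make the attributes described in the reply above concrete, here is an added example (not part of the original posts and not Cisco ISE code) that parses the options field of a DHCPv4 payload into those attribute names and derives the MAC-to-IP binding. The function names, the `mac` and `hint` keys, and the sample packet are assumptions made for illustration; the only fingerprint included is the one quoted in the reply.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
# Only the fingerprint quoted in the reply above; a real profiler carries many more.
PRL_HINTS = {"1,3,6,15,119,252": "Apple iOS device"}

def parse_options(payload: bytes) -> dict:
    """Walk the code/length/value options field of a DHCPv4 payload (RFC 2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def profile_attributes(payload: bytes) -> dict:
    """Map raw options to the attribute names used in the reply above."""
    opts = parse_options(payload)
    hlen = min(payload[2], 16)                        # chaddr field is 16 bytes wide
    attrs = {"mac": payload[28:28 + hlen].hex(":")}   # hypothetical key name
    if len(opts.get(53, b"")) == 1:
        attrs["dhcp-message-type"] = opts[53][0]
    if len(opts.get(50, b"")) == 4:
        attrs["dhcp-requested-address"] = ".".join(map(str, opts[50]))
    if 60 in opts:
        attrs["dhcp-class-identifier"] = opts[60].decode("ascii", "replace")
    if 55 in opts:
        prl = ",".join(map(str, opts[55]))  # order matters, so keep it as sent
        attrs["dhcp-parameters-request-list"] = prl
        attrs["hint"] = PRL_HINTS.get(prl)
    return attrs

def build_sample() -> bytes:
    """Constructed DHCPREQUEST: made-up MAC, documentation-range IP."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0) + bytes(16)
    header += bytes.fromhex("020000aabbcc").ljust(16, b"\0") + bytes(192)
    options = bytes([53, 1, 3, 50, 4, 192, 0, 2, 25, 55, 6, 1, 3, 6, 15, 119, 252, 255])
    return header + MAGIC + options

if __name__ == "__main__":
    print(profile_attributes(build_sample()))
```

A statically addressed endpoint never sends such a packet, so none of these attributes (nor the IP-to-MAC binding) would be available from this source for it.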