ISE 1.3 Chromebook profiling

Hi,
We are connecting our Chromebooks directly to a dot1x network with MSChapv2, and have no CWA/Client Provisioning policy defined for this network. The "problem" with this is that there is no ACL redirecting traffic to the ISE, and thus it doesn't snap up the IP_UserAgent.
Has anyone else tried to profile Chromebooks another way?
Thanks!

Hi Neno,
1) We have enabled DHCP, HTTP, RADIUS, NMAP, DNS, SNMPQuery. 
2) The problem here is that there are different vendor versions of the Chromebook, so different OUIs. The one I'm testing on is a Samsung XE303C12.
User-Agent Mozilla/5.0 (X11; CrOS armv7l 6680.24.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.41 Safari/537.36
3) Unknown Device. But if we redirect the Chromebook to the ISE, we can profile it using IP_UserAgent (contains CrOS).
I've tried to run Nmap (not with ISE) to find something unique with the Chromebook, without any good result.
This is what I've done now:
* Made a new Authorization Profile with CWA redirection to a hotspot page with no AUP.
* Defined a new Authorization Policy: if Unknown and Wireless 802.1x, then redirect the device to the hotspot success page.
This will profile the Chromebook using the User-Agent. I don't find this the best solution, but it may work for now. But if anyone else has a better way to profile a Chromebook, I would love to hear it. :)

Similar Messages

  • ISE cannot push the profile to the cisco network setup assistant?

    We have tried a few android devices with version 4.2+ but still got the error message ‘Unable to download profile.(Have you logged into the guest portal?)’ as shown at the bottom picture.
    In fact, we are connecting the devices to an open SSID which performs MAC filtering, then redirect to CWA and login with AD credentials,
    then redirect to Google play store and can successfully download the network setup assistant.
    Could you please advise the possible reasons that would cause this error message and make ISE cannot push the profile to the cisco network setup assistant?

    Here's a snippet from the Android spw.log.  I see that there is an error trying to verify the hostname.  Is it possible that this is caused by a non-trusted certificate?  I'm using the self-signed cert built into ISE.  I have an entry in the public DNS for guest.domain.com that resolves to the IP of my ISE server accessible from the guest subnet.  I'm allowing all traffic from the guest VLAN to the ISE VLAN on the firewall and all traffic to/from the ISE server in the provisioning ACL I have applied by ISE on the WLC during native supplicant provisioning.  I know that guests can communicate with the ISE server since regular guest portal redirection works, just not the network setup assistant.  I've renamed the domain to domain.com in this snippet.
    2014.07.20 23:44:48 INFO:verion :4.4.4 SDK Level : 19
    2014.07.20 23:44:48 INFO:State :START
    2014.07.20 23:44:48 INFO:Starting Discovery
    2014.07.20 23:44:48 INFO:Starting ISEDiscoveryAsynchTask
    2014.07.20 23:44:48 INFO:DHCP Stringipaddr 192.168.30.110 gateway 192.168.30.1 netmask 255.255.255.0 dns1 208.67.222.222 dns2 208.67.220.220 DHCP server 192.168.30.1 lease 3600 seconds
    2014.07.20 23:44:48 INFO:DHCP ipaddress192.168.30.110
    2014.07.20 23:44:48 INFO:DHCP gateway192.168.30.1
    2014.07.20 23:44:48 INFO:Discoverng ISE http return code :200
    2014.07.20 23:44:48 INFO:ISEServer =guest.domain.com
    2014.07.20 23:44:48 INFO:session =0516a8c000001932f37acc53
    2014.07.20 23:44:48 INFO:Discovered using gateway :18786496
    2014.07.20 23:44:48 INFO:Discovered ise server = guest.domain.com
    2014.07.20 23:44:48 INFO:Discovered client mac = 5C-0A-5B-FC-37-0F
    2014.07.20 23:44:48 INFO:Server:Key=guest.domain.com:0516a8c000001932f37acc53
    2014.07.20 23:44:48 INFO:Downloading config fromguest.domain.com
    2014.07.20 23:44:48 INFO:checkServerTrusted call
    2014.07.20 23:44:48 INFO:checkServerTrusted call
    2014.07.20 23:44:48 ERROR:DownloadprofileAsynchTask
    2014.07.20 23:44:48 ERROR:java.io.IOException: Hostname 'guest.domain.com' was not verified
    2014.07.20 23:44:48 ERROR:Hostname 'guest.domain.com' was not verified
    2014.07.20 23:44:48 INFO:Internal system error.
    On the ISE side, here is the snippet of logs during the same time as when the android network setup assistant was run.
    2014-07-20 23:41:38,586 INFO   [DefaultQuartzScheduler_Worker-6][] cisco.cpm.infrastructure.utils.NodeGroupFWUtil -:::::- Applied Firewall rules for node group.
    2014-07-20 23:42:35,251 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -:::::- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 2
    2014-07-20 23:42:39,394 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -::::PDPInitialization:- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 0
    2014-07-20 23:42:49,765 INFO   [DataSourceListener Thread][] api.services.persistance.dao.DistributionDAO -:::::- In DAO getRepository method for HostConfig Type : ACTIVE
    2014-07-20 23:42:56,805 INFO   [PDP-Heartbeats-0][] com.cisco.cpm.clustering.MnTClient -::::pdpha:- Removing session 0516a8c00000196f2a95cc53
    2014-07-20 23:42:56,806 WARN   [PDP-Heartbeats-0][] cpm.nsf.session.impl.SystemStateManager -::::pdpha:- Session 0516a8c00000196f2a95cc53 not found at complete
    2014-07-20 23:43:35,441 INFO   [portal-http-844314][] cisco.epm.license.flexlm.FlexlmFileHandler -:::::- Is License Valid for seId [1] = true
    2014-07-20 23:43:35,441 INFO   [portal-http-844314][] com.cisco.epm.license.LicensingManager -:::::- License is valid [true] for SeriveType [1]
    2014-07-20 23:43:35,750 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:43:35,768 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:43:35,768 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- initializing page definition
    2014-07-20 23:43:35,769 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- Created guest theme page def
    2014-07-20 23:44:18,090 WARN   [portal-http-844315][] cisco.cpm.guestportal.actions.SelfProvisioningAction -:test:0516a8c000001932f37acc53::guest:- ***BYOD Registration Data***
    macAddress: 5C:0A:5B:FC:37:0F
    portalUser: test
    authStoreName: Internal Users
    authStoreGuid: 78954c30-e0f0-11e3-af67-005056bf4689
    2014-07-20 23:44:18,113 INFO   [portal-http-844315][] com.cisco.epm.jms.AQMessgeHandler -:test:0516a8c000001932f37acc53::guest:- Publishing message for event [TxnCommit / commit] and message class[class com.cisco.epm.pap.api.transaction.Transaction]
    2014-07-20 23:44:18,167 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:44:18,168 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- initializing page definition
    2014-07-20 23:44:18,169 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.CoAExecutorService -:test:0516a8c000001932f37acc53::guest:- Issue CoA reauth in 2000 milliseconds for sessionName 0516a8c000001932f37acc53
    2014-07-20 23:44:18,171 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:44:18,172 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- initializing page definition
    2014-07-20 23:44:18,173 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- Created guest theme page def
    2014-07-20 23:44:20,171 INFO   [pool-19-thread-4][] cisco.cpm.guestportal.utils.CoAReauthTask -:test:0516a8c000001932f37acc53::guest:- Running CoAReauthTask for _sessionName 0516a8c000001932f37acc53
    2014-07-20 23:44:20,194 INFO   [pool-19-thread-4][] cisco.cpm.guestportal.utils.CoAReauthTask -:test:0516a8c000001932f37acc53::guest:- Issue Local CoA for session 0516a8c000001932f37acc53
    2014-07-20 23:44:50,768 INFO   [ContainerBackgroundProcessor[StandardEngine[Catalina]]][] cpm.admin.infra.action.SessionCounterListener -:::::- sessionDestroyed - deducted one session from counter - Session ID - 0FFE9C73C9209D4EE2534558CB8F723B - Session Count - 0
    2014-07-20 23:46:58,502 INFO   [portal-http-844315][] cisco.epm.license.flexlm.FlexlmFileHandler -:::::- Is License Valid for seId [1] = true
    2014-07-20 23:46:58,502 INFO   [portal-http-844315][] com.cisco.epm.license.LicensingManager -:::::- License is valid [true] for SeriveType [1]
    2014-07-20 23:46:58,693 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:46:58,702 INFO   [portal-http-844315][] cisco.cpm.provisioning.cache.FlowStateCacheManager -::0516a8c000001932f37acc53::guest:- Deleted old flow state session with device id 5C-0A-5B-FC-37-0F

  • ISE Web Authentication with Profile

    Hi,
    I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
    The Cisco ISE doesn't find the endpoint in my internal endpoint store and continues with Web Authentication.
    But when I enable the PSN with the Profile Server, the Cisco ISE populates the internal endpoint store dynamically and I cannot use
    the Web Authentication because the endpoint is already in the internal endpoint store.
    What's the best way to solve this problem?
    Thanks in advance,
    Andre Gustavo Lomonaco

    Hi Neno, let me clarify my question.
    I'm already using my internal endpoints to permit authentication via MAB for my IP Phones, Access Points and Printers.  I'm using Profiling to be able to populate this ISE internal database.
    Now imagine that I want to use Web Authentication to permit authentication of guest workstations without 802.1x. If the profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the continue option if the MAC is not found in the endpoints database. But when the profiler is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication.

  • ISE - How long ISE will hold the profiled devices?

    Hi,
    After ISE profiles a device, for how long does it hold that information in the endpoint identity store? Is there a purge mechanism? The reason I ask is: what if a guest comes and connects to a network and never comes back again? Will ISE hold the profiled MAC address of the device for ever? Is there a way to purge if the MAC is not seen on the network for x days? Or is there a manual purge?
    Any help is appreciated.
    Regards,
    Mohan 

    I have an enhancement request in TAC asking for this feature. I have an ISE deployment which wants users to be statically assigned which will overwhelm the db after some time. I will have to check my notes and will forward the bug id to you.
    Thanks,
    Sent from Cisco Technical Support iPad App

  • ISE Guest Portal Time Profiles

    G'day All,
    Could someone advise if it is possible to extend or change the time profile of a guest account that has already been created? I am trying to understand using time profiles from within the Sponsor Portal. Imagine a guest user has an account created that gives them 2 weeks of access; towards the end of the 2 weeks the user requires another week of access.
    From what I can see in both the ISE time profiles config page and from within the sponsor portal, either the user would have to wait until the existing account expired and have a new account created, or a new account would have to be created to grant the additional access and the existing account could be deleted. I am just seeking clarification of whether time extensions for Guest Accounts are possible prior to the account expiring.
    Currently using ISE 1.1.3
    Thanks in advance, guys.
    James.

    Please follow the below steps to edit the time profile:
    Adding, Editing, or Duplicating Time Profiles
    To add or edit a time profile, complete the following steps:
    Step 1 From the Cisco ISE Administration interface, select Administration > Guest Management > Settings > Guest > Time Profiles.
    Step 2 Click one of the following:
    • Add—to create a new time profile
    • Edit—to edit an existing time profile
    • Duplicate—to duplicate an existing time profile
    Step 3 Enter the name and description of the new time profile.
    Step 4 Select a Time Zone for Restrictions. Time Restrictions are a set of time periods during which a guest account associated with that time profile would not be granted access to the network or guest portal.
    Step 5 From the Account Type drop-down menu, choose one of the predefined options:
    • StartEnd—allows sponsors to define start and end times for account durations
    • FromFirstLogin—allows sponsors to define the duration of time that guests can have access after login
    • FromCreation—allows sponsors to define the duration of time that guest can have access after account creation
    Step 6 Set the Duration for which the account will be active. The account expires after the duration set here has expired. This option is available only if you select the Account Type as FromFirstLogin or FromCreation.
    Step 7 Set the Restrictions for the guest access.
    These restrictions are composed of a day of the week and a start and end clock time. The Time Zone value specified in the time profile affects the clock times set in any of the Time Restrictions within the time profile. For example, a Time Restriction that specifies Monday 12:00 am to 8:00 am and Monday 6:00 pm to 11:59 pm would only grant system access between 8:00 am and 6:00 pm on Mondays within the time zone of the time profile. Any other day of the week would have no time restriction in this example and system access would be granted at any time.
    Step 8 Click Submit.

  • ISE Selecting wrong authorization profile

    Hi,
    We are testing ISE in a wired environment.
    We have set up two authorization profiles called AD_Machine and AD_User as recommended in the TrustSec 2.0 doc.  The AD_Machine policy has a condition set on it to look at the AD External Group AD Machines; likewise the AD_User has a condition to look at AD External Group AD Users.  At the end of the authorization policy list we have the default policy, which is set to the WEBAUTH authorization profile.
    What we see is that machine auth is granted by the WEBAUTH policy as this is the catch-all.  If I disable WEBAUTH it picks AD_Machine; also, if I enable WEBAUTH and remove the AD External Group AD Machines condition, it selects the correct policy.
    There seems to be some kind of timing issue when authorizing against an external DB.
    Any ideas?
    Thanks.
    Gary

  • ISE - Which is first, profiling or posturing?

    Hi,
    I am wondering, if both profiling and posturing are enabled on ISE, which happens first? My guess is profiling, but I could not find any Cisco document that says how this works.
    Also, one more question: during client provisioning, the ISE must know the OS of the client, so that I can download the appropriate agents. So, how does ISE learn about the OS of the client? I don't think RADIUS passes this info.
    Any clarification on this would be appreciated; it must be pretty basic, but I am unable to find any document to confirm this.
    Appreciate any help.
    Regards,
    Mohan

    Mohan,
    Profiling can be done based on multiple factors; the easiest way is to read the user agent when the user connects to a portal :-)
    There are also configurable actions on ISE.
    What kind of scenario are you thinking about, to evaluate which is done before?
    Although from a logic point of view, it might make sense to evaluate what you're dealing with (profiling) before you decide whether it's fit to access your network (posture assessment). :-)
    M.

  • ISE - Cisco IP Phone profiling

    Dears,
    I have issues profiling the Cisco IP phones; they are profiled as "PROFILED". The only probe I enabled on switches and ISE is RADIUS, and now I know that I need to enable the CDP device sensor so it can be sent via RADIUS accounting, but I can't find the command "device-sensor account" on my switch. I use Version 15.0(2)SE3 and WS-C2960S-24PS.
    Any ideas?

    With ISE Release 1.2*, Cisco is delivering a unique feed service that provides new and updated profiles for various IP enabled devices when vendors release new devices. So ISE customers will be able to recognize new devices, in addition to a multitude of other network attached devices such as printers, video cameras, and specialized mobile computing devices.
    Cisco works with various vendors, partners, customers, etc. to profile the multitude of IP enabled devices that are expected to be deployed in various customer environments and create profiles for these. These profiles are made available through the Cisco Feed Service. An ISE server* that is configured to connect to the Feed Service establishes a secure connection with the cloud based Feed Service. The various profiles on the Feed Service are then automatically downloaded to the ISE server, thus providing ISE customers the ability to stay abreast and detect various IP enabled devices that connect to their network. The Feed Service will be available with the release of ISE 1.2* software release and is part of the Advanced License.

  • Cisco ISE windows workstation endpoint profiling

    Hi all,
    I am configuring Cisco ISE to authenticate wireless clients using 802.1x. APs are all lightweight, managed by a Cisco 5508 WLC. I would like to discriminate users accessing that WLAN using mobile phones or tablets from users connecting using Windows workstations. ISE profiles all mobile devices in the right way: iPhones and iPads are profiled as Apple devices and even Mac OS X devices are profiled correctly. The problem is that all Windows workstations are profiled as unknown devices. In ISE I'm using the Windows workstation default profile configuration.
    What can I check to make Windows workstation profiling work correctly?
    Thanks in advance.
    Regards

    I noticed that the default profile for Microsoft workstations uses the DHCP probe to profile devices, so I solved the issue by adding, in our core switch, the ISE IP address as ip helper-address on the VLAN interface used to tag the dot1x wireless LAN. I don't know if that is the best solution or whether there's something I can do on the WLC to avoid adding ip helper-address on the VLAN interface, but this worked for me.
    Thanks to all for helping me.
    Regards

  • Cisco ISE and ATA 188 profiling.

    I have tried to profile a Cisco ATA 188 adapter based on the CDP attribute:
    Platform: Cisco ATA 188
    and assigned it to a new identity group that I created. I am not able to see the device profiled according to the assigned identity group. Instead it is always assigned to the "cisco - device" group.
    On the Cisco switch side, I am seeing the device in the data domain instead of the voice domain, but strangely enough it is getting an IP address from the voice DHCP pool. If dot1x configs are not applied on the port, the device gets an IP address from the voice VLAN and works fine.
    Any suggestion for this case?

    Can you post a screenshot of the custom profiling policy that you configured?
    Also, what version of code do you run on the switch and on ISE?

  • ISE - Bulk change endpoint profiles?

    Anyone know how to actually do this? I've got about 300 devices that I want to change the endpoint profile on, and I'd like to do it in bulk as opposed to clicking on each one. When I check more than one, my "Edit" option is gone.
    I suppose I could export them, change the profile, delete all, then re-import the .csv... but that seems a little tedious if there's a way to do it in the GUI.
    Thanks.

    Hi Tarik,
    Thanks... I wasn't aware it just updated the profile and didn't require a delete. That's good news.
    I'll give it a shot.

  • ISE 1.3 - Failed profiling of iPhone 6 Plus

    Hi,
    Has anyone had a successful profiling of a iPhone 6 plus device? 
    My phone is profiled as "Workstation". Result of OUI is "unknown".
    How can I tweak the profiling policies the right way?

    Have you enabled the Profile Feed Service?
    To activate the Feed Service, go to Administration > Feed Service > Profiler.  Enable the checkbox for Enable Profiler Feed Service, fill out the rest of the options (optional) and click Save.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Logical Profiles in ISE 1.2

    I created a logical profiles group that is assigned with the Apple-iPad, Apple-iPhone and Apple-iDevice policies. Now ISE will not update the feed policies for the three devices. This is the message that I received from ISE when it does its Feed Policies update. I use the logical profiles group matching for authentication and authorization. Is there any way for me to update these feed policies? Thanks for the help!!
    Feed Version 1 policies downloaded.
    Total number of feed polices to apply are 3.
    Feed policies total 3 skipped.
    Feed policies warning message : Apple-Device has been changed by admin.
    Apple-Device:Apple-iDevice has been changed by admin.
    Apple-Device:Apple-iPad has been changed by admin.

    Hello Toua,
    Please Verify switch configuration for those network segments where endpoints are not being appropriately profiled to ensure that:
    •The required information to profile the endpoint is being sent to Cisco ISE for it to profile.
    •Probes are configured on the network Policy Service node entities.
    •Verify that packets are received at the Cisco ISE profiler module by running the tcpdump function at Operations > Troubleshoot > Diagnostic Tools > General Tools > Tcpdump.
    Note If you are observing this issue with endpoints on a WAN collected by HTTP, Netflow, and NMAP, ensure that the endpoint IP address has been updated with a RADIUS/DHCP Probe before other attributes are updated using the above probes
    For more information, please visit the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192504

  • ISE 1.2 Profiling - User Agent attribute incorrect

    Hi all,
    Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly, e.g. Mac OS X profiling as Apple-Device. Basically the issue is that the user-agent string profiled by ISE is incorrect, meaning that only the OUI is matched. During the BYOD onboarding process, non-browser applications and services (games and OCSP daemons etc.) are presenting their specific user-agent strings, e.g. "OCSPD\1.0.2", to ISE, resulting in incorrect profiling.
    Does anybody have any suggestions on how to resolve this issue, as it is resulting in about 50% of devices being profiled at the "top level", i.e. Apple-Device or Windows Workstation (anything based on User-Agent)? Can anyone explain whether the profiler works on the basis of the first agent received or the last agent received, and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string, thus potentially preventing you from defining tight Authz policies, e.g. iPad only etc.

    "Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
    The suppression feature will not affect the re-profiling of a device.  The suppression only affects the logging on the MnT node.  Since profiling is a PSN function, the suppression has no effect on the outcome of a profiling event.
    You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen.  Again, an understanding of how profiles work is not the issue here.
    For example, say only the RADIUS and HTTP probes are being utilized for an endpoint.  There are two endpoints: one is an iPad and the other an iPhone.  The endpoint attributes that are known about the device are the MAC OUI and the user agent.
    Based on the default profiling rules there are two things that need to be identified for either an iPhone or an iPad.  The first common item is that the MAC OUI is identified as Apple.  This increases the certainty factor by 10.  The second is either the HTTP User-Agent containing iPad/iPhone or the DHCP hostname containing iPad/iPhone.  Both of those conditions would increase the certainty factor by 20, for a total of 30.  Since DHCP is not being used in this example we can remove that as a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of Apple and the user agent must contain iPhone.  The same goes for iPad, but with iPad in the user agent.
    As smcbridebpc stated, every application that uses HTTP will have a user agent string.  The profiler rules assume that the user agent being used contains either the word iPhone or iPad to distinguish these types of devices.  An application on the device may send a user agent string such as "OCSPD\1.0.2", which is obviously the OCSP daemon.  This user agent string is "stuck" on the endpoint and no other usable user agents can be used to profile the device.  Therefore a race condition exists, and the application that wins determines whether the profiler will be accurate or not.
    The only two solutions that I can think of would be to have a user agent filter that would allow you to manually filter out user agents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend), OR every time a new user agent is presented to the profiler for a device, the user agent is joined to a list of user agents.
    If the user agent was overwritten every time a new user agent was presented, then it would cause the device to be reclassified every time the different applications presented user agents, which would not be good.
    It does look like a bug may have been filed and marked as fixed in a pending release, but the bug notes do not list enough information to identify if this is the same issue that we are seeing.
    https://tools.cisco.com/bugsearch/bug/CSCuj45373
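As an added example that is not part of this thread and is not ISE code, the following Python model reproduces the certainty-factor arithmetic described in the reply above (OUI match +10, User-Agent match +20, the profile with the highest total wins) and compares four ways of storing the User-Agent attribute: first-wins (the "stuck" behaviour reported above), last-wins (the constant reclassification the reply warns against), accumulating a list of agents, and filtering known non-browser agents (the two fixes proposed). It also carries a constructed rule keyed only on the "CrOS" token from the Chromebook User-Agent in the opening post, since that post notes the OUI varies by vendor. The rule set, weights, storage strategies, the iPhone and OCSPD sample User-Agent strings and the MAC address are assumptions made for the example; only the CrOS User-Agent is taken from the thread.

```python
"""Toy model of certainty-factor (CF) profiling, constructed for this thread.

Not ISE code. The rules, weights (+10 OUI, +20 User-Agent, as described in the
thread) and the four attribute-storage strategies are assumptions used to show
why the order in which applications present User-Agent strings decides the
resulting profile.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed rules: (profile, parent profile, attribute, substring, CF gain).
# A child rule only counts once its parent matched, and inherits the parent's
# CF, so Apple OUI (+10) plus "iPhone" in a User-Agent (+20) = 30.
RULES: List[Tuple[str, Optional[str], str, str, int]] = [
    ("Apple-Device", None,           "oui",        "Apple",  10),
    ("Apple-iPhone", "Apple-Device", "user_agent", "iPhone", 20),
    ("Apple-iPad",   "Apple-Device", "user_agent", "iPad",   20),
    # Chromebooks come from several vendors (different OUIs), so this
    # constructed rule keys only on the "CrOS" token of the posted User-Agent.
    ("Chromebook",   None,           "user_agent", "CrOS",   20),
]

# Constructed deny-list of non-browser agents (the thread's first proposed fix).
NON_BROWSER_AGENT_PREFIXES = ("OCSPD",)

# Sample inputs: the iPhone UA and the OCSPD UA are constructed/shortened; the
# CrOS UA is the one posted in the opening message of this thread.
UA_SAFARI_IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 Safari/600.1.4"
UA_OCSPD = "OCSPD\\1.0.2"
UA_CROS = ("Mozilla/5.0 (X11; CrOS armv7l 6680.24.0) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/41.0.2272.41 Safari/537.36")


def _matches(attr: str, substring: str, attrs: Dict[str, List[str]]) -> bool:
    return any(substring in value for value in attrs.get(attr, []))


def score(attrs: Dict[str, List[str]]) -> Dict[str, int]:
    """Return the total CF reached by every profile whose conditions matched."""
    totals: Dict[str, int] = {}
    for profile, parent, attr, substring, gain in RULES:  # parents precede children
        if parent is not None and parent not in totals:
            continue
        if _matches(attr, substring, attrs):
            totals[profile] = totals.get(parent, 0) + gain
    return totals


def classify(attrs: Dict[str, List[str]]) -> Tuple[str, int]:
    """Pick the profile with the highest CF; nothing matched means Unknown/0."""
    totals = score(attrs)
    if not totals:
        return "Unknown", 0
    return max(totals.items(), key=lambda item: item[1])


@dataclass
class Endpoint:
    mac: str
    oui_vendor: str
    user_agents: List[str] = field(default_factory=list)
    profile: str = "Unknown"
    certainty: int = 0


def observe_user_agent(ep: Endpoint, ua: str, strategy: str) -> str:
    """Store a newly seen User-Agent under one strategy, then re-profile.

    first-wins   keep the first UA ever seen (the sticky behaviour reported above)
    last-wins    overwrite with every new UA (re-classifies on every application)
    accumulate   keep every UA seen (the thread's second proposal)
    filter       first-wins, but ignore known non-browser agents (first proposal)
    """
    if strategy == "filter" and ua.startswith(NON_BROWSER_AGENT_PREFIXES):
        pass  # dropped without touching stored attributes
    elif strategy == "accumulate":
        ep.user_agents.append(ua)
    elif strategy == "last-wins" or not ep.user_agents:  # first-wins/filter: set once
        ep.user_agents = [ua]
    ep.profile, ep.certainty = classify({"oui": [ep.oui_vendor], "user_agent": ep.user_agents})
    return ep.profile


def profile_after(oui_vendor: str, agents: List[str], strategy: str) -> Tuple[str, int]:
    """Feed observed UAs, in order, to a fresh endpoint; return final (profile, CF)."""
    ep = Endpoint(mac="00:00:00:00:00:01", oui_vendor=oui_vendor)  # constructed MAC
    for ua in agents:
        observe_user_agent(ep, ua, strategy)
    return ep.profile, ep.certainty


if __name__ == "__main__":
    race = [UA_OCSPD, UA_SAFARI_IPHONE]  # the OCSP daemon reaches ISE before the browser
    for strategy in ("first-wins", "last-wins", "accumulate", "filter"):
        print(f"{strategy:11} OCSPD first -> {profile_after('Apple', race, strategy)}; "
              f"browser first -> {profile_after('Apple', race[::-1], strategy)}")
    print("Chromebook via CrOS token ->", profile_after("Samsung", [UA_CROS], "first-wins"))
```

Running it shows the race directly: under first-wins the same iPhone ends up as Apple-Device (CF 10) or Apple-iPhone (CF 30) depending only on which application spoke first, last-wins flips the answer with every new request, while both accumulating agents and filtering the OCSPD agent give Apple-iPhone regardless of order. The Chromebook line shows the OUI-independent CrOS match that the redirect workaround in the opening post relies on.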

  • ISE 1.2 does not do HTTP profiling ???

    Hi, guys.
    Has anyone successfully enabled ISE 1.2 Patch 1 to do profiling using HTTP on a monitor session/SPAN port???
    I have tried the following:
    - DMZ switch, which holds a VLAN where (only) the central proxy server resides
    - ESX 5.1 host, one NIC connected to the DMZ switch
    - configured a virtual switch/network on this host, which uses the NIC connected to the DMZ switch (enabled promiscuous mode on the vSwitch and network)
    - ISE 1.2 Patch 1 installed on the ESX host, two interfaces (Gig 0 and 1), Gig 1 connected to the vSwitch and virtual network
    - configured virtual ISE to do HTTP profiling on Gig 1
    Here are some shows:
    #sh moni
    Session 1
    Type                   : Local Session
    Source VLANs           :
        Both               : xx
    Destination Ports      : Gi2/0/48
        Encapsulation      : Native
              Ingress      : Disabled
    #sh run int gig2/0/48
    interface GigabitEthernet2/0/48
    description *** ISE Proxy SPAN Port
    switchport access vlan xx
    The span destination port shows lots of outgoing packets:
    #sh int gig2/0/48
    GigabitEthernet2/0/48 is up, line protocol is down (monitoring)
      Hardware is Gigabit Ethernet, address is 588d.0941.7130 (bia 588d.0941.7130)
      Description: *** ISE-Riker Proxy SPAN Port
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 10/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 00:22:36, output hang never
      Last clearing of "show interface" counters 03:03:20
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14352300
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 42962000 bits/sec, 13051 packets/sec
         33 packets input, 2436 bytes, 0 no buffer
         Received 33 broadcasts (18 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 18 multicast, 0 pause input
         0 input packets with dribble condition detected
        223104868 packets output, 98731284385 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    But the interface on ISE hardly shows any incoming packets:
    # sh int gig 1
    GigabitEthernet 1
              Link encap:Ethernet  HWaddr 00:50:56:8D:4A:C1
              inet6 addr: fe80::250:56ff:fe8d:4ac1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3810 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:347928 (339.7 KiB)  TX bytes:936 (936.0 b)
              Interrupt:67 Base address:0x20a4
    I have tested whether the VMware virtual network makes the packets disappear; therefore I have connected a Windows virtual machine to the same network as ISE.
    Running Wireshark on this Windows machine shows me LOOOOOTS of HTTP packets on this virtual network, so it seems like the ISE NIC just doesn't see them ......
    Any ideas ???
    Rgs
    Frank

    1. it is vm, right?    
    Yepp !!
    can you get netstat -i?
    Executed where ?? On the esx host ?? On the ise vm ??
    What do you expect to see ??
    2. Did you configure an ip for the span receive interface?
    No, why should this be necessary ?? (switchport, wireshark, etc. don't need an ip to capture
    packets on a promiscuous interface, even ISE 1.1.4 didn't need one on the http profiling interface .....)
    Configuration guide doesn't say so anyway ......
    if not, you must configure one to make it work.
    looks like you don't have one,,, pls configure one...
    Ok, ok ..., configured an ip address, checked the profiling attributes ...
    Result: did not make any difference ..... (tadaaaahhhhh !!!)
    tcpdump: WARNING: eth1: no IPv4 address assigned
    Right, but tcpdump shows dozens of live packets as they arrive live on ise, they are just not reflected in the "sh int gig 1" counters
    and furthermore not picked up by the application, that is why I would suspect a nic driver malfunction on the underlying linux os ......
    3. on vswitch make sure the port is in promiscuous mode.
    As I already mentioned before in this thread, it is.
    If the vmware virtual network inbetween ise and the non-virtual network would swallow the packets, why would "tech dumptcp 1" show anything at all ??
    (see screenshots above)
    Rgs
    Frank
