ISE profiling BQ devices

Hi, in Spain there are lots of BQ devices, most of them Android and some e-readers, with MAC address OUI 4C:74:03.
The browser user agent shows:
Mozilla/5.0 (Linux; Android 4.4.2; Aquaris E5 HD Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.93 Mobile Safari/537.36
But on the profiler update they are never added. I need them to be profiled as BQ phones, Android phones or something, to force them to register to the MDM. Should I write the profile rule manually, or wait until the feed service auto-updates the DB with these devices?
Regards

Similar Messages

  • ISE profiling on Apple-Device, Apple-iPhone and Apple-iPad

    hi,
    I have a question on ISE profiling, especially on Apple devices.
    My testing environment: when I use an iPhone to connect, by default the result profiles me as Apple-Device.
    But when I try to get it more specific, I mark the identity store as Apple-iPhone on the authorization rule, it fails somehow. It seems it cannot go deeper to analyze that it's an iPhone, instead of Apple-Device.
    The default profiler condition for Apple-iPhone is checking the hostname and user-agent. So when I try to use the Safari browser to get online, it won't bounce me as Apple-iPhone profile somehow.
    Question:
    01. What should I do so that the profiler can analyze directly that it was an Apple-iPhone, or is there anything I need to configure, say like an authorization rule?
    Thanks
    Noel

    Are you getting redirected to the web portal in ISE? That is the most common way ISE can get the user agent of the browser in order to profile the device as Apple-iPhone. Give that a try and then see if the user agent is learned; you should get a message to refresh your browser momentarily. Then CoA should trigger and the wireless controller should get the new authorization profile that you configured for your Apple-iPhone endpoints.
    Thanks
    tarik Admani

  • ISE Profiler Feed Service Update

    Hey,
    I have tried a couple of times so far to update the ISE profiler feed service and it always says "it has been successfully update" after 2 seconds; however, the last update feed shows 2013-05 (see attached). I'm running ISE 1.2 with all patches installed (1,2,3,4,5,6,7). Does anyone have some idea about this issue? I'd really like to update the OUI database for the new devices and it seems this is the only automatic way!
    Thanks,
    Ali

    Cisco updates the OUI list as new OUIs become available, but if you are facing an issue regarding a specific OUI do mention it, or you can custom-define that device for profiling (as a short-term solution).
    Also confirm this information.

  • ISE Profiling Deployment

    We are starting an ISE deployment to segregate mobile devices (iPhones and iPads, initially) from corporate notebooks. We have a single SSID and two separate VLANs, one for mobile devices and another for corporate notebooks, assigned by ISE. We successfully set up profiling in a lab environment, with a few devices, but when we put it in production we had problems with devices not being profiled correctly. Since devices are not profiled their access is denied. Since devices are denied they cannot be profiled because ISE doesn't see any traffic (DHCP, HTTP) from clients.
    What strategy are you using to deploy ISE profiling? Must I put ISE to listen on our network for some time before segregating access?

    Hi
    I've had the same problem with first-time users being denied; that's due to ISE not being able to profile before it denies.
    I think they should come up with something that will profile devices and then continue the authentication process.
    Someone mentioned doing a re-auth for a couple of seconds (see the attached pic of how the authorization rule looks). That could save you from people being denied the first time, but if your device is never profiled then it will just spin there all the time re-authenticating.
    What you could also do is set up an unrouted VLAN where all the unknown devices stay until profiled.
    I've talked to Cisco and they recommended the same thing, so I guess that's it for now.
    What we have done before deploying ISE, and it worked pretty well, is forward all DHCP traffic to ISE before deploying ISE at that particular site. DHCP forwarding ran for a few days and I already had their devices in my database, so when I deployed it, it worked pretty neatly.
    By forwarding all DHCP requests I mean:
    We have Active Directory and DHCP servers centrally located, so in the router config I've added a helper address pointing to the ISE IP address, and that's it.
    Now WLC 7.3 has DHCP PROFILING and HTTP PROFILING options.
    HTTP profiling sends the first HTTP packets to ISE, capturing the User-Agent string. That helps if you browse with Safari, but if you use any other application that uses HTTP traffic it will end up totally wrong.
    Example: you connect with your iPhone to Wi-Fi and open up VIBER; ISE will capture viber_blabla_smth as the user agent and will not profile accurately.
    Hope it helps
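To make concrete how a profiler rule of the kind the opening question asks for (OUI 4C:74:03 plus the Aquaris user agent) interacts with the user-agent caveat in the post above, here is an added example in Python; it is not code from Cisco ISE or from any poster in these threads. The policy names, the certainty values, the `profile()` and `normalize_mac()` helpers and the "Viber" user-agent string are assumptions; only the OUI and the Aquaris user agent come from the page. It goes slightly beyond the threads by reporting a tie between equally scored policies as Unknown, the situation a custom rule with the same certainty as a built-in one lands in.

```python
"""Toy endpoint profiler in the style of an ISE profiling policy (added example).

Each policy is a list of conditions with a certainty factor; an endpoint is
assigned to the eligible policy with the highest summed certainty.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Condition:
    attribute: str   # endpoint attribute the condition reads ("mac", "user_agent", ...)
    operator: str    # "startswith" or "contains"
    value: str
    certainty: int   # certainty factor added when the condition matches

    def matches(self, endpoint: dict) -> bool:
        observed = endpoint.get(self.attribute)
        if observed is None:
            return False
        observed, want = observed.upper(), self.value.upper()
        if self.operator == "startswith":
            return observed.startswith(want)
        if self.operator == "contains":
            return want in observed
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Policy:
    name: str
    minimum_certainty: int
    conditions: list = field(default_factory=list)

    def score(self, endpoint: dict) -> int:
        # Sum the certainty of every matching condition.
        return sum(c.certainty for c in self.conditions if c.matches(endpoint))


def normalize_mac(mac: str) -> str:
    """Return the MAC as colon-separated upper-case hex whatever the input style."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def profile(endpoint: dict, policies: list) -> str:
    """Return the best policy name, or "Unknown" when none qualifies or two tie."""
    ep = dict(endpoint)
    if "mac" in ep:
        ep["mac"] = normalize_mac(ep["mac"])
    eligible = [(p.score(ep), p) for p in policies]
    eligible = [(s, p) for s, p in eligible if s >= p.minimum_certainty]
    if not eligible:
        return "Unknown"
    eligible.sort(key=lambda sp: sp[0], reverse=True)
    if len(eligible) > 1 and eligible[0][0] == eligible[1][0]:
        return "Unknown"   # tie: neither policy can be preferred
    return eligible[0][1].name


# Assumed policies: a generic Android rule and a custom BQ rule that needs
# the OUI (30) plus the Aquaris user agent (20) to reach its minimum of 40.
POLICIES = [
    Policy("Android", 30, [Condition("user_agent", "contains", "Android", 30)]),
    Policy("BQ-Android", 40, [
        Condition("mac", "startswith", "4C:74:03", 30),
        Condition("user_agent", "contains", "Aquaris", 20),
    ]),
]

# User agent quoted in the opening question.
AQUARIS_UA = ("Mozilla/5.0 (Linux; Android 4.4.2; Aquaris E5 HD Build/KOT49H) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.93 Mobile Safari/537.36")
# Constructed stand-in for a non-browser app's user agent (the Viber case above).
APP_UA = "Viber/5.0 CFNetwork"

if __name__ == "__main__":
    print(profile({"mac": "4c74.03aa.bbcc", "user_agent": AQUARIS_UA}, POLICIES))
    print(profile({"mac": "4c74.03aa.bbcc", "user_agent": APP_UA}, POLICIES))
```

With the browser user agent the BQ rule outscores the generic Android rule; with the app user agent the same device only collects the OUI's 30 points and stays Unknown, which is exactly the mis-profiling the post above warns about.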

  • The Ultimate Guide to Resolving Profile and Device Manager Issues

    The following article also applies to issues after resetting the server's hostname. It also applies to situations where resetting the Code Signing Certificate as described by Apple has not resolved the issue.
    Hello,
    I have been plagued with Profile Manager and Device Manager issues since day one.
    I would like to share my experience and to suggest a way how to resolve issues such as device cannot be enrolled or Code Signing Certificate not accepted.
    I shall try to be as brief as possible, just giving an overview of the steps that resolved my issues. The individual steps have been described elsewhere in this forum. For users who have purchased commercial SSL certs the following may not apply.
    In my view many of these issues are caused by missing or faulty certificates. So let us first touch on the very complex matter of certificates.
    Certificates come in many flavours such as CA (Certificate Authority), Code Signing Certificate, S/MIME and Server Identification.
    (Mountain?) Lion Server creates a so-called Intermediate CA certificate ("IntermediateCA_hostname_1") and Server Identification Certificate ("hostname") when it installs first. This is critical for the operation of many server functionalities, including Open Directory. These certs together with the private/public keys can be found in your Keychain. Profile and Device Manager may need a Code Signing Certificate.
    The most straightforward way to resolve the Profile Manager issues is in my view to reset the server-created certificates.
    The bad news is that this procedure involves quite a few steps and at least 2 hours of your precious time because it means creating a fresh Directory Master.
    I hope that I have not forgotten to mention an important step. Readers' comments and addenda are welcome.
    I shall outline a sensible strategy:
    1. Clone your dysfunctional server to an external harddrive (SuperDuper does a reliable job)
    2. Start the server from the clone and shut down ALL services.
    3. It may be sensible to set up a root user access.
    4. Back up all user data such as address book, calendar and other data that you *may* need to set up your server.
    5. Open Workgroup Manager and export all user and workgroup accounts to the drive that you are using to re-build your server (it may cause problems if you back up to an external drive).
    6. Just in case you may also want to back-up the Profile Manager database and erase user profiles:
    In Terminal (this applies to Lion Server - paths may be different in Mountain Lion!)
    Backup: sudo pg_dump -U _postgres -c device_management > $HOME/device_management.sql
    Erase database:
    sudo /usr/share/devicemgr/backend/wipeDB.sh
    7. Note your Directory (diradmin) password for later if you want to re-use it.
    8. Open Open Server Admin and demote OD Master to Standalone Directory.
    9. In Terminal delete the old Certificate Authority
    sudo rm -R /var/root/Library/Application\ Support/Certificate\ Authority/
    This step is crucial because otherwise re-building your OD Master will fail.
    9. Go back to Server Admin and promote the Standalone Directory to OD Master. You may want to use the same hostname.
    10. When the OD Master is ready click on Overview and check that the LDAP and Kerberos Realm reflect your server's hostname.
    11. Go back to Workgroup Manager and re-import users and groups.
    NOTE: passwords are not being exported. I do not know how to salvage user passwords. (Maybe passwords can be recovered by re-importing an OD archive - comments welcome!)
    12. Go to Server App and reset passwords and (not to forget) user homefolder locations, in particular if you want to login from a network account!
    If the home directory has not been defined you cannot login from a network account.
    13. You may now want to restore Profile Manager user profiles in Terminal. Issue the following commands:
    sudo serveradmin stop devicemgr
    sudo serveradmin start postgres
    sudo psql -U _postgres -d device_management -f $HOME/device_management.sql
    sudo serveradmin start devicemgr
    14. You can now switch back on your services, including Profile Manager.
    In Profile Manager you may have to configure Device Management. This creates a correct Code Signing Certificate.
    15. Check the certificate settings in Server App -> Hardware -> Settings -> SSL Certificates.
    16. Check that Apple Push Notifications are set (you can easily check if they are working later).
    17. You may want to re-boot OS Server from the clone now.
    18. After re-boot open Server App and check that your server is running well.
    19. Delete all profiles in System Preferences -> Profiles.
    19. Login to Profile Manager. You should have all users and profiles back. In my experience devices have to be re-enrolled before profiles can be pushed and/or devices be enrolled. You may just as well delete the displayed devices now.
    20. Grab one of your (portable) Macs that you want to enrol and go to (yourhostname)/mydevices and install the server's trust profile. The profile's name should read "Trust Profile for..." and underneath in green font "Verified".
    21. Re-enrol that device. At this stage keep your fingers crossed and take a deep breath.
    22. If the device has been successfully enrolled you may at last want to test if pushing profiles really works. Login to Profile Manager as admin, select the newly enrolled device. Check that Automatic Push is enabled (-> Profile -> General). Create a harmless management profile such as defining the dock's position on the target machine. (Do not forget to click SAVE at the end - this is easily missed here). If all is well Profile Manager will display an active task (sending) and the dock's position on the target will have changed in a few seconds if you are on a LAN (Note: If sending seems to take forever: check on the server machine and/or on your router that the proper ports are open and that incoming data is not intercepted by Little Snitch or similar software).
    Note: if you intend to enrol an Apple iPhone you may first need to install the proper Apple Configuration software.
    Now enjoy Profile and Device Manager !
    Regards,
    Twistan

    HI
    1. In Action profiles, log on to the system and recheck that corrections are available in the action definition as well as in the condition configuration, and that the schedule condition is also maintained, but the display is not coming (i.e. in the worklist this action is not getting displayed).
    You can check the schedule condition for the action and match the status values... or try recreating the action with the schedule condition again... for customer-specific ones, copy the standard action with your Z-name and make a schedule condition and check the same.
    2. In the support team of the incident, when I give an individual processor it throws a warning that you are not the processor, but when I give an org unit it works perfectly. Could anyone guide me on this?
    You need to have the Employee role for the BP... go to BP and go to the dropdown for your BP and choose role Employee and then enter your user ID.
    Also make sure that you have the message processing role.
    Hope it clarifies your doubt and resolves your problem.
    Regards
    Prakhar

  • IOS Device-Sensor and ISE profiling not working

    Hello,
    I configured IOS device-sensor on one 2960CG-8-TCL switch. IOS is 15.2(2)E.
    Switch config:
    device-sensor filter-list dhcp list dhcp-list
     option name host-name
    device-sensor filter-spec dhcp include list dhcp-list
    device-sensor accounting
    device-sensor notify all-changes
    Switch does DHCP-Snooping and "show device-sensor cache all" shows the DHCP name:
    Device: b2b5.2fff.sa43 on port GigabitEthernet0/1
    Proto Type:Name                       Len Value
    DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38 38
    RADIUS probe on ISE is activated and TCPdump shows the accounting packets from the switch (see attachment).
    I configured a profiling rule to check for DHCP-Hostname with "contains". This rule does not work however. The device is getting profiled with a MAC-OUI via the RADIUS probe but the DHCP profile is not working.
    Is this supposed to work?

    That is interesting. I haven't worked with the "Device Sensor" much so I am running out of ideas. I really thought the certainty level was going to fix your issue, as I have had issues similar to yours in the past where the certainty level of my custom rule was the same as a default one, so my custom rule was never hit. I thought this was the case with you since your device was hitting the parent policy of "HP-Device" but not moving any further. With that being said, I would still recommend keeping your custom conditions with higher certainty levels to avoid such situations.
    Couple of more things:
    1. What profiling probes do you have enabled?
    2. Have you tried retrieving the DHCP hostname via another sensor/method. For example, via the DHCP probe and ip-helper?
    3. Do you have the following commands entered on your switch:
    access-session template monitor
    no macro auto monitor
    device-sensor accounting
    device-sensor notify all-changes
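The cache line quoted in the question above shows the raw DHCP option bytes the sensor captured. To see what a hostname "contains" rule would actually be matched against, here is an added Python decoder for that hex dump; it is not Cisco code or the poster's. The option-name table is the RFC 2132 subset needed here, and the `parse_options()`/`decode_cache_line()` names are assumptions. The byte string is the one printed in the post (its hostname was evidently scrubbed before posting, so the decoded text is not a real hostname).

```python
"""Decode the hex that "show device-sensor cache all" prints for a DHCP option.

Added example. Each DHCP option is a code byte, a length byte and that many
value bytes; the cache "Len" column counts all three parts.
"""

# Subset of DHCP option codes (RFC 2132); assumption: only these are needed here.
OPTION_NAMES = {
    12: "host-name",
    15: "domain-name",
    55: "parameter-request-list",
    60: "class-identifier",
    61: "client-identifier",
}

# Copied from the cache line in the post: option 12, length 15, 17 bytes in total.
CACHE_HEX = "0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38 38"


def parse_options(data: bytes) -> list:
    """Walk code/length/value triples and return (code, name, value) tuples.

    Raises ValueError when a declared length runs past the buffer, which is
    what a truncated or mis-copied cache line looks like.
    """
    out = []
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(data):
            raise ValueError("option code without length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but {len(value)} remain")
        out.append((code, OPTION_NAMES.get(code, f"option-{code}"), value))
        i += 2 + length
    return out


def printable(value: bytes) -> str:
    """Render a value the way a human should see it before writing a rule:
    bytes outside printable ASCII become \\xNN so they are not mistaken for text."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in value)


def decode_cache_line(hex_text: str) -> dict:
    """Map option names to their printable values for one cache entry."""
    data = bytes.fromhex(hex_text.replace(" ", ""))
    return {name: printable(value) for _, name, value in parse_options(data)}


if __name__ == "__main__":
    raw = bytes.fromhex(CACHE_HEX.replace(" ", ""))
    print(len(raw), "bytes")           # should agree with the Len column (17)
    print(decode_cache_line(CACHE_HEX))
```

The decoded value begins with a non-printable 0x11 byte followed by the visible characters, so a "contains" condition on the visible part would still match, while an "equals" or "starts with" condition written from the visible text alone would not; checking the raw bytes this way is a quick sanity test before blaming the probe.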

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated WLC 5508 with Cisco ISE 3315 with ios 1.1.1 and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID in the WLC and redirect to the web login portal in the WLC for guest users. We have enabled all respective nodes in policy service for profiling and also configured SNMP in the WLC as well as in ISE.
    When a guest user is connected to the open SSID it gets redirected to the web login page of the ISE portal, and when it logs in we are only able to see the username the guest user logged in with, but not the end device, in the monitoring log.
    Wireless end devices are not able to get profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile end guest wireless devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy where in the identity group I mention any, the condition is WLC web authentication, and the authorization profile only mentions guest with plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes and enabled SNMP on the WLC as well as in network devices.
    What else do I need to configure to achieve just identifying the device, nothing but profiling, which should reflect in the authentication logs?
    Thanks
    Pranav

  • ISE profile / posture IOS device

    Is there a way to profile or posture an iOS device as to whether or not it has been rooted?
    Our corporate policy would like to say that if rooted, you get zero access.
    Thanks
    Scott

    No - future MDM integration that Cisco is working on should be able to bring this type of information to ISE. Cisco have indicated MDM integration is coming in Q4 2012.
    Sent from Cisco Technical Support iPad App

  • ISE Profiled devices not being used in authz policy.

    ISE is standalone.
    ver 1.2
    Eval license.
    I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).
    However when this is used in an Authorization Policy it never matches.
    Just a basic Policy:
    if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.
    I can change Identity group to ANY and it works.
    Sure I must be missing something but I've gone round and round with this.
    Tried deleting endpoints and allowing them to repopulate....failed.
    Tried changing endpoints to static with no luck.
    Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.
    Whatever i've tried just ends with the Authz going to the "Default" policy.

    Thank you for providing the detailed information. The problem is not with profiling as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screen shot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store and phones won't be stored there. Your authorization policies look OK so I would suggest you try the following:
    1. Enable the top authentication rule called "MAB"
    2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
    3. Ensure that "Internal Endpoints" is selected for the Identity Store
    4. Test again
    Thank you for rating helpful posts!

  • ISE Using my device Portal , devices still in pending registration status

    Abstract:
    I'm on ISE 1.2 patch 8.
    We want to give wireless access to mobile devices using 802.1x with Active Directory. The condition is that the user must previously register the mobile device in the "my device portal".
    -The corporate user, connected from the LAN network, logs in to the "my device portal" using their Active Directory account and registers their device.
    -The policy defined in ISE indicates that 802.1x users in a group of AD and under the condition "RegistredDevices" can access the network (see screen 1).
    -Users access the wireless network from their mobile device by entering their name from AD and finally access the network.
    -In the "my devices portal" devices always show "Pending" status. All works as expected except for this situation.
    Can you please help?
    Regards,
    Marco Muñoz

    It looks like you don't have any provisioning profiles configured.
    Under Admin settings make sure client provisioning is enabled. Try to set the native supplicant provisioning policy unavailable option to Allow Network Access.

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
    Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, I am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". It is true that my Client Provisioning screen is empty.
    Am I really obliged to use native supplicant provisioning to register my device?
    GN

    Hi
    Device Registration web auth is a process where you can configure user without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with a AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
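The six steps above describe a small state machine: a MAB request for an unknown or un-accepted MAC gets the URL-redirect profile, the portal writes the endpoint and its AUP attribute, a CoA terminates the session, and the NAD's second MAB request finds the endpoint in its group. Here is an added Python simulation of that sequence; it is not ISE code or the poster's. The `AUPAccepted` attribute name, the `RegisteredDevices` group, the `PERMIT_`/`REDIRECT_TO_AUP` result strings and the class and function names are assumptions standing in for the ISE objects the steps refer to; the NAD is modelled as a function that re-runs MAB after the CoA.

```python
"""Simulation of the device-registration web auth flow (added example)."""
from dataclasses import dataclass, field

REGISTERED_GROUP = "RegisteredDevices"   # assumed group selected on the multi-portal page


@dataclass
class Endpoint:
    mac: str
    identity_group: str = "Unknown"
    attributes: dict = field(default_factory=dict)


class IseNode:
    def __init__(self):
        self.endpoints: dict = {}   # endpoint identity store, keyed by MAC
        self.coa_log: list = []     # CoA messages sent to the NAD/WLC

    def mab_request(self, mac: str) -> str:
        """Steps 1 and 6: authorize a MAB request from the NAD."""
        ep = self.endpoints.get(mac)
        if ep is None or not ep.attributes.get("AUPAccepted", False):
            return "REDIRECT_TO_AUP"              # URL-redirection authorization profile
        return f"PERMIT_{ep.identity_group}"      # access configured for the group

    def portal_result(self, mac: str, accepted: bool) -> str:
        """Steps 2 to 5: outcome of the AUP page."""
        if not accepted:
            return "ERROR_PAGE"                   # step 4
        ep = self.endpoints.get(mac)
        if ep is None:
            ep = Endpoint(mac)                    # step 2: register a new endpoint
            self.endpoints[mac] = ep
        ep.attributes["AUPAccepted"] = True       # steps 2/3: track AUP acceptance
        ep.identity_group = REGISTERED_GROUP      # steps 2/3: assign the group
        self.coa_log.append(("CoA-Terminate", mac))   # step 5
        return "SUCCESS_PAGE"


def walk_through(ise: IseNode, mac: str, accept_aup: bool) -> list:
    """Drive one endpoint through the flow; return ISE's decisions in order."""
    trail = [ise.mab_request(mac)]
    if trail[-1] == "REDIRECT_TO_AUP":
        trail.append(ise.portal_result(mac, accept_aup))
        if trail[-1] == "SUCCESS_PAGE":
            trail.append(ise.mab_request(mac))    # step 6: NAD re-authenticates after CoA
    return trail


if __name__ == "__main__":
    node = IseNode()
    print(walk_through(node, "AA:BB:CC:00:00:01", accept_aup=True))   # constructed MAC
    print(walk_through(node, "AA:BB:CC:00:00:01", accept_aup=True))   # already registered
```

The second run for the same MAC skips the portal entirely, which is the behaviour the question in the preceding thread is after: a known MAC gets full access without any client provisioning step.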

  • ISE 1.2 Device registration problem

    I'm trying to get the device registration to work, but keep getting "Device not supported" or "Unable to obtain the user information".
    I cannot seem to find any information on those errors from the manuals.
    What are the possible solutions to get it working ? If the device is not supported, does it mean, that the profiling failed or something else ?
    ISE 1.2

    Hi Harri,
    What kind of authentication are you doing for these users? MAB, Dot1x? Also is this issue seen with all devices, or just a few ( i.e. same type, same vendor...)?
    If this is self-registration for guest users, there is a known issue with using Custom Guest Portal. The defect details are given below :
    https://tools.cisco.com/bugsearch/bug/CSCui77336/?reffering_site=dumpcr
    Therefore if you are using the custom portal, can you instead try with a default portal?
    Thanks,
    Aastha

  • ISE and CDP device sensor

    Hi, all.
    Can anyone explain to me how the CDP device sensor probe works with ISE?
    What I am trying to do, is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE.
    Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it?
    I have done the following so far:
    Configured the switch to talk to ISE via radius accounting:
    aaa group server radius SERVERGROUP_radius_accounting
         server name ISE02
    radius server ISE02
          address ipv4 [ISE02 ip address] auth-port 1645 acct-port 1646
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute nas-port-id include remote-id
    radius-server dead-criteria time 30 tries 3
    radius-server retry method reorder
    radius-server retransmit 2
    radius-server timeout 2
    radius-server deadtime 1
    radius-server key 7 [ISE02 radius key]
    radius-server vsa send cisco-nas-port
    radius-server vsa send accounting
    radius-server vsa send authentication
    aaa accounting dot1x default start-stop group SERVERGROUP_radius_accounting
    Configured SNMP traps to be sent to ISE:
    snmp-server host [ISE02 ip address] [SNMP RO Community]
    authentication mac-move permit
    authentication critical recovery delay 120 
    mac address-table notification change interval 60
    mac address-table notification change
    mac address-table notification mac-move 
    interface GigabitEthernet0/1
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
    Configured logging to ISE:
    epm logging
    logging host [ISE02 ip address] transport udp port 20514
    Configured CoA:
    aaa server radius dynamic-author
    client [ISE02 ip address] server-key 7 [ISE02 radius key]
    Configured DHCP snooping, device tracking and device sensors:
    ip dhcp snooping vlan xyz
    no ip dhcp snooping information option
    ip dhcp snooping
    ip device tracking
    device-sensor filter-list dhcp list DSFL_dhcp
     option name domain-name-servers
     option name host-name
     option name domain-name
     option name class-identifier
     option name client-identifier
    device-sensor filter-list lldp list DSFL_lldp
     tlv name system-name
     tlv name system-description
     tlv name system-capabilities
     tlv name management-address
    device-sensor filter-list cdp list DSFL_cdp
     tlv name device-name
     tlv name port-id-type
     tlv name capabilities-type
     tlv name version-type
     tlv name platform-type
     tlv name duplex-type
     tlv number 34
    device-sensor filter-spec dhcp include list DSFL_dhcp
    device-sensor filter-spec lldp include list DSFL_lldp
    device-sensor filter-spec cdp include list DSFL_cdp
    device-sensor notify all-changes
    Configured an additional IP helper on the AP vlan pointing to ISE:
    interface vlan xyz
    ip helper-address [ISE02 ip address]
    I have configured new profiling conditions on ISE, which use the cdp attributes:
    and used these conditions in a new profiling policy for the 114x AP:
    ISE is configured to listen to DHCP, radius, DNS and SNMP traps ....
    However, the only thing ISE sees of this AP, is the dhcp probe:
    and therefore, the 114x policy has no effect .......
    ISE version is the following:
    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.4.018
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2011 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: deess01nise02
    Version information of installed applications
    Cisco Identity Services Engine
    Version      : 1.1.2.145
    Build Date   : Fri Oct 26 21:10:35 2012
    Install Date : Fri Jan 18 07:18:49 2013
    Cisco Identity Services Engine Patch
    Version      : 2
    Install Date : Mon Jan 21 07:36:50 2013
    Cisco Identity Services Engine Patch
    Version      : 3
    Install Date : Mon Jan 21 07:42:11 2013
    Version of the switch:
    cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.
    Processor board ID FOC1619Y180
    Last reset from power-on
    7 Virtual Ethernet interfaces
    10 Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.
    512K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       : 58:BF:EA:B9:AC:80
    Motherboard assembly number     : 73-13272-06
    Power supply part number        : 341-0407-01
    Motherboard serial number       : FOC16174ZZ5
    Power supply serial number      : LIT16120XR8
    Model revision number           : C0
    Motherboard revision number     : A0
    Model number                    : WS-C3560CG-8PC-S
    System serial number            : FOC1619Y180
    Top Assembly Part Number        : 800-33676-02
    Top Assembly Revision Number    : A0
    Version ID                      : V02
    CLEI Code Number                : CMMD900ARB
    Hardware Board Revision Number  : 0x00
    Switch Ports Model              SW Version            SW Image
    *    1 10    WS-C3560CG-8PC-S   15.0(2)SE             C3560c405ex-UNIVERSALK9-M   
    What am I missing? Should this config make the switch send CDP information about connected devices to ISE (via RADIUS accounting)?
    How do the device sensors work?
    Rgs
    Frank

    A switch with sensor capability gathers endpoint information from network devices using protocols such as Cisco Discovery Protocol (CDP), LLDP, and DHCP, subject to statically configured filters, and makes this information available to its registered clients in the context of an access session. An access session represents an endpoint's connection to the network device.
    Client notifications and accounting messages containing profiling data, along with the session events and other session-related data such as MAC address and ingress port, are generated and sent to the internal and external clients (ISE). By default, for each supported peer protocol, client notifications and accounting events are only generated where an incoming packet includes a TLV that has not previously been received in the context of a given session. You can enable client notifications and accounting events for all TLV changes, where either a new TLV has been received or a previously received TLV has been received with a different value, using CLI commands.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html#wp1112722
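The default-versus-all-changes rule in the answer above decides whether ISE ever hears about a changed CDP TLV. To make that concrete, here is an added Python model of one access session's notification decision; it is not IOS code or anyone's in the thread. The `SensorSession` and `replay()` names are assumptions, the packet sequence is constructed, and the platform strings are made-up sample values in the style of the LAP 1142 the question mentions.

```python
"""When does a device-sensor session emit a client notification / accounting
update? Added example modelling the rule quoted from the device-sensor guide."""
from dataclasses import dataclass


@dataclass
class Notification:
    mac: str
    port: str
    protocol: str
    tlv: str
    value: str


class SensorSession:
    """One access session: an endpoint MAC seen on an ingress port."""

    def __init__(self, mac: str, port: str, notify_all_changes: bool = False):
        self.mac, self.port = mac, port
        # True models "device-sensor notify all-changes"; False is the default.
        self.notify_all_changes = notify_all_changes
        self.cache: dict = {}   # (protocol, tlv name) -> last value seen

    def observe(self, protocol: str, tlv: str, value: str):
        """Record a TLV from an incoming packet; return a Notification or None."""
        key = (protocol, tlv)
        previous = self.cache.get(key)
        self.cache[key] = value
        if previous is None:
            # TLV not previously received in this session: always notify.
            return Notification(self.mac, self.port, protocol, tlv, value)
        if previous != value and self.notify_all_changes:
            # Changed value: only reported when all-changes is enabled.
            return Notification(self.mac, self.port, protocol, tlv, value)
        return None


def replay(packets: list, notify_all_changes: bool) -> list:
    """Feed (protocol, tlv, value) observations through one session and
    return the (tlv, value) pairs that would reach ISE."""
    session = SensorSession("58:BF:EA:00:00:01", "Gi0/1", notify_all_changes)  # constructed
    emitted = []
    for protocol, tlv, value in packets:
        note = session.observe(protocol, tlv, value)
        if note is not None:
            emitted.append((note.tlv, note.value))
    return emitted


# Constructed sequence: an AP announces itself over CDP, repeats the
# advertisement unchanged, then reports a different platform string.
PACKETS = [
    ("cdp", "device-name", "ap-lab-01"),
    ("cdp", "platform-type", "AIR-LAP1142N"),
    ("cdp", "device-name", "ap-lab-01"),
    ("cdp", "platform-type", "AIR-LAP1142N"),
    ("cdp", "platform-type", "AIR-CAP3502I"),
]

if __name__ == "__main__":
    print("default:     ", replay(PACKETS, notify_all_changes=False))
    print("all-changes: ", replay(PACKETS, notify_all_changes=True))
```

Repeated identical advertisements never produce a second message in either mode, so a quiet RADIUS accounting stream is not by itself a sign that the sensor is broken. Separately, the switch configuration quoted in the question has `device-sensor notify all-changes` but no `device-sensor accounting` line; the earlier device-sensor thread on this page lists that command among the ones to check, and it is the one that carries the sensor data in RADIUS accounting for ISE's RADIUS probe to read.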

  • ISE Profiling options for VPN clients

    I'm trying to mull over what profiling options are available for VPN users.  I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access.  The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements.  I don't see an easy way to distinguish these device types that cannot use the NAC agent from the O/Ses that can.  Since the mac address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria.  So the net effect is these devices are stuck in the "unknown" posture state and have very limited access.  Any way around this catch-22?  Incidentally DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their mac address.

    Chris, I ran into the same issue. NetFlow doesn't work, and I used packet captures to see if anything was worthwhile. The only option I see is filing an enhancement request to see if the ASA can send the device platform over to ISE via RADIUS (much like the device sensor feature on IOS).
    I also tried to use a SPAN session, and the catch with it is that the ASA doesn't assign the Calling-Station-Id attribute to the tunnel IP, but to the public IP the user is connecting from. So ISE doesn't apply the user agent attributes to the current session.
    I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the cpp portal as a mobile device.
    Sent from Cisco Technical Support Android App

  • Cisco ISE Authorization with Device OS

    Hi,
    We want to permit access only to devices with Windows OS. I tried to make an authorization rule with the condition "Session:Device-OS EQUALS Windows" but it doesn't work. If I try to connect with a Windows 7 client, the access is denied and the log shows "15039 Rejected per authorization profile". What could be the problem?
    We are using ISE with Version 1.1.3
    thank you,
    Marc

    There is no issue with ISE version 1.1.3; you are on the latest. Maybe the probes are not properly configured.
    Please review the below link for assistance
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_30_ise_profiling.pdf
