ISE, WLC Device Profiling

Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use the ISE as a AAA Server. I have set up this configuration so VLAN IDs can be pushed to clients based on their login credentials (from AD); this all works fine. I'd like to take this a step further and differentiate users and their devices based on their device type, iPhone, iPad etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on its DHCP hostname, should it contain iPhone etc. Is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as, given the nature of the users connecting, the VLAN push based on credentials is key to my possible deployment.
My second query relates to VLAN pushing on a Flex Auth AP. I've got a remote site with some APs; it is over a L3 connection. I have my WAP at this site registered to the WLC. Over my sites I have standard VLAN numbers and IP address ranges, site 1 is x.1.a.x, x.1.b.x etc, site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLANs to the Flex Auth WAPs so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.
Thanks for any advice/assistance.
Kenny.

Kenny,
For the first part of your question there is no more information you can get outside of the dhcp hostname (which will get you the info you are looking for) and the mac address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a span to span all the traffic over to the ISE node in order to span the http traffic in order to profile the devices using the http user agent string.
As far as your 2nd question - the flex auth APs do not support CoA and aren't a "supported network access device" from Cisco's webpage.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
However the APs do support dynamic vlan assignment. So once an endpoint connects to these APs you can set them on the vlan once, however if you are performing posturing and need coa to place them in another rule once a decision has been made then this is where the deployment will break.
http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE 1.2 Profiler Feed Service

    Just curious if any updated device profiles have been made available for download via the feed service in ISE 1.2? 

    Just for information
    With ISE Release 1.2, Cisco is delivering a unique feed service that provides new and updated profiles for various IP-enabled devices when vendors release new devices. ISE customers will be able to recognize new devices, in addition to a multitude of other network-attached devices such as printers, video cameras, and specialized mobile computing devices.
    Cisco works with various vendors, partners, and customers to profile the multitude of IP-enabled devices that are expected to be deployed in various customer environments and then create profiles for the devices. These profiles are made available through the device feed service. An ISE server that is configured to connect to the feed service establishes a secure connection with the cloud-based service. The various profiles on the feed service are automatically downloaded to the ISE server, providing ISE customers the ability to detect the IP-enabled devices that connect to their network. The feed service will be available with ISE Release 1.2 and is part of the Advanced license.

  • ISE 1.2 Profiling - User Agent attribute incorrect

    Hi all,
    Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly eg MAC OSX profiling as Apple-Device. Basically the issue is the user-agent string profiled by ISE is incorrect meaning that only the OUI is matched. During the BYOD onboarding process, non Internet Browser, applications and services (games and OCSP Daemons etc) are presenting their specific user-agent strings eg "OCSPD\1.0.2" to ISE resulting in incorrect profiling.
    Does anybody have any suggestions on how to resolve this issue, as it is resulting in about 50% of devices being profiled at the "top level", i.e. Apple-Device or Windows Workstation (anything based on User-Agent)? Can anyone explain whether profiler works on the basis of first agent received or last agent received, and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string, thus potentially preventing you from defining tight Authz policies, e.g. iPad only etc.

    "Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
    The suppression feature will not affect the re-profiling of a device. The suppression only affects the logging on the MnT node. Since the Profiling is a PSN function, the suppression has no effect on the outcome of a profiling event.
    You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen.  Again, an understanding of how profiles work is not the issue here.  
    For example, say only the RADIUS and HTTP probes are being utilized for an endpoint. There are two endpoints: one is an iPad and the other an iPhone. The endpoint attributes that are known about the device are the MAC OUI and the useragent.
    Based on the default profiling rules there are two three things that need to be identified either an iPhone or an iPad.  The first common item is that the MAC OUI is identified as apple.  This increases the certainty factor by 10.  The second is either the HTTP User agent containing either iPad/iPhone or the DHCP hostname containing either iPad/iPhone.  Both of those conditions would increase the certainty factor by 20 for a total of 30.  Since DHCP is not being used in this example we can remove that for a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of apple and the useragent must contain iPhone.  Same goes for iPad, but iPad in the useragent. 
    Like smcbridebpc stated, every application that uses HTTP will have a useragent string. The profiler rules assume that the useragent that is being used contains either the word iPhone or iPad to distinguish these types of devices. If an application on the device sends a useragent string such as "OCSPD\1.0.2", which is obviously the OCSP Daemon, this useragent string is "stuck" on the endpoint and no other usable useragents can be used to profile the device. Therefore a race condition exists, and which application wins determines if the profiler will be accurate or not.
    The only two solutions that I can think of would be to have a useragent filter that would allow you to manually filter out useragents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend) OR every time a new useragent is presented to the profiler for a device the useragent is joined to a list of useragents.
    If the useragent was overwritten every time a new useragent was presented then it would cause the device to be reclassified every time the different applications presented useragents, which would not be good.
    It does look like a bug may have been filed and marked as fixed in release pending, but the bug notes do not list enough information to identify if this is the same issue that we are seeing.
    https://tools.cisco.com/bugsearch/bug/CSCuj45373
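
The race described in the post above, and the two fixes it proposes (a User-Agent filter, or keeping a list of User-Agents), replayed as an added example that is not part of the original thread and is not ISE code. It is a toy model: the certainty factors 10 and 20 and the "OCSPD\1.0.2" string come from the post, while the OUI, MAC address, Safari User-Agent, function names and the Apple-iPhone/Apple-iPad policy names are constructed or assumed.

```python
"""Toy model of the User-Agent race discussed in the thread. Not ISE code."""

APPLE_OUIS = {"AA:BB:CC"}      # constructed placeholder standing in for an Apple OUI
OUI_CF, UA_CF = 10, 20         # certainty factor increments quoted in the post
# (policy name, keyword the User-Agent must contain); policy names are assumptions
CHILD_POLICIES = [("Apple-iPhone", "iPhone"), ("Apple-iPad", "iPad")]
STRATEGIES = ("sticky", "overwrite", "accumulate")

# Constructed sample data
MAC = "aa:bb:cc:12:34:56"
OCSPD = r"OCSPD\1.0.2"         # the non-browser User-Agent quoted in the post
SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) "
          "AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A403 Safari/8536.25")
OBSERVED = [OCSPD, SAFARI, OCSPD]   # the daemon happens to talk first and last


def evaluate(mac, user_agents):
    """Return (policy, certainty factor) for the attributes currently stored."""
    if mac.upper()[:8] not in APPLE_OUIS:
        return "Unknown", 0
    for policy, keyword in CHILD_POLICIES:
        if any(keyword in ua for ua in user_agents):
            return policy, OUI_CF + UA_CF
    return "Apple-Device", OUI_CF


def replay(strategy, mac, observed, ignore=()):
    """Replay User-Agents in arrival order.

    strategy: "sticky" keeps the first value seen, "overwrite" keeps the last,
    "accumulate" keeps every distinct value. `ignore` is a tuple of User-Agent
    prefixes dropped before storage (the filter proposed in the post).
    Returns (final policy, certainty factor, number of policy changes).
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    stored, policy, cf, changes = [], "Unknown", 0, 0
    for ua in observed:
        if ua.startswith(tuple(ignore)):
            pass                                  # filtered out, never stored
        elif strategy == "sticky":
            stored = stored or [ua]               # first value wins and stays
        elif strategy == "overwrite":
            stored = [ua]                         # last value wins
        elif ua not in stored:
            stored.append(ua)                     # accumulate distinct values
        new_policy, cf = evaluate(mac, stored)
        if new_policy != policy:
            policy, changes = new_policy, changes + 1
    return policy, cf, changes


if __name__ == "__main__":
    cases = [("sticky", {}), ("overwrite", {}), ("accumulate", {}),
             ("sticky", {"ignore": ("OCSPD",)})]
    for name, kwargs in cases:
        result = replay(name, MAC, OBSERVED, **kwargs)
        print(f"{name:10} {kwargs!s:24} -> {result}")
```
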

  • Q: ISE 1.2 Profiling

    Hi Guys,
    Good Day!
    I would like to ask how I can enable profiling on Apple devices so that when the device connects over the WLAN, the ISE will determine if the Apple device is an iPad or an iPhone, because my setup right now is that regardless of whether the device is an iPhone or iPad, it always goes to the Apple-Devices profile.
    Thanks for the help experts!
    Cheers,
    Niks

    Enable profiling probes in ISE. ISE comes with several profiling conditions and policies and you can get latest updates with ISE feed service. You can tweak ISE profile conditions as per your requirements. You can use the profiling condition in the authorization policy like

  • ISE & WLC

    Quick question:
    If I deploy ISE+WLC and wlc is in HREAP / Flexconnect mode, the Access-Lists do not work, how am I supposed to posture clients at remote locations?
    (cuz I was gonna put an ACL to block everything but dns/etc until they get postured)
    Can I change VLAN as per user/device once they hit the AP? I am always talking about remote locations?

    Tarik,
    First, thanks for your prompt reply. I haven't deployed it yet but here is what my plans are:
    Software Version                 7.0.220.0, ISE 1.1.1, AP 3500, with local switching (it's called flexconnect now, HREAP legacy whatever)
    No DACL, Redirect ACLs defined in the controller and in ISE I plan to use AIRSPACE ACL attribute (I've labbed this - but not in flexconnect) ---> This is all for posturing.
    If there is any other way of doing this (having clients denied any access and redirected to posture url) would be great.
    Here is a cisco HREAP/FlexConnect Limitation.
    Other H REAP Limitations
    If you have configured a locally switched WLAN, then Access Control  Lists (ACLs) do not work and are not supported. On a centrally switched  WLAN, ACLs are supported.
    Now, CoA is also a concern - if I have an AP<====TRUNK====>SWITCH----vlan/2/3/4, I want to be able to swap clients to different VLAN based on their user/device they are connecting, I am not sure if this will work on HREAP/Flexconnect mode and there is a slight change on the wording in the authorization policy attribute in ISE 1.1.x, before it used to be just the vlan u want to set the clients to, now it has TAG ID which I am not sure what it is.
    Thanks for your help, I hope my question is clear.

  • How to obtain an updated Device Profile List xml file

    Hi,
    I would like to update the Device profile List used by the WLC to categorize WiFi devices.
    I found in documentation how to upload the file to the controller,but where can I get a newer xml file?
    Thanks.

    Hi Terry,
    Have you tried the procedures laid out in this 12.2.15 doc?
    Working with Software Images
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080209240.html#wp1035507
    You could also contact Cisco Tac, I'm sure they could get you a copy of the image. I do have one still but I'm sure there are legal ramifications to posting it here.
    Let me know,
    Rob

  • How to use Device Profiles and Viewing Conditions Profile in Photoshop Elements 11?

    In trying to get to grips with the Colour management aspects of PSE11, I have encountered the following problems:
    Having selected "Display" a sequence of clicks (Change display settings -> Advanced settings -> Colour Management -> Colour Management tab -> Colour Management)
    gives a screen which includes the headings:
    Device Profile  and Viewing Conditions Profile.
    1. Device Profile. Besides sRGB and ARGB, the profile list includes the profiles for all of the Epson papers. (I have an Epson Stylus Photo PX810FW).
    I changed the Profile to an Epson Grayscale, this was accepted within the menu, but there are no changes from normal when I viewed the image on the Windows screen or within
    PSE11. ("normal" is sRGB or ARGB).
    I thought it worth a try to test that, if I wanted the display image to closely represent what I would get on a particular Epson paper, this may be a way to do it.(I suspected this approach because I have never
    seen it in the literature!).
    So what is the purpose of all of the paper Profiles appearing in the Display listing?
    2. The Viewing Conditions Profile has also several options. I have tried to find the criteria for choosing one rather than the other, but failed to find any information. Can anyone help? I seek general guidance
    rather than the details of the Profiles.
    As a separate question:
    Selecting Image on the PSE11 menu across the top of the displayed image, and then Convert Colour Profile, I tried this process on an image, converting tiff to sRGB. When saved there was an extra asterisk in the saved title but in this case,
    the file was still labelled tiff and there was no change in the number of Mbs. If a conversion has taken place, how is one to know?  Does saving a tiff file as jpeg change its colour profile? When is it useful to use this feature?
    Many thanks to all responders! 

    Addressing your second question, you are confusing two different things.
    tiff is an image file format, as is jpeg, as is psd, as is png, as are dozens (if not hundreds, http://en.wikipedia.org/wiki/Image_file_formats) of other formats.
    A colour profile represents the colour characteristics of devices so that, for example, displays know how to display the colours, printers know how to print them.
    Image files MAY, but do not have to, contain colour profiles.
    For details:
    http://help.adobe.com/en_US/creativesuite/cs/using/WS52323996-D045-437d-BD45-04955E987DFB.html
    http://en.wikipedia.org/wiki/Color_management#Color_profiles
    http://en.wikipedia.org/wiki/ICC_profile
    Cheers,
    Neale
    Insanity is hereditary, you get it from your children
    If this post or another user's post resolves the original issue, please mark the posts as correct and/or helpful accordingly. This helps other users with similar trouble get answers to their questions quicker. Thanks.

  • Is it possible to separate call forward unregistered & busy on a device profile?

    I've got the following situation cropping up a surprising amount at our site:
    User has 2 jobs within our institution. Works 3 days a week on job 1, 2 days on job 2. Each job is billed to a different cost centre, and the user doesn't want to be getting calls for job 1 when they're supposed to be working on job 2, and vice versa.
    As such, we've created them 2 device profiles. When they log into the phone at the desk of whichever job they're currently working, they get prompted for which profile they want to log in to. The other device profile (if still logged in to the phone on the desk of the other job) is then forcibly logged out.
    When profile 1, for job 1, is logged in, but the user is already on a call, they want incoming calls to that extension to be directed to their voicemail (i.e. set Call Forward Busy [Internal|External] to send to voicemail). They can then check voicemail and follow up on the call as soon as they're off the current one.
    When profile 1/job 1 is logged *out*, i.e. they're currently working job 2, they want incoming calls to job 1's extension to be immediately diverted to a colleague within the same job 1 team.
    I thought I could do this by utilising Call Forward Unregistered [Internal|External], but this does not seem to be the case. When a device profile is not logged in to a device it seems like the busy trigger just gets treated as 0 so the value of Call Forward Busy is followed. I can't see any situation where Call Forward Unregistered is ever utilised if an extension is only associated with a device profile.
    Is there any way to do what I want (without massively convoluted configuration on Call Manager)? If not, do people think this is worth raising as a feature request (or bug in expected behaviour) for later versions of Call Manager?
    We're currently on CUCM 8.5, FYI, in case this is something that's already been updated in version 9 or later.

    Some progress on second idea. Saved a copy of universal access plist with cursor set to large then set the cursor to small again. Replacing the plist file had no effect until I went into the UA pane and changed a setting at which point it must rewrite the file and refresh because the cursor size also changed at this point.
    Tried the same again and restarted Finder, no effect. Also tried altering another pref pane instead with no effect. Need a way to force the computer to look at the plist files, no idea how though. :-)

  • CUCM 9.1.1 ucmuser web sort order of controlled device profiles

    Hi !
    Anyone has an idea, how the web interface for the users (ucmuser) does sort the controlled em device profiles ?
    Or even better how to change the displayed sort order ?
    Changing the order of controlled device profiles in the user configuration in ccmadmin does not change anything in ucmuser.
    And the controlled device profiles in ucmuser seem to have no recognizable order at all, but the order keeps being the same,
    regardless any changes we make in ccmadmin.
    Thanks
    Ralph

    Hi.
    You can export all UDP.
    Edit it with Excel
    filter only entries with empty user
    Upload the modified file as UDP- UDP Delete Custom File
    Select delete device profile from BAT menu
    HTH
    Regards
    Carlo

  • User device profile

    Hello,
    Scenario,
    7960 Phone:
    extension : 5555 it is on phone line
    partition: internal
    CSS: internal
    User Device Profile created for user for EM by choosing 7960 device
    extension : 5555 it is on user device profile line
    partition: UDP
    CSS: GSM
    Question:
    when a user is logged in 7911 phone and when a PSTN users call 5555 the phone rings to a Phone line on 7960 but not on the profile where is logged in i.e 7911
    why like that???
    Thanks

    Phone and DN CSS are concatenated when both are assigned, where the CSS applied to the DN on a phone has higher preference. The most typical case for applying both is "device/line approach" for building classes of restrictions where you assign routing CSS to the device (CSS with access to routing patterns) and then blocking CSS to the DN in order to block let's say international dialing. This approach allows you to considerably reduce number of required partitions and CSSes in your deployment. For more details you can refer to UC SRND which describes it in great detail with examples and nice diagrams.
    HTH, please rate all useful posts!
    Chris

  • How to search for unused User Device Profiles in CUCM 10?

    Hi guys, 
    I have a customer who would like to find out which User Device Profiles are not being used.  I think the following methods would work but I have no idea how to do these in bulk: 
    1: Figure out if the User Device Profile is associated with a user or not 
    2: Figure out when the last time the user device profile was used (Is this possible?  Direct database query?  If so how?) 
    Any help would be greatly appreciated
    -Akin

    I had the same issue in my former company but luckily we used the "Login User ID" field where we had the end user associated.
    As soon as the User left the company and therefore was deleted in CUCM that field became empty.
    So what I did was following
    Generate a User Device Profile Report (Bulk Administration > User device Profiles > Generate UDP Reports
    Select from the device fields Profilename and Login User ID
    Let the report run and open the report file (you will find it at the job scheduler)
    All UDP's without a login user ID are usually not assigned to a user and you may want to delete those.
    No idea about the SQL query but you may find something useful in the database dictionary http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-programming-reference-guides-list.html
    Eike

  • CUCM 10.5: User Device Profiles provisioning possible?

    Recently we've Upgraded our CUCM Cluster from 8.6.2 to 10.5 to gain some new features. In the feature list there is a lot of stuff for provisioning and making admin things easier. Right now, if there is a new employee in our company, we manually create the specific UserDeviceProfile for this user and make the settings needed, but it's more or less some standard procedure, which in my opinion, can be created by a template for example.
    The phones itself will still be manually created as we need to assign the company logo to the background, installing certificates and stuff like that, which can't (can it be?) be done remotely.
    In 10.5 I've seen that under "User Management - User/Phone Add" there are some points where to define different templates. So is there any way to automatically create the user device profiles, for example if the user has been created in the MS Active Directory with the proper fields (ipphone, name, ...)? I haven't found a manual for this scenario (just for the self-provisioning with IVR, which I don't want)
    Thanks in advance :)

    We are experiencing the same issue in our organisation.  Is this simply a limitation of the Self Care Portal?  If so, is it on the roadmap to support configurations with multiple Remote Destination Profiles in the future?
    Error message attached.
    Regards,
    John.

  • Name Dialing and Find button in Device Profile

    I have two questions.
    1. How do I enable "Name Dialing" option in CUCM 8.6, I don't have that option in End user Configuration.
    2. How do I have "FIND" button next to Phone Button Template in Device Profile configuration window.
    Thanks

    Name dialing not even sure where you got that screenshot, I also don't have it
    Find is only available when you have so many phone button templates and they cannot be shown in the dropdown.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • CS3 Device Profile Updates

    How can I tell which is the last Device Profile Update
    installed on the computer I work on?
    How can I tell if the Flash Lite 3 update was installed
    before the Device Profile Update #4 or not?
    Was the Flash Lite 3 update done by the built in CS3 updater
    automatically, or it should have been installed manually?
    My apologies if the questions sound stupid.

    jsnandi,
    With all due respect, you misunderstand my question.
    You're telling me to install the Update #4. If I do it,
    seeing some changes in the status of the profiles could mean a
    successful update--and a successful downgrade too. Just think about
    it: if the #5 has already been installed and I overwrite it with
    #4, it causes changes too. This is not a solution, this is blind
    flying.
    The question is if there is a way to tell which is the latest
    update installed on this computer--prior to any actions.
    I don't want to do any guesswork, don't want to investigate
    any changes in the status of the profiles after an experimental
    install, want to know it for sure. Is there a way or not?

  • Device profile settings

    Have now done 3 tv resets to try and get this to work whilst attempting to set up cloud. Agreed to terms and conditions etc but then the screen seems to freeze when it comes to "device profile settings" . Any suggestions? Thanks in advance.

    That's OK now... Day after I had pop up for software update and I update it and I adjusted profile settings. The number is OK, its produced for German market and it's the same as 50L4300U ( your model ). But still I have a flash player problem, kinda annoying.
