Q: ISE 1.2 Profiling

Hi Guys,
Good Day!
I would like to ask how I can enable profiling on Apple devices so that when the device connects over the WLAN, ISE will determine whether the Apple device is an iPad or an iPhone, because my setup right now is that regardless of whether the device is an iPhone or an iPad, it always goes to the Apple-Devices profile.
Thanks for the help experts!
Cheers,
Niks

Enable profiling probes in ISE. ISE comes with several profiling conditions and policies, and you can get the latest updates with the ISE feed service. You can tweak ISE profile conditions as per your requirements. You can use the profiling condition in the authorization policy like

Similar Messages

  • ISE 1.2 Profiler Feed Service

    Just curious if any updated device profiles have been made available for download via the feed service in ISE 1.2?

    Just for information
    With ISE Release 1.2, Cisco is delivering a unique feed service that provides new and updated profiles for various IP-enabled devices when vendors release new devices. ISE customers will be able to recognize new devices, in addition to a multitude of other network-attached devices such as printers, video cameras, and specialized mobile computing devices.
    Cisco works with various vendors, partners, and customers to profile the multitude of IP-enabled devices that are expected to be deployed in various customer environments and then create profiles for the devices. These profiles are made available through the device feed service. An ISE server that is configured to connect to the feed service establishes a secure connection with the cloud-based service. The various profiles on the feed service are automatically downloaded to the ISE server, providing ISE customers the ability to detect the IP-enabled devices that connect to their network. The feed service will be available with ISE Release 1.2 and is part of the Advanced license.

  • ISE 1.2 Profiling - User Agent attribute incorrect

    Hi all,
    Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly, e.g. Mac OSX profiling as Apple-Device. Basically the issue is that the user-agent string profiled by ISE is incorrect, meaning that only the OUI is matched. During the BYOD onboarding process, non-browser applications and services (games, OCSP daemons, etc.) are presenting their specific user-agent strings, e.g. "OCSPD\1.0.2", to ISE, resulting in incorrect profiling.
    Does anybody have any suggestions on how to resolve this issue, as it is resulting in about 50% of devices being profiled at the "top level", i.e. Apple-Device or Windows Workstation (anything based on User-Agent)? Can anyone explain whether the profiler works on the basis of the first agent received or the last agent received, and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string, thus potentially preventing you from defining tight AuthZ policies, e.g. iPad only, etc.

    "Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
    The suppression feature will not affect the re-profiling of a device.  The suppression only affects the logging on the MnT node.  Since the Profiling is a PSN function the suppression has no affect on the outcome of a profiling event. 
    You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen.  Again, an understanding of how profiles work is not the issue here.  
    For example, say only the RADIUS and HTTP probes are being utilized for an endpoint. There are two endpoints: one is an iPad and the other an iPhone. The endpoint attributes that are known about the device are the MAC OUI and the user agent.
    Based on the default profiling rules there are two things that need to be identified for either an iPhone or an iPad. The first common item is that the MAC OUI is identified as Apple. This increases the certainty factor by 10. The second is either the HTTP User-Agent containing iPad/iPhone or the DHCP hostname containing iPad/iPhone. Both of those conditions would increase the certainty factor by 20, for a total of 30. Since DHCP is not being used in this example, we can remove that as a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of Apple and the user agent must contain iPhone. The same goes for iPad, but with iPad in the user agent.
    As smcbridebpc stated, every application that uses HTTP will have a user-agent string. The profiler rules assume that the user agent being used contains either the word iPhone or iPad to distinguish these types of devices. If an application on the device sends a user-agent string such as "OCSPD\1.0.2", which is obviously the OCSP daemon, this user-agent string is "stuck" on the endpoint and no other usable user agents can be used to profile the device. Therefore a race condition exists, and depending on which application wins, the profiler will be accurate or not.
    The only two solutions that I can think of would be to have a user-agent filter that would allow you to manually filter out user agents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend), OR every time a new user agent is presented to the profiler for a device, the user agent is joined to a list of user agents.
    If the user agent was overwritten every time a new user agent was presented, then it would cause the device to be reclassified every time the different applications presented user agents, which would not be good.
    It does look like a bug may have been filed and marked as fixed in release pending, but the bug notes do not list enough information to identify if this is the same issue that we are seeing.
    https://tools.cisco.com/bugsearch/bug/CSCuj45373
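    A small simulation of the certainty-factor race condition this reply describes (an added example, not Cisco code or anything posted in the thread): it scores an Apple endpoint against constructed Apple-Device/iPad/iPhone policies, lets the first user agent stick as the reply says ISE does, and contrasts that with keeping a list of user agents, the fix the reply proposes. Policy names, rule weights, minimum CF values and the sample user-agent strings are assumptions.

```python
"""Toy model of the ISE profiler certainty-factor (CF) behaviour described in
the reply above. Added example, not Cisco code: policy names, rule weights
(OUI +10, User-Agent or DHCP hostname +20), minimum CF values and the
'first user-agent sticks' behaviour are assumptions taken from that reply."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str   # endpoint attribute examined: oui, user-agent, dhcp-host-name
    contains: str    # case-insensitive substring the attribute value must contain
    cf: int          # certainty factor added when the rule matches

@dataclass(frozen=True)
class Policy:
    name: str
    min_cf: int      # total CF the endpoint must reach for this policy to apply
    rules: tuple

# Constructed policy set mirroring the Apple hierarchy described in the reply.
POLICIES = (
    Policy("Apple-Device", 10, (Rule("oui", "apple", 10),)),
    Policy("Apple-iPad", 30, (Rule("oui", "apple", 10),
                              Rule("user-agent", "ipad", 20),
                              Rule("dhcp-host-name", "ipad", 20))),
    Policy("Apple-iPhone", 30, (Rule("oui", "apple", 10),
                                Rule("user-agent", "iphone", 20),
                                Rule("dhcp-host-name", "iphone", 20))),
)

def score(policy, attrs):
    """Sum the CF of every rule matched by any stored value of its attribute."""
    total = 0
    for rule in policy.rules:
        if any(rule.contains in v.lower() for v in attrs.get(rule.attribute, ())):
            total += rule.cf
    return total

def best_policy(attrs):
    """Return (name, cf) of the highest-CF policy whose min_cf is reached."""
    best = ("Unknown", 0)
    for policy in POLICIES:
        cf = score(policy, attrs)
        if cf >= policy.min_cf and cf > best[1]:   # equal CF keeps the earlier winner
            best = (policy.name, cf)
    return best

class Endpoint:
    """Attribute store for one endpoint. keep_history=True retains every
    user-agent seen (the fix proposed in the reply); False lets the first stick."""
    def __init__(self, oui, keep_history=False):
        self.attrs = {"oui": [oui]}
        self.keep_history = keep_history
        self.profile, self.cf = best_policy(self.attrs)

    def observe(self, attribute, value):
        stored = self.attrs.setdefault(attribute, [])
        if self.keep_history or not stored:   # otherwise the first value seen is kept
            stored.append(value)
        name, cf = best_policy(self.attrs)
        if cf > self.cf:                      # re-profile only on a higher CF
            self.profile, self.cf = name, cf
        return self.profile

def profile_after(user_agents, keep_history=False):
    """Feed constructed HTTP user-agents from one Apple endpoint; return the final profile."""
    ep = Endpoint("Apple, Inc.", keep_history)
    for ua in user_agents:
        ep.observe("user-agent", ua)
    return ep.profile

SAFARI = "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) Safari/9537.53"  # constructed
OCSPD = "OCSPD\\1.0.2"                                                   # from the reply

if __name__ == "__main__":   # the race condition: whichever app talks to ISE first wins
    print(profile_after([SAFARI, OCSPD]))                     # Apple-iPad
    print(profile_after([OCSPD, SAFARI]))                     # Apple-Device (stuck)
    print(profile_after([OCSPD, SAFARI], keep_history=True))  # Apple-iPad
```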

  • ISE Alarm : Critical : Profiler SNMP Request Failure : Server

    OK, so this alarm is coming in repeatedly and is now on my projects list. I get email alerts from the server that list the NAD IP as the endpoint device, and the Endpoint IP address is correct. I've checked the settings and the endpoint is not listed as a NAD in ISE (ver 1.2).
    Profiler SNMP Request Failure
    Details :
    Profiler SNMP Request Failure : Server=xxx-xxx-xxx; NAD Address=10.253.124.194; Endpoint IP Address=10.253.124.194
    Description :
    SNMP request times out, or SNMP community/user auth data is incorrect.
    Suggested Actions :
    Please ensure if SNMP is running on the NAD and verify that SNMP configuration on ISE matches on NAD
    *** This message is generated by Cisco Identity Services Engine (ISE) ***
    Has anyone seen this come in before?
    PS - Why is the IOS for ISE so cut down?  Looks like something you would get from an Apple product.
    Thanks,
    Clark

    Hello,
    Please follow the Cisco link below:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mnt.html
    Profiler SNMP Request Failure
    Either the SNMP request timed out or the SNMP community or user authentication data is incorrect.
    Ensure that SNMP is running on the NAD and verify that SNMP configuration on Cisco ISE matches with NAD.
    Also check which SNMP version the device is using.
    Thanks,

  • ISE 1.2 Profiling

    Having sat through the Cisco class and having also looked at the Cisco Press book "Cisco ISE for BYOD and Secured Unified Access", I have a question regarding profiling.  I have a dual server implementation I'm attempting to configure, and the temporary advanced license is long gone, resulting in only my BASE license.  I know that mainly because I receive an alert every 3 hours - I've disabled it.
    The courseware and the book seem to imply that any/all profiling capability is active ONLY if an Advanced license is in effect.  Does that mean ALL profiling?  Does that mean that I should just delete ALL Profiled Endpoints, as they were profiled prior to my Advanced license expiring? 
    When I go to Admin --> System --> Deployment and select a PSN, I would expect to see both a General Settings tab and a Profiling Configuration tab.     However, I only see the General Settings tab.
    In it, Enable Profile Settings is checked, but it is also grayed out. If I deselect Policy Service, the check mark for Enable Profile Service goes away. If I select Policy Service again, the check mark under Enable Policy Service does NOT reappear. If I select Reset and start over, it's all back to how it was when I started.
    So since I do not have a Profiling Configuration tab, I am unable to change or even verify any of the potential probes. Is there ANY base level of profiling/identification active, at any level, without the Advanced license? I think the answer is no, but the ordering of the material could be misinterpreted...

    I'm getting there.....
    My understanding was that once an endpoint is seen, its base profile is created, and it is fine-tuned and re-evaluated as more is learned about it. An Apple device becomes an iPad, an iPad becomes an iPad 2, etc., all based upon the profiles that are built in.
    Correct, as probes are used and should the ID of device change it will get updated under the end point folder.
    And this activity occurs regardless of the presence of an ADV license?  I fully understand that I might not be able to profile/posture machines, but I'd like to think that the "back-office" processing takes place regardless.  The simple answer is to buy a 100 endpoint ADV license, to boost my 750 endpoint base license, unless I can get a new eval license somehow.
    I believe the intention here was that if a device became associated with the ISE implementation, say over wireless, the user of that device could join an SSID, authenticate once, and then not have to authenticate for quite some time, a variable that could be set by the administrators.
    This is not the case actually. When a wireless device attaches to the network the first time, it MUST authenticate. In fact, if the device doesn't support OKC, you will see your device authenticate with RADIUS each and every time during a roam. Specific to guest, you can tune the timers so they don't get the AUP every few minutes.
    OK, you lost me at OKC.  Please tell me auto-correct has struck again.  Dot1X is what you meant, right? 
    I fully get the fact that the first time a device is seen it has to authenticate. Users have complained of having to reauth each time they roam. I believe the bulk of that can be cured by having them set their WiFi preferences. They also want a default landing page after they authenticate. They appear to get left with a window saying they are renewing their IP, but no redirection. This is probably something I neglected to set...

  • ISE 1.2 Profiling with iPAD Mini and Chromebooks

    Anyone run into issues with profiling devices properly with the iPad mini and Chromebooks? Recent testing with a customer shows that ISE was not able to identify the devices properly. We have a case opened with Cisco; they came out with a patch for Chromebook last week but it's still broken, continuing to pursue with TAC. Just wondering what others have come across.

    Hi Tarik,
    Thanks for the reply. I am testing this for Mike. We have setup ISE 1.2 ( running latest patch 4) for wireless BYOD
    Issue: Chrome Book Device Registration - Not Supported
    Issue: Chrome Book Profile - Unknown
    Probes Enabled - DHCP / RADIUS / HTTP / SNMP

  • Ise 1.2 profiling using language of browser as attribute

    I was wondering if anyone has any idea whether you can use the language of a device, i.e the browser language setting, to profile a device ? I have tried user-agent string matching, but this doesn't contain the language.
    Jan

    The administrator can use the language templates to customize the sponsor portal user interface and the guest account notification text. A default English template is available in the Cisco ISE Admin portal. If you want to change the default language presentation of the sponsor portal or the language and text of the guest notifications, you can add new templates. You can customize the print, email, and short message service (SMS) templates and set the information that is printed, emailed, or text-messaged to guests.
    Please check the links below, which may be helpful for you:
    Link-1
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1068319

  • ISE, WLC Device Profiling

    Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on a VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use ISE as an AAA server. I have set up this configuration so VLAN IDs can be pushed to clients based on their login credentials (from AD); this all works fine. I'd like to take this a step further and differentiate users and their devices based on their device type, iPhone, iPad, etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on its DHCP hostname, should it contain iPhone etc. Is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as, given the nature of the users connecting, the VLAN push based on credentials is key to my possible deployment.
    My second query is relating to VLAN pushing on a Flex Auth AP. I've got a remote site with some APs; it is over a L3 connection. I have my WAP at this site registered to the WLC. Over my sites I have standard VLAN numbers and IP address ranges: site 1 is x.1.a.x, x.1.b.x etc., site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLANs to the Flex Auth WAPs so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.
    Thanks for any advice/assistance.
    Kenny.

    Kenny,
    For the first part of your question there is no more information you can get outside of the dhcp hostname (which will get you the info you are looking for) and the mac address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a span to span all the traffic over to the ISE node in order to span the http traffic in order to profile the devices using the http user agent string.
    As far as your 2nd question, the Flex Auth APs do not support CoA and aren't a "supported network access device" per Cisco's webpage.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
    However the APs do support dynamic vlan assignment. So once an endpoint connects to these APs you can set them on the vlan once, however if you are performing posturing and need coa to place them in another rule once a decision has been made then this is where the deployment will break.
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE and Android Profiling

    G'day All,
    I am building a wireless ISE solution that will service laptops (windows and OSX) via posture assessment, and mobile devices such as iphone, ipad and android.
    I'm looking for help with the profiling of the Android devices. I am using the profiler RADIUS and HTTP probes; the RADIUS probe appears to be sufficient for the laptops and the iPhones/iPads.
    HTTP has been introduced for the Androids as the RADIUS probe wasn't receiving the user-agent string from all the test Android devices. For example, a Samsung Galaxy S3 phone would send the user-agent string and be profiled correctly, whereas a Samsung Note 10.1 tablet wouldn't send the user-agent string, so it would be profiled as an unknown device.
    I was attempting to keep it as seamless as possible for the end user, so I am not using device registration, supplicant provisioning, etc. Obviously the posture assessment process isn't exactly seamless, but once the users have downloaded the NAC client, etc., it is pretty seamless from a user interaction point of view from then on.
    For the Apple devices and the Androids, I have an authorisation policy that says if the device is a profiled iPhone/iPad/Android, use CWA and the guest portal; users log in via AD credentials, accept the AUP and away they go. Some of the Androids ignore this policy and then match on the policy for the laptops (posture assessment). Once connected and in posture pending status, the redirection to the NAC agent page fails, but the Android is then profiled correctly via the HTTP probe. If I attempt to browse again, I get redirected to the guest portal via CWA as the device has been profiled as an Android, and the user can log in, accept the AUP and away they go.
    I'd love to hear from people who have implemented android profiling in the production environments, and how you have done it?
    I am aware that not using device registrations/supplicant provision, etc isn't exactly validated design, but for the purpose of the Android profiling, it shouldn't be relevant.
    I am presently using ise 1.1.3
    Huge thanks in advance guys, any assistance is always greatly appreciated.
    Cheers,
    JS

    I have run into this scenario also, and I shy away from using HTTP profiling on the wireless device sensor because it causes issues with applications that fail to include the type of device.
    Have you checked the DHCP client identifier? I think Android has an Android-specific string, so you may want to bump up the certainty factor.
    Sent from Cisco Technical Support Android App

  • Cisco ISE and NAM profile

    Hi,
    Is there any way to push a configuration.xml created locally via the NAM configuration profile tool to all dot1x clients when they connect to Cisco Catalyst switches and do AAA with ISE-->AD?
    Cisco ASA can do it for VPN client (push them xml profile), any similar things with ISE possible?
    thanks

    You have the ability to push a file with ISE; however, after you modify the configuration.xml file you then have to select repair device, which you cannot do that easily. You can try to have ISE deploy a script where the client downloads the file from an FTP server and then the script repairs the network adapter.
    That will however require some knowledge on scripting.
    Thanks,
    Sent from Cisco Technical Support iPad App

  • ISE CWA Time Profiles

    Hi
    Trying to make ISE CWA with WLC2500 to work according to guest time profiles.
    - When suspending guest users in ISE they can still connect, and it seems that there is no communication between the WLC and ISE (I suspect that ISE will communicate to the WLC regarding this)
    - Then, creating a guest user with "OnlyFirstLogin"... the user is still connected after shutdown/restart.
    I'm aware of the WLC timeout settings, but not sure if they are in play with CWA.
    Anyone who knows about these time profiles in ISE with regard to the WLC?
    Thx
    Kasper

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Ent_BN_BYOD-GuestWirelessAccessDeploymentGuide-February2012.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

  • ISE - NAC agent profile

    Dears
    I want to deploy the NAC agent via GPO and I need to create an agent profile. I know how to create it on ISE, but how do I get the file in XML format to be distributed?

    You can try installing it on only one PC (either by manual installation or by captive portal). If you have configured the posture rules in ISE, then the NAC Agent automatically contacts the ISE server and downloads the latest NACAgentcfg.xml available.
    Then you can browse the following directory and find the NACAgentcfg.xml file on your PC.
    C:\Program Files (x86)\Cisco\Cisco NAC Agent
    After that you can mass deploy the NAC agent along with the XML file, although it is not mandatory to deploy the XML file because, as I said, every time there's a posture rule the NAC agent will download the latest NACAgentcfg.xml available from the ISE server.
    Please rate if it helps.

  • ISE licenses and Profiling service

    Hi,
    I tried to find proper explanation of how ISE licenses are used but I am still not sure of one thing.
    With the Plus license, when the profiling service is turned on; is the number of endpoints consumed from the Plus license for every endpoint that has been profiled and successfully authenticated or the number will be consumed from Base license first ?

    A successfully Authenticated device draws from the Base License.
    A Profiled device draws from the Plus License.
    A successfully Authenticated profiled device draws from both. 
    This is why you need at least as many Base as Plus or Apex Licenses.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE Certificate authentication Profile - Recommended Subject identifier

    Hi,
    1. I wanted to know what would be the recommended subject identifier that should be used in Certificate authentication profile when doing EAP TLS with Active Directory - CA.
    2. I am trying to use Subject - DNS Name, but when issuing a certificate for a user from AD CA with the DNS Name SAN value checked it fails, and the following error is shown in failed requests:
    "DNS Name is unavailable and cannot be added to the subject alternate name" (I may be missing some user configuration in AD that makes a DNS name for a user??)
    For computers it's issuing the certificate... no issues.
    Thanks in advance for your help.
    Regards,
    Mudasir Abbas

    Not a cert expert by any means, but that error message does make sense. Your domain computers automatically get a DNS record when joined to the domain. However, there is no DNS entry for your users. So for your users I would recommend that you build your certificate templates based on the SAN - Email or the Common Name. If you use the SAN-Email, make sure that your AD users do have their e-mail address listed in their domain accounts.
    Hope this helps!
    Thank you for rating helpful posts! 

  • ISE 1.x profiler question (Network Scan Action & Exception Action)

    Could someone please explain the following based on this scenario:
    Say you create a Profiler Policy called “DeviceBrandX”, you set the Minimum Certainty Factor to 20, and you create a condition to profile based on a check on the host-name in DHCP and assign the condition a Certainty Factor Increases of 10. In addition you define an Exception Action and a Network Scan (NMAP) Action in the policy.
    Here are the two questions:
    If you create another condition that initiates a scan Network Scan (NMAP) Action to scan say for OS - how does the scan influence the Certainty Factor?
    Also if you create a condition that initiates Exception Action - how does that influence the Certainty Factor?
    Thanks,
    Allen

    Hey Tarik,
    Thank you for the response; I have looked at the apple-device policy, I see that the “* Exception Action” field is = NONE. I only see that the Network Scan (NMAP) Action is set to OS-scan. In fact I have looked at all the generic policies and none have an “* Exception Action” field set.
    I can see that under the Rules configuration you can set the rule to "Take Exception Action" but in the top part of the configuration the "* Exception Action” there is no selection option.
    I am assuming if you wish to trigger an event you would identify the event in the “* Exception Action” field and under the rule you would select "Take Exception Action". How do you configure the “* Exception Action” to determine which action to take?
    Thanks,
    Allen
