RADIUS Probe on WLC for ISE

Answered Question
Aug 10th, 2012

I am doing a Proof-of-Concept for wireless, and I'm getting the infamous "Unknown" endpoint for a device that should be getting profiled as a Windows-Workstation based on the info that I received from the Identity-Endpoints section. My question is whether it is possible to pull out the information from the attribute list of the endpoint (such as tcp port 135) to use as a profile?


Here are the attributes:


Endpoint
  MAC Address:
  Policy Assignment:
  Static Assignment:
  Identity Group Assignment:
  Static Group Assignment:

Attribute List
  135-tcp: msrpc
  139-tcp: netbios-ssn
  3389-tcp: ms-term-serv
  445-tcp: microsoft-ds
  ADDomain: truncated
  AcsSessionID: ise-poc/133205055/184
  Airespace-Wlan-Id: 10
  AuthState: Authenticated
  AuthenticationIdentityStore: AD1
  AuthenticationMethod: MSCHAPV2
  AuthorizationPolicyMatchedRule: truncated
  CPMSessionID: 0a64001d00000005502568b6
  Called-Station-ID: 64-d9-89-43-09-70:NACTEST1
  Calling-Station-ID: 18-3d-a2-92-0a-ec
  DestinationIPAddress:
  DestinationPort: 1812
  Device IP Address:
  Device Type: Device Type#All Device Types#WLCs
  DeviceRegistrationStatus: notRegistered
  EapAuthentication: EAP-MSCHAPv2
  EapTunnel: PEAP
  EndPointMACAddress: 18-3D-A2-92-0A-EC
  EndPointMatchedProfile: Unknown
  EndPointPolicy: Unknown
  EndPointProfilerServer: ise-poc
  EndPointSource: RADIUS Probe
  ExternalGroups: ad.tdfadfa.org/departments/is/groups/sms-remote\,truncated
  FQDN: lc20-isnetwrk03.ad.xxxxxx.orgg.
  Framed-IP-Address:
  IdentityAccessRestricted: false
  IdentityGroup: Unknown
  IdentityPolicyMatchedRule: Default
  LastNmapScanTime: 2012-Aug-10 16:30:41 CDT
  Location: Location#All Locations#
  MACAddress: 18:3D:A2:92:0A:EC
  MatchedPolicy: Unknown
  MessageCode: 5200
  Model Name: Unknown
  NAS-IP-Address: truncated
  NAS-Identifier: truncated
  NAS-Port: 13
  NAS-Port-Type: Wireless - IEEE 802.11
  NetworkDeviceGroups: Device Type#All Device Types#WLCs, Location#All Locations#truncated
  NetworkDeviceName: WLC09
  NmapScanCount: 2
  OUI: Intel Corporate
  PolicyVersion: 4
  PostureAssessmentStatus: NotApplicable
  RequestLatency: 54
  Response: {User-Name=foo\\webb; State=ReauthSession:0a64001d00000005502568b6; Class=CACS:0a64001d00000005502568b6:-poc/133205055/184; Termination-Action=RADIUS-Request; MS-MPPE-Send-Key=9c:b0:32:f4:ec:35:91:8a:6a:fc:87:05:ba:6a:4a:3c:fd:7e:3a:bb:ff:dc:c6:cd:36:ed:14:63:3b:88:34:18; MS-MPPE-Recv-Key=16:62:80:7d:6f:1e:09:5f:24:ed:f5:5e:c5:af:7d:fb:ef:95:c4:12:f8:55:f8:52:da:dd:b0:7b:9f:69:04:ce; }
  SelectedAccessService: Default Network Access
  SelectedAuthenticationIdentityStores: AD1, Internal Users, Internal Endpoints
  SelectedAuthorizationProfiles: PermitAccess
  Service-Type: Framed
  Software Version: Unknown
  StaticAssignment: false
  StaticGroupAssignment: false
  Total Certainty Factor: 0
  attribute-52: 00:00:00:00
  attribute-53: 00:00:00:00
  cisco-av-pair: audit-session-id=0a64001d00000005502568b6
  ip: truncated
  operating-system: Microsoft Windows XP SP2 or SP3

Correct Answer
Tarik Admani Fri, 08/10/2012 - 22:45
User Badges:
  • Green, 3000 points or more

James,


That is possible, but do you have the DHCP probe enabled, and have you thought about setting up an ip helper statement or assigning the ISE node as one of the DHCP servers on the WLC?


There is a built-in check such that if the DHCP class identifier contains MSFT, it will profile the endpoint as a Windows workstation.


However, if this is not the case, then you can create the following condition under Policy Elements > Conditions > Profiling > New Profiler Condition: use Create (Advanced...), then select NMAP > 135-tcp, then set the operator EQUAL to msrpc.


Then go under Microsoft-Workstation and select the option to create a matching identity group (it's much easier than using the hierarchy option) and set the certainty factor to 30. Then add this new condition and set the certainty to 30 also.


Hope that helps,


Thanks,

Tarik Admani
*Please rate helpful posts*
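To show why the posted endpoint sits at "Total Certainty Factor 0" and how the answer's NMAP condition changes that, here is an added Python model of certainty-factor scoring (not ISE code and not from this thread): each rule whose condition matches adds its certainty factor, and the endpoint is assigned the policy with the highest total that reaches the policy's minimum. The scoring model and the attribute name dhcp-class-identifier are assumptions; the endpoint attributes are the ones posted above.

```python
# Added illustration (assumption: a simplified model of how Cisco ISE scores
# profiling policies, not ISE code). Attributes are taken from the post above.
ENDPOINT = {
    "135-tcp": "msrpc",
    "139-tcp": "netbios-ssn",
    "445-tcp": "microsoft-ds",
    "3389-tcp": "ms-term-serv",
    "OUI": "Intel Corporate",
    "operating-system": "Microsoft Windows XP SP2 or SP3",
}

def condition_matches(endpoint, attr, op, value):
    """Evaluate one profiler condition against the endpoint's attributes."""
    actual = endpoint.get(attr)
    if actual is None:          # attribute never collected (e.g. no DHCP probe)
        return False
    if op == "EQUALS":
        return actual == value
    if op == "CONTAINS":
        return value in actual
    raise ValueError(f"unsupported operator {op}")

def total_cf(endpoint, policy):
    """Sum the certainty factors of every rule whose condition matches."""
    return sum(cf for attr, op, value, cf in policy["rules"]
               if condition_matches(endpoint, attr, op, value))

def match_profile(endpoint, policies):
    """Pick the policy with the highest total CF that reaches its minimum;
    otherwise the endpoint stays Unknown with a total certainty factor of 0."""
    best = ("Unknown", 0)
    for policy in policies:
        cf = total_cf(endpoint, policy)
        if cf >= policy["min_cf"] and cf > best[1]:
            best = (policy["name"], cf)
    return best

# Before: only the built-in DHCP check (class identifier contains MSFT).
# The attribute name "dhcp-class-identifier" is an assumption; without a
# DHCP probe that attribute is absent, so the total stays 0.
BEFORE = [{"name": "Microsoft-Workstation", "min_cf": 30,
           "rules": [("dhcp-class-identifier", "CONTAINS", "MSFT", 30)]}]

# After: the answer's NMAP condition (135-tcp EQUALS msrpc, CF 30) is added
# and the policy's minimum certainty factor is 30, so the endpoint matches.
AFTER = [{"name": "Microsoft-Workstation", "min_cf": 30,
          "rules": [("dhcp-class-identifier", "CONTAINS", "MSFT", 30),
                    ("135-tcp", "EQUALS", "msrpc", 30)]}]
```

Running `match_profile(ENDPOINT, BEFORE)` reproduces the "Unknown" result, while `match_profile(ENDPOINT, AFTER)` returns Microsoft-Workstation at certainty 30; an endpoint that also carries the MSFT class identifier would score 60.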

JAMES HILL Sat, 08/11/2012 - 20:57

Thanks Tarik,


I'm going to try this on Monday. FYI, I did test it with DHCP and did see the MSFT class identifier, but I don't have the option to use DHCP as one of the DHCP servers, nor is the helper statement currently used in the current config. I tried a subset of this, but didn't set the certainty factor to 30.


I'll let you know how it goes.
