Lab Overview
This lab is designed to help attendees understand how to configure and deploy ISE Profiler. It covers the basic configuration and management for profiling devices in an 802.1X environment. Lab Users should be able to complete the lab within the allotted lab time of (2) hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Verification
Lab Exercise 1: Enable ISE Probes for Profiling
Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes
Lab Exercise 3: Verify Profiled Endpoints and Probe attribute information
Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints
Lab Exercise 5: Verify IP Phone default Policy
Lab Exercise 6: Logging and Reporting
02_ISE_1.0_Profiling_Services_Lab_Guide(EDCS-978790_rev12a).docx 1
10/20/2011
Internal IP addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
Device                                        Name/Hostname                        IP Address
Core Switch (Nexus 7k)                        7k-core.demo.local                   10.1.100.1, 10.1.250.1
Access Switch (3560X)                         3k-access.demo.local                 10.1.250.2
Data Center Switch (3560X)                    3k-server.demo.local                 10.1.251.2
ISE Appliance                                 ise-1.demo.local                     10.1.100.21
ISE Appliance                                 ise-2.demo.local                     10.1.100.22
ISE Appliance                                 ise-3.demo.local                     10.1.100.23
ISE Appliance                                 ise-4.demo.local                     10.1.100.24
AD Server (CA/DNS/DHCP)                       ad.demo.local                        10.1.100.10
NTP Server                                    ntp.demo.local                       128.107.220.1
Public Web Server                             www-ext.demo.local                   10.1.252.10
Internal Web Server                           www-int.demo.local                   10.1.252.20
Admin (Management) Client (also FTP Server)   admin.demo.local / ftp.demo.local    10.1.100.6
Windows 7 Client PC                           win7-pc.demo.local                   DHCP (10.1.10.x/24)
VLANs
ACCESS (VLAN 10): Network for authenticated users or access network using ACLs
MACHINE: Microsoft machine-authenticated devices (L2 segmentation)
QUARANTINE: Unauthenticated or non-compliant devices (L2 segmentation)
VOICE (VLAN 40): Dedicated Voice VLAN
GUEST: Network for authenticated and compliant guest users
VPN Client VLAN to ASA outside interface
ASA inside network to IPEP untrusted interface
Dedicated IPEP VLAN for trusted interface
AP: Wireless AP connection for LWAPP tunnel
DATACENTER: Network services (AAA, AD, DNS, DHCP, NTP, etc.)
Dedicated interconnect subnet between Core and Access switch
Dedicated interconnect subnet between Core and Data Center switch
WEBSVR (10.1.252.0/24): Web Server network
VLAN IDs listed in the original table: 40, 50, 60, 70, 80.
Note:
Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. This lab will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement. By default, all client PC access will remain in the ACCESS VLAN 10 and IP phones will be placed in VOICE VLAN 40.
Connect to a POD
Step 1
Launch the Remote Desktop application on your system.
a. In the LabOps student portal, click on the Topology tab.
b. Click on the Admin PC, then click on the RDP Client option that appears.
c. Clicking on this option should launch your RDP client and connect you to the Admin PC. Log in as DEMO\admin / cisco123 (Domain = DEMO).
d. All lab configurations can be performed from the Admin client PC.
Step 2
From the Admin client PC, click the VMware vSphere Client icon on the desktop. The IP address of your pod's ESX server is 10.1.11.X where X = 10 + (your pod number), e.g. pod 1 = 10.1.11.11, pod 9 = 10.1.11.19, pod 15 = 10.1.11.25, pod 24 = 10.1.11.34.
Note:
Be careful to only connect to your pod's ESX server. If unsure, contact your class proctor.
Step 3
Step 4
Click Login.
Step 5
Once logged in, you will see a list of VMs that are available on your ESX server.
Step 6
You have the ability to power on, power off, or open the console (view) of these VMs. To do so, place the mouse cursor over the VM name in the left-hand pane and right-click to select one of these options.
Step 7
To access the VM console, select Open Console from the drop-down. To log in to a Windows VM, select Guest > Send Ctrl+Alt+Del from the VM Console menu.

Step 1
To access the consoles of the lab switches and ISE servers using SSH:
a. From the Admin client PC, double-click the desired PuTTY shortcut on the Windows desktop. You can also use the shortcuts in the Windows Quick Launch toolbar.
b. If prompted, click Yes to cache the server host key and to continue login.
c. Login using the credentials listed in the Accounts and Passwords table.
Step 2
To access the console for other devices using SSH:
a. From the Admin client PC, open a terminal session using PuTTY from the Windows Start Menu.
b. Refer to the Internal IP Addresses table, and then enter the hostname or IP address of the desired device in the Host Name (or IP address) field.
c. Click Open.
d. If prompted, click Yes to cache the server host key and to continue login.
e. Login using the credentials listed in the Accounts and Passwords table.
Lab Verification
Exercise Objective
Verify the default bootstrap configuration and connectivity.
Step 1
Go to the Admin client PC and open a web browser to log into your ISE appliance (https://ise-1.demo.local) with username/password = admin / default1A.
Step 2
Verify your network access switch (3k-access) is configured and set up correctly.
a. Go to Administration > Network Resources > Network Devices and select 3k-access.
b. Verify the IP address is 10.1.250.2.
c. Verify the shared secret being used in the authentication settings. Click the Show button and verify cisco123 is the shared secret.
Step 3
Use the desktop shortcut for the PuTTY SSH client to launch a terminal session to the 3k-access switch (10.1.250.2) using the credentials admin / cisco123 (enable password cisco123).
Step 4
Make sure interfaces Gi0/1 - 4 are administratively shut down. In this lab we are only concerned with the IP Phone and IP Camera.
Step 5
On the access switch verify MAB is configured on the switch ports for non-authenticating devices. Also verify Multi-Auth host mode is enabled on the switch port. This is needed for the IP Phone to authenticate. Both voice and data domains will authenticate via 802.1X and then fall over to MAB.

  interface Gi0/1
   switchport access vlan 10
   switchport mode access
   switchport voice vlan 40
   ip access-group ACL-ALLOW in
   authentication host-mode multi-auth
   authentication open
   authentication order mab dot1x
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   mab
   dot1x pae authenticator

Step 6
Verify the change of authorization command is configured on your switch. This is essential for when devices change profiles or the authorization settings change for a device or user. The ISE node will send the new authorization parameters to the switch via this mechanism.

  aaa server radius dynamic-author
   client 10.1.100.21 server-key cisco123
Lab Exercise 1: Enable ISE, Probes, and Network Device for Profiling
Exercise Description
This exercise will enable the profiling probes and NAD communication on your ISE Policy Service node.
Exercise Objective
At the end of this exercise you will learn how to enable the probes for your ISE Policy Service node via the GUI.
Step 1
Log into your ISE device via the admin GUI.
Step 2
Go to Administration > System > Deployment. Click on your ISE node. In General Settings, verify Policy Service is enabled.
Step 3
Verify Enable Profiling Service is enabled.
Step 4
In the right-hand pane click the Profiling Configuration tab.
a. Leave NetFlow Probe disabled.
b. Enable DHCP Probe.
   i. The device interface should be Gi0 (Gi0 is the interface on the ISE appliance).
   ii. Leave the default UDP port 67.
c. Enable DHCPSPAN Probe.
   i. The device interface should be Gi0.
d. Enable HTTP Probe.
   i. The device interface should be Gi0.
e. Enable RADIUS Probe.
f. Enable DNS Probe.
   i. Keep the defaults.
g. Enable SNMPQUERY Probe.
   i. Keep the defaults.
h. Enable SNMPTRAP Probe.
   i. Leave Link Trap Query disabled.
   ii. Enable MAC Trap Query.
   iii. Device Interface should be Gi0.
   iv. Leave port 162 as the default.
Step 5
Click the Save button and make sure your changes were saved successfully.
Step 6
Now go to your pre-configured NAD device on ISE to enable SNMP communication: Administration > Network Resources > Network Devices.
a. Click on the 3k-access switch.
b. In the configuration page enable the SNMP Settings section.
c. Expand the setting and select SNMP version 2c.
d. Enter ciscoro as the read-only community string.
e. Verify Link Trap Query is enabled.
f. Verify MAC Trap Query is enabled.
g. Set the polling interval to 600 seconds (LAB USE ONLY!).
h. Leave all other settings the same and click Save.
Note:
You can use multiple interfaces to enable the ISE probes. You can also enable ISE Profiling on other Policy Service nodes if you have the proper licensing in place.
Step 7
Enable the Change of Authorization globally for Profiling. This will allow any status changes of a device to be sent to the access device for an endpoint. a. Go to Administration > System > Settings > Profiling > CoA Type = Reauth
Note:
Use caution when enabling this feature when first profiling your devices. The Change of Authorization will occur for all newly profiled devices.
Step 8
To verify the default actions for profiled devices, go to Policy > Policy Elements > Results > Profiling > Exception Actions (Advanced Exception actions will not be covered in this lab.)
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 2: Configure and Verify NAD Communication with ISE Probes
Exercise Description
Configure ISE probes
Exercise Objective
In this exercise, your goal is to configure and verify your ISE probes are working as advertised.
Step 1
Turn on SNMP debug by typing debug snmp packet at the exec shell prompt on the access switch.
Step 2
If using a remote console (SSH/Telnet), also enter terminal monitor on the command line so you will see the output.
Step 3
Verify SNMP communication between the ISE node and the switch. You should see the SNMP requests coming into the switch from ISE-1 similar to that shown below.
Step 4
You should also see responses from the switch for the SNMP MIB requests from the ISE Profiling Service.

  3k-access# debug snmp packet
  *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
  *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
  *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
  *Apr 19 13:50:25.758: SNMP: Packet received via UDP from 10.1.100.21 on Gi0/24
  *Apr 19 13:50:25.758: SNMP: Get-bulk request, reqid 2133241990, nonrptr 0, maxreps 10
   system = NULL TYPE/VALUE
  *Apr 19 13:50:25.758: SNMP: Response, reqid 2133241990, errstat 0, erridx 0
   system.1.0 = Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2)
   system.2.0 = products.797
   sysUpTime.0 = 428342588
   system.4.0 =
   system.5.0 = 3k-access.demo.local
   system.6.0 =
   system.7.0 = 6
   system.8.0 = 0
   sysOREntry.2.1 = cisco.7.129

Step 5
Turn off the SNMP debug by typing no debug all at the exec mode prompt on the switch command line interface.
Step 6
Bring up switchport Gi0/2 by entering the command no shutdown under the interface in configuration mode.
Step 7
Verify RADIUS packets are being sent to ISE by entering debug radius authentication from exec mode on the access switch. These will be sent when a MAC Authentication Bypass (MAB) session is initiated for clientless devices. This information will be received by the Profiler RADIUS Probe and used in profiling endpoints.
Step 8
You will see the following output. MAB will take some time to initiate after the DOT1X authentication requests time out.

  *Apr 20 14:40:45.339: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
  *Apr 20 14:40:45.339: AAA/AUTHEN/8021X (00000011): Pick method list 'default'
  *Apr 20 14:40:45.339: RADIUS/ENCODE(00000011):Orig. component type = DOT1X
  *Apr 20 14:40:45.339: RADIUS(00000011): Config NAS IP: 0.0.0.0
  *Apr 20 14:40:45.339: Getting session id for DOT1X(000
  *Apr 20 14:40:45.339: RADIUS/ENCODE(00000011): acct_session_id: 16
  *Apr 20 14:40:45.339: RADIUS/ENCODE: Best Local IP-Address 10.1.250.2 for RadiusServer 10.1.100.21
  *Apr 20 14:40:45.339: RADIUS(00000011): Send Access-Request to 10.1.100.21:1812 id 1645/56, len 206
  *Apr 20 14:40:45.339: RADIUS:  authenticator B7 9E 45 1D 55 C4 2F C2 - 4D 15 7F 5C B4 24 5A 60
  [attribute dump garbled in this copy; recoverable attributes: NAS-Port-Type [61] Ethernet, EAP-Key-Name, Vendor Cisco / Cisco AVpair "audit-session-id=0A0164010000000F04A3DB09", Message-Authenticator[80]]
  *Apr 20 14:40:45.348: RADIUS(00000011): Started 5 sec timeout
  *Apr 20 14:40:45.599: RADIUS: Received from id 1645/56 10.1.100.21:1812, Access-Accept, len 157
Step 9
Turn off the RADIUS debug when finished by typing no debug all on the command line.
Step 10
Configure an additional IP helper address to the ISE appliance on Interface Vlan10 (Access) and Interface Vlan40 (Voice) for DHCP information to be sent to the ISE DHCP probe (ex.):
Step 11
Do a shut/no shut on the interfaces Gi0/1 - 8. This will retrigger DHCP requests and send
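The script below is an added example written for this page, not part of the lab guide or any Cisco tool. It checks a switch running-config for the access-port settings the Lab Verification exercise has you inspect by eye (multi-auth host mode, the mab-then-dot1x order, port-control auto, mab, the dynamic-author CoA client for ISE-1) and for the ip helper-address entries that Step 10 above asks for on Vlan10 and Vlan40. The embedded configuration is constructed: Gi0/1 mirrors the lab's printed port template, Gi0/2 and Vlan40 are deliberately misconfigured so that the audit has findings, and the final `dot1x pae authenticator` line of the port template is assumed from the standard IOS template because the lab's printed copy is garbled at that line.

```python
"""Added example: audit a Catalyst running-config for the MAB/802.1X port
settings and the CoA and DHCP-helper entries this lab verifies.
Not Cisco or ISE code; the sample configuration below is constructed."""
import re

ISE_1 = "10.1.100.21"   # ISE-1 Policy Service node, from the lab address table

# Constructed running-config excerpt. Gi0/1 mirrors the port template the lab
# prints; Gi0/2 is deliberately misconfigured (no multi-auth, dot1x-first order,
# no mab); Vlan40 is missing the helper address pointing at ISE.
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
 client 10.1.100.21 server-key cisco123
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 authentication order dot1x mab
 authentication port-control auto
 dot1x pae authenticator
!
interface Vlan10
 ip helper-address 10.1.100.10
 ip helper-address 10.1.100.21
!
interface Vlan40
 ip helper-address 10.1.100.10
!
"""

# Per-port commands the lab checks ("dot1x pae authenticator" is assumed from
# the standard IOS template; the lab's printed copy is garbled at that line).
REQUIRED_PORT_LINES = (
    "authentication host-mode multi-auth",
    "authentication order mab dot1x",
    "authentication port-control auto",
    "mab",
    "dot1x pae authenticator",
)


def parse_blocks(config):
    """Split a running-config into {block header: [child commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            current = raw.strip()
            blocks[current] = []
        else:
            current = None          # "!" or a blank line ends the block
    return blocks


def audit_ports(config):
    """Return {port: [missing required commands]} for every access port."""
    findings = {}
    for header, lines in parse_blocks(config).items():
        if header.startswith("interface ") and "switchport mode access" in lines:
            port = header.split(" ", 1)[1]
            findings[port] = [cmd for cmd in REQUIRED_PORT_LINES if cmd not in lines]
    return findings


def coa_client_configured(config, ise_ip):
    """True if the dynamic-author section lists ise_ip as a CoA client."""
    lines = parse_blocks(config).get("aaa server radius dynamic-author", [])
    pat = re.compile(r"^client\s+" + re.escape(ise_ip) + r"(\s|$)")
    return any(pat.match(line) for line in lines)


def helper_addresses(config, svi):
    """ip helper-address targets configured under `interface <svi>`."""
    lines = parse_blocks(config).get("interface " + svi, [])
    return [line.split()[2] for line in lines if line.startswith("ip helper-address ")]


def missing_ise_helper(config, ise_ip, svis=("Vlan10", "Vlan40")):
    """SVIs that do not relay DHCP to the ISE DHCP probe."""
    return [svi for svi in svis if ise_ip not in helper_addresses(config, svi)]


if __name__ == "__main__":
    for port, missing in audit_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
    print("CoA client for ISE-1:", coa_client_configured(SAMPLE_CONFIG, ISE_1))
    print("SVIs without ISE helper:", missing_ise_helper(SAMPLE_CONFIG, ISE_1))
```

Run against a real `show running-config` capture, the same functions report every access port that would silently fall back to 802.1X-only or never trigger MAB, and every SVI whose DHCP traffic the ISE DHCP probe would never see.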
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 3: Verify Profiled Endpoints and Probe attribute information
Exercise Objective
In this exercise, your goal is to correctly identify newly profiled endpoints and their unique attributes collected on the network.
Step 1
Go to the ISE-1 Home page and see if there are any Profiled Endpoints. Look at the Profiled Endpoints to see if you have endpoints being profiled.
Step 2
Go to Administration > Identity Management > Identities > Endpoints.
Step 3
You should now see MAC addresses show up in the Endpoints view.
Step 4
Click on one of the endpoints to verify attribute data received by the probes. The latest information received by a certain Probe will be listed as: EndPointSource = (ex. SNMPTrap Probe)
Step 5
Go back to Endpoints and click on the Microsoft-Workstation.
a. You can verify the DNS probe is working by locating the host-name attribute. DNS was set up in the Bootstrap Lab 1.
b. You can also verify the DHCP Probe is working by locating the dhcp-class-identifier which was sent in the DHCP request of the Windows Client.
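To show what the DHCP probe actually extracts from a client's request (the host-name and dhcp-class-identifier attributes checked in Step 5), here is an added example, written for this page rather than taken from ISE, that builds a constructed DHCPREQUEST and parses its options with a bounds-checked TLV walk. The MAC address, hostname, class identifier and requested address in it are made up; the option codes and the 236-byte fixed header plus magic cookie follow the standard BOOTP/DHCP layout.

```python
"""Added example: parse the DHCP options the ISE DHCP probe relies on (option
12 host-name, 50 dhcp-requested-address, 53 message type, 55 parameter request
list, 60 dhcp-class-identifier) from a raw DHCP message. Not ISE code."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field

OPTION_NAMES = {
    12: "host-name",
    50: "dhcp-requested-address",
    53: "dhcp-message-type",
    55: "dhcp-parameter-request-list",
    60: "dhcp-class-identifier",
    61: "dhcp-client-identifier",
}


def build_sample_request(mac, hostname, class_id, requested_ip):
    """Build a minimal DHCPREQUEST (constructed test input, not a capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0,                 # op=BOOTREQUEST, htype, hlen, hops
                        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast)
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, 3]) +                                   # DHCPREQUEST
            bytes([50, 4]) + IPv4Address(requested_ip).packed +
            bytes([12, len(hostname)]) + hostname.encode() +
            bytes([60, len(class_id)]) + class_id.encode() +
            bytes([55, 3, 1, 3, 6]) +                             # subnet, router, DNS
            b"\xff")                                              # end option
    return fixed + MAGIC_COOKIE + opts


def parse_dhcp_options(packet):
    """Return {option-name: value} for a DHCP message.

    Returns None if the packet is too short or lacks the magic cookie, and
    stops cleanly on a truncated option instead of reading past the buffer."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    attrs = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0xFF:                 # end option
            break
        if code == 0:                    # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            break                        # truncated: no length byte
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) < length:
            break                        # truncated option body
        name = OPTION_NAMES.get(code, f"option-{code}")
        if code in (12, 60):
            attrs[name] = value.decode("ascii", errors="replace")
        elif code == 50:
            attrs[name] = str(IPv4Address(value))
        elif code == 53:
            attrs[name] = value[0]
        elif code == 55:
            attrs[name] = ",".join(str(b) for b in value)
        else:
            attrs[name] = value.hex()
        i += 2 + length
    return attrs


if __name__ == "__main__":
    pkt = build_sample_request(bytes.fromhex("001ee599fc5b"), "win7-pc",
                               "MSFT 5.0", "10.1.10.50")
    print(parse_dhcp_options(pkt))
```

Every attribute this parser recovers is supplied by the client itself, so a profiling rule that relies on host-name or dhcp-class-identifier alone is trusting the endpoint's own claim; the switch-sourced CDP and OUI attributes used in Lab Exercise 4 are the ones the endpoint does not control.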
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 4: Create Profiles and Authorization Policies for Profiled Endpoints
Exercise Description
In this exercise, your goal is to create Profile and Authorization Policies.
Exercise Objective
In this exercise, your goal is to verify your Profiles and Authorization Policies for your Profiled Endpoints by validating the authentication session and its policy.
Step 1
We now want to create our own Profile based on more specific information than the generic Cisco-Device profile that some of these endpoints are being profiled into. Go to Administration > Identity Management > Identities > Endpoints.
a. You should now see a few Endpoints profiled as Cisco-Device.
Step 2
Click on the MAC address that is connected to port Gi0/2.
a. Under the attribute details look for some information that is interesting based on device type. You should see this under the cdp information collected from the SNMP Probe.
b. Write down the cdp Platform information. For example, CIVS-IPC-4500.
c. Also note the MAC OUI information = Cisco Systems. Example output below:
Step 3
Go to Policy > Policy Elements > Conditions > Profiling to create a matching rule for the device attribute information to be used in a Profiling Policy.
Step 4
Under Profiling Conditions click Create.
a. Name = cdpIPCAMERA
b. Type = SNMP
c. Attribute Name = cdpCachePlatform
d. Operator = Contains
e. Attribute Value = CIVS-IPC
Step 5
Click Submit.
Step 6
Now go to Policy > Profiling > Profiling Policies.
Step 7
Click Create.
a. Name the Policy = MY_IP_Cameras
b. Policy Enabled = Checked
c. Minimum Certainty Factor = 25
d. Exception Action = None
e. Create Matching Identity Group = Enabled (This will be used later in our Authorization Policy)
f. Parent Policy = None
g. Rules:
   i. If Condition Cisco-DeviceRule1Check1 Then Certainty Factor Increases 10
   ii. If Condition cdpIPCAMERA Then Certainty Factor Increases 25
Step 8
Click Submit.
Step 9
Go to Administration > Identity Management > Groups > Endpoint Identity Groups and verify the new Identity Group = MY_IP_Cameras.
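To make the certainty-factor arithmetic behind the MY_IP_Cameras policy concrete, the following is an added Python model written for this page (not ISE's profiling engine) that evaluates the cdpIPCAMERA condition and the two policy rules above against endpoint attribute sets. It assumes, for illustration only, that the built-in Cisco-DeviceRule1Check1 condition is an "OUI contains Cisco" check, and its policy-selection and tie-breaking rules are a simplification of how ISE chooses among matching policies. The endpoint attribute sets in it are constructed.

```python
"""Added example: a small model of ISE profiling-policy evaluation by certainty
factor (CF), using the condition and policy defined in this exercise.
Not ISE code; the evaluation rules are a simplification for illustration."""

# Condition operators modelled here (ISE offers more).
OPERATORS = {
    "Equals": lambda actual, value: actual == value,
    "Contains": lambda actual, value: value in actual,
    "StartsWith": lambda actual, value: actual.startswith(value),
}

# name -> (attribute, operator, value). cdpIPCAMERA is the lab's condition;
# Cisco-DeviceRule1Check1 is ASSUMED here to be an "OUI contains Cisco" check.
CONDITIONS = {
    "Cisco-DeviceRule1Check1": ("OUI", "Contains", "Cisco"),
    "cdpIPCAMERA": ("cdpCachePlatform", "Contains", "CIVS-IPC"),
}

# name -> (minimum CF, [(condition, CF increase)])
POLICIES = {
    "Cisco-Device": (10, [("Cisco-DeviceRule1Check1", 10)]),
    "MY_IP_Cameras": (25, [("Cisco-DeviceRule1Check1", 10),
                           ("cdpIPCAMERA", 25)]),
}


def condition_matches(name, attrs):
    """Evaluate one named condition against an endpoint's attribute dict."""
    attribute, op, value = CONDITIONS[name]
    actual = attrs.get(attribute)
    return actual is not None and OPERATORS[op](actual, value)


def matched_rules(policy, attrs):
    """Rules of `policy` whose condition matches, as (condition, CF) pairs."""
    _, rules = POLICIES[policy]
    return [(cond, cf) for cond, cf in rules if condition_matches(cond, attrs)]


def certainty_factor(policy, attrs):
    """Sum of the CF increases of every matching rule."""
    return sum(cf for _, cf in matched_rules(policy, attrs))


def profile(attrs):
    """(policy, CF) for the endpoint: among policies whose CF reaches their
    minimum, the highest CF wins; on a tie the later-defined policy wins."""
    best = ("Unknown", 0)
    for name, (minimum, _) in POLICIES.items():
        cf = certainty_factor(name, attrs)
        if cf >= minimum and cf >= best[1]:
            best = (name, cf)
    return best


# Constructed endpoints: the lab's IP camera, a Cisco switch neighbour, and a
# PC with no Cisco attributes at all.
CAMERA = {"OUI": "Cisco Systems", "cdpCachePlatform": "CIVS-IPC-4500"}
SWITCH = {"OUI": "Cisco Systems", "cdpCachePlatform": "cisco WS-C3560X-24"}
PC = {"OUI": "Dell Inc", "dhcp-class-identifier": "MSFT 5.0"}

if __name__ == "__main__":
    for label, ep in (("camera", CAMERA), ("switch", SWITCH), ("pc", PC)):
        print(label, profile(ep), matched_rules("MY_IP_Cameras", ep))
```

With the minimum CF at 25, an endpoint that matches only the cdpIPCAMERA rule (CF 25) still lands in MY_IP_Cameras, while one that matches only the OUI rule (CF 10) stays in Cisco-Device; raising the minimum to 35 would require both attributes to agree before the endpoint joins the MY_IP_Cameras identity group that the authorization rule permits.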
Step 10
Create an Authorization Policy rule with the following settings:
a. Rule Name = Profiled IP_Cameras
b. Identity Groups = MY_IP_Cameras
c. Other Conditions = None
d. Permissions = PermitAccess
Step 12
Click Save.
Step 13
Verify you have a default Authentication rule for MAB. This is crucial in making sure the MAB authentication is matched and you are using the Internal Endpoints as the Identity store. Profiler Endpoints are stored in this Identity Store.
a. Go to Policy > Authentication.
b. The MAB authentication rule states: If a Wired_MAB [Radius:Service-Type=10 (Call Check) and Radius:NAS-Port-Type=15 (Ethernet)] request is matched and has the allowed Protocols defined in the Default Network Access policy, then use Internal Endpoints as the Identity Store.
Step 14
Go to the 3k-access switch and bounce interface Gi0/2 by using shut / no shut.
Step 15
Verify the MAB request was successful and the device was Authorized under the Profiled IP
Step 16
Click on the details icon to get more detailed information. There are details worth pointing out based on the configurations:
a. Authentication Method = MAB
b. Username = MAC address of your device
c. NAS Port ID = the port the device is connected to
d. Service Type = Call Check
e. Identity Store = Internal Endpoints
f. Identity Group = Profiled:MY_IP_Cameras
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 5: Verify IP Phone default Policy
Exercise Objective
In this exercise, your goal is to verify the IP Phone has been successfully authenticated and authorized by ISE. With ISE there is a pre-configured Authorization Policy for Cisco IP Phones for convenience.

  *Apr 22 15:00:14.654: %AUTHMGR-5-START: Starting 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
  *Apr 22 15:00:14.914: %MAB-5-SUCCESS: Authentication successful for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
  *Apr 22 15:00:14.914: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
  *Apr 22 15:00:15.954: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0

Step 3
Verify the Authentication and Authorization was successful on the switch.
Step 4
On the 3k-access switch, enter the command show authentication sessions interface Gi0/1.
  3k-access# sh authentication sessions int Gi0/1
              Interface:  GigabitEthernet0/1
            MAC Address:  1c17.d341.d18b
             IP Address:  Unknown
              User-Name:  1C-17-D3-41-D1-8B
                 Status:
                 Domain:
        Security Policy:
        Security Status:
         Oper host mode:
       Oper control dir:
          Authorized By:  Authentication Server
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4d269051
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0164010000002A24BB3A47
        Acct Session ID:  0x0000002B
                 Handle:  0x1D00002A
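The following is an added example, written for this page and not taken from the lab or from Cisco, that reduces AUTHMGR/MAB syslog lines like the ones above into a per-session outcome, so that a MAB session that started on any port but never reached authorization stands out without reading every line. Its log is constructed: the first four lines mirror the IP phone output above, and a fifth line for the camera on Gi0/2 (MAC and session ID taken from the Lab Exercise 2 output, timestamp made up) is included so that an incomplete session appears.

```python
"""Added example: correlate IOS AUTHMGR/MAB/DOT1X syslog messages into
per-session outcomes keyed by AuditSessionID. Not Cisco or ISE code."""
import re

# Constructed sample: the IP phone on Gi0/1 completes MAB and authorization;
# a second client on Gi0/2 starts MAB but never reports success.
SAMPLE_LOG = """\
*Apr 22 15:00:14.654: %AUTHMGR-5-START: Starting 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
*Apr 22 15:00:14.914: %MAB-5-SUCCESS: Authentication successful for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
*Apr 22 15:00:14.914: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
*Apr 22 15:00:15.954: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1c17.d341.d18b) on Interface Gi0/1 AuditSessionID 0A0164010000001E0F026AA0
*Apr 22 15:00:20.101: %AUTHMGR-5-START: Starting 'mab' for client (001e.e599.fc5b) on Interface Gi0/2 AuditSessionID 0A0164010000000F04A3DB09
"""

# Facility, severity and mnemonic, then the client MAC, port and session id
# that every AUTHMGR/MAB/DOT1X session message carries.
LINE_RE = re.compile(
    r"%(?P<facility>AUTHMGR|MAB|DOT1X)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+)\s*: "
    r"(?P<text>.*?)client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<iface>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
METHOD_RE = re.compile(r"'(\w+)'")   # the quoted method in "Starting 'mab'"


def parse_events(log):
    """Yield one dict per recognised session message; other lines are skip."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def session_outcomes(log):
    """Reduce events to {AuditSessionID: state}, where state records the
    client MAC, port, method and whether authentication and authorization
    succeeded or a failure was logged."""
    sessions = {}
    for ev in parse_events(log):
        s = sessions.setdefault(ev["sid"], {
            "mac": ev["mac"], "iface": ev["iface"], "method": None,
            "authenticated": False, "authorized": False, "failed": False})
        key = (ev["facility"], ev["mnemonic"])
        if key == ("AUTHMGR", "START"):
            m = METHOD_RE.search(ev["text"])
            s["method"] = m.group(1) if m else None
        elif key in (("MAB", "SUCCESS"), ("DOT1X", "SUCCESS")):
            s["authenticated"] = True
        elif key == ("AUTHMGR", "SUCCESS"):
            s["authorized"] = True
        elif ev["mnemonic"] == "FAIL":
            s["failed"] = True
    return sessions


def incomplete_sessions(log):
    """Session ids that started but were not both authenticated and authorized."""
    return sorted(sid for sid, s in session_outcomes(log).items()
                  if not (s["authenticated"] and s["authorized"]))


if __name__ == "__main__":
    for sid, state in session_outcomes(SAMPLE_LOG).items():
        print(sid, state)
    print("incomplete:", incomplete_sessions(SAMPLE_LOG))
```

Keyed on the AuditSessionID rather than the MAC, the summary lines up directly with the Common Session ID shown by `show authentication sessions` and with the audit-session-id ISE records, which is what you need when the same MAC appears on more than one port.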
Step 5
Log into the ISE GUI and verify the Authentication. Go to Monitor > Authentications.
Step 6
Click on the MAC address for the IP Phone connected to Gi0/1.
Step 7
Look into the details of the authentication and authentication result to verify the details of the default permissions.
Step 8
Notice the cisco-av-pair=device-traffic-class=voice which tells the switch this MAC
Note:
The IP Phone Authorization Profile details can be found here: Policy > Policy Elements > Results > Authorization Profiles > Cisco_IP_Phones
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 6: Logging and Reporting
Exercise Objective
In this exercise you enable debug logging and generate a Profiled endpoint report.
Step 1
Go to Monitor > Reports > Catalog > Endpoint. Click on the Endpoint Profiler Summary. You can run a report from the last 30 minutes to the last 30 days.
Step 2
You will get the output of the endpoints logged for the day and the Policy the endpoint has been profiled into.
Step 3
You can enable Profiler Log collection at Debug level for advanced troubleshooting.
a. Go to Administration > System > Logging > Debug Log Configuration.
b. Select ise-1 from the right pane.
c. Scroll down the list and click on the Profiler radio button.
d. Click on the current log setting to display a drop-down list.
e. Set the Log setting to DEBUG.
f. Click Save.
Step 4
To display the debug logs go to Monitor > Troubleshoot > Download Logs > ISE-1. Under the Debug log type select profiler.log.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
CDP Information
cdpCacheVersion
cdpCacheNativeVLAN
cdpCacheDevicePort
MACAddress
cdpCacheLastChange
cdpCacheAddressType
cdpCacheDeviceId
cdpCacheAddress
cdpCachePlatform
cdpCacheCapabilities
cdpCacheDuplex
CISCO-AUTH-FRAMEWORK-MIB
cafSessionAuthorizedBy
cafSessionAuthUserName
cafSessionAuthVlan
cafSessionClientMacAddress
cafSessionDomain
cafSessionStatus
VlanName
DHCP Attributes
Any attribute parsed out of the DHCP traffic will be mapped into an endpoint attribute. For a list of possible attributes see: http://www.iana.org/assignments/bootp-dhcp-parameters/
HTTP User Agent
The browser user agent as well as any HTTP attributes present will be captured and added to the endpoint to add to the profiling capability. For a full list of possible attributes see: http://www.rfc-editor.org/rfc/rfc2616.txt
DNS Probe
Upon endpoint creation, a DNS lookup will try to determine the endpoint's FQDN. A new attribute, FQDN, will be added to the endpoint. Reverse DNS lookup will be done only when an endpoint detected by the DHCP, RADIUS and SNMP probes contains the following attributes. This means that, for DNS lookup, at least one of the following probes needs to be started along with the DNS probe.
DHCP IP Helper, DHCP SPAN: dhcp-requested-address
RADIUS Probe: Framed-IP-Address
SNMP Probe: cdpCacheAddress
HTTP Probe: Source IP
Radius Attributes
We will be collecting and assigning to endpoints RADIUS attributes from both the request and the response. For a list of RADIUS attributes, see the RFCs defined at http://en.wikipedia.org/wiki/RADIUS.
Netflow Attributes
We will be collecting any and all attributes sent through NetFlow. Please consult http://www.faqs.org/rfcs/rfc3954.html for details on NetFlow attributes. Here is a sample:
IN_BYTES IN_PKTS FLOWS PROTOCOL TOS TCP_FLAGS L4_SRC_PORT IPV4_SRC_ADDR SRC_MASK L4_DST_PORT IPV4_DST_ADDR DST_MASK
IPV4_NEXT_HOP LAST_SWITCHED FIRST_SWITCHED OUT_BYTES OUT_PKTS IPV6_SRC_ADDR IPV6_DST_ADDR IPV6_SRC_MASK IPV6_DST_MASK
IPV6_FLOW_LABEL ICMP_TYPE DST_TOS SRC_MAC DST_MAC SRC_VLAN DST_VLAN IP_PROTOCOL_VERSION DIRECTION
End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.