Client Device Profiling with a Cisco WLC

Client Device Profiling using Cisco WLC Device Sensor Feature


What is Profiling?

Device profiling is popular because it is a practical way to drive network segmentation automatically rather than by hand.

Instead of manually classifying devices by MAC address or other unique features, profiling identifies end devices automatically, either passively by snooping the traffic they already send, or actively by probing them.

Profiling allows devices to be placed in certain VLANs or have certain ACLs applied, according to their profiles - so you have a dynamic way to classify and place a device in the relevant VLAN.

Another benefit of client profiling is the extra detail it adds to the client session, which helps both operational visibility and policy control. For example, it lets an operator see how many iPhone, Android and Windows devices are active on the network. The device hostname is another handy attribute when troubleshooting.

Cisco 8540 WLC

Profiling for Free - Cisco Device Sensor

A number of Cisco products can inspect client traffic and map additional characteristics to the client MAC address. Cisco calls this feature 'Device Sensor'. On the wireless controller it performs DHCP and HTTP inspection, and a number of Cisco switches offer the same capability.

Going back to AireOS 7.4, Cisco WLCs gained a basic form of client device profiling that goes beyond simply interpreting the device's MAC OUI (Organizationally Unique Identifier). The OUI tells you the network adapter's manufacturer, but it doesn't tell the complete story.

Enabling DHCP / HTTP Profiling

From the controller, open the WLANs menu, edit the WLAN and select the Advanced tab. The tab has a Local Client Profiling section and a Radius Client Profiling section: the first keeps the gleaned data on the WLC, the second forwards it to ISE. Enable both DHCP Profiling and HTTP Profiling in the section you need, as shown below:



Assuming that clients use DHCP, the WLC can glean the hostname (option 12), the vendor class (option 60) and the order of the parameter request list (option 55) from the client's DHCP Discover and Request messages, along with the IP address it is eventually leased, and it uses these to guess the operating system. In addition, if the client sends cleartext HTTP traffic, the User-Agent header in those requests reveals a bit more about the client's operating system and browser. Note that this only works for plain HTTP: with HTTPS the headers sit inside the encrypted TLS session, so the controller cannot read them.
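To make concrete what the controller actually reads, here is an added example (not Cisco's implementation) of the two inspections described above: it pulls hostname, vendor class and option-55 order out of a DHCP Discover, and the User-Agent out of a cleartext HTTP request, and shows that a TLS ClientHello yields nothing. The DHCP Discover, the HTTP request, the TLS record and the option-55 signature table are all constructed for illustration; the signature table is not Cisco's profile database.

```python
"""Toy Device Sensor: extract the attributes a Cisco WLC gleans from a
client's DHCP Discover and cleartext HTTP request.
Added example, not Cisco's implementation. The option-55 signature table
is constructed for illustration and is not Cisco's profile database."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"

# Constructed, illustrative signatures keyed on option 55 (Parameter Request List) order
OPTION55_SIGNATURES = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows",
    "1,121,3,6,15,119,252": "Apple iOS/macOS",
    "1,3,6,15,26,28,51,58,59,43": "Android",
}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP message (options start at byte 240)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dhcp_fingerprint(payload: bytes) -> dict:
    """What the DHCP side of the sensor learns: hostname, vendor class, option-55 order."""
    opts = parse_dhcp_options(payload)
    prl = ",".join(str(b) for b in opts.get(55, b""))
    return {
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
        "param_request_list": prl or None,
        "os_guess": OPTION55_SIGNATURES.get(prl, "Unknown"),
    }


def http_user_agent(payload: bytes):
    """User-Agent from a cleartext HTTP request. Returns None for anything else,
    including a TLS record (first byte 0x16 = handshake), because with HTTPS
    the header is inside the encrypted session and cannot be read."""
    if not payload or payload[0] == 0x16:
        return None
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            return value.strip().decode("ascii", "replace")
    return None


def os_from_user_agent(ua):
    """Coarse OS classification from the User-Agent string (illustrative needles)."""
    if not ua:
        return None
    ua_l = ua.lower()
    for needle, name in (("iphone", "iOS"), ("ipad", "iOS"), ("android", "Android"),
                         ("windows nt", "Windows"), ("mac os x", "macOS"), ("linux", "Linux")):
        if needle in ua_l:
            return name
    return "Unknown"


def build_dhcp_discover(mac: bytes, hostname: str, vendor_class: str, prl: list) -> bytes:
    """Constructed DHCP Discover used as sample input (not a real capture)."""
    # op, htype, hlen, hops, xid, secs, flags(broadcast), ciaddr, yiaddr, siaddr, giaddr
    hdr = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    hdr += mac.ljust(16, b"\0") + bytes(64) + bytes(128) + DHCP_MAGIC
    opt = lambda code, val: bytes([code, len(val)]) + val
    return (hdr + opt(53, b"\x01") + opt(61, b"\x01" + mac) + opt(12, hostname.encode())
            + opt(60, vendor_class.encode()) + opt(55, bytes(prl)) + b"\xff")


SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_DISCOVER = build_dhcp_discover(SAMPLE_MAC, "ALICE-LAPTOP", "MSFT 5.0",
                                      [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])
SAMPLE_HTTP = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n")
SAMPLE_TLS = bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00"   # truncated ClientHello record


def profile(dhcp_payload: bytes, first_tcp_payload: bytes) -> dict:
    """Combine both inspections into the per-client record the sensor would keep."""
    record = dhcp_fingerprint(dhcp_payload)
    ua = http_user_agent(first_tcp_payload)
    record["user_agent"] = ua
    record["os_from_http"] = os_from_user_agent(ua)
    return record


if __name__ == "__main__":
    print(profile(SAMPLE_DISCOVER, SAMPLE_HTTP))
    print(profile(SAMPLE_DISCOVER, SAMPLE_TLS))   # HTTP-derived fields come back None
```

Run it and compare the two records: the DHCP-derived fields are identical, but only the cleartext HTTP client yields a User-Agent, which is why HTTP profiling on the controller tells you less and less as clients move to HTTPS.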

This data can be kept local to the WLC and displayed in its GUI. Alternatively, it can be sent to Cisco ISE as Cisco AV pairs in RADIUS Accounting Interim-Update messages, so that ISE can enrich its endpoint database with these client attributes. The more information ISE has about the client, the more targeted its policies can be, ensuring that the device receives the correct treatment.
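As an added example of the transport described above (not WLC or ISE code), the block below builds a RADIUS Accounting-Request of type Interim-Update that carries the sensed attributes as Cisco AV pairs, and then performs the check the receiving server does on the Request Authenticator. The packet layout and authenticator follow RFC 2866; the text format of the AV-pair values, the shared secret, the session ID and the client attributes are assumed and constructed for illustration.

```python
"""RADIUS Accounting-Request (Interim-Update) carrying Device Sensor data as
Cisco AV pairs, plus the receiver-side authenticator check.
Added example, not WLC or ISE code. Packet layout and the Request
Authenticator follow RFC 2866; the AV-pair text syntax and all sample
values are assumed / constructed for illustration."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, CALLING_STATION_ID, VENDOR_SPECIFIC = 1, 31, 26
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_STATUS_INTERIM_UPDATE = 3
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor type 1 = cisco-av-pair


def avp(attr_type: int, value: bytes) -> bytes:
    """Generic RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id 9 and vendor type 1."""
    data = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def device_sensor_attrs(mac: str, hostname: str, vendor_class: str, user_agent: str) -> bytes:
    """Session identity plus the sensed attributes (AV-pair syntax is assumed)."""
    return b"".join([
        avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE)),
        avp(ACCT_SESSION_ID, b"0a0000010000002a"),          # constructed
        avp(USER_NAME, b"alice"),                           # constructed
        avp(CALLING_STATION_ID, mac.encode()),
        cisco_avpair(f"dhcp-option=host-name={hostname}"),
        cisco_avpair(f"dhcp-option=vendor-class-identifier={vendor_class}"),
        cisco_avpair(f"http-tlv=user-agent={user_agent}"),
    ])


def build_accounting_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length | 16 zero octets | Attributes | Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(secret: bytes, packet: bytes) -> bool:
    """Receiver's check: recompute the authenticator with its own copy of the
    shared secret. Without the secret a host cannot inject sensor data."""
    if len(packet) < 20:
        return False
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    (length,) = struct.unpack("!H", header[2:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def parse_avpairs(packet: bytes) -> list:
    """Walk the attribute list and return the cisco-av-pair strings."""
    out, i = [], 20
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2:
            break
        value = packet[i + 2:i + l]
        if (t == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID)
                and value[4] == CISCO_AVPAIR):
            out.append(value[6:4 + value[5]].decode())
        i += l
    return out


SECRET = b"constructed-shared-secret"      # constructed, not a real deployment value
SAMPLE_PACKET = build_accounting_request(
    SECRET, 0x2A,
    device_sensor_attrs("00-11-22-33-44-55", "ALICE-LAPTOP", "MSFT 5.0",
                        "Mozilla/5.0 (Windows NT 10.0)"))

if __name__ == "__main__":
    print(verify_accounting_request(SECRET, SAMPLE_PACKET))
    print(parse_avpairs(SAMPLE_PACKET))
```

The authenticator is the only thing binding the sensor data to the controller, which is why a weak or widely shared RADIUS secret lets anyone on the management path feed ISE a fabricated hostname or vendor class for a client.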

It should be noted that ISE requires a Plus license in order to process and display profiling data. Without a Plus license the Profiling menu options will not be available.

The act of profiling itself does not consume any licenses. A Plus license is only consumed when a Policy Set Authorization Rule that uses profiling data matches and returns an Authorization Profile. Even with the bare minimum of 100 Plus licenses installed, the ISE Profiling Probes are available on all Policy Nodes.


ISE can perform client profiling using a variety of Probes that run on the Policy Nodes, but if the WLC is already performing this role there is no need for ISE to repeat the work. Where the Device Sensor can be used, it does the job of two ISE Probes (the DHCP and HTTP probes). It is also the more efficient way to collect this data: the DHCP probe needs a copy of the client's DHCP traffic relayed to the Policy Node (typically an extra ip helper-address), and the HTTP probe needs the traffic mirrored or redirected to it, whereas the Device Sensor simply adds the attributes to the RADIUS accounting the WLC is already sending.

Conclusion

ISE can make use of profiling information in various ways:

  • Better visibility by centralising all of the data into ISE dashboards and reports. Below is an example of the ISE Context Visibility where devices were profiled using the Device Sensor in Cisco Switches and Wireless Controllers.
  • Better Network Access Control by changing authorization of client sessions based on profiling data

If you need assistance with your Cisco ISE / Cisco Wi-Fi installation, drop us a line at sales@iptel.com.au

© IPTel Solutions