瞭解ISE 3.3上適用於終端分類的Wifi分析

下載選項

  • PDF     (2.1 MB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (1.7 MB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (1.2 MB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2023 年 10 月 5 日
文件 ID:221050

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本檔案說明WiFi Analytics for Endpoint Classification的工作方式。本章還介紹了如何配置、驗證和排除故障。

    必要條件

    需求

    思科建議您瞭解以下主題:

    • 9800無線LAN控制器(WLC)配置
    • 身份服務引擎(ISE)配置
    • RADIUS 驗證.授權和記帳(AAA)封包流程和術語

    本文檔假定已有一個正在工作的WLAN對使用ISE作為RADIUS伺服器的客戶端進行身份驗證。

    此功能若要運作,至少必須具備:

    • 9800 WLC Cisco IOS® XE都柏林17.10.1 
    • 辨識服務引擎v3.3。
    • 802.11ac Wave2或802.11ax (Wi-Fi 6/6E)存取點

    採用元件

    本文中的資訊係根據以下軟體和硬體版本:

    • 9800 WLC Cisco IOSXE v17.12.x
    • 身分辨識服務引擎(ISE) v3.3
    • Android 13裝置

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    背景資訊

    透過WiFi裝置分析,Cisco 9800 WLC可以從連線到此裝置的一組終端瞭解屬性(例如型號和作業系統版本),並與ISE共用這些屬性。然後,ISE可以將此資訊用於終端分類(也稱為分析)。

    目前,以下廠商支援WiFi分析:

    • 蘋果
    • Intel
    • 三星

    WLC使用RADIUS記帳資料包與ISE伺服器共用屬性資訊。WiFi分析資料流WiFi分析資料流

    請務必記住,RADIUS AAA流上的RADIUS記帳資料包僅在RADIUS伺服器傳送RADIUS Access-Accept資料包作為對終端身份驗證嘗試的應答之後傳送。換句話說,只有在RADIUS伺服器(ISE)和網路訪問裝置(WLC)之間建立了該終端的RADIUS會話後,WLC才會共用該終端屬性資訊。

    以下是ISE可用於終端分類和授權的所有屬性:

    • DEVICE_INFO_FIRMWARE_VERSION
    • DEVICE_INFO_HW_MODEL
    • 裝置_資訊_製造商_模型
    • DEVICE_INFO_MODEL_NAME
    • DEVICE_INFO_MODEL_NUM
    • 裝置_資訊_作業系統_版本
    • DEVICE_INFO_VENDOR_TYPE
    附註圖示

    注意:WLC可以根據連線的終端型別傳送更多屬性,但只有列出的屬性可用於在ISE中建立授權策略。

    一旦ISE收到記帳資料包,它可以在其中處理和使用此分析資料,並使用它來重新分配終端配置檔案/身份組。

    WiFi Endpoint Analytics屬性列在WiFi_Device_Analytics詞典下。網路管理員可以在終端授權策略和條件中包含這些屬性。

    WiFi裝置分析詞典WiFi裝置分析詞典

    如果ISE為終端儲存的當前屬性值發生任何更改,則ISE會啟動授權更改(CoA),允許對終端進行評估,計算更新的屬性。

    設定

    WLC上的配置

    步驟 1.全局啟用裝置分類功能

    導航到Configuration > Wireless > Wireless Global,然後選中Device Classification覈取方塊。 

    裝置分類配置裝置分類配置

    步驟 2.啟用TLV快取和RADIUS分析

    導航到配置>標籤和配置檔案>策略,選擇RADIUS客戶端所連線的WLAN所使用的策略配置檔案

    無線策略選擇無線策略選擇

    按一下Access Policies,然後選中RADIUS Profiling、HTTP TLV CachingDHCP TLV Caching 選項。由於在上一步中執行的操作,裝置分類全局狀態現在將顯示為「已啟用」狀態。 RADIUS分析和快取配置RADIUS分析和快取配置

    登入到WLC CLI並啟用dot11 TLV Accounting

    vimontes-wlc#configure terminal
    vimontes-wlc(config)#wireless profile policy policy-profile-name
    vimontes-wlc(config-wireless-policy)#dot11-tlv-accounting

    附註圖示

    注意:使用此命令之前,必須停用無線策略配置檔案。此命令僅適用於Cisco IOS XE Dublin 17.10.1版及更高版本。

    ISE上的配置 

    步驟 1.在部署中的PSN中啟用分析服務

    導航到管理>部署,然後點選PSN的名稱。

    ISE PSN節點選擇ISE PSN節點選擇

    向下滾動到Policy Service部分並標籤Enable Profiling Service覈取方塊。按一下Save按鈕。

    效能分析工具服務組態效能分析工具服務組態

    步驟 2.在ISE PSN上啟用RADIUS分析探測

    向上滾動到頁面頂部,然後按一下Profiling Configuration頁籤。這會顯示可在ISE上使用的所有分析探測。啟用RADIUS探測,然後按一下儲存

    RADIUS分析探測配置RADIUS分析探測配置

    步驟 3.設定CoA型別和終端屬性篩選器

    導航到管理>系統>設定>分析。將CoA Type設定為Reauth,並確保Endpoint Attribute Filter覈取方塊未選中。

    CoA型別和屬性過濾器配置CoA型別和屬性過濾器配置

    步驟 4.使用WiFi Analytics資料屬性配置授權策略

    導航到策略>策略設定選單,選擇無線網路使用的策略集

    策略集選擇策略集選擇

    點選授權策略並配置授權條件,以包括終端策略WiFi裝置分析詞典屬性。授權策略配置授權策略配置

    驗證

    在ISE GUI上,導航到操作> RADIUS >即時日誌。您可以使用多個欄位來過濾此窗口中的條目並查詢測試終端記錄。

    用於測試終端的ISE即時日誌用於測試終端的ISE即時日誌

    a.初始終端身份驗證請求到達ISE。終端配置檔案欄位為空,因為此會話的記帳資料包此時尚未到達ISE。

    b.CoA從ISE傳送到NAD,因為現在已收到包含終端屬性的記帳資料包。

    c.成功傳送CoA後,終端將重新進行身份驗證。這一次,您可以觀察新的已分配終端配置檔案,並檢視已分配不同的授權結果。

    附註圖示

    注意:CoA資料包的標識欄位始終為空,但終端ID與第一個身份驗證資料包中的終端ID相同。

    按一下位於「Change of Authorization」記錄上的Details列中的圖示

    訪問CoA資料包詳細資訊訪問CoA資料包詳細資訊

    CoA詳細資訊顯示在新的瀏覽器頁籤中。向下滾動到Other Attributes部分。

    CoA源元件顯示為效能分析器。CoA Reason在用於授權策略的終端身份組/策略/邏輯配置檔案中顯示為更改。

    CoA觸發元件和原因CoA觸發元件和原因

    導航到情景可視性>端點>身份驗證頁籤。在此頁籤上,使用過濾器查詢測試端點。 

    點選終端MAC地址以訪問終端屬性

    情景可視性上的端點情景可視性上的端點

    此操作顯示ISE儲存的有關此終端的所有資訊。點選屬性部分,然後選擇其他屬性

    在情景可視性上選擇終結點其他屬性在情景可視性上選擇終結點其他屬性

    向下滾動,直到找到WiFi_Device_Analytics詞典屬性。在此部分找到這些屬性意味著ISE透過記帳資料包成功接收這些屬性,可用於終端分類。

    WiFi分析屬性與情景可視性WiFi分析屬性與情景可視性

    以下是Windows 10和iPhone屬性的示例,供您參考:

    Windows 10終端屬性示例Windows 10終端iPhone終端屬性示例示例iPhone終端屬性示例

    疑難排解

    步驟 1.會計資料包到達ISE

    在WLC CLI上,確保在策略配置檔案配置中啟用DOT11 TLV記帳、DHCP TLV快取HTTP TLV快取

    vimontes-wlc#show running-config | section wireless profile policy policy-profile-name
    wireless profile policy policy-profile-name
     aaa-override
     accounting-list AAA-LIST
     dhcp-tlv-caching
     dot11-tlv-accounting
     http-tlv-caching
     radius-profiling
     no shutdown

    連線終端時,在WLC或ISE端上收集資料包捕獲。您可以使用任何已知的資料包分析工具(如Wireshark)來分析收集的檔案。

    按RADIUS記帳資料包和呼叫站ID(測試終端MAC地址)進行過濾。例如,可以使用以下過濾器: 

    radius.code == 4 && radius.Calling_Station_Id == "xx-xx-xx-xx-xx-xx"

    找到後,展開Cisco-AVPair欄位以查詢Accounting資料包中的WiFi Analytics Data

    記賬資料包中的終端TLV屬性記賬資料包中的終端TLV屬性

    步驟 2.ISE使用終端屬性解析記帳資料包

    在ISE端,可以將這些元件設定為調試級別,以確保所傳送的RADIUS記帳資料包到達ISE並正確處理。

    然後,您可以收集ISE支援捆綁包以收集日誌檔案。有關如何收集支援捆綁的詳細資訊,請參閱相關資訊部分。

    要調試以進行故障排除的元件要調試以進行故障排除的元件

    附註圖示

    :僅在驗證終端的PSN上啟用元件到DEBUG級別。

    在iseLocalStore.log上,記帳-Start消息無需啟用任何元件到調試級別。在這裡,ISE必須看到包含WiFi分析屬性的傳入記帳資料包。

    2023-09-27 18:19:23.600 +00:00 0000035538 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=1493, 
    Device IP Address=172.16.5.169, UserName=bob, NetworkDeviceName=lab-wlc, User-Name=bob, NAS-IP-Address=172.16.5.169, NAS-Port=260613,
    Framed-IP-Address=172.16.5.76, Class=CACS:A90510AC0000005BD7DDDAA7:iselab/484624451/303, Called-Station-ID=00-1e-f6-5c-16-ff, 
    Calling-Station-ID=0a-5a-f0-b3-b5-9c, NAS-Identifier=vimontes-wlc, Acct-Status-Type=Start, Acct-Delay-Time=0, Acct-Session-Id=00000018, 
    Acct-Authentic=Remote, Event-Timestamp=1695838756, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=dc-profile-name=Samsung Galaxy S22+, 
    cisco-av-pair=dc-device-name=Victor-s-S22, cisco-av-pair=dc-device-class-tag=Samsung Galaxy S22+, cisco-av-pair=dc-certainty-metric=40, 
    cisco-av-pair=64:63:2d:6f:70:61:71:75:65:3d:01:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1025, cisco-av-pair=dhcp-option=host-name=Victor-s-S22, 
    cisco-av-pair=dhcp-option=dhcp-class-identifier=android-dhcp-13, cisco-av-pair=dhcp-option=dhcp-parameter-request-list=1\, 3\, 6\, 15\, 26\, 28\, 51\, 58\, 59\, 43\, 114\, 108, 
    cisco-av-pair=dot11-device-info=DEVICE_INFO_MODEL_NUM=Samsung Galaxy S22+, cisco-av-pair=dot11-device-info=DEVICE_INFO_FIRMWARE_VERSION=WH6, 
    cisco-av-pair=dot11-device-info=DEVICE_INFO_SALES_CODE=MXO, cisco-av-pair=dot11-device-info=DEVICE_INFO_DEVICE_FORM=1, 
    cisco-av-pair=dot11-device-info=DEVICE_INFO_OS_VERSION=Android 13, cisco-av-pair=dot11-device-info=DEVICE_INFO_COUNTRY_CODE=Unknown, 
    cisco-av-pair=dot11-device-info=DEVICE_INFO_VENDOR_TYPE=2, cisco-av-pair=audit-session-id=A90510AC0000005BD7DDDAA7, cisco-av-pair=vlan-id=2606, cisco-av-pair=method=dot1x, 
    cisco-av-pair=cisco-wlan-ssid=VIcSSID, cisco-av-pair=wlan-profile-name=ISE-AAA, Airespace-Wlan-Id=1, AcsSessionID=iselab/484624451/304, SelectedAccessService=Default Network Access, 
    RequestLatency=15, Step=11004, Step=11017, Step=15049, Step=15008, Step=22083, Step=11005, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, 
    NetworkDeviceGroups=Device Type#All Device Types, CPMSessionID=A90510AC0000005BD7DDDAA7, TotalAuthenLatency=15, ClientLatency=0, Network Device Profile=Cisco, Location=Location#All Locations, 
    Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,

    在prrt-server.log上,ISE解析收到的記帳資料包系統日誌消息,包括WiFi Analytics屬性。使用CallingStationIDCPMSessionID欄位確保跟蹤正確的會話和終端。 

    Radius,2023-09-27 18:19:23,586,DEBUG,0x7f50a2b67700,cntx=0000192474,sesn=iselab/484624451/304,
    CPMSessionID=A90510AC0000005BD7DDDAA7,CallingStationID=0a-5a-f0-b3-b5-9c,FramedIPAddress=172.16.5.76,RADIUS PACKET:: 
    Code=4(AccountingRequest) Identifier=39 Length=934  [1] User-Name - value: [bob] [4] NAS-IP-Address - value: [172.16.5.169] [5] NAS-Port - value: [260613] [8] Framed-IP-Address - value: [172.16.5.76] [25] Class - value: [****] [30] Called-Station-ID - value: [00-1e-f6-5c-16-ff] [31] Calling-Station-ID - value: [0a-5a-f0-b3-b5-9c] [32] NAS-Identifier - value: [vimontes-wlc] [40] Acct-Status-Type - value: [Start] [41] Acct-Delay-Time - value: [0] [44] Acct-Session-Id - value: [00000018] [45] Acct-Authentic - value: [Remote] [55] Event-Timestamp - value: [1695838756] [61] NAS-Port-Type - value: [Wireless - IEEE 802.11] [26] cisco-av-pair - value: [dc-profile-name=Samsung Galaxy S22+] [26] cisco-av-pair - value: [dc-device-name=Victor-s-S22] [26] cisco-av-pair - value: [dc-device-class-tag=Samsung Galaxy S22+] [26] cisco-av-pair - value: [dc-certainty-metric=40] [26] cisco-av-pair - value: [dc-opaque=<01><00><00><00><00><00><00><00><00><00><00><00>] [26] cisco-av-pair - value: [dc-protocol-map=1025] [26] cisco-av-pair - value: [dhcp-option=<00><0c><00><0c>Victor-s-S22] [26] cisco-av-pair - value: [dhcp-option=<00><<00><0f>android-dhcp-13] [26] cisco-av-pair - value: [dhcp-option=<00>7<00><0c><01><03><06><0f><1a><1c>3:;+rl] [26] cisco-av-pair - value: [dot11-device-info=<00><00><00><13>Samsung Galaxy S22+] [26] cisco-av-pair - value: [dot11-device-info=<00><01><00><03>WH6] [26] cisco-av-pair - value: [dot11-device-info=<00><02><00><03>MXO] [26] cisco-av-pair - value: [dot11-device-info=<00><03><00><01>1] [26] cisco-av-pair - value: [dot11-device-info=<00><04><00> Android 13] [26] cisco-av-pair - value: [dot11-device-info=<00><05><00><07>Unknown] [26] cisco-av-pair - value: [dot11-device-info=<00> <00><01>2] [26] cisco-av-pair - value: [audit-session-id=A90510AC0000005BD7DDDAA7] [26] cisco-av-pair - value: [vlan-id=2606] [26] cisco-av-pair - value: [method=dot1x] [26] cisco-av-pair - value: [cisco-wlan-ssid=VIcSSID] [26] cisco-av-pair - value: [wlan-profile-name=ISE-AAA] [26] Airespace-Wlan-Id - value: [<00><00><00><01>] ,RADIUSHandler.cpp:2453

    步驟 3.終端屬性已更新且終端已分類

    然後,此系統日誌消息將與Profiler元件共用。Profiler.log接收經過解析的系統日誌消息並提取終端屬性。

    2023-09-27 18:19:23,601 DEBUG [SyslogListenerThread][[]] cisco.profiler.probes.radius.SyslogMonitor -:::::- Radius Packet Received 1266 2023-09-27 18:19:23,601 DEBUG [SyslogListenerThread][[]] cisco.profiler.probes.radius.SyslogDefragmenter -:::::- parseHeader inBuffer=<181>Sep 27 18:19:23 iselab 
    CISE_RADIUS_Accounting 0000000297 3 0 2023-09-27 18:19:23.600 +00:00 0000035538 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=1493, Device IP Address=172.16.5.169, 
    UserName=bob, NetworkDeviceName=lab-wlc, User-Name=bob, NAS-IP-Address=172.16.5.169, NAS-Port=260613, Framed-IP-Address=172.16.5.76, Class=CACS:A90510AC0000005BD7DDDAA7:iselab/484624451/303, 
    Called-Station-ID=00-1e-f6-5c-16-ff, Calling-Station-ID=0a-5a-f0-b3-b5-9c, NAS-Identifier=vimontes-wlc, Acct-Status-Type=Start, Acct-Delay-Time=0, Acct-Session-Id=00000018, Acct-Authentic=Remote, 
    Event-Timestamp=1695838756, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=dc-profile-name=Samsung Galaxy S22+, cisco-av-pair=dc-device-name=Victor-s-S22, 
    cisco-av-pair=dc-device-class-tag=Samsung Galaxy S22+, cisco-av-pair=dc-certainty-metric=40, 
    cisco-av-pair=64:63:2d:6f:70:61:71:75:65:3d:01:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1025, 2023-09-27 18:19:23,601 DEBUG [SyslogListenerThread][[]] cisco.profiler.probes.radius.SyslogMonitor -:::::- Radius Packet Received 1267 2023-09-27 18:19:23,601 DEBUG [SyslogListenerThread][[]] cisco.profiler.probes.radius.SyslogDefragmenter -:::::- parseHeader inBuffer=<181>Sep 27 18:19:23 iselab CISE_RADIUS_Accounting 0000000297 3 1 
    cisco-av-pair=dhcp-option=host-name=Victor-s-S22, cisco-av-pair=dhcp-option=dhcp-class-identifier=android-dhcp-13, cisco-av-pair=dhcp-option=dhcp-parameter-request-list=1\, 3\, 6\, 15\, 26\, 28\, 51\, 58\, 59\, 43\, 114\, 108, 
    cisco-av-pair=dot11-device-info=DEVICE_INFO_MODEL_NUM=Samsung Galaxy S22+, cisco-av-pair=dot11-device-info=DEVICE_INFO_FIRMWARE_VERSION=WH6, cisco-av-pair=dot11-device-info=DEVICE_INFO_SALES_CODE=MXO, 
    cisco-av-pair=dot11-device-info=DEVICE_INFO_DEVICE_FORM=1, cisco-av-pair=dot11-device-info=DEVICE_INFO_OS_VERSION=Android 13, cisco-av-pair=dot11-device-info=DEVICE_INFO_COUNTRY_CODE=Unknown, 
    cisco-av-pair=dot11-device-info=DEVICE_INFO_VENDOR_TYPE=2, cisco-av-pair=audit-session-id=A90510AC0000005BD7DDDAA7, cisco-av-pair=vlan-id=2606, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=VIcSSID, 
    cisco-av-pair=wlan-profile-name=ISE-AAA, Airespace-Wlan-Id=1, AcsSessionID=iselab/484624451/304,

    終端屬性資訊已更新。

    2023-09-27 18:19:23,602 DEBUG [RADIUSParser-1-thread-2][[]] cisco.profiler.probes.radius.RadiusParser -:A90510AC0000005BD7DDDAA7::::- Device Analytics data 1: DEVICE_INFO_FIRMWARE_VERSION=[WH6] 2023-09-27 18:19:23,602 DEBUG [RADIUSParser-1-thread-2][[]] cisco.profiler.probes.radius.RadiusParser -:A90510AC0000005BD7DDDAA7::::- Device Analytics data 1: DEVICE_INFO_SALES_CODE=[MXO] 2023-09-27 18:19:23,602 DEBUG [RADIUSParser-1-thread-2][[]] cisco.profiler.probes.radius.RadiusParser -:A90510AC0000005BD7DDDAA7::::- Device Analytics data 1: DEVICE_INFO_DEVICE_FORM=[1] 2023-09-27 18:19:23,602 DEBUG [RADIUSParser-1-thread-2][[]] cisco.profiler.probes.radius.RadiusParser -:A90510AC0000005BD7DDDAA7::::- Device Analytics data 1: DEVICE_INFO_OS_VERSION=[Android 13] 2023-09-27 18:19:23,602 DEBUG [RADIUSParser-1-thread-2][[]] cisco.profiler.probes.radius.RadiusParser -:A90510AC0000005BD7DDDAA7::::- Device Analytics data 1: DEVICE_INFO_COUNTRY_CODE=[Unknown] 2023-09-27 18:19:23,602 DEBUG [RADIUSParser-1-thread-2][[]] cisco.profiler.probes.radius.RadiusParser -:A90510AC0000005BD7DDDAA7::::- Device Analytics data 1: DEVICE_INFO_VENDOR_TYPE=[2]
    2023-09-27 18:19:23,602 DEBUG [RADIUSParser-1-thread-2][[]] cisco.profiler.probes.radius.RadiusParser -:A90510AC0000005BD7DDDAA7::::- Endpoint: EndPoint[id=,name=] MAC: 0A:5A:F0:B3:B5:9C Attribute:AAA-Server value:iselab Attribute:Acct-Authentic value:Remote Attribute:Acct-Delay-Time value:0 Attribute:Acct-Session-Id value:00000018 Attribute:Acct-Status-Type value:Start Attribute:AcsSessionID value:iselab/484624451/304 Attribute:Airespace-Wlan-Id value:1 Attribute:BYODRegistration value:Unknown Attribute:CPMSessionID value:A90510AC0000005BD7DDDAA7 Attribute:Called-Station-ID value:00-1e-f6-5c-16-ff Attribute:Calling-Station-ID value:0a-5a-f0-b3-b5-9c Attribute:Class value:CACS:A90510AC0000005BD7DDDAA7:iselab/484624451/303 Attribute:ClientLatency value:0 Attribute:DEVICE_INFO_COUNTRY_CODE value:Unknown Attribute:DEVICE_INFO_DEVICE_FORM value:PHONE Attribute:DEVICE_INFO_FIRMWARE_VERSION value:WH6 Attribute:DEVICE_INFO_MODEL_NUM value:Samsung Galaxy S22+ Attribute:DEVICE_INFO_OS_VERSION value:Android 13 Attribute:DEVICE_INFO_SALES_CODE value:MXO Attribute:DEVICE_INFO_VENDOR_TYPE value:SAMSUNG Attribute:Device IP Address value:172.16.5.169 Attribute:Device Type value:Device Type#All Device Types Attribute:DeviceRegistrationStatus value:NotRegistered Attribute:EndPointPolicy value:Unknown Attribute:EndPointPolicyID value: Attribute:EndPointSource value:RADIUS Probe Attribute:Event-Timestamp value:1695838756 Attribute:Framed-IP-Address value:172.16.5.76 Attribute:IPSEC value:IPSEC#Is IPSEC Device#No Attribute:Location value:Location#All Locations Attribute:MACAddress value:0A:5A:F0:B3:B5:9C Attribute:MatchedPolicy value:Unknown Attribute:MatchedPolicyID value: Attribute:MessageCode value:3000 Attribute:NAS-IP-Address value:172.16.5.169 Attribute:NAS-Identifier value:vimontes-wlc Attribute:NAS-Port value:260613 Attribute:NAS-Port-Type value:Wireless - IEEE 802.11 Attribute:Network Device Profile value:Cisco Attribute:NetworkDeviceGroups value:IPSEC#Is IPSEC Device#No, Location#All Locations, Device Type#All Device Types Attribute:NetworkDeviceName value:lab-wlc Attribute:NmapSubnetScanID value:0 Attribute:OUI value:UNKNOWN Attribute:PolicyVersion value:0 Attribute:PortalUser value: Attribute:PostureApplicable value:Yes Attribute:RequestLatency value:15 Attribute:StaticAssignment value:false Attribute:StaticGroupAssignment value:false Attribute:Total Certainty Factor value:0 Attribute:TotalAuthenLatency value:15 Attribute:User-Name value:bob Attribute:cisco-av-pair value:dc-profile-name=Samsung Galaxy S22+, dc-device-name=Victor-s-S22, dc-device-class-tag=Samsung Galaxy S22+, dc-certainty-metric=40, 64:63:2d:6f:70:61:71:75:65:3d:01:00:00:00:00:00:00:00:00:00:00:00, dc-protocol-map=1025, dhcp-option=host-name=Victor-s-S22, dhcp-option=dhcp-class-identifier=android-dhcp-13, dhcp-option=dhcp-parameter-request-list=1\, 3\, 6\, 15\, 26\, 28\, 51\, 58\, 59\, 43\, 114\, 108, dot11-device-info=DEVICE_INFO_MODEL_NUM=Samsung Galaxy S22+, dot11-device-info=DEVICE_INFO_FIRMWARE_VERSION=WH6, dot11-device-info=DEVICE_INFO_SALES_CODE=MXO, dot11-device-info=DEVICE_INFO_DEVICE_FORM=1, dot11-device-info=DEVICE_INFO_OS_VERSION=Android 13, dot11-device-info=DEVICE_INFO_COUNTRY_CODE=Unknown, dot11-device-info=DEVICE_INFO_VENDOR_TYPE=2, audit-session-id=A90510AC0000005BD7DDDAA7, vlan-id=2606, method=dot1x, cisco-wlan-ssid=VIcSSID, wlan-profile-name=ISE-AAA Attribute:dhcp-class-identifier value:android-dhcp-13 Attribute:dhcp-parameter-request-list value:1, 3, 6, 15, 26, 28, 51, 58, 59, 43, 114, 108 Attribute:host-name value:Victor-s-S22 Attribute:ip value:172.16.5.76 Attribute:SkipProfiling value:false

    屬性更新會觸發新的端點分析事件。再次評估分析策略,並分配新的配置檔案。

    2023-09-27 18:19:24,098 DEBUG [pool-533-thread-35][[]] cisco.profiler.infrastructure.profiling.ProfilerManager -:A90510AC0000005BD7DDDAA7::62cc7a10-5d62-11ee-bf1f-b6bb1580ab0d:Profiling:- Policy Android matched 0A:5A:F0:B3:B5:9C (certainty 30) 2023-09-27 18:19:24,098 DEBUG [pool-533-thread-35][[]] cisco.profiler.infrastructure.profiling.ProfilerManager -:A90510AC0000005BD7DDDAA7::62cc7a10-5d62-11ee-bf1f-b6bb1580ab0d:Profiling:- EndPoint is profiled by Admin First: ADMINFIRST 2023-09-27 18:19:24,098 DEBUG [pool-533-thread-35][[]] cisco.profiler.infrastructure.profiling.ProfilerManager -:A90510AC0000005BD7DDDAA7::62cc7a10-5d62-11ee-bf1f-b6bb1580ab0d:Profiling:- Policy Android matched 0A:5A:F0:B3:B5:9C (certainty 30)com.cisco.profiler.infrastructure.profiling.ProfilerManager$MatchingPolicyInternal@14ec7800

    步驟 4.CoA和重新認證

    當WiFi裝置分析屬性發生更改時,ISE必須為終端會話傳送CoA。

    2023-09-27 18:19:24,103 DEBUG [pool-533-thread-35][[]] cisco.profiler.infrastructure.profiling.ProfilerManager -:A90510AC0000005BD7DDDAA7::62cc7a10-5d62-11ee-bf1f-b6bb1580ab0d:Profiling:- Endpoint 0A:5A:F0:B3:B5:9C IdentityGroup / Logical Profile Changed/ WiFi device analytics attribute changed. Issuing a Conditional CoA 2023-09-27 18:19:24,103 DEBUG [pool-533-thread-35][[]] cisco.profiler.infrastructure.profiling.ProfilerManager -:A90510AC0000005BD7DDDAA7::62cc7a10-5d62-11ee-bf1f-b6bb1580ab0d:Profiling:- ConditionalCoAEvent with Endpoint Details : EndPoint[id=62caa550-5d62-11ee-bf1f-b6bb1580ab0d,name=] MAC: 0A:5A:F0:B3:B5:9C Attribute:AAA-Server value:iselab Attribute:Airespace-Wlan-Id value:1 Attribute:AllowedProtocolMatchedRule value:Default Attribute:AuthenticationIdentityStore value:Internal Users Attribute:AuthenticationMethod value:MSCHAPV2 Attribute:AuthenticationStatus value:AuthenticationPassed Attribute:AuthorizationPolicyMatchedRule value:Catch Policy Attribute:BYODRegistration value:Unknown Attribute:CLASSIFICATION_FLOW value:none Attribute:CacheUpdateTime value:1695838764086 Attribute:Called-Station-ID value:00-1e-f6-5c-16-ff Attribute:Calling-Station-ID value:0a-5a-f0-b3-b5-9c Attribute:ClientLatency value:0 Attribute:DEVICE_INFO_COUNTRY_CODE value:Unknown Attribute:DEVICE_INFO_DEVICE_FORM value:PHONE Attribute:DEVICE_INFO_FIRMWARE_VERSION value:WH6 Attribute:DEVICE_INFO_MODEL_NUM value:Samsung Galaxy S22+ Attribute:DEVICE_INFO_OS_VERSION value:Android 13 Attribute:DEVICE_INFO_SALES_CODE value:MXO Attribute:DEVICE_INFO_VENDOR_TYPE value:SAMSUNG Attribute:DTLSSupport value:Unknown Attribute:DestinationIPAddress value:172.16.5.112 Attribute:DestinationPort value:1812< Attribute:Device IP Address value:172.16.5.169 Attribute:Device Type value:Device Type#All Device Types Attribute:DeviceRegistrationStatus value:NotRegistered Attribute:DoReplicate value:false Attribute:EnableFlag value:Enabled Attribute:EndPointMACAddress value:0A-5A-F0-B3-B5-9C Attribute:EndPointPolicy value:Android Attribute:EndPointPolicyID value:ffafa000-8bff-11e6-996c-525400b48521 Attribute:EndPointProfilerServer value:iselab.vimontes.cisco.com Attribute:EndPointSource value:RADIUS Probe Attribute:EndPointVersion value:4 Attribute:FailureReason value:- Attribute:FirstCollection value:1695838763963 Attribute:Framed-IP-Address value:172.16.5.76 Attribute:IPSEC value:IPSEC#Is IPSEC Device#No Attribute:IdentityGroup value:Android Attribute:IdentityGroupID value:ffa36b00-8bff-11e6-996c-525400b48521 Attribute:IdentityPolicyMatchedRule value:Default Attribute:IdentitySelectionMatchedRule value:Default Attribute:IsThirdPartyDeviceFlow value:false Attribute:LastActivity value:1695838764083 Attribute:LastNmapScanTime value:0 Attribute:Location value:Location#All Locations Attribute:LogicalProfile value: Attribute:MACAddress value:0A:5A:F0:B3:B5:9C Attribute:MatchedPolicy value:Android Attribute:MatchedPolicyID value:ffafa000-8bff-11e6-996c-525400b48521 Attribute:MessageCode value:3000 Attribute:NAS-IP-Address value:172.16.5.169 Attribute:NAS-Identifier value:vimontes-wlc Attribute:NAS-Port value:260613 Attribute:NAS-Port-Type value:Wireless - IEEE 802.11 Attribute:Network Device Profile value:Cisco Attribute:NetworkDeviceGroups value:IPSEC#Is IPSEC Device#No, Location#All Locations, Device Type#All Device Types Attribute:NetworkDeviceName value:lab-wlc Attribute:NetworkDeviceProfileId value:b0699505-3150-4215-a80e-6753d45bf56c Attribute:NetworkDeviceProfileName value:Cisco Attribute:NmapScanCount value:0 Attribute:NmapSubnetScanID value:0 Attribute:OUI value:UNKNOWN Attribute:PolicyVersion value:0 Attribute:PortalUser value: Attribute:PostureApplicable value:Yes Attribute:PostureAssessmentStatus value:NotApplicable Attribute:PreviousMACAddress value:0A:5A:F0:B3:B5:9C Attribute:RadiusFlowType value:Wireless802_1x Attribute:Response value:{Class=CACS:A90510AC0000005BD7DDDAA7:iselab/484624451/303; EAP-Key-Name=19:12:31:7e:8a:2e:d7:9f:3b:00:3e:ab:bd:27:22:2a:30:45:b8:7a:1b:ab:b6:1a:b1:e6:21:ee:bd:b1:2c:b8:f5:a8:c9:27:27:c1:0e:95:fa:a0:b6:dc:1f:a4:e6:98:2c:89:5e:b1:5c:11:56:ea:d9:93:a8:92:b0:47:57:3a:6e; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; } Attribute:SSID value:3c-41-0e-31-77-80:VIcSSID Attribute:SelectedAccessService value:Default Network Access Attribute:SelectedAuthenticationIdentityStores value:Internal Users, All_AD_Join_Points, Guest Users Attribute:SelectedAuthorizationProfiles value:PermitAccess Attribute:Service-Type value:Framed Attribute:StaticAssignment value:false Attribute:StaticGroupAssignment value:false Attribute:StepData value:4= Normalised Radius.RadiusFlowType, 71=All_User_ID_Stores, 72=Internal Users, 95= WiFi_Device_Analytics.DEVICE_INFO_MODEL_NUM, 96= WiFi_Device_Analytics.DEVICE_INFO_MODEL_NUM, 97= WiFi_Device_Analytics.DEVICE_INFO_MODEL_NUM, 98= WiFi_Device_Analytics.DEVICE_INFO_MODEL_NUM, 99= EndPoints.EndPointPolicy, 100= EndPoints.EndPointPolicy, 101= EndPoints.EndPointPolicy Attribute:TLSCipher value:ECDHE-RSA-AES256-GCM-SHA384 Attribute:TLSVersion value:TLSv1.2 Attribute:TimeToProfile value:139 Attribute:Total Certainty Factor value:30 Attribute:TotalAuthenLatency value:15 Attribute:UpdateTime value:0 Attribute:User-Name value:bob Attribute:UserType value:User Attribute:allowEasyWiredSession value:false Attribute:dhcp-class-identifier value:android-dhcp-13 Attribute:dhcp-parameter-request-list value:1, 3, 6, 15, 26, 28, 51, 58, 59, 43, 114, 108 Attribute:epid value:epid:293810839814635520 Attribute:host-name value:Victor-s-S22 Attribute:ip value:172.16.5.76 Attribute:undefined-186 value:00:0f:ac:04 Attribute:undefined-187 value:00:0f:ac:04 Attribute:undefined-188 value:00:0f:ac:01 Attribute:undefined-189 value:00:0f:ac:06 Attribute:SkipProfiling value:false

    資料包捕獲有助於確保ISE將CoA傳送到WLC。它還顯示在處理CoA之後收到新的訪問請求資料包。

    終端分析後的RADIUS CoA資料包終端分析後的RADIUS CoA資料包

    終端分析後的Radius CoA和新的訪問請求終端分析後的Radius CoA和新的訪問請求

    相關資訊

    修訂記錄

    修訂 發佈日期 意見
    1.0
    05-Oct-2023
    初始版本
    TAC Authored

    由思科工程師貢獻

    • Victor Montes Angeles
      Security Escalation Engineer

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品