Lab 11: Endpoint Profiling and Reports

This document provides instructions for configuring the profiler service in Cisco ISE. The key steps are: 1. Enable the profiler service in the ISE deployment settings. 2. Configure the feed service to receive profiler policy and OUI database updates. 3. Modify the NAD definitions to enable SNMP profiling of network devices. 4. Configure profiler settings such as profiling intervals and SNMP credentials. The overall goal is to enable endpoint profiling in ISE to gather detailed information about devices on the network.

Uploaded by

Josel Arevalo
Page 1 of 14

Lab 11: Endpoint Profiling and Reports

Lab Overview
This lab examines the use of the profiler service within ISE. You will enable the profiler service and configure the Feed service to keep profiler up to date. You
will modify the ISE settings for profiler and verify NAD configurations in support of profiler. You will work with Logical Profiles, test Authorization Policy using
Profiler, and run various reports.

Estimated Completion Time

60 minutes

Lab Procedures
• Enable the Profiling Service

• Configure the Feed Service

• Configure Profiler Settings in ISE

• Verify NAD Configuration for Profiling

• Examine Endpoint Data

• Create a Logical Profile and Authorization Policy

• Test Authorization Policies with Profiling Data

• Run Profiler Reports

Perform Only If You Have Done a Reset

If you have performed a reset of this lab or are using the Global Knowledge e-Labs (meaning that you are accessing the system after you have attended the
5-day course), you will need to prepare or verify the environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Enable the Profiling Service

In this task, you will enable and configure profiling in Cisco ISE.

1. Verify current Endpoint data.

To configure profiling in ISE, access the ISE Work Centers to view the necessary steps to prepare, define, and monitor your profiler service configuration.

1.1. From the Admin-PC, open Firefox and log in to ISE as admin/admin$Pwd.

1.2. Navigate to Work Centers > Profiler > Overview to view the required configuration steps needed to enable and configure the profiler service.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L11.htm 19/09/2017

1.3. Network devices and Active Directory configurations were done in previous labs. You need to do some preparation in this lab environment prior to
enabling the Profiler service. Click the Endpoint Classification link. This page can also be reached via Context Visibility > Endpoints > Endpoint
Classification.

1.4. Observe the endpoint information for your pod.

Note: Notice that many of the Endpoint Profiles indicate Unknown. Once Profiler is enabled and configured, much more information about endpoints will be
obtained. Take note of the number of pages (upper right). It may eventually grow to be more than one, requiring you to use Quick Filters or navigate
multiple pages.

2. Clean Endpoint data from ISE before Enabling Profiling.

First, clear the existing endpoint data from ISE so that, once the Profiler service is enabled and configured, ISE profiles the endpoints afresh.

2.1. Access your pod iPad. If necessary, directions can be found in the lab guide module titled iPad Access.

2.2. From the Wi-Fi list, identify your pod GK Guest-XX SSID.

2.3. Click the blue information circle to the right.

2.4. At the top, click Forget this Network in order to clear any previous cached settings or credentials. Confirm by clicking Forget when prompted.

2.5. Navigate back to the list of networks and disable Wi-Fi.

2.6. Return to ISE on the Admin-PC.

2.7. In Endpoint Classification, select Trash > All to remove all endpoints.

2.8. Click Yes to confirm and then Refresh to verify all endpoints are gone.

3. Enable Profiling Service.

3.1. Navigate back to Work Centers > Profiler > Overview. Under the Prepare column in the Profiling Configuration section, click the Deployment link. This
can also be reached via Administration > System > Deployment.

3.2. In the right pane, select your ISE node to edit it.

3.3. Under the Policy Service section, select Enable Profiling Service.

3.4. In the right pane, observe that the Profiling Configuration tab became available after selecting the Enable Profiling Service feature. Select the
Profiling Configuration tab.

3.5. Observe the Cisco ISE probes that are enabled by default:

◾ DHCP

◾ HTTP

◾ RADIUS

◾ Network Scan (NMAP)

◾ SNMPQUERY

3.6. Verify all five default probes are enabled. If any are not, enable them now.

3.7. Enable the SNMPTRAP probe as follows.

3.8. Save the change.

3.9. You will get the same notification pop-up window notifying you of the Policy Service persona change. Click OK.

3.10. After several minutes, log back in to ISE using the credentials admin/admin$Pwd.

Note: You can check the status from the ISE CLI with the command show application status ise and verify that the Application Server status is running.

Task 2: Configure the Feed Service

With the Profiler Feed Service, you can retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco
feed server through a subscription in ISE. In this task, you will enable and configure notification settings for the Cisco Profiler Feed Service. You will also force
a manual update.

4. Enable the Feed Service.

4.1. In the ISE admin portal, navigate to Work Centers > Profiler > Feeds. This page can also be reached via Administration > Feed Service > Profiler.

4.2. Select the check box for Enable Online Subscription Update.

4.3. Read the notification, and click OK.

4.4. Click Test Feed Service Connection and verify a successful result.

4.5. Check Notify administrator when a download occurs and use the email address admin@gklabs.com.

Note: Email notification requires that an SMTP server is configured on Cisco ISE. This can be done via the Administration > Settings > SMTP Server page. This
was done in an earlier lab.

4.6. Scroll down and click Save.

4.7. Now click the Update Now button and Yes to the message.

Note: The update process will take some time, at least 30 minutes.

4.8. You can verify Feed Service operation via the admin@gklabs.com email or by scrolling to the bottom of the page and viewing the Latest Update
section.

4.9. Don't wait for the process to finish; continue to the next task.

Task 3: Configure Profiler Settings in ISE

In this task, you will modify the NAD definition configuration for profiling in Cisco ISE.

5. Configure Cisco ISE NAD configuration for Profiling.

5.1. Navigate to Work Centers > Profiler > Network Devices. This page can also be reached via Administration > Network Resources > Network Devices.

5.2. Click the L3-Switch to edit the NAD profile and configure as follows.

Attribute            Value
SNMP Settings        Enabled
SNMP Version         2c
SNMP RO Community    ISEisC00L (zeros, not Os)
Polling Interval     600
Link Trap Query      Enabled
MAC Trap Query       Enabled

Note: Notice that at the bottom of the section the Originating Policy Service Node is set to Auto. While not a mandatory step in the lab topology with a
single ISE node, the practice of setting the Originating Policy Service Node for SNMP profiling operations to the node closest to the NAD is a best practice
and tuning configuration, especially in a larger or geographically dispersed ISE deployment.

5.3. Scroll down and click Save.

5.4. Return to the list of Network Devices.

Note: Before moving on, make sure to edit the WLC and perform the same modification using the same values.

6. Modify the Profiler Configuration.

6.1. Navigate to Work Centers > Profiler > Settings. In the left pane, select Profiler Settings. This page can also be reached via Administration > System
> Settings.

6.2. Modify the Profiler Configuration as follows.

Attribute                                       Value
CoA Type                                        Reauth
Change custom SNMP community strings            ISEisC00L (zeros, not Os)
Confirm change custom SNMP community strings    ISEisC00L
EndPoint Attribute Filter                       Disabled

6.3. Save your configuration.

7. Verify Profiler Exception Action.

7.1. Navigate to Work Centers > Profiler > Policy Elements. In the left pane, select Exception Actions. This can also be reached via Policy > Policy Elements
> Results > Profiling > Exception Actions.

7.2. Click FirstTimeProfile to view the action details.

7.3. Observe that the COA Action is Force COA. This occurs when an endpoint whose profile is Unknown is profiled for the first time.

Note: This is the default action for all the Cisco provided exception actions.

Task 4: Verify NAD Configuration for Profiling

In this task, you will verify the profiling configuration on your pod WLC and L3-Switch. Your pod NADs are already preconfigured for you.

8. Verify the WLC configuration.

8.1. On your Admin-PC in Firefox, open a new tab.

8.2. Click the vWLC bookmark in the toolbar.

8.3. Log in with the credentials admin/admin$Pwd.

8.4. Navigate to the WLANs tab.

8.5. Click WLAN ID 1 or WLAN ID 2 (both are configured for profiler).

8.6. Click the Advanced tab.

8.7. Scroll down to the right-hand side section Client Profiling.

8.8. Verify both DHCP Profiling and HTTP Profiling are enabled.

8.9. Navigate to Management > SNMP > General.

8.10. Verify that SNMP is enabled.

8.11. Click Communities and verify it looks as follows.

8.12. Click Trap Receivers and verify it looks as follows.

8.13. Return to the ISE portal tab.

9. Verify the L3-Switch configuration.

9.1. Open a console connection to your L3-Switch using the topology diagram. If needed, use the credentials admin/admin$Pwd and enable password
san-fran.

9.2. Run the following commands to see the preconfigured SNMP and MAC configurations.

L3-Switch#show run | section snmp-server


snmp-server group ISE-GROUP v3 priv read V3Read notify TRAP_VIEW access MANAGEMENT-DEVICES
snmp-server view V3Read iso included
snmp-server view TRAP_VIEW iso included
snmp-server community ISEisC00L RO
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.10.2.50 version 3 priv ISEBOX
snmp-server host 10.10.2.60 version 3 priv ISEBOX
snmp-server host 10.10.2.50 version 2c ISEisC00L mac-notification snmp

Note: Both SNMP V2c and V3 are configured on the switch. For the sake of simplicity, you are using V2c.

L3-Switch#show run | section mac


authentication mac-move permit
snmp trap mac-notification change added
snmp trap mac-notification change added
snmp-server enable traps mac-notification change move
snmp-server host 10.10.2.50 version 2c ISEisC00L mac-notification snmp
radius-server attribute 31 mac format ietf upper-case

Note: If you do not see the expected output, notify your instructor.

9.3. Run the following commands to see the preconfigured ip helper-address configuration for the Mgmt VLAN 6, the User VLAN 7, and the Guest VLAN 10,
which relays DHCP packets to both the DHCP server and the ISE node.

L3-Switch#sh run int vlan 6


Building configuration...

Current configuration : 183 bytes


!
interface Vlan6
description Management Subnet
ip address 10.10.2.1 255.255.255.0
ip helper-address 10.10.1.25
ip helper-address 10.10.2.50
ip helper-address 10.10.2.60
end

L3-Switch#sh run int vlan 7


Building configuration...

Current configuration : 178 bytes


!
interface Vlan7
description User Subnet
ip address 10.10.10.1 255.255.255.0
ip helper-address 10.10.1.25
ip helper-address 10.10.2.50
ip helper-address 10.10.2.60
end

L3-Switch#sh run int vlan 10


Building configuration...

Current configuration : 159 bytes


!
interface Vlan10
description Guest Subnet
ip address 10.10.90.5 255.255.255.0
ip helper-address 10.10.2.50
ip helper-address 10.10.2.60
shutdown
end

Note: If you do not see the expected output, notify your instructor.
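The checks in steps 9.2 and 9.3 are done by eye in the lab. The script below automates them for a saved show run excerpt: it confirms that the SNMP community the SNMPQUERY probe uses is read-only, that the link and MAC-notification traps the SNMPTRAP probe consumes are enabled, that every ISE node is an SNMP trap receiver, and that each live SVI relays DHCP to both ISE nodes so the DHCP probe actually sees the traffic. This is an added example, not code from the lab guide or from Cisco; it assumes the lab topology (ISE nodes 10.10.2.50 and 10.10.2.60, community ISEisC00L), and the Vlan8 section in the sample is constructed to show a failing check.

```python
"""Check an IOS 'show run' excerpt for the settings ISE profiling relies on.

Added example; not code from the lab guide or from Cisco. Assumes the lab
topology (ISE nodes 10.10.2.50 and 10.10.2.60, read-only community ISEisC00L)
and the IOS command syntax shown in steps 9.2 and 9.3.
"""
import re

ISE_NODES = {"10.10.2.50", "10.10.2.60"}
EXPECTED_COMMUNITY = "ISEisC00L"

# Constructed sample: the lab's 'show run | section snmp-server' output.
SNMP_SECTION = """\
snmp-server group ISE-GROUP v3 priv read V3Read notify TRAP_VIEW access MANAGEMENT-DEVICES
snmp-server view V3Read iso included
snmp-server view TRAP_VIEW iso included
snmp-server community ISEisC00L RO
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.10.2.50 version 3 priv ISEBOX
snmp-server host 10.10.2.60 version 3 priv ISEBOX
snmp-server host 10.10.2.50 version 2c ISEisC00L mac-notification snmp
"""

# Constructed sample: Vlan7 and Vlan10 as in the lab, plus a hypothetical
# Vlan8 that relays DHCP to the DHCP server only (so the DHCP probe is blind).
INTERFACE_SECTIONS = """\
interface Vlan7
 description User Subnet
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.1.25
 ip helper-address 10.10.2.50
 ip helper-address 10.10.2.60
!
interface Vlan8
 description Hypothetical Subnet
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.1.25
!
interface Vlan10
 description Guest Subnet
 ip address 10.10.90.5 255.255.255.0
 ip helper-address 10.10.2.50
 ip helper-address 10.10.2.60
 shutdown
!
"""


def check_snmp(section):
    """Return findings for the SNMP section; an empty list means it is complete."""
    lines = [l.strip() for l in section.splitlines() if l.strip()]
    findings = []
    communities = [l.split() for l in lines if l.startswith("snmp-server community ")]
    for parts in communities:
        # IOS defaults to RO when no mode keyword is given; RW is more access
        # than the SNMPQUERY probe needs, so flag it.
        if parts[2] == EXPECTED_COMMUNITY and "RW" in parts[3:]:
            findings.append(f"community {parts[2]} is RW; the profiler only needs RO")
    if not any(parts[2] == EXPECTED_COMMUNITY for parts in communities):
        findings.append(f"missing read-only community {EXPECTED_COMMUNITY}")
    # Link and MAC-notification traps are what the SNMPTRAP probe consumes.
    if not (re.search(r"^snmp-server enable traps snmp\b.*\blinkdown\b", section, re.M)
            and re.search(r"^snmp-server enable traps snmp\b.*\blinkup\b", section, re.M)):
        findings.append("linkup/linkdown traps not enabled")
    if not re.search(r"^snmp-server enable traps mac-notification\b", section, re.M):
        findings.append("mac-notification traps not enabled")
    trap_hosts = {l.split()[2] for l in lines if l.startswith("snmp-server host ")}
    for node in sorted(ISE_NODES - trap_hosts):
        findings.append(f"no snmp-server host entry for ISE node {node}")
    return findings


def parse_interfaces(config):
    """Map interface name -> {'helpers': set of relay targets, 'shutdown': bool}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = ifaces.setdefault(line.split()[1], {"helpers": set(), "shutdown": False})
        elif current is not None and line.startswith("ip helper-address "):
            current["helpers"].add(line.split()[2])
        elif current is not None and line == "shutdown":
            current["shutdown"] = True
    return ifaces


def check_dhcp_relay(config):
    """Flag live interfaces whose helper list omits an ISE node: the DHCP probe
    only learns from packets the switch relays to it."""
    findings = []
    for name, iface in parse_interfaces(config).items():
        missing = sorted(ISE_NODES - iface["helpers"])
        if missing and not iface["shutdown"]:
            findings.append(f"{name}: DHCP not relayed to ISE node(s) {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for title, result in (("snmp", check_snmp(SNMP_SECTION)),
                          ("dhcp relay", check_dhcp_relay(INTERFACE_SECTIONS))):
        print(f"{title}: {'OK' if not result else '; '.join(result)}")
```

Run against the pasted output of show run | section snmp-server and show run int vlan N; the SNMP section passes and Vlan8 is reported because it never sends DHCP to ISE. A shut interface is skipped, which is why the lab's Vlan10 produces no finding.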

Task 5: Examine Endpoint Data

In this task, you will examine the collected endpoint data since enabling profiling on ISE.

10. View the Endpoints in ISE.

10.1. On your Admin-PC in the ISE portal, navigate to Context Visibility > Endpoints.

10.2. Observe the list of endpoints that have been learned since enabling profiling. Scroll to the second page, if available, to see the rest of the
endpoints.

10.3. Click the MAC address associated with the endpoint profile for the Cisco-WLC endpoint. (If the Cisco-WLC doesn't show, click the MAC address
associated with IP Address 10.10.10.2.)

10.4. Observe the indicated attributes for this endpoint and take notice of what the EndPointSource is (in this case it is SNMPQuery Probe, your Source
Probe may be different).

10.5. Return to the Endpoint List.

11. Profile your pod User-PC2.

11.1. Access your User-PC2 and reboot it.

11.2. Log on to User-PC2 as admin/admin$Pwd. Launch Firefox and browse to www.cisco.com.

11.3. Return to your Admin-PC and your ISE portal. On your list of endpoints, click the Refresh button in the upper left-hand corner.

11.4. You should now see User-PC2 as a Microsoft-Workstation or VMware Device endpoint profile added to your list.

11.5. Edit this endpoint profile to observe the endpoint attribute data.

11.6. Observe that the attribute list contains much more data than seen before for other endpoints. Pay particular attention to the following list of
attributes:

◾ EndPointSource

◾ Framed-IP-Address

◾ IdentityGroup

◾ MatchedPolicy

◾ NAS-Port-Id

◾ OUI

◾ Total Certainty Factor

◾ client-fqdn

◾ dhcp-class-identifier

◾ host-name

11.7. Return to the Endpoint list.

Task 6: Create a Logical Profile and Authorization Policy

In this task, you will create a logical profile that will be used in the authorization policy.

12. Create a Logical Profile.

12.1. In the ISE portal, navigate to Work Centers > Profiler > Profiling Policies and then in the left pane under Profiling, select Logical Profiles.

12.2. In the right pane click the +Add button.

12.3. Create the following Logical Profile:

Attribute            Value
Name                 Approved Smart Devices
Description          Devices on the corporate approved Smart Devices list
Assigned Policies    Android, Apple-iPad, Apple-iPhone, Apple-iPod

12.4. Click Submit.

13. Create a New Authorization Policy using a Logical Profile.

In this section, you will create an authorization policy assigning the previously configured logical profile to a fixed authorization profile.

13.1. In ISE, navigate to Policy > Policy Sets and select the Wireless policy set.

13.2. In the right pane, edit the Guest Access rule and configure as follows.

Attribute      Value
Rule Name      Guest Access
Conditions     if GuestEndpoints AND (SSID_Contains_GK_Guest AND EndPoints:LogicalProfile EQUALS Approved Smart Devices)
Permissions    Guest Access

13.3. Scroll down and click Save.

Task 7: Test Authorization Policies with Profiling Data

In this task, you will access the network with your iPad and match the Guest Access rule configured for the Approved Smart Devices logical profile.

14. Connect to the GK Guest-XX SSID with your iPad.

14.1. Access your pod iPad.

14.2. Navigate using your mouse to Settings > General > Network > Wi-Fi.

14.3. Enable Wi-Fi and click the GK Guest-XX SSID for your pod.

14.4. Open the Safari web browser and attempt to access www.google.com.

14.5. Log in with the credentials BBJones/gklabs.

14.6. Click Accept and Continue then verify you have Internet access from the iPad.

14.7. Return to ISE and navigate to Operations > RADIUS > Live Logs and observe the authentication records.

Note:
1. The iPad MAC is seen and profiled as an Apple-Device and redirected to CWA.
2. The user authenticates via CWA.
3. The iPad is profiled as an Apple-iPad and the Smart Device rule applies to provide Guest Access.

14.8. Click the authentication details for this record.

14.9. In Other Attributes, verify the Logical Profile.

14.10. In the Steps section, notice the Logical Profile Match.

14.11. Navigate to Context Visibility > Endpoints.

14.12. Find and click the Apple-iPad Endpoint Profile name, or select the check box and click Edit in the toolbar. (It may be on the second page of
endpoints.)

14.13. Profiler has assigned the Apple-iPad policy and the CWA portal has statically placed the endpoint in the GuestEndpoints ID Group.

14.14. Click Cancel when finished viewing.

Note: This same information can also be found from the Home tab and selecting Active Endpoints or Authenticated Guests. If time permits, take some time
to explore this resource as well by clicking either location and examining the options and information available to you.

Task 8: Run Profiler Reports

In this task, you will run reports based on profiling data gathered in previous labs.

15. Run the Feed Report.

15.1. In ISE, navigate to Work Centers > Profiler > Feeds.

15.2. Scroll down to the bottom and verify that a latest applied feed update has occurred.

Note: If you have no timestamp indicating a successful update operation, you may have to perform these steps later. Simply move on and return later to
check for updates again.

15.3. Click the Go to Update Report Page link as indicated in the above screenshot. This will automatically run the Change Configuration Audit report from
the FeedService administrator.

16. Observe the details of the Added and Changed configurations.

16.1. Click one of the Added configuration event hyperlinks.

16.2. Observe the details for this event.

16.3. Close this tab and return to the Change Configuration Audit report tab.

16.4. Click one of the Changed configuration event hyperlinks.

16.5. Observe the details for this event.

16.6. Close this tab and then close the Change Configuration Audit report tab.

16.7. On the Admin-PC, open Microsoft Outlook from the taskbar.

16.8. Navigate to the Inbox and find the ISE System message: Feed OUI applied update email and open it.

16.9. Observe the number of OUIs added and updated.

Note: Your number of OUIs may vary depending upon the date of your class. This is an indication of further updates since the above screenshot.

16.10. Return to the Inbox and open the ISE System message: Feed policies applied update email.

16.11. Observe the number of feed policies applied.

Note: Your number of policies may vary depending upon the date of your class. This is an indication of further updates since the above screenshot.

16.12. Close Microsoft Outlook.

17. Run the Endpoint Profile Changes Report.

In this task, you will run reports related to profiled endpoints.

17.1. Navigate to Work Centers > Profiler > Reports.

17.2. In the Report Selector pane, navigate to Endpoint Profile Changes.

17.3. Run the report using the Time Range of Today.

17.4. Compare the Endpoint Profile (Before) pie chart to the Endpoint Profile (After) pie chart and observe the additional data as a result of enabling
profiling.

17.5. Scroll down to view a list of the Endpoint Profile Changes.

17.6. Click a record detail, for example the Apple-iPad record, to see further details of the change.

17.7. Close the newly opened tab and return to the Work Centers > Profiler > Reports portal when done.

17.8. In the Report Selector pane, navigate to ISE Reports > Profiled Endpoint Summary.

17.9. Run the report using the Time Range of Today.

17.10. Observe the Details and then the Raw details of a record.

17.11. In the Raw details report page, click one of the Endpoint property hyperlinks and observe the additional level of detail available in the pop-up
message. Depending upon which link you select, your output will be different from the example shown.

17.12. Close the pop-up message and close the newly opened tab. Return to the Admin portal when done.

18. View Context Visibility Dashlet Reports.

In this task, you will view the metrics available via the Context Visibility feature in the Cisco ISE admin portal.

18.1. Navigate to the Context Visibility > Endpoints > Endpoint Classification tab.

18.2. In the ENDPOINTS dashlet, click the new window icon to detach and open the dashlet in a new tab, to drill down for further details.

18.3. In the new ENDPOINTS dashlet tab, click the Profile link to observe all profiled endpoints that ISE has seen.

18.4. By hovering your mouse over any individual section of the circle graph, ISE will display the number of devices in that category.

18.5. Similarly, the Home > Summary > Endpoints page will display the same information, as well as other summary information.

Note: Both Context Visibility and Home pages can be customized to meet your needs by adding new Dashboards, or Dashlets, by clicking the gear icon in the
upper right corner of the pane.

18.6. Close all newly opened tabs and return to the ISE portal when done.

Lab Complete
