client profiling will be disabled on all WLANs.
is supported on access points that are in Local mode and FlexConnect mode.
Both DHCP Proxy
and DHCP Bridging mode on the controller are supported.
Server configuration on the WLAN must be pointing at an ISE running 1.1 MnR or
later releases. Cisco ACS does not support client profiling.
The type of DHCP
server used does not affect client profiling.
DHCP_REQUEST packet contains a string that is found in the Profiled Devices
list of the ISE, then the client will be profiled automatically.
The client is
identified based on the MAC address sent in the Accounting request packet.
Only a MAC
address should be sent as calling station ID in accounting packets when
profiling is enabled.
To enable client
profiling, you must enable the DHCP required flag and disable the local
Client profiling uses pre-existing profiles in the controller.
Profiling for Wireless clients are done based on MAC OUI, DHCP,
HTTP User agent.
DHCP is required for DHCP profiling and Webauth for HTTP user
Configuring Client Profiling
Profiling is not
supported for clients in the following scenarios:
associating with FlexConnect mode APs in Standalone mode.
associating with FlexConnect mode APs when local authentication is done with
local switching is enabled.
Wired clients behind the WGB will not be profiled and policy
action will not be done.
enabled for local switching FlexConnect mode APs, only VLAN override is
supported as an AAA override attribute.
controller parses the DHCP profiling information every time the client sends a
request, the profiling information is sent to ISE only once.
Custom profiles cannot be created for this release.
This release contains 88 pre-existing policies where CLI is check
only except if you create a policy.
When local profiling is enabled radius profiling is not allowed on a
Only the first policy rule that matches is applied.
Only 16 policies per WLAN can be configured and globally 16 policies
can be allowed.
Policy action is done only after L2/L3 authentication is complete or
when the device sends http traffic and gets the device profiled. Profiling and
policing actions will happen more than once per client.
If AAA override is enabled and if you get any AAA attributes from
the AAA server other than role type, configured policy does not apply since the
AAA override attributes have a higher precedence.
When a client tries
to associate with a WLAN, it is possible to determine the client type from the
information received in the process. The controller acts as the collector of
the information and sends the ISE with the required data in an optimal form.
Local Client profiling (DHCP and HTTP) is enabled at WLAN level. Clients on the
WLANS will be profiled as soon as profling is enabled.
Controller has been enhanced with some of these following capabilities:
WLC does profiling
of devices based on protocols like HTTP, DHCP, etc. to identify the end devices
on the network.
You can configure
device-based policies and enforce per user or per device end points, and
policies applicable per device.
statistics based on per user or per device end points, and policies applicable
Profiling can be based
Role, defining the
user type or the user group to which the user belongs.
Device type, such
as Windows machine, Smart Phone, iPad, iPhone, Android, etc.
Location, based on
the AP group to which the endpoint is connected
Time of the day,
based on what time of the day the endpoint is allowed on the network.
EAP type, to check
what EAP method the client uses to get connected.
Policing is decided
based on a profile which are:
Configuring Client Profiling (GUI)
Choose WLANs to open the WLANs page.
Click the WLAN ID. The WLANs > Edit page appears.
Click the Advanced tab.
In the Client Profiling area, do the following:
To profile clients based on DHCP, select the DHCP Profiling check box.
To profile clients based on HTTP, select the HTTP Profiling check box.
Click Save Configuration.
Configuring Client Profiling (CLI)
Enable or disable client profiling for a WLAN based on DHCP by entering this command: