The controller can profile devices based on protocols such as HTTP and DHCP to identify the clients. You can configure device-based policies and enforce per-user or per-device policy on the network. The controller also displays statistics that are based on per-user or per-device end points and policies that are applicable per device. The maximum number of policies that you can configure is 64.
User group or user role
Device type such as Windows clients, smartphones, tablets, and so on
Service Set Identifier (SSID)
Location, based on the access point group that the end point is connected to
Time of the day
Extensible Authentication Protocol (EAP) type, to check which EAP method the client uses to connect
Virtual local area network (VLAN)
Access control list (ACL)
Quality of Service (QoS) level
Session timeout value
Sleeping client timeout value
Select either AVC profile or role, or both based on local policy attributes defined in the AAA server.
The following are the different ways by which local policies are applied based on a combination of AVC profile and role defined in the AAA server:
If you enable AAA override and there are AAA attributes other than the role type from the AAA server, the configured policy action is not applied. The AAA override attributes have higher precedence.
On a WLAN, when local profiling is enabled, RADIUS profiling is not allowed.
Client profiling uses existing profiles on the controller.
You cannot create custom profiles.
Wired clients behind the workgroup bridge (WGB) are not profiled and the policy action is not taken.
Only the first policy rule that matches the policy profile is given precedence. Each policy profile has an associated policy rule, which is used to match the policies.
You can configure up to 64 policies, out of which you can configure up to 16 policies per WLAN.
Policy action is taken after Layer 2 authentication is complete, or after Layer 3 authentication is complete, or when the device sends HTTP traffic and gets the device profiled. Therefore, profiling and policy actions occur more than once per client.
Only VLAN, ACL, Session Timeout, and QoS are supported as policy action attributes.
Profiling is performed only on IPv4 clients.
For all the controllers in a mobility group, it is mandatory that the local policy configurations have the same match criteria attributes and action attributes. Otherwise, the local policy configuration becomes invalid when roaming occurs across the controllers.
When local policy is configured for device type policy match and configured on a WLAN with guest anchor enabled, the AVC profile name from local policy is not applied at anchor.
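An added example (not Cisco code) that models the first-match rule and the 16-policy-per-WLAN limit listed above, to audit a WLAN's policy mapping for entries that can never take effect. It assumes that the lowest priority index is evaluated first, that an unconfigured criterion matches any client, and that every policy is always active; the policy names and client values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MAX_POLICIES_PER_WLAN = 16  # per-WLAN limit stated on this page
CRITERIA = ("role", "device_type", "eap_type")

@dataclass(frozen=True)
class LocalPolicy:
    name: str
    role: Optional[str] = None         # None: criterion not configured
    device_type: Optional[str] = None  # (assumed to match any client)
    eap_type: Optional[str] = None

    def matches(self, client: dict) -> bool:
        return all(getattr(self, c) in (None, client.get(c)) for c in CRITERIA)

    def covers(self, other: "LocalPolicy") -> bool:
        """True if every client that `other` matches is also matched by self."""
        return all(getattr(self, c) in (None, getattr(other, c)) for c in CRITERIA)

def first_match(mapping: dict, client: dict) -> Optional[str]:
    """mapping is {priority_index: LocalPolicy}; returns the applied policy."""
    if len(mapping) > MAX_POLICIES_PER_WLAN:
        raise ValueError("more than 16 policies mapped to one WLAN")
    for index in sorted(mapping):  # assumption: lowest priority index first
        if mapping[index].matches(client):
            return mapping[index].name
    return None

def shadowed(mapping: dict) -> list:
    """(later, earlier) pairs where the later policy can never be applied."""
    order = sorted(mapping)
    return [(mapping[later].name, mapping[earlier].name)
            for i, later in enumerate(order) for earlier in order[:i]
            if mapping[earlier].covers(mapping[later])]

# Constructed sample mapping for one WLAN; names and values are illustrative.
WLAN_MAPPING = {
    1: LocalPolicy("byod-any", role="student"),
    2: LocalPolicy("student-phones", role="student", device_type="Android"),
    3: LocalPolicy("staff-tls", role="staff", eap_type="eap-tls"),
}

if __name__ == "__main__":
    phone = {"role": "student", "device_type": "Android", "eap_type": "peap"}
    print(first_match(WLAN_MAPPING, phone))
    print(shadowed(WLAN_MAPPING))
```

A shadowed entry usually means that a more specific policy, for example one with a tighter ACL or VLAN, was mapped at a later priority index than a broader one and is silently never enforced.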
ISE | Controller |
---|---|
Supports profiling using RADIUS probes, DHCP probes, HTTP, and other protocols used to identify the client type. | Supports MAC OUI, DHCP, and HTTP-based profiling. |
Supports multiple different attributes for the policy action and has an interface to pick and select each of the attributes. | Supports VLAN, ACL, Session Timeout, and QoS as policy action attributes. |
Supports customization of profiling rules with user-defined attributes. | Supports only default profiling rules. |
Choose WLANs.
Click the corresponding WLAN ID. The WLANs > Edit page is displayed.
Click the Policy-Mapping tab.
Enter the Priority Index for a policy.
From the Local Policy drop-down list, choose the policy that has to be applied for the WLAN.
Click Add. The priority index and the policy that you choose are listed. You can apply up to 16 policies for a WLAN.
Create or delete a local policy by entering this command:
config policy policy-name {create | delete}
Configure a match type to a policy by entering these commands:
Configure an action that has to be enforced as part of a policy by entering these commands:
Note | Ensure that you configure the Average Data Rate before you configure the Burst Data Rate. |
Configure the active time for a policy by entering this command:
config policy policy-name active {add | delete} hours start-time end-time days {mon | tue | wed | thu | fri | sat | sun | daily | weekdays}
Apply a local policy to a WLAN by entering this command:
config wlan policy {add | delete} priority-index policy-name wlan-id
Enable or disable client profiling in local mode for a WLAN, based on HTTP, DHCP, or both by entering this command:
config wlan profiling local {dhcp | http | all} {enable | disable} wlan-id
Apply a local policy to an AP group of a WLAN by entering this command:
config wlan apgroup policy {add | delete} priority-index policy-name ap-group-name wlan-id
View information about a policy by entering this command:
show policy {summary | policy-name} statistics
View local device classification profile summary by entering this command:
show profiling policy summary
View all the clients with a type of device by entering this command:
show client wlan wlan-id device-type device-type
View a client profiling status that includes profiling done by the RADIUS server and the controller by entering this command:
show wlan wlan-id
View the policy details for AP groups by entering this command:
show wlan apgroups
Enable or disable debugging of policies by entering this command:
debug policy {error | event} {enable | disable}
Updating Organizationally Unique Identifier List
Step 1 | Copy the latest OUI list available at http://standards.ieee.org/develop/regauth/oui/oui.txt to the default directory on your server. |
Step 2 | Choose . The Download file to Controller page is displayed. |
Step 3 | From the File Type drop-down list, choose OUI Update. |
Step 4 | From the Transfer Mode drop-down list, choose the server type. The server details are displayed on the same page. |
Step 5 | Click Download. |
Step 6 | After the download is complete, reboot the Cisco WLC by choosing . |
Step 7 | If prompted to save your changes, click Save and Reboot. |
Step 8 | Click OK. |
Step 1 | Copy the latest OUI list available at http://standards.ieee.org/develop/regauth/oui/oui.txt to the default directory on your server. |
Step 2 | Specify the server type by entering this command: transfer download mode {tftp | ftp | sftp} |
Step 3 | Specify the file type by entering this command: transfer download datatype oui-update |
Step 4 | Begin the download of the file by entering this command: transfer download start |
Step 5 | Reboot the Cisco WLC by entering this command: reset system |
Step 6 | See the updated OUI list by entering this command: show profiling oui-string summary |
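Because the list is fetched over plain HTTP and can be staged on a TFTP server, neither of which protects integrity, it is worth checking the file before Step 1 places it on the server. The following added example (not part of the Cisco procedure) parses the `(hex)` entry lines of the IEEE `oui.txt` layout, records a SHA-256 for change tracking, and flags truncated, substituted, or HTML responses. The `min_entries` threshold and the `expected` vendor map are operator-chosen assumptions, and the sample bytes are constructed.

```python
import hashlib
import re

# One registry entry line, e.g. "00-00-0C   (hex)\t\tCisco Systems, Inc"
HEX_LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(\S.*)$")

def parse_oui(text: str) -> dict:
    """Return {"AABBCC": "Vendor"} for every '(hex)' entry line."""
    entries = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            entries["".join(m.group(1, 2, 3))] = m.group(4).strip()
    return entries

def check_oui_file(data: bytes, min_entries: int, expected: dict) -> dict:
    """Sanity-check a downloaded OUI list before loading it on the controller.

    min_entries: assumed floor, e.g. the entry count of the last good list.
    expected:    OUIs the operator knows, mapped to the vendor they must show.
    """
    problems = []
    if data.lstrip()[:1] == b"<":
        problems.append("starts with markup; likely an HTML error or redirect page")
    entries = parse_oui(data.decode("utf-8", errors="replace"))
    if len(entries) < min_entries:
        problems.append(f"only {len(entries)} entries, expected >= {min_entries}")
    for oui, vendor in expected.items():
        if entries.get(oui) != vendor:
            problems.append(f"{oui}: expected {vendor!r}, found {entries.get(oui)!r}")
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entries": len(entries), "problems": problems}

# Constructed sample in the oui.txt layout (not the real registry contents).
SAMPLE = (b"OUI/MA-L\t\tOrganization\n\n"
          b"00-00-0C   (hex)\t\tCisco Systems, Inc\n"
          b"00000C     (base 16)\t\tCisco Systems, Inc\n"
          b"AC-DE-48   (hex)\t\tPrivate\n")

if __name__ == "__main__":
    print(check_oui_file(SAMPLE, 2, {"00000C": "Cisco Systems, Inc"}))
```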
Updating Device Profile List