By default, client profiling will be disabled on all WLANs.
Client profiling is supported on access points that are in Local mode and FlexConnect mode.
Both DHCP Proxy and DHCP Bridging mode on the controller are supported.
Accounting Server configuration on the WLAN must be pointing at an ISE running 1.1 MnR or later releases. Cisco ACS does not support client profiling.
The type of DHCP server used does not affect client profiling.
If the DHCP_REQUEST packet contains a string that is found in the Profiled Devices list of the ISE, then the client will be profiled automatically.
The client is identified based on the MAC address sent in the Accounting request packet.
Only a MAC address should be sent as calling station ID in accounting packets when profiling is enabled.
To enable client profiling, you must enable the DHCP required flag and disable the local authentication flag.
Client profiling uses pre-existing profiles in the controller.
Note: DHCP is required for DHCP profiling and Webauth for HTTP user agent.
With profiling enabled for local switching FlexConnect mode APs, only VLAN override is supported as an AAA override attribute.
While the controller parses the DHCP profiling information every time the client sends a request, the profiling information is sent to ISE only once.
Custom profiles cannot be created for this release.
This release contains 88 pre-existing policies where CLI is check only except if you create a policy.
When local profiling is enabled, RADIUS profiling is not allowed on a particular WLAN.
Only the first policy rule that matches is applied.
Only 16 policies per WLAN can be configured and globally 16 policies can be allowed.
Policy action is done only after L2/L3 authentication is complete or when the device sends HTTP traffic and gets the device profiled. Profiling and policing actions will happen more than once per client.
If AAA override is enabled and if you get any AAA attributes from the AAA server other than role type, configured policy does not apply since the AAA override attributes have a higher precedence.
When a client tries to associate with a WLAN, it is possible to determine the client type from the information received in the process. The controller acts as the collector of the information and sends the required data to the ISE in an optimal form. Local client profiling (DHCP and HTTP) is enabled at the WLAN level. Clients on the WLANs will be profiled as soon as profiling is enabled.
The Wireless LAN Controller has been enhanced with the following capabilities:
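The DHCP string matching described above can be pictured with the following added example, which is not Cisco's code: it parses the options of a DHCP request and looks for known strings in them. The choice of options 12 (host name) and 60 (vendor class), the two-entry profile list, and the sample packets are assumptions constructed for the illustration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie before the options
OPT_HOSTNAME, OPT_VENDOR_CLASS = 12, 60  # options inspected here (assumption)

# Constructed stand-in for a profiled-devices list; not the real ISE list.
PROFILE_STRINGS = {"android-dhcp": "Android", "MSFT 5.0": "Microsoft-Workstation"}

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:  # End option
            break
        if code == 0:  # Pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def profile_client(packet: bytes):
    """Return (client MAC from chaddr, matched profile name or None)."""
    mac = packet[28:34].hex(":")  # chaddr field; first 6 bytes for Ethernet
    opts = parse_dhcp_options(packet)
    text = b" ".join(opts.get(c, b"") for c in (OPT_HOSTNAME, OPT_VENDOR_CLASS))
    text = text.decode("ascii", "replace")
    for needle, profile in PROFILE_STRINGS.items():
        if needle in text:
            return mac, profile
    return mac, None

def build_sample_request(mac: bytes, hostname: bytes, vendor_class: bytes) -> bytes:
    """Constructed DHCPREQUEST payload (sample input, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                         b"", b"", b"", b"", mac, b"", b"")
    opts = bytes([53, 1, 3, 12, len(hostname)]) + hostname
    opts += bytes([60, len(vendor_class)]) + vendor_class + b"\xff"
    return header + DHCP_MAGIC + opts
```

Every value matched here is supplied by the client in its own request, so the resulting profile is a classification of what the device reports about itself.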
WLC does profiling of devices based on protocols like HTTP, DHCP, etc. to identify the end devices on the network.
You can configure device-based policies and enforce per user or per device end points, and policies applicable per device.
WLC displays statistics based on per user or per device end points, and policies applicable per device.
Profiling can be based on:
Role, defining the user type or the user group to which the user belongs.
Device type, such as Windows machine, Smart Phone, iPad, iPhone, Android, etc.
Username/password pair.
Location, based on the AP group to which the endpoint is connected.
Time of the day, based on what time of the day the endpoint is allowed on the network.
EAP type, to check what EAP method the client uses to get connected.
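The policy rules stated earlier (first matching rule wins, at most 16 policies per WLAN, AAA override attributes other than role type take precedence) can be modelled as follows. This is an added example, not the controller's implementation; the `Policy` structure, the attribute names, and the use of an AAA-supplied role as a match input are assumptions made for the illustration. The `shadowed` helper flags rules that can never apply because an earlier rule always matches first.

```python
from dataclasses import dataclass

MAX_POLICIES_PER_WLAN = 16  # limit stated on this page

@dataclass
class Policy:  # hypothetical model, not the controller's schema
    name: str
    match: dict   # e.g. {"device_type": "iPad", "role": "student"}
    action: dict  # e.g. {"vlan": 30}

def matches(policy: Policy, client: dict) -> bool:
    """True when every criterion of the policy equals the client's attribute."""
    return all(client.get(k) == v for k, v in policy.match.items())

def evaluate(policies, client, aaa_attrs=None):
    """Return (source, action) for one client under the rules on this page."""
    if len(policies) > MAX_POLICIES_PER_WLAN:
        raise ValueError("more than 16 policies on one WLAN")
    aaa_attrs = aaa_attrs or {}
    # Any AAA override attribute other than role type has higher precedence.
    override = {k: v for k, v in aaa_attrs.items() if k != "role"}
    if override:
        return "aaa-override", override
    if "role" in aaa_attrs:  # assumption: the AAA role feeds the match
        client = {**client, "role": aaa_attrs["role"]}
    for policy in policies:  # only the first matching rule is applied
        if matches(policy, client):
            return policy.name, policy.action
    return None, {}

def shadowed(policies):
    """Names of policies that can never fire behind an earlier, broader rule."""
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            # Every client matching `later` also matches `earlier`.
            if earlier.match.items() <= later.match.items():
                hidden.append(later.name)
                break
    return hidden
```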
This feature is designed to enable the WLC to identify and profile clients connecting from ports apart from HTTP port 80.
The custom HTTP port profiling feature, including High Availability (HA), will be supported on all WLC and Access Point platforms in the 8.2 release. The profiling port configuration will be configurable and maintained in the WLC, and the value will be included in the configuration update when the AP joins this WLC.
Configuring Client Profiling
Enable or disable client profiling for a WLAN based on DHCP by entering this command:
config wlan profiling radius dhcp {enable | disable} wlan-id
Enable or disable client profiling in RADIUS mode for a WLAN based on HTTP, DHCP, or both by entering this command:
config wlan profiling radius {dhcp | http | all} {enable | disable} wlan-id
Note: Use the all parameter to configure client profiling based on both DHCP and HTTP.
Enable or disable client profiling in Local mode for a WLAN based on HTTP, DHCP, or both by entering this command:
config wlan profiling local {dhcp | http | all} {enable | disable} wlan-id
To see the status of client profiling on a WLAN, enter the following command:
show wlan wlan-id
To enable or disable debugging of client profiling, enter the following command:
debug profiling {enable | disable}
Configuring Custom HTTP Port for Profiling
Note: The HTTP port 80 is always open for gathering HTTP profiling data, irrespective of the custom HTTP port configuration.