Native Profiling

Native profiling is a network security feature that

  • profiles devices based on HTTP and DHCP traffic to identify the end devices on the network,

  • configures device-based policies and enforces them per user or per device on the network, and

  • allows profiling of mobile devices and basic onboarding of the profiled devices to a specific VLAN.

Native profiling characteristics

Policies assign an ACL and QoS policies, or configure session timeouts.

The policies are defined based on the following attributes:

  • User group or user role

  • Device type such as Windows clients, smartphones, tablets, and so on

  • Service Set Identifier (SSID)

  • Location, based on the access point group that the end point is connected to

  • Time of day

  • Extensible Authentication Protocol (EAP) type, to check which EAP method the client uses to connect

When a wireless client joins an access point, certain QoS policies are enforced on the access point. One such feature is native profiling for both upstream and downstream traffic at the AP. When combined with AAA override, native profiling supports a specific set of policies based on the time of day and day of week; AAA override then applies these policies, received from a RADIUS server, to the access point.

Consider the use case of time of day in conjunction with user role. Usually, the user role is used as an extra matching criterion along with the time of day, but you can combine the time of day with any matching criteria to get the desired result. Matching is performed when the client joins the controller.

You can configure policies as two separate components:

  • Defining policy attributes as service templates that are specific to clients joining the network and applying policy match criteria

  • Applying match criteria to the policy.


Note

Before proceeding with the native profile configuration, ensure that HTTP profiling and DHCP profiling are enabled.

Note

Native profiling is not supported with FlexConnect local authentication and local switching. Hence, do not configure the no central switching, no central authentication, and subscriber-policy-name name commands together. ISSU fails for this type of configuration; remove the configuration before attempting ISSU.


To configure native profiling, complete the following procedures:

  • Create a service template.

  • Create a class map.

    Note

    You can apply a service template using either a class map or a parameter map.

  • Create a parameter map and associate the service template with the parameter map.

  • Create a policy map.

    1. If a class map is used: associate the class map with the policy map and associate the service template with the class map.

    2. If a parameter map is used: associate the parameter map with the policy map.

  • Associate the policy map with the policy profile.

Create a class map (GUI)

Procedure


Step 1

Click Configuration > Services > QoS.

Step 2

In the QoS – Policy area, click Add to create a new QoS Policy or click the one you want to edit.

Step 3

Click Add Class Map and enter the details.

Step 4

Click Save.

Step 5

Click Update and Apply to Device.


Create a class map (CLI)


Note


Configuring class maps through the CLI offers more options and can be more granular than the GUI.


Before you begin

Follow these steps to create a class map using CLI commands:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Specify the class map type and name.

Example:

Device(config)# class-map type control subscriber match-any cls_user

Step 3

Specify the class map attribute filter criteria.

Example:

Device(config-filter-control-classmap)# match username ciscoise

Step 4

Specify the class map type and name.

Example:

Device(config)# class-map type control subscriber match-any cls_userrole

Step 5

Specify the class map attribute filter criteria.

Example:

Device(config-filter-control-classmap)# match user-role engineer

Step 6

Specify the class map type and name.

Example:

Device(config)# class-map type control subscriber match-any cls_oui

Step 7

Specify the class map attribute filter criteria.

Example:

Device(config-filter-control-classmap)# match oui 48.f8.b3

Step 8

Specify the class map type and name.

Example:

Device(config)# class-map type control subscriber match-any cls_mac

Step 9

Specify the class map attribute filter criteria.

Example:

Device(config-filter-control-classmap)# match mac-address 0040.96b9.4a0d

Step 10

Specify the class map type and name.

Example:

Device(config)# class-map type control subscriber match-any cls_devtype

Step 11

Specify the class map attribute filter criteria.

Example:

Device(config-filter-control-classmap)# match device-type windows

Step 12

Specify the class map type and name.

Example:

Device(config)# class-map type control subscriber match-all match_tod

Step 13

Specify a match to the time of day.

Example:

Device(config-filter-control-classmap)# match join-time-of-day 10:30 12:30

Here, the join time is considered for matching. For example, if the match filter is set from 11:00 am to 2:00 pm, a device joining at 10:59 am is not matched, even if it acquires credentials after 11:00 am.

start-time and end-time are specified in 24-hour format.

Use the show class-map type control subscriber name name command to verify the configuration.

Note

You should also disable AAA override for this command to work.

Step 14

Match name using the device type.

Example:

Device(config-filter-control-classmap)# match device-type android

Type a question mark (?) after the device type and select the device from the list.

Note

You should enable the device classifier for the device list to be populated.
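As an added illustration (not Cisco code), the following Python models how the class maps in this procedure classify a joining client: match-any versus match-all, the OUI and MAC comparisons, and the join-time-of-day rule that looks only at the time the client joined. The class map, attribute and template names are the ones used in the procedure; the Client and ClassMap structures are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class Client:
    mac: str                  # dotted form as IOS-XE prints it, e.g. 0040.96b9.4a0d
    device_type: str
    user_role: str = ""
    username: str = ""
    join_time: str = "00:00"  # HH:MM, 24-hour: when the client joined, not when it authenticated

def oui_of(mac: str) -> str:
    """First three octets of a MAC in the aa.bb.cc form used by 'match oui'."""
    digits = mac.replace(".", "").replace(":", "").lower()
    return ".".join(digits[i:i + 2] for i in range(0, 6, 2))

def _minutes(hhmm: str) -> int:
    """Convert a 24-hour HH:MM string, as 'match join-time-of-day' takes it, to minutes."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def match_criterion(attr: str, value: str, c: Client) -> bool:
    """Evaluate one 'match <attr> <value>' line against the client."""
    if attr == "join-time-of-day":
        start, end = (_minutes(t) for t in value.split())
        # Join time only: a client that joined before the window is not
        # matched even if it obtains credentials inside the window.
        return start <= _minutes(c.join_time) <= end
    if attr == "oui":
        return oui_of(c.mac) == value.lower()
    if attr == "mac-address":
        return c.mac.lower() == value.lower()
    plain = {"device-type": c.device_type, "user-role": c.user_role, "username": c.username}
    return plain[attr].lower() == value.lower()

@dataclass
class ClassMap:
    name: str
    match_all: bool                                # match-all if True, match-any if False
    criteria: list = field(default_factory=list)   # [(attr, value), ...] from the 'match' lines

    def matches(self, c: Client) -> bool:
        hits = [match_criterion(a, v, c) for a, v in self.criteria]
        return all(hits) if self.match_all else any(hits)

def activated_templates(policy: list, c: Client) -> list:
    """Given a policy map as ordered (class map, service template) pairs, return the
    templates activated for the client. With 'event identity-update match-all'
    every matching class runs its actions, so all matching templates are returned."""
    return [template for class_map, template in policy if class_map.matches(c)]
```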


Create a service template (GUI)

Procedure


Step 1

Choose Configuration > Security > Local Policy.

Step 2

On the Local Policy page, Service Template tab, click ADD.

Step 3

In the Create Service Template window, enter the following parameters:

  • Service Template Name: Enter a name for the template.

  • VLAN ID: Enter the VLAN ID for the template. Valid range is between 1 and 4094.

  • Session Timeout (secs): Sets the timeout duration for the template. Valid range is between 1 and 65535.

  • Access Control List: Choose the Access Control List from the drop-down list.

  • Ingress QOS: Choose the input QoS policy for the client from the drop-down list.

  • Egress QOS: Choose the output QoS policy for the client from the drop-down list.

Step 4

Click Save & Apply to Device.


Create a service template (CLI)

Before you begin

Follow these steps to create a service template using CLI commands:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter service template configuration mode.

Example:

Device(config)# service-template svc1

Step 3

Specify the VXLAN network identifier (VNID).

Example:

Device(config-service-template)# vnid test

Use the show service-template service-template-name command to verify the configuration.

Step 4

Specify the access list to be applied.

Example:

Device(config-service-template)# access-group acl-auto

Step 5

Specify VLAN ID.

Example:

Device(config-service-template)# vlan 10

Valid range is from 1-4094.

Step 6

Specify session timeout value for a service template.

Example:

Device(config-service-template)# absolute-timer 1000

Valid range is from 1-65535.

Step 7

Configure an input QoS policy for the client.

Example:

Device(config-service-template)# service-policy qos input in_qos

Step 8

Configure an output QoS policy for the client.

Example:

Device(config-service-template)# service-policy qos output out_qos

Create a parameter map (CLI)

Before you begin

Follow these steps to create a parameter map:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Specify the parameter map type and name.

Example:

Device(config)# parameter-map type subscriber attribute-to-service param

Step 3

Specify the parameter map attribute filter criteria.

Example:

Device(config-parameter-map-filter)# 1 map device-type eq "windows" mac-address eq 3c77.e602.2f91 username eq "cisco"

Multiple filters are used in the example provided here.

Step 4

Specify the service template and its precedence.

Example:

Device(config-parameter-map-filter-submode)# 1 service-template svc1 precedence 150

Create a policy map (GUI)

Before you begin

Follow these steps to create a policy map using the GUI:

Procedure


Step 1

Choose Configuration > Security > Local Policy > Policy Map tab.

Step 2

Enter a name for the Policy Map in the Policy Map Name text field.

Step 3

Click Add.

Step 4

Choose the service template from the Service Template drop-down list.

Step 5

For the following parameters, select the type of filter from the drop-down list and enter the required match criteria:

  • Device Type

  • User Role

  • User Name

  • OUI

  • MAC Address

Step 6

Click Add Criteria.

Step 7

Click Update & Apply to Device.


Create a policy map (CLI)

Create and configure a policy map to control subscriber behavior and apply service templates in wireless environments.
Policy maps define how the system responds to specific events and conditions. This procedure creates a subscriber control policy map that can be applied to wireless profiles for client management and service provisioning.

Before you begin

Before removing a policy map or parameter map, you should remove it from the target or shut down the WLAN profile or delete the session.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Specify the policy map type.

Example:

Device(config)# policy-map type control subscriber policy-map-name

Example:

Device(config)# policy-map type control subscriber polmap5

Step 3

Specify the match criteria to the policy map.

Example:

Device(config-event-control-policymap)# event identity-update match-all

Step 4

You can apply a service template using either a class map or a parameter map, as shown here.

  • Configure the local profiling policy class map number and specify how to perform the action.
  • Activate the service template.
  • Map an identity-update attribute to an auto-configured template.

Example:

The following example shows how a class-map with a service-template has to be applied:

Device(config-class-control-policymap)# class-num class class-map-name do-until-failure
Device(config-action-control-policymap)# action-index activate service-template service-template-name

Example:

The following example shows how a parameter map has to be applied (service template is already associated with the parameter map 'param' while creating it):

Device(config-action-control-policymap)# action-index map attribute-to-service table parameter-map-name

Step 5

Exit configuration mode.

Example:

Device(config-action-control-policymap)# end

Step 6

Enter global configuration mode.

Example:

Device# configure terminal

Step 7

Configure a wireless policy profile.

Example:

Device(config)# wireless profile policy wlan-policy-profile-name

Caution

 

Do not configure aaa-override for native profiling under a named wireless profile policy. Native profiling is applied at a lower priority than AAA policy. If aaa-override is enabled, the AAA policies will override native profile policy.

Step 8

Add a description for the policy profile.

Example:

Device(config-wireless-policy)# description profile-policy-description

Example:

Device(config-wireless-policy)# description "default policy profile"

Step 9

Configure DHCP TLV caching on a WLAN.

Example:

Device(config-wireless-policy)# dhcp-tlv-caching

Step 10

Configure client HTTP TLV caching on a WLAN.

Example:

Device(config-wireless-policy)# http-tlv-caching

Step 11

Configure the subscriber policy name.

Example:

Device(config-wireless-policy)# subscriber-policy-name policy-name

Example:

Device(config-wireless-policy)# subscriber-policy-name polmap5

Step 12

Configure a VLAN name or VLAN ID.

Example:

Device(config-wireless-policy)# vlan vlan-id

Example:

Device(config-wireless-policy)# vlan 1

Step 13

Enable the policy profile so that the configuration takes effect.

Example:

Device(config-wireless-policy)# no shutdown

The policy map is created and configured with the specified parameters, and the wireless policy profile is activated with the associated subscriber policy.

Configure native profiling in local mode (CLI)

Enable native profiling for wireless users in local mode by updating the policy profile configuration.

To configure native profiling in local mode, you must follow the steps described in Create a policy map (CLI). In the policy profile, you must enable central switching as described in the step below in order to configure native profiling.

Procedure


Enable central switching.

Example:

Device(config-wireless-policy)# central switching

Native profiling is now enabled in local mode. The device uses central switching, allowing profiling information to be collected and used for network management.

Verify native profile configuration

Use these show commands to verify the native profile configuration:

Device# show wireless client device summary 

Active classified device summary
MAC Address       Device-type                       User-role                             Protocol-map  
------------------------------------------------------------------------------------------------------
1491.82b8.f94b    Microsoft-Workstation             sales                                            9  
1491.82bc.2fd5    Windows7-Workstation              sales                                           41 
 
Device# show wireless client device cache

Cached classified device info
 
MAC Address       Device-type                       User-role                             Protocol-map  
------------------------------------------------------------------------------------------------------
2477.031b.aa18    Microsoft-Workstation                                                              9  
30a8.db3b.a753    Un-Classified Device                                                               9  
4400.1011.e8b5    Un-Classified Device                                                               9  
980c.a569.7dd0    Un-Classified Device        

Device# show wireless client mac-address 4c34.8845.e32c detail | s 
Session Manager:
  Interface :
  IIF ID           : 0x90000002
  Device Type      : Microsoft-Workstation
  Protocol Map     : 0x000009
  Authorized       : TRUE
  Session timeout  : 1800
  Common Session ID: 78380209000000174BF2B5B9
  Acct Session ID  : 0
  Auth Method Status List
  	Method : MAB
  		SM State        : TERMINATE
  		Authen Status   : Success
  Local Polices:
  	Service Template : wlan_svc_C414.3CCA.0A51 (priority 254)
  		Absolute-Timer   : 1800
  Server Polices:
  Resultant Policies:
  Filter-ID        : acl-auto
  Input QOS        : in_qos
  Output QOS       : out_qos
  Idle timeout     : 60 sec
  VLAN              : 10
  Absolute-Timer   : 1000 
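
The Session Manager output above lists the Absolute-Timer twice (1800 s under Local Polices for the per-WLAN default template, 1000 s under Resultant Policies for what actually applied), so a check that confirms the intended service template took effect has to read only the Resultant Policies section. The following Python does that, as an added example rather than Cisco code; the sample text is constructed from the output above and the expected values are those of service template svc1 from the CLI procedure.

```python
import re

# Constructed from the 'show wireless client mac-address ... detail' output above
# (the 'Local Polices' spelling is the controller's own).
SAMPLE = """Session Manager:
  Interface :
  Device Type      : Microsoft-Workstation
  Session timeout  : 1800
  Local Polices:
      Service Template : wlan_svc_C414.3CCA.0A51 (priority 254)
          Absolute-Timer   : 1800
  Server Polices:
  Resultant Policies:
  Filter-ID        : acl-auto
  Input QOS        : in_qos
  Output QOS       : out_qos
  Idle timeout     : 60 sec
  VLAN              : 10
  Absolute-Timer   : 1000
"""

# What service template svc1 from the CLI procedure is meant to apply.
EXPECTED_SVC1 = {"Filter-ID": "acl-auto", "Input QOS": "in_qos",
                 "Output QOS": "out_qos", "VLAN": "10", "Absolute-Timer": "1000"}

KEY_VALUE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)\s*:\s*(.+)$")

def resultant_policies(output: str) -> dict:
    """Return the key/value pairs under 'Resultant Policies:' only, so the
    default template's 1800 s timer is not mistaken for the 1000 s that applied."""
    policies, in_section = {}, False
    for line in output.splitlines():
        if line.strip() == "Resultant Policies:":
            in_section = True
        elif in_section:
            if not line.startswith(" ") or line.strip().endswith(":"):
                break                     # next prompt or next heading ends the section
            m = KEY_VALUE.match(line)
            if m:
                policies[m.group(1)] = m.group(2).strip()
    return policies

def check_client(output: str, expected: dict) -> list:
    """Compare what the controller applied with the template's intent; returns mismatches."""
    actual = resultant_policies(output)
    return [f"{key}: expected {want!r}, got {actual.get(key)!r}"
            for key, want in expected.items() if actual.get(key) != want]
```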

Use this show command to verify the class map details for a class map name:

Device# show class-map type control subscriber name test
Class-map               Action                       Exec  Hit  Miss  Comp
---------                ------                      ----  ---  ----   ---
match-any test     match day Monday                    0     0    0     0    
match-any test     match join-time-of-day 8:00 18:00   0     0    0     0    
Key:
  "Exec" - The number of times this line was executed
  "Hit"  - The number of times this line evaluated to TRUE
  "Miss" - The number of times this line evaluated to FALSE
  "Comp" - The number of times this line completed the execution of its
       condition without a need to continue on to the end