Updated: October 5, 2023
This document describes how WiFi Analytics for Endpoint Classification works. It also describes how to configure, verify, and troubleshoot it.
Cisco recommends that you have knowledge of these topics:
9800 Wireless LAN Controllers (WLC) configuration
Identity Services Engine (ISE) configuration
RADIUS Authentication, Authorization and Accounting (AAA) packet flow and terminology
This document assumes that there is already a working WLAN authenticating clients using ISE as RADIUS server.
For this feature to work, it is required to have at least:
9800 WLC Cisco IOS® XE Dublin 17.10.1
Identity Services Engine v3.3
802.11ac Wave2 or 802.11ax (Wi-Fi 6/6E) access points
The information in this document is based on these software and hardware versions:
9800 WLC Cisco IOS XE v17.12.x
Identity Services Engine (ISE) v3.3
Android 13 Device
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Through WiFi Device Analytics, Cisco 9800 WLC can learn attributes, such as model number and OS version from a set of endpoints connected to this device, and share it with ISE. ISE then can use this information for Endpoint Classification, also known as Profiling, purposes.
Currently, WiFi Analytics is supported for these vendors:
The WLC shares the attribute information with the ISE server using RADIUS Accounting packets.
WiFi Analytics Data Flow
It is important to remember that, in a RADIUS AAA flow, RADIUS Accounting packets are sent only after the RADIUS server replies to the endpoint authentication attempt with a RADIUS Access-Accept packet. In other words, the WLC shares the endpoint attribute information only after a RADIUS session for that endpoint is established between the RADIUS server (ISE) and the Network Access Device (WLC).
These are all the attributes that ISE can make use of for Endpoint Classification and authorization:
Note: The WLC can send more attributes depending on the type of endpoint connecting, but only the listed ones can be used to create Authorization Policies in ISE.
Once ISE receives the Accounting packet, it can process and consume this analytics data within it, and use it to reassign an endpoint profile/identity group.
The WiFi Endpoint Analytics attributes are listed under the WiFi_Device_Analytics dictionary. Network administrators can include these attributes on the endpoint authorization policies and conditions.
WiFi Device Analytics Dictionary
If any of the attribute values that ISE stores for the endpoint change, ISE initiates a Change of Authorization (CoA), so that the endpoint is re-evaluated taking the updated attributes into account.
Configurations on WLC
Step 1. Enable Globally the Device Classification Feature
Navigate to Configuration > Wireless > Wireless Global and mark the Device Classification checkbox.
Device Classification Configuration
Step 2. Enable TLV Caching and RADIUS Profiling
Navigate to Configuration > Tags and Profiles > Policy and select the Policy Profile used by the WLAN where the RADIUS clients are connecting.
Wireless Policy Selection
Click Access Policies and check the RADIUS Profiling, HTTP TLV Caching and DHCP TLV Caching options. Because of the action taken in the previous step, the Global State of Device Classification now shows as Enabled.
RADIUS Profiling and Caching Configuration
Log in to the WLC CLI and enable dot11 TLV Accounting.
Note: The wireless policy profile must be disabled before you use this command. This command is available only on Cisco IOS XE Dublin 17.10.1 and later.
Configurations on ISE
Step 1. Enable Profiling Services in the PSNs in the Deployment
Navigate to Administration > Deployment and click the name of the PSN.
ISE PSN Node Selection
Scroll down to Policy Service section and mark the Enable Profiling Service checkbox. Click the Save button.
Profiler Services Configuration
Step 2. Enable the RADIUS Profiling Probe on ISE PSN
Scroll up to the top of the page and click the Profiling Configuration tab. This displays all the profiling probes available on ISE. Enable the RADIUS Probe and click Save.
RADIUS Profiling Probe Configuration
Step 3. Set CoA Type and Endpoint Attribute Filter
Navigate to Administration > System > Settings > Profiling. Set CoA Type to Reauth and ensure that the Endpoint Attribute Filter checkbox is unchecked.
CoA Type and Attribute Filter Configuration
Step 4. Configure Authorization Policies with WiFi Analytics Data Attributes
Navigate to Policy > Policy Sets menu and select the Policy Set used by your wireless network.
Policy Set Selection
Click Authorization Policies and configure the Authorization Conditions to include the Endpoint Policy and WiFi Device Analytics dictionary attributes.
Authorization Policy Configuration
On ISE GUI, navigate to Operations > RADIUS > Live logs. You can use several fields to filter the entries on this window and locate the testing endpoint records.
ISE Live Logs for Testing Endpoint
a. The initial endpoint Authentication request reaches ISE. The Endpoint profile field is empty because the Accounting packet for this session has not reached ISE at this point.
b. A CoA is sent from ISE towards the NAD because the Accounting packet containing the endpoint attributes has now been received.
c. After the CoA is sent successfully, the endpoint is reauthenticated. This time you can observe the newly assigned endpoint profile, and see that a different Authorization result has been assigned.
Note: The CoA packet always has an empty identity field, but the endpoint ID is the same as in the first Authentication packet.
Click the icon located in the Details column on the Change of Authorization record.
Access to CoA Packet Details
The CoA detailed information is displayed in a new browser tab. Scroll down to the Other Attributes section.
The CoA source component displays as profiler. The CoA Reason displays as Change in endpoint identity group/policy/logical profile which are used in Authorization policies.
CoA Triggering Component and Reason
Navigate to Context Visibility > Endpoints > Authentication tab. On this tab, use the filters to locate the testing endpoint.
Click the endpoint MAC Address to access the endpoint attributes.
Endpoint on Context Visibility
This action displays all the information ISE is storing about this endpoint. Click Attributes section and then select Other Attributes.
Endpoint Other Attribute Selection on Context Visibility
Scroll down until you find the WiFi_Device_Analytics dictionary attributes. Finding these attributes in this section means that ISE received them successfully through the Accounting packets and that they can be used for Endpoint Classification.
WiFi Analytics Attributes on Context Visibility
For your reference, here are examples of Windows 10 and iPhone attributes:
Example of Windows 10 Endpoint Attributes
Example of iPhone Endpoint Attributes
Step 1. Accounting Packets reach ISE
On the WLC CLI, ensure that DOT11 TLV accounting, DHCP TLV caching and HTTP TLV caching are enabled in the policy profile configuration.
Once located, expand the Cisco-AVPair fields to locate the WiFi Analytics Data within the Accounting packet.
Endpoint TLV Attributes within an Accounting Packet
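As an added example (not part of the Cisco document), the following Python decoder shows what "expand the Cisco-AVPair fields" means at the byte level: it walks a RADIUS Accounting-Request, confirms it is an Accounting-Start for the endpoint's Calling-Station-Id, and pulls out the Cisco-AVPair values (Vendor-Specific attribute 26, vendor ID 9, sub-type 1) that carry the analytics data. The packet, the attribute names and their values are constructed for illustration; the real attribute names are the ones ISE shows under the WiFi_Device_Analytics dictionary.

```python
# Added example (not from the Cisco document): decode a RADIUS Accounting-Request and
# extract the Cisco-AVPair values, which carry the WiFi Analytics data from the 9800 WLC.
# Packet contents, attribute names and values below are constructed for illustration.
import struct

ACCT_REQUEST, VSA, CALLING_STATION_ID, ACCT_STATUS_TYPE = 4, 26, 31, 40
CISCO_VENDOR_ID, CISCO_AVPAIR, ACCT_START = 9, 1, 1

def build_avpair(text: str) -> bytes:
    """Encode one Cisco-AVPair as a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", VSA, 6 + len(sub), CISCO_VENDOR_ID) + sub

def build_accounting_start(mac: str, avpairs: list) -> bytes:
    """Build a constructed Accounting-Request (Start) for the given endpoint MAC."""
    attrs = struct.pack("!BBI", ACCT_STATUS_TYPE, 6, ACCT_START)
    attrs += struct.pack("!BB", CALLING_STATION_ID, 2 + len(mac)) + mac.encode()
    attrs += b"".join(build_avpair(a) for a in avpairs)
    # Header: code, identifier, length, then a 16-byte Request Authenticator (zeroed here).
    return struct.pack("!BBH", ACCT_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs

def parse_accounting(packet: bytes) -> dict:
    """Return Acct-Status-Type, Calling-Station-Id and a dict of Cisco-AVPair key/values."""
    # Assumes one Cisco-AVPair per Vendor-Specific attribute; other VSAs are skipped.
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    result = {"status": None, "calling_station_id": None, "avpairs": {}}
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ACCT_STATUS_TYPE and len(value) == 4:
            result["status"] = struct.unpack("!I", value)[0]
        elif atype == CALLING_STATION_ID:
            result["calling_station_id"] = value.decode(errors="replace")
        elif atype == VSA and len(value) >= 6 and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
                key, _, val = value[6:4 + vlen].decode(errors="replace").partition("=")
                result["avpairs"][key] = val
        pos += alen
    return result
```

Run it against the bytes of a real Accounting-Start captured between the WLC and ISE (for example exported from a packet capture) to confirm the analytics AVPairs are present before looking further at the ISE side.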
Step 2. ISE Parses the Accounting Packet with the Endpoint Attributes
On the ISE side, these components can be set to DEBUG level to ensure that the RADIUS Accounting packets sent by the WLC reach ISE and are processed correctly.
You can then collect the ISE Support Bundle to gather the log files. For more information about how to collect the Support Bundle, refer to the Related Information section.
Components to Debug for Troubleshoot
Note: Enable the components at DEBUG level only on the PSN that authenticates the endpoints.
In iseLocalStore.log, the Accounting-Start message is logged without the need to enable any component at DEBUG level. Here, ISE must show the incoming Accounting packet containing the WiFi Analytics attributes.
In prrt-server.log, ISE logs the parsed accounting packet as a syslog message that includes the WiFi Analytics attributes. Use the CallingStationID and CPMSessionID fields to ensure that you are tracking the correct session and endpoint.