Cisco Identity Services Engine 2.1 Technical Manual

AD 2012 R2
The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.
Background Information
The AD probe:
- Improves the fidelity of Operating System (OS) information for Windows endpoints. Microsoft
  AD tracks detailed OS information for AD-joined computers that includes version and service
  pack levels. The AD probe retrieves this information directly and uses the AD Runtime
  connector in order to provide a highly reliable source of client OS information.
- Helps to distinguish between corporate and non-corporate assets. A basic, but important
  attribute available to the AD probe is whether an endpoint exists in AD. This information can
  be used to classify an endpoint contained in the AD as a managed device or corporate asset.
Configure
Network Diagram
This is the flow:
1. The client connects to the wireless network via MAC Authentication Bypass (MAB); limited
   access is given to the endpoint.
2. The WLC, via the Device Sensor feature, sends the hostname of the client machine to ISE.
3. ISE triggers an AD query in order to get the attributes: AD-Host-Exists, AD-Join-Point,
   AD-Operating-System, AD-OS-Version, AD-Service-Pack.
4. Because a manual Profiling Policy is configured and an Authorization Rule is in place, the
   endpoint is profiled and a Change of Authorization (CoA) is triggered.
5. Full access is given to the endpoint.
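To check in advance what the AD query in step 3 can return for a hostname, the following added example (not part of the Cisco document) reads the corresponding data from AD with the ActiveDirectory PowerShell module. The function name Get-AdProbePreview, the sample hostnames, the use of the workstation's own domain as the join point, and the mapping of the ISE attribute names to the AD computer-object properties OperatingSystem, OperatingSystemVersion and OperatingSystemServicePack are assumptions.

```powershell
# Added example, not from the Cisco document. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdProbePreview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$HostName
    )
    begin {
        # Assumption: the ISE join point is the domain this workstation belongs to.
        $joinPoint = (Get-ADDomain).DNSRoot
        $props = 'OperatingSystem', 'OperatingSystemVersion', 'OperatingSystemServicePack'
    }
    process {
        foreach ($name in $HostName) {
            # The hostname is reported by the client, so validate it before it
            # goes into an LDAP filter; keep only the short (NetBIOS-style) label.
            $short = ($name -split '\.')[0]
            if ($short -notmatch '^[A-Za-z0-9-]{1,15}$') {
                Write-Warning "Skipping invalid hostname: $name"
                continue
            }
            # Computer accounts carry a trailing '$' in sAMAccountName.
            $sam = $short + '$'
            $computer = Get-ADComputer -Filter "SamAccountName -eq '$sam'" -Properties $props

            # Property names follow the attribute list in step 3 (assumed mapping).
            [pscustomobject]@{
                HostName              = $short
                'AD-Host-Exists'      = [bool]$computer
                'AD-Join-Point'       = if ($computer) { $joinPoint } else { $null }
                'AD-Operating-System' = $computer.OperatingSystem
                'AD-OS-Version'       = $computer.OperatingSystemVersion
                'AD-Service-Pack'     = $computer.OperatingSystemServicePack
            }
        }
    }
}

# Constructed sample hostnames: one expected in AD, one not.
'LAB-PC01.example.com', 'byod-phone' | Get-AdProbePreview | Format-List
```

A hostname with no matching computer account comes back with AD-Host-Exists set to False and the OS fields empty, which is the case the profiling policy has to treat as a non-corporate asset.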
Configure the WLC
The WLC is configured for Basic MAB Authentication. Settings are highlighted in red.