Cisco Cisco Identity Services Engine 1.3 백서
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 13 of 27
HTTP traffic can be captured and parsed by ISE appliances through URL redirection of endpoint web requests,
such as occurs in central web authentication or hotspot guest access, or through direct requests to ISE portals,
including the guest, sponsor, or My Devices portal. HTTP traffic can also be mirrored from a switch to dedicated
ISE appliance interfaces using SPAN or network taps.
such as occurs in central web authentication or hotspot guest access, or through direct requests to ISE portals,
including the guest, sponsor, or My Devices portal. HTTP traffic can also be mirrored from a switch to dedicated
ISE appliance interfaces using SPAN or network taps.
Note: The IP address of the endpoint must be known in order to associate HTTP traffic to the endpoint’s MAC
address. The exception is URL-redirected traffic where the ISE appliance directly correlates client HTTP/S
requests to an existing endpoint session.
address. The exception is URL-redirected traffic where the ISE appliance directly correlates client HTTP/S
requests to an existing endpoint session.
The main attribute gathered from an HTTP probe is:
●
User-Agent (browser string)
The HTTP probe is disabled by default.
Note: Even if it is disabled, the HTTP probe still automatically parses web traffic that is sent to the IP address of
an ISE appliance interface where profiling services are enabled. The HTTP probe should be enabled to parse
HTTPS traffic sent to other targets such as mirrored SPAN traffic or local HTTPS traffic promiscuously captured by
an ISE appliance interface.
an ISE appliance interface where profiling services are enabled. The HTTP probe should be enabled to parse
HTTPS traffic sent to other targets such as mirrored SPAN traffic or local HTTPS traffic promiscuously captured by
an ISE appliance interface.
Best practice: When it is available, use the Device Sensor to collect HTTP and other endpoint attributes from the
network access devices. (The Device Sensor is discussed later in this guide.)
network access devices. (The Device Sensor is discussed later in this guide.)
DNS Probe
The DNS probe is triggered when the IP address of an endpoint is learned. The probe queries the name server
configured on the ISE appliance to resolve the hostname or FQDN assigned to the IP address. This request is
commonly known as a reverse host or reverse DNS lookup.
The DNS probe is triggered when the IP address of an endpoint is learned. The probe queries the name server
configured on the ISE appliance to resolve the hostname or FQDN assigned to the IP address. This request is
commonly known as a reverse host or reverse DNS lookup.
Many organizations have well-defined naming conventions that they use to assign specific names or strings to their
network hosts to quickly identify location, responsible group, or device type. For example, the hostname maybe
assigned a prefix of “MRI” or “CT” to indicate that it is an imaging device. The subdomain may be assigned to a
specific clinical organization, as in “biomed.ogranization.org.”
network hosts to quickly identify location, responsible group, or device type. For example, the hostname maybe
assigned a prefix of “MRI” or “CT” to indicate that it is an imaging device. The subdomain may be assigned to a
specific clinical organization, as in “biomed.ogranization.org.”
In some cases the manufacturer of the medical device may populate the hostname with a default value to indicate
the vendor or device model.
the vendor or device model.
The main attribute gathered from the DNS probe is:
FQDN (hostname + domain name)
The DNS probe is disabled by default.
Best practice: It is recommended that the DNS probe be deployed if medical devices have or can be made to
have a well-defined name format and if these names populate the organizational name servers either statically or
dynamically (through dynamic DNS).
have a well-defined name format and if these names populate the organizational name servers either statically or
dynamically (through dynamic DNS).
The endpoint hostname and FQDN may also be acquired by the DHCP probe. Of the two sources of information,
DNS probe data is more reliable and trustworthy. DHCP options are submitted by the client, whereas the DNS
probe acquires information from the DNS name server.
DNS probe data is more reliable and trustworthy. DHCP options are submitted by the client, whereas the DNS
probe acquires information from the DNS name server.