topic Re: Deploying ISE for Wired Visibility on Switches in Network Access Control

Deploying ISE for Wired Visibility on Switches

pacavell — Fri, 04 Jan 2019 21:46:37 GMT

My customer is evaluating ISE 2.4 primarily for visibility. A large part of that is getting visibility about the wired endpoints on their network. We would like to set up Device Sensor probes for them on their switches. I've gone through the new ISE Profiling Design Guide and looked at the info about a deployment on switches that does not pre-suppose any previous configurations for RADIUS AAA. We've added what we think are the needed config lines on a test switch (2960X) and defined the switch to ISE. We've done the "test aaa group....." command and confirmed the switch can speak RADIUS to ISE. A running of the "show device-sensor cache all" command displays the expected output. However, we have not added any RADIUS port level commands on the switch (only global commands). The switch is not showing up in ISE (Context Visibility--> Network Devices) and we don't see any endpoints that are connected to the switch being reported in ISE. Also note that wireless visibility is working fine.

Any guidance on what we may be missing? We did not include any port level configs because we are not doing any authentication/authorization but I'm thinking that may be the problem. I'm wondering that I really need to apply the port level RADIUS configs to place the switch in "Monitor Mode" to get it to start sending the RADIUS info to ISE without forcing any access control. In my ISE 2.4 lab I have 2 switches defined along with all the global AND port level RADIUS configs and my switches are showing up and reporting on their attached endpoints via RADIUS probes.

Thanks for any assistance.

Re: Deploying ISE for Wired Visibility on Switches

Mohammed al Baqari — Sat, 05 Jan 2019 07:41:48 GMT

Hi, when you configure radius server on the switch, you need to define
radius ports 1812 and 1813 which ISE is using for authorization,
authentication , accounting. Even if you don't use aaa you need to point to
right ports.

By default the switch uses 1645 and 1646.

Re: Deploying ISE for Wired Visibility on Switches

Sheraz.Salim — Sat, 05 Jan 2019 11:05:20 GMT

curious if you have the right config. here what i remember.

=======================================

aaa new-model

aaa authentication dot1x default group ISE

aaa authorization network default group ISE

aaa accounting dot1x default start-stop group ISE

aaa group server radius ISE

radius name CISCO

aaa radius server dynamic author

client 1.1.1.1 server key cisco

radius server CISCO

address ipv4 1.1.1.1 auth-port 1812 acct-port 1813

key cisco

radius-server attributes 6 on

radius-server attributes 8

radius-server attriibutes 25

radius-server attributes 31

radius-server vsa sen auth

radius-server vsa sen acct

ip device tracking

epm logging

dot1x system auth

dot1x logg verb

======================================

kindly make sure you have radius port correctly configured on both ISE and the switch.

Re: Deploying ISE for Wired Visibility on Switches

pacavell — Sun, 06 Jan 2019 15:21:13 GMT

Thanks Mohammed. I have defined ports 1812 and 1813.

Re: Deploying ISE for Wired Visibility on Switches

gbekmezi-DD — Mon, 07 Jan 2019 17:24:13 GMT

Please share your switch configuration.

Re: Deploying ISE for Wired Visibility on Switches

mnagired — Mon, 07 Jan 2019 18:00:31 GMT

Hi,

Please refer to Device-Sensor section in the below deployment guide for configurations related to device-sensor and CLI are more or less same for 2960X as well.

https://community.cisco.com/t5/mcc-security-archive-documents/cisco-ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3759910

You need below configuration for Device-Sensor data

   1. Enabling Accounting Augmentation under respective sections..

   aaa new-model
   aaa accounting dot1x default start-stop group radius

   radius-server host{hostname|ip-address}[auth-port port-number][acct-port port-number][timeout seconds][retransmit retries][key string]

   radius-server vsa send accounting
   device-sensor accounting
   device-sensor notify all-changes

   2. Gather Raw Endpoint data from protocols such as CDP, LLDP, DHCP - Refer to the URL for configs..

Hope this helps..

Re: Deploying ISE for Wired Visibility on Switches

pacavell — Mon, 07 Jan 2019 18:09:13 GMT

I’ve included all those lines in my config. What I don’t have are any port level config commands. I’m thinking that is the issue.

Re: Deploying ISE for Wired Visibility on Switches

Sheraz.Salim — Mon, 07 Jan 2019 18:20:17 GMT

port level config is only need when you doing dot1x authentication or doing mab etc. or unless you have cts running on to ports where you core is actiing as seed switch

Re: Deploying ISE for Wired Visibility on Switches

mnagired — Mon, 07 Jan 2019 19:56:03 GMT

Yes, thats right you need port-level authentication configs and yeah it can be in monitor-mode either..

Found this old doc.. Refer to the troubleshooting section..

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html

Re: Deploying ISE for Wired Visibility on Switches

Sheraz.Salim — Mon, 07 Jan 2019 20:05:55 GMT

I am sorry i mixed up my post. do apologies i thought this post if for cts trouble.

to many windows open in my browser. so please forgive me.