topic Re: Enabling radius probes as best practice in Network Access Control

Enabling radius probes as best practice

umahar — Mon, 16 Jul 2018 14:33:01 GMT

I have a customer who has disabled Radius probes on recommendation by TAC. I should get more clarity today.

It was my understanding that enabling Radius probes was a best practice recommendation.

Also Craig mentioned before on the below link that there was a plan to make Radius probe mandatory.

Re: MAC address using only DHCP probes

I have also seen some weird behaviour in lab while testing NMAP profiling without Radius probes enabled.

Re: Enabling radius probes as best practice

Craig Hyps — Mon, 16 Jul 2018 16:10:19 GMT

>> "It was my understanding that enabling Radius probes was a best practice recommendation."

This is False and RADIUS profiling is critical to support a number of core functions. It is actually enabled by default and runs without Plus license.

Re: Enabling radius probes as best practice

umahar — Mon, 16 Jul 2018 16:14:03 GMT

Craig, so RADIUS profiling should always be enabled even though there is an option to disable it ?

Re: Enabling radius probes as best practice

kthiruve — Mon, 16 Jul 2018 19:16:21 GMT

Hi Utkarsh,

What is the use case here.

ISE profiling requires MAC and IP address as a neccessary attribute for profiling to work.

MAC and IP can be gathered by DHCP and RADIUS typically. Other probes that typically uses IP address such as NMAP needs this information. Also for NMAP to work you have to make sure to disable firewall on endpoints and try a manual scan as well.

Please use the Profiling best practices guide(pg 127 through 139) for information on what probes should be used in what situation.

ISE Profiling

Thanks

Krishnan

Re: Enabling radius probes as best practice

Arne Bier — Tue, 17 Jul 2018 23:09:33 GMT

I have to chime in here because this topic has bothered me since day 1. By default, the Profiling checkbox is enabled when you install ISE. And in the past I always unchecked that box for customers who don't have Plus licensing. I thought this made some logical sense. As Craig always says, only enable what needs to be enabled. Right??? I have no idea how much compute power I save by doing that.

But the murky details about what is really happening under the covers has never been properly explained (or at least I have not found that explanation). Here is what I believe is happening

Scenario 1: No Plus License installed - Profiling disabled - PSN will still "profile" the data from Device Sensor Radius Accounting Interim Updates. (this is the poor man's profiling and comes for free. No Plus license required because there are no AuthZ rules. It's just like magic)
Scenario 2: No Plus License installed - Profiling enabled - PSN will "profile" the data from Device Sensor Radius Accounting Interim Updates. Same as above. But, what is the PSN now doing in addition?? Let's say I enable Radius probe only. Have I enabled any additional functionality, given that perhaps I only want to use the Device Sensor data as my source? Is this better magic than Scenario 1?

The word "probe" is misleading in the case where NAD's are sending Device Sensor data via Radius Acct because ISE is not doing any active probing at all. It's a gratuitous piece of data from the NAD that ISE decodes and uses for various purposes.

Just to save myself the heartache , I just leave Profiling enabled even for customers who don't have Plus Licenses. On the upside, the application services don't restart when I do that (bonus!) and what's the worst that can happen, right? - customer who don't care about profiling for their AuthZ might still be interested to know what types of devices are on their network (just for statistical purposes)