topic Re: Device-Sensor Profiling Doesn't Appear To Be Working in Network Access Control

Device-Sensor Profiling Doesn't Appear To Be Working

loverbey — Wed, 30 May 2018 23:20:39 GMT

Devices are configured with device-sensor CDP, LLDP and RADIUS:

device-sensor filter-list cdp list manual-cdp-list

tlv name device-name

tlv name address-type

tlv name capabilities-type

tlv name platform-type

device-sensor filter-list lldp list manual-lldp-list

tlv name system-name

tlv name system-description

device-sensor filter-list dhcp list manual-dhcp-list

option name host-name

option name default-ip-ttl

option name requested-address

option name parameter-request-list

option name class-identifier

option name client-identifier

device-sensor filter-spec dhcp include list manual-dhcp-list

device-sensor filter-spec lldp include list manual-lldp-list

device-sensor filter-spec cdp include list manual-cdp-list

device-sensor accounting

device-sensor notify all-changes

SNMP:

snmp trap mac-notification change added

snmp trap mac-notification change removed

snmp trap mac-notification change added

snmp trap mac-notification change removed

snmp-server host 192.168.101.169 public

I see ISE receives the CDP LLDP info, but is not profiling the endpoint correctly (under context visibility endpoint details):

cdpCacheDeviceId APCC16.7E98.7A2C

cdpCachePlatform cisco AIR-AP3802I-B-K9

but in the logs and main context visibility page it is classified as a Cisco-Switch

Re: Device-Sensor Profiling Doesn't Appear To Be Working

Arne Bier — Wed, 30 May 2018 23:46:50 GMT

Do you send Radius Accounting to ISE PSN? The Device Sensor data is contained inside the Radius Accounting Cisco AVPairs.

Re: Device-Sensor Profiling Doesn't Appear To Be Working

loverbey — Thu, 31 May 2018 00:00:15 GMT

Thank you, Arne. I do have this configured, but oddly it isn't showing up in the running-config. I enabled debug:

*May 30 23:57:34.464: RADIUS/DECODE(0000117F): There is no General DB. Reply server details may not be recorded

*May 30 23:57:34.464: RADIUS(0000117F): Unique id not in use

*May 30 23:57:34.464: RADIUS/DECODE(0000117F): There is no RADIUS DB Some Radius attributes may not be stored

*May 30 23:57:34.464: RADIUS(0000117F): Unique id not in use

*May 30 23:57:34.464: RADIUS/DECODE(0000117F): There is no RADIUS DB Some Radius attributes may not be stored

*May 30 23:57:35.871: RADIUS/ENCODE(00001180):Orig. component type = CTS

Re: Device-Sensor Profiling Doesn't Appear To Be Working

Arne Bier — Thu, 31 May 2018 00:06:27 GMT

If your radius servers are not showing up in the running config then alarm bells should be ringing! IOS can hide config defaults and that is normal, but your aaa config should always be visible. Perhaps there is an additional command to include VSA' in the Radius accounting (I have a vague memory of this ... you have to tell IOS what all to include in the Accounting requests).

Can you share your relevant aaa IOS config?

Re: Device-Sensor Profiling Doesn't Appear To Be Working

loverbey — Thu, 31 May 2018 00:36:41 GMT

They are showing up and authen/authorization is working:

aaa group server radius dnac-client-radius-group

server name dnac-radius_192.168.101.179

ip radius source-interface Loopback0

aaa authentication dot1x default group dnac-client-radius-group

aaa authorization network default group dnac-client-radius-group

aaa authorization network dnac-cts-list group dnac-client-radius-group

aaa accounting dot1x default start-stop group dnac-client-radius-group

aaa server radius dynamic-author

client 172.25.0.179 server-key notforyou2

client 192.168.101.179 server-key notforyou2

client 172.25.0.178 server-key notforyou2

ip radius source-interface Loopback0

snmp-server enable traps trustsec-server radius-server provision-secret

radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 5 tries 3

radius-server deadtime 30

radius server dnac-radius_192.168.101.179

address ipv4 192.168.101.179 auth-port 1812 acct-port 1813

timeout 2

retransmit 1

pac key notforyou2

METRO-A5#sh radius server-group all

Server group radius

Sharecount = 1 sg_unconfigured = FALSE

Type = standard Memlocks = 1

Server(192.168.101.179:1812,1813) Transactions:

Authen: 0 Author: 0 Acct: 0

Server_auto_test_enabled: FALSE

Keywrap enabled: FALSE

Server group dnac-client-radius-group

Sharecount = 1 sg_unconfigured = FALSE

Type = standard Memlocks = 1

Server(192.168.101.179:1812,1813) Transactions:

Authen: 6228 Author: 61 Acct: 44771

Server_auto_test_enabled: FALSE

Keywrap enabled: FALSE

Re: Device-Sensor Profiling Doesn't Appear To Be Working

Arne Bier — Thu, 31 May 2018 01:17:12 GMT

Perhaps there is a command missing in the AP config. Sorry I don't have experience with this.

I would run a tcpdump on the ISE PSN node and look for your accounting requests from your Cisco AP. If the AP is sending the Cisco AVPair then it should be visible in the tcpdump. If not, then it's not an ISE issue. I have included an example from a Cisco 5520 WLC below which has device sensor enabled.

Re: Device-Sensor Profiling Doesn't Appear To Be Working

hslai — Thu, 31 May 2018 02:48:04 GMT

If this is a lab, please post the complete list of attributes for this endpoint. Or, you may unicast me the info and, if available, along with the profiler.log file (profiler in DEBUG).

I am guessing other attributes, such as LLDP and NMAP, making it as Cisco-Switch.

Re: Device-Sensor Profiling Doesn't Appear To Be Working

hslai — Sat, 02 Jun 2018 03:20:48 GMT

After reviewing the complete list of attributes of the endpoints, it appears that the endpoint is not performing authentication so IOS device sensor is unlikely at work and, instead, the attributes are gathered by SNMP probe.

I've open CSCvj77125 to track the issue of CDP platform strings for the newer Cisco APs.