topic Re: Comprehensive report of all endpoints on the network in Network Access Control

Comprehensive report of all endpoints on the network

jjahn — Thu, 26 Apr 2018 16:59:43 GMT

Looking for some advice on how to best extract a list of all of the endpoints on my network (or at least on ISE 802.1x authenticated ports!) We are in monitor mode at several sites, and trying to give a comprehensive answer about which endpoints are not meeting our policy and hitting the catch-all rule is proving more challenging than I was expecting.

Things I've looked at:

Live Sessions - seems like a good area, but I notice that long-lasting MAB sessions on the switch are still happily connected (and the switch access-session shows 'Authorized') but they disappear from ISE after some time. So I can't rely on this to tell me what's on the network.

Live Logs - way too much raw data to try and dump this out in report format and stitch back together, when I just need to know the most recent result per endpoint

Endpoint Profiler export - this is what I've been using, the Connected/Disconnected state seems to suffer similar to the Live Sessions issue but overall this is pretty good. The report is handy because you get the Authorization rule that was applied, switchport, IPs, hostnames, etc all in one spot. I have noticed some oddities with exporting this though, multiple rows with the same MAC address and similar.

So...

I was wondering if I have an issue with my switch config that could be resolved to make the switch check in more often for MAB devices? In theory I would think RADIUS accounting would do that, but maybe I'm missing something. I never seem to notice this issue for 802.1x devices. Everything works perfectly, it just makes me a bit nervous giving the data to a project team and saying "this is what's in monitor mode that needs fixing" when I don't have full confidence in that data.

ISE 2.3 w/ Patch 2 - distributed environment w/ 8 PSNs

(note, we were previously on 2.1 and I saw the same behavior, doesn't seem version dependent)

I've attached a sanitized switch config. All of the access switches are 3850s, all should be running IOS XE 3.6.5 (there may be a tiny bit of variation here but not much)

Any thoughts?

Re: Comprehensive report of all endpoints on the network

jjahn — Thu, 26 Apr 2018 17:04:41 GMT

Example of a switch port access-session for a device that is working fine, but doesn't show up as a live session in ISE:

----------------------------------------

Interface: GigabitEthernet1/0/46

IIF-ID: 0x105468[snip]

MAC Address: [snip]

IPv6 Address: Unknown

IPv4 Address: [snip]

User-Name: [snip]

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Session Uptime: 491277s

Common Session ID: 0A5544120000164F5BFEF538

Acct Session ID: 0x0000194C

Handle: 0xA300033B

Current Policy: DOT1X-DEFAULT

Server Policies:

ACS ACL: xACSACLx-IP-ACL-PERMIT-ALL-56609d01

Method status list:

Method State

dot1x Stopped

mab Authc Success

Re: Comprehensive report of all endpoints on the network

Craig Hyps — Thu, 26 Apr 2018 20:49:06 GMT

There are two tools to achieve this:

Endpoint Analysis Tool (EAT) available from iseeat.cisco.com
"Get All Endpoints" option from PAN CLI: # application configure ise

EAT was specifically developed to address the requirements for endpoint profile extraction for offline analysis and review. Authorization report was specifically added to handle the use case you request >> Show me the policies that my endpoints are hitting by Location, Switch, Port, etc. Show me which endpoints and users continue to hit default or incorrect policy!

The CLI option was added later and backported to earlier ISE versions as a way to extract same data without external app, but I still like the app for quickly filtering based on specific use case. I think the CLI option is generally quicker.

Craig

Re: Comprehensive report of all endpoints on the network

paul — Fri, 27 Apr 2018 02:57:13 GMT

You don't appear to have reauthentication enable on your switch ports:

authentication periodic

authentication timer reauthenticate server

This allows ISE to set the reauth timer. All my wired authorization profiles have a reauth timer of 65,000 seconds. I am guaranteed to get an accurate picture of what is connected to the network each day.

ISE has several bugs on the Context Visibility screen that make it a bit hard to answer the question "What is hitting the Catch All rule as their last authentication?". One of the pitfalls of CPL is that every Dot1x MAC address will do a Catch All MAB because CPL does MAB and Dot1x at same time.

I have a macro that I have been using since ISE 1.0 to process the radius authentication report to point out devices sitting in the Monitor Catch All state.

If the Context Visibility screen reliably updated the Authorization Profile column for each authentication you could use Context Visibility but it is not reliable at this point.

Re: Comprehensive report of all endpoints on the network

jjahn — Fri, 27 Apr 2018 12:16:43 GMT

Thanks Paul - I figured it was something silly I missed. That's got to be the issue with the reauth.

Re: Comprehensive report of all endpoints on the network

jjahn — Fri, 27 Apr 2018 12:17:38 GMT

Great options and I wasn't aware of either one previously! I will investigate both. Thanks much.