https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516956#M529156 <HTML><HEAD></HEAD><BODY><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Hi Everyone,</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I have been struggling with problem since a couple of weeks now and seems that I need some help.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I would be grateful if some could give me some hints or ideas regarding this.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">The situation is the following:</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">We are planning to roll out wired 8021x in our organization using ISE and the switches are mostly 3850, 3750 and 3560.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Now because there are more than 30k switch ports I’m trying to do the simplest configuration for a start.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">We would like to start with just profiling the devices for a couple of months maybe even a year.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I was thinking to use device sensor and radius probe to achieve this. Data will be sent using accounting to ISE.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">The important thing is that authentication and authorization will not be configured for now! So the switch port configuration will not be touched, nothing new will be added here.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I am following Craig Hyps trustsec guide regarding profiling(and other official documentation), and based on them this type of configuration is a valid one. It just needs a couple of global commands on the switches.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Now the problem that I am facing is that it’s not working on any of the switch models for now.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Device senor cache is populated on all switch types, but</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">on the 3850 and 3560 the accounting is not sent no matter what I do.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">On the 3750 the accounting is sent and contains sensor data but no calling station ID, so ISE cannot create and endpoint.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">(of course if I configure authentication and accounting and use the standard switch port configuration for 8021x this works, but as I said this is not what we want for now)</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I am working with TAC but no notable result for now.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">At this point I beginning to lose my hope that this is even doable.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Did someone ever manage to do this king of configuration that also worked? Can you let me know the exact IOS version and maybe an example of the configuration.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Any ideas are welcome.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Thanks,</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">laszlo</SPAN></P></BODY></HTML> Fri, 09 Jun 2017 05:18:26 GMT laposilaszlo 2017-06-09T05:18:26Z https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516956#M529156 <HTML><HEAD></HEAD><BODY><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Hi Everyone,</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I have been struggling with problem since a couple of weeks now and seems that I need some help.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I would be grateful if some could give me some hints or ideas regarding this.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">The situation is the following:</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">We are planning to roll out wired 8021x in our organization using ISE and the switches are mostly 3850, 3750 and 3560.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Now because there are more than 30k switch ports I’m trying to do the simplest configuration for a start.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">We would like to start with just profiling the devices for a couple of months maybe even a year.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I was thinking to use device sensor and radius probe to achieve this. Data will be sent using accounting to ISE.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">The important thing is that authentication and authorization will not be configured for now! So the switch port configuration will not be touched, nothing new will be added here.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I am following Craig Hyps trustsec guide regarding profiling(and other official documentation), and based on them this type of configuration is a valid one. It just needs a couple of global commands on the switches.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Now the problem that I am facing is that it’s not working on any of the switch models for now.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Device senor cache is populated on all switch types, but</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">on the 3850 and 3560 the accounting is not sent no matter what I do.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">On the 3750 the accounting is sent and contains sensor data but no calling station ID, so ISE cannot create and endpoint.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">(of course if I configure authentication and accounting and use the standard switch port configuration for 8021x this works, but as I said this is not what we want for now)</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">I am working with TAC but no notable result for now.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">At this point I beginning to lose my hope that this is even doable.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Did someone ever manage to do this king of configuration that also worked? Can you let me know the exact IOS version and maybe an example of the configuration.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Any ideas are welcome.</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"> </SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Thanks,</SPAN></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">laszlo</SPAN></P></BODY></HTML> Fri, 09 Jun 2017 05:18:26 GMT https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516956#M529156 laposilaszlo 2017-06-09T05:18:26Z https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516957#M529158 <HTML><HEAD></HEAD><BODY><P>IOS Device Sensor requires RADIUS to work.&nbsp; If you're not doing any AAA, you won't get any information from Device Sensor.&nbsp; You may want to look at other profiling methods such as DHCP probe (using IP helpers) or SNMP query while you are in monitor mode for the deployment.&nbsp; You could also try NMAP as well as the AD probe but be sure ISE is getting the hostname of the endpoint.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Fri, 09 Jun 2017 14:23:26 GMT https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516957#M529158 Timothy Abbott 2017-06-09T14:23:26Z https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516958#M529160 <HTML><HEAD></HEAD><BODY><P>Hi Tim,</P><P></P><P></P><P>Correct, that is what I was thinking also.</P><P>Accounting usually happens after authentication.</P><P></P><P>But then there is this part in the TrustSec document:</P><P></P><P style="font-size: 13.4px; font-family: sans-serif;">Note:</P><P style="font-size: 13.4px; font-family: sans-serif;">RADIUS accounting is required to forward sensor data to ISE. However, RADIUS authentication and authorization are not required to collect and send sensor data to ISE. Therefore, it is possible to use the Device Sensor for pre-ISE deployments during a network discovery phase when an organization is not yet ready to enable RADIUS authentication, even if only Monitor Mode. This support extends to deployments using ISE Profiling Services with Cisco NAC Appliance where RADIUS access control is not deployed.</P><P style="font-size: 13.4px; font-family: sans-serif;"></P><P style="font-size: 13.4px; font-family: sans-serif;"></P><P style="font-size: 13.4px; font-family: sans-serif;">Page 78</P><P style="font-size: 13.4px; font-family: sans-serif;"><A href="http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf" title="http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf">http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf</A></P><P style="font-size: 13.4px; font-family: sans-serif;"></P><P style="font-size: 13.4px; font-family: sans-serif;">And I have talked to Craig Hyps and he confirmed that this should work.</P><P style="font-size: 13.4px; font-family: sans-serif;">So its confusing. I'm am still not sure if this is possible or not.</P><P style="font-size: 13.4px; font-family: sans-serif;"></P><P style="font-size: 13.4px; font-family: sans-serif;">Thanks,</P><P style="font-size: 13.4px; font-family: sans-serif;">laszlo</P></BODY></HTML> Mon, 12 Jun 2017 05:57:33 GMT https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516958#M529160 laposilaszlo 2017-06-12T05:57:33Z https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516959#M529164 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If that is the case, you would need to find a way to send RADIUS accounting because it holds the profiling data as you are aware.&nbsp; At the same time, a monitor mode deployment where no enforcement is taking place could be another option.&nbsp; Check out the below doc for more information.</P><P></P><P><A href="https://community.cisco.com/docs/DOC-68150">How-To: Monitor Mode Deployment with ISE</A></P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Mon, 12 Jun 2017 13:57:11 GMT https://community.cisco.com/t5/network-access-control/ise-profiling-on-wired-using-radius-probe-and-accounting-no/m-p/3516959#M529164 Timothy Abbott 2017-06-12T13:57:11Z