ISE 2.7 - DHCP Probe not working

Scaremonger — Tue, 29 Nov 2022 16:06:35 GMT

Hi,
I am attempting to discover laptops connecting to a VPN endpoint that terminates on an F5 Load balancer using the DHCP Probe, but none of the devices get added as ISE Endpoints!

This was my approach:

I added the ISE policy nodes as DHCP servers (Helpers) on the F5 alongside the real ones.
Opened up Port 67 on the Firewalls between the F5 and ISE
Disconnect my test laptop from the F5 VPN
Set up a TCPDump on ISE for traffic from the F5 on port 67.
Reconnect my test laptop to the F5 VPN.

The firewall shows the DHCP traffic is permitted, and the TCPDump from ISE shows the following:

12:43:06.932974 IP (tos 0x0, ttl 252, id 59525, offset 0, flags [DF], proto UDP (17), length 361)
  192.168.150.1.13711 > redacted.bootps: BOOTP/DHCP, Request, length 333, htype 20, hlen 4, hops 1, xid 0x36655a71, Flags [none]
    Gateway-IP XXX.XXX.207.254
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Discover
        Client-ID Option 61, length 7: ether e8:6a:64:xx:xx:xx
        Vendor-Class Option 60, length 6: "f5-APM"
        Hostname Option 12, length 10: "TESTLAPTOP"
        MSZ Option 57, length 2: 1344
        Lease-Time Option 51, length 4: 4294967295
        Agent-Information Option 82, length 48: 
          Circuit-ID SubOption 1, length 14: XXX.XXX.150.16
          Remote-ID SubOption 2, length 20: XXX.XXX.36.105:65381
          Subscriber-ID SubOption 6, length 8: testuser
12:43:06.936788 IP (tos 0x0, ttl 252, id 28432, offset 0, flags [DF], proto UDP (17), length 373)
  192.168.150.1.bootps > redacted.bootps: BOOTP/DHCP, Request, length 345, htype 20, hlen 4, hops 1, xid 0x36655a71, Flags [none]
    Gateway-IP 172.30.207.254
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Request
        Client-ID Option 61, length 7: ether e8:6a:64:xx:xx:xx
        Server-ID Option 54, length 4: TESTLAPTOP.redacted-domain.uk
        Requested-IP Option 50, length 4: TESTLAPTOP.redacted-domain.uk
        Vendor-Class Option 60, length 6: "f5-APM"
        Hostname Option 12, length 10: "TESTLAPTOP"
        MSZ Option 57, length 2: 1344
        Lease-Time Option 51, length 4: 4294967295
        Agent-Information Option 82, length 48: 
          Circuit-ID SubOption 1, length 14: XXX.XXX.150.16
          Remote-ID SubOption 2, length 20: XXX.XXX.36.105:65381
          Subscriber-ID SubOption 6, length 8: testuser

In ISE under "WorkCenter | Profiler | Endpoint Classification", the endpoint with MAC address shown in the TCPDUMP (e8:6a:64:xx:xx:xx) does not exist, even though the TCPDump shows traffic is arriving.

I have double checked that the PSN's have the "Policy service" checked and that the DHCP Probe is enabled.

All LAN Devices are using device sensors on the switches, so this is the first real use of the DHCP probe and I've run out of things to check. Any suggestions on where I should look next would be greatly appreciated.

Thanks in advance,
Si.

Re: ISE 2.7 - DHCP Probe not working

Greg Gibbs — Tue, 29 Nov 2022 21:17:24 GMT

It sounds like you are trying to have ISE add an endpoint to the database solely on information from the DHCP Probe, which will not work. ISE needs to learn the endpoint MAC address from a RADIUS session. I can then supplement that endpoint data with profiling information it may learn from the DHCP Probe.
The MAC address is not typically something a RADIUS server learns about a VPN endpoint. With Cisco VPN endpoints, the MAC address is provided to ISE by the AnyConnect client via ACIDEX (AnyConnect Identity Extensions).

topic ISE 2.7 - DHCP Probe not working in Network Access Control

ISE 2.7 - DHCP Probe not working

Re: ISE 2.7 - DHCP Probe not working