topic Re: Setting LLDP options using ISE Authorization Profile Advanced Attr in Network Access Control

Setting LLDP options using ISE Authorization Profile Advanced Attrib's

netwerkbeheer — Wed, 19 Apr 2023 15:04:41 GMT

Hi,

We have ISE 2.7.0.356 patch 9, with most of our switches on Cisco IOS XE Software, Version 16.12.05b, and some newer switches running 17.06.04

For our LAN we would like the option to enable or disable all, or specific LLDP TLV advertisements, depending on what devices authenticates, (or fails to authenticate) on our switch ports.

We don't yet use Profiling, so no incoming LLDP data in our switches is used in our auth. policies. So that is no issue in this case.

Interface Profiles was my first guess to use for this, but I understood LLDP is not supported by the Interface Profile feature(?)

In the Advanced Attributes Settings for Authorization Profiles the following appears when LLDP is entered in the search bar:

LLDP:lldpSystemDescription =

LLDP:lldpTimeToLive =

LLDP:lldpPortDescription =

LLDP:lldpManAddress =

LLDP:lldpCapabilitiesMapSupported =

LLDP:lldpCacheCapabilities =

LLDP:lldpPortId =

LLDP:lldpSystemCapabilitiesMapEnabled =

LLDP:lldpSystemName =

LLDP:lldpChassisId = 

LLDP:cdpCacheAddress =

But what do I enter or select there to the right of the "=", in the second column?
- Enable/ Disable, On/Off, or .... ?

(Under Policy > Policy Elements > Dictionaries > LLDP i hoped to find something, but it says STRING, and nothing else which could be usefull.)

Is this even a valid set of Attributes, for use to SET options for LLDP on switchports, or could it be a set of Profiling options that should not even appear in an Authorization Profile? (I ask this in part because all LLDP related ISE search terms only give Profiling-related results.)

If these Advanced Attributes are no option;

Is there another way to set LLDP option/ config on switchports using ISE Authorization Profiles?

And, because I spent all day looking for a more in depth document about this, and failing to find one:

Is there a Deep-Dive, Advanced, In Depth guide for configuring Authorization Profiles, including of course the options under Advanced Attributes Settings?

If anyone knows, please make my day.

Best Regards,

Rick Roersma

Re: Setting LLDP options using ISE Authorization Profile Advanced Attr

Arne Bier — Sun, 23 Apr 2023 20:25:40 GMT

Hi @netwerkbeheer - I understand what you're trying to achieve, but what is the reason you want to do this - is there a requirement by the endpoints to process custom LLDP attributes? Not sure how this can be done - as far as I understand, the changes in the switch interface should influence what attributes the switch advertises to the endpoint - as opposed to the other way around, where the Device Sensor processes the attributes, it hears from endpoints.

Do you want the ability to selectively NOT return certain attributes, or do you want to have the ability to set the values of those attributes? Have you tried creating a named template on the switch? Does it accept LLDP commands in the template? If yes, then try returning that template to an endpoint and see if the config accepts it (show derived-config interface xyz)

I don't know about the LLDP Dictionary - I would assume that this is used by ISE to process the Device Sensor data it receives from the switch as part of the Device Sensor (profiling).

Re: Setting LLDP options using ISE Authorization Profile Advanced Attr

poongarg — Mon, 24 Apr 2023 09:44:07 GMT

You can control the send and receive of TLV on switchport using LLDP-MED

LLDP-MED

LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices. It specifically provides support for voice over IP (VoIP) applications and provides additional TLVs for capabilities discovery, network policy, Power over Ethernet, inventory management and location information. By default, all LLDP-MED TLVs are enabled.

LLDP-MED Supported TLVs

LLDP-MED supports these TLVs:

LLDP-MED capabilities TLV

Allows LLDP-MED endpoints to determine the capabilities that the connected device supports and has enabled.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/int_hw/b_1612_int_and_hw_9200_cg/configuring_lldp__lldp_med__and_wired_location_service.html

Re: Setting LLDP options using ISE Authorization Profile Advanced Attr

netwerkbeheer — Thu, 08 Jun 2023 10:50:52 GMT

Thanks for your reply!

What we are looking for is the ability to selectively NOT return certain attributes.

Your confusion as to why I'm trying to achieve this is understandable, I myself would be fine with just a default set of returned attributes configured on access ports, but some voices in our organisation are very.. carefull.. about any attributes advertised on access ports.

We have NAC implemented, switch software is up-to-date, so the switches have no horrible vulnerabilities, the risk of advertised lldp attributes seems manageable in my opinion.

But as it is, I was asked to investigate if it is possible, so here we are.

Named Templates, i'll give that a try and will be back, with good or bad news.

Thanks again!