topic Re: Help Understanding Context Visibility in Network Access Control

Help Understanding Context Visibility

DannyDulin — Wed, 16 Aug 2023 19:44:07 GMT

Hello everyone.

We are using ISE version 3.1.0.518.

When I take a look at Context Visibility/Endpoint Classification is see over 900 endpoints that ISE sees.

I have created a profile policy that groups endpoints that are joined to our AD domain. I purge all the rest of the endpoints. However, they keep coming back. Within a day or so, the total endpoints grow to over 900 endpoints.

If I don't have over 900 endpoints authenticating through ISE, why are these endpoints keep coming back?

I've even deleted endpoints that are categorized as Unknown, buth these still keep coming back.

How do I permanently remove these endpoints that are most likely stale.

Re: Help Understanding Context Visibility

Rob Ingram — Wed, 16 Aug 2023 20:02:23 GMT

@DannyDulin are these random MAC addresses? (these change everytime). https://community.cisco.com/t5/security-knowledge-base/random-mac-address-how-to-deal-with-it-using-ise/ta-p/4049321

Typically you'd create a purge schedule to clear down these endpoints at regular intervals.

Re: Help Understanding Context Visibility

ahollifield — Thu, 17 Aug 2023 10:56:36 GMT

What are your use-cases for ISE? Wireless? Do you have guest wireless deployed on ISE? What NADs are these MAC addresses showing connected to?

Re: Help Understanding Context Visibility

Arne Bier — Thu, 17 Aug 2023 22:37:50 GMT

In addition to what Rob and Adam have said, are you using Profiling and perhaps also running regular SNMP queries against your NAD devices (SNMP configured in the ISE Network Devices definitions)? I have noticed that when I do that, ISE gets a dump of all the MAC addresses of switches, whether those MAC addresses are subject to NAC or not - it's a useful discovery method, but it can also pollute the Context Visibility.

Re: Help Understanding Context Visibility

DannyDulin — Fri, 18 Aug 2023 13:22:40 GMT

The immediate use case 3 years ago was to upgrade from ACS -> ISE for VPN and Wireless AAA with the eye on leveraging posturing and profiling.

Good question whether we have Guest Wireless deployed on ISE. I do not think so, but that's something I'll verify.

Another good question NADs MACs are connected to. What would be the relevance here?

Re: Help Understanding Context Visibility

DannyDulin — Fri, 18 Aug 2023 13:25:08 GMT

Good question are they random? I'll start to keep track to determine. Thank you for the link.

I have the default purge rules in play. Any tips on best practices for tis.

Re: Help Understanding Context Visibility

DannyDulin — Fri, 18 Aug 2023 13:26:35 GMT

Good question Arne. It's quite possible. I'll check that too.

Re: Help Understanding Context Visibility

DannyDulin — Mon, 21 Aug 2023 12:56:52 GMT

I checked a sample of network devices and neither of them are configured for SNMP. Additionally, I do not have SNMP probes enabled.

Re: Help Understanding Context Visibility

DannyDulin — Mon, 21 Aug 2023 13:05:48 GMT

Rob, I did an export of all the endpoints. It appears that there are many duplications of endpoints, with different MAC addresses. There are duplicate hostnames with different MAC addresses. There are duplicate endpoint email addresses with different MAC addresses. There are duplicate endpoint IP addresses with different MAC addresses.

I also noticed that 2/3 of the endpoints ISE PAN 1 is the Endpoint Profile Server and 1/3 use IS PAN 2. Is this correct.

How do I know which is the right instance of an enpoint to purge?

This seems much more complex than I first expected.

Re: Help Understanding Context Visibility

ahollifield — Mon, 21 Aug 2023 13:09:05 GMT

So are these wireless MACs then? On a guest network? What NAD are they connected to?

Do you use the DHCP probe?

Re: Help Understanding Context Visibility

DannyDulin — Mon, 21 Aug 2023 13:18:49 GMT

Are these wireless MACs? - Mixed. As you know typically remote users are wireless who connect to our network via VPN and the NAD for those endpoints is our ASA. I should point out that VPN users are authenticated via Duo SSO and Authorized by ISE.

On prem users connect via Wired and Wireless. We are only authenticating the Wireless users via ISE and the NAD is WLC.

We are not utilizing ISE for Wired.

The DHCP probe is being used.

Re: Help Understanding Context Visibility

ahollifield — Mon, 21 Aug 2023 13:27:21 GMT

So if you take one of these "unknown" MACs what is it connected to? The ASA VPN? Wireless?

Do you use ISE for guest wireless? WLC? AireOS or 9800?

Re: Help Understanding Context Visibility

DannyDulin — Mon, 21 Aug 2023 16:16:06 GMT

Connected to both ASA VPN and WLC.

We are not using ISE for guest wireless.

The WLC is 5500.

Re: Help Understanding Context Visibility

ahollifield — Mon, 21 Aug 2023 16:31:24 GMT

So are those MAC addresses actual clients properly authenticating to your network? Do you have a matching Live Log entry for these MAC addresses?

Re: Help Understanding Context Visibility

DannyDulin — Mon, 21 Aug 2023 16:57:13 GMT

I ran a RADIUS authentications report for the last 3 weeks. Approximately 300 endpoints that have authenticated in this time frame match the overall inventory list.

Re: Help Understanding Context Visibility

ahollifield — Mon, 21 Aug 2023 17:07:46 GMT

Got it, then this is normal. When an authentication occurs ISE adds the MAC address into the Context Visibility database to give you an view of all of the endpoints which authenticate against ISE. If you wish to remove old entries you can use endpoint purge rules.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_maintain_monitor.html#:~:text=Endpoints%20Purge%20Settings,-You%20can%20define&text=You%20can%20choose%20not%20to,are%20older%20than%2030%20days.

Re: Help Understanding Context Visibility

DannyDulin — Tue, 22 Aug 2023 13:18:21 GMT

Thank you for the info.

I created a schedule to purge inactive devices. Last night 1004 inactive devices were purged. This morning when I checked Contex Visibility there were 594 endpoints.

I sorted those on endpoints that were connected and there were only 49. I compared that to Live Sessions, which had 50 connected endpoints, and only 5 MAC addresses matched between the two. A mixture of VPN connected devices and Wireless.

At this point, it seems best to turn off all the probes, purge all the endpoints until the database is clear and start adding probes one at a time in order to get useful data.

What do you think about this course of action?

I just don't know why Context Visisbility>Endpoints continues to grow in the several hundreds when I'm certain not that many devices are connecting.

We are a 2 node deployment in HA and Policy Services is enabled on both Nodes.

At present, I have the following probes enabled:

DHCP - with relay sent to ISE
RADIUS - We are not doing any wired authentication. This is only for Wireless and VPN
NMAP
DNS
Active Directory
pxGrid

Re: Help Understanding Context Visibility

ahollifield — Tue, 22 Aug 2023 13:36:05 GMT

So those hundreds of other MACs, where are they connected? What do you show in the details page for these?

Are you using profiling at all? Do you have authz policies that rely on profiling? Do you use pxGrid?

Are your non-wireless or VPN NADs (and their associated SVIs) forwarding DHCP packets to ISE? You should only bother relaying from the wireless and VPN networks to match only the NADs that ISE will actually authenticate.

I would recommend disabling the NMAP probe.

Re: Help Understanding Context Visibility

DannyDulin — Tue, 22 Aug 2023 13:49:25 GMT

Thanks for bearing with me.

Those hundreds of other MACs are not connected to anything. If I filter in Context Visbility on "connected" the list reduces from several hundred to 30-50 endpoints. Additionally, Live logs only lists about 50-70 sessions.

We are not using profiling yet. We're trying to get there, but I'm not comfortable to relying on profiling for authz policies yet.

Don't have any use for pxGrid at this time.

The non-wireless NADs are forwarding DHCP packets to ISE. VPN NAD is not using DHCP rather IP pools.

Regarding this statement "You should only bother relaying from the wireless and VPN networks to match only the NADs that ISE will actually authenticate."

This makes sense now that we're seeing so many duplicate endpoints with different MACs.

Disabling PxGrid and NMAP.

Is it a problem having Policy Services enabled on both Nodes?

Re: Help Understanding Context Visibility

ahollifield — Tue, 22 Aug 2023 14:11:05 GMT

Policy Services is the PSN role for RADIUS, this must be enabled for ISE to process RADIUS.